LinuxQuestions.org
Old 09-09-2012, 06:13 AM   #16
robi1
LQ Newbie
 
Registered: Sep 2012
Posts: 10

Rep: Reputation: Disabled

Quote:
Originally Posted by ambivalent View Post
sudo ext4magic /dev/sda1 -r -a 1346544000 -d media/recoverext4/recover
.......
But no data recovered at all.
Ext4magic stops running almost immediately.
I've also tried '-R' and 'm' but still nothing recovered.

What am I doing wrong?
Try the following command:
Code:
ext4magic -H -a 1346544000 /dev/sda1
If no further information comes here, it may be an access problem with sudo and ext4magic.
Switch to user root and then start ext4magic directly as root.
Code:
su -
or, if that does not work on this distribution:
Code:
sudo bash; su -
If the command outputs information, you should see a lot of activity in the 2nd table on 02. Sep or 03. Sep (the delete process).
At later times no major activities should be present.
Otherwise you have overwritten the old journal data.
Then you can still try the Magic Function. (For ext4 you need ext4magic-0.3.0.)
Code:
ext4magic /dev/sda1 -m -a 1346544000 -d media/recoverext4/recover
robi1
 
Old 09-12-2012, 05:45 AM   #17
ambivalent
LQ Newbie
 
Registered: Sep 2012
Posts: 12

Original Poster
Rep: Reputation: Disabled
Stuck here, guys...

Removed this post.
I posted before seeing robi's reply, again (something amiss with my browser reload skills, it seems).

Thanks Robi, I'll give that a try now.

Last edited by ambivalent; 09-12-2012 at 10:54 AM.
 
Old 09-12-2012, 10:42 AM   #18
ambivalent
LQ Newbie
 
Registered: Sep 2012
Posts: 12

Original Poster
Rep: Reputation: Disabled
sudo ext4magic -H -a 1346544000 /dev/sda1

returns;

Filesystem in use: /dev/sda1

|-----------c_time Histogram----------------- after -------------------- Sun Sep 2 00:00:00 2012
1346635892 : 0 | | Mon Sep 3 01:31:32 2012
1346727784 : 7 |* | Tue Sep 4 03:03:04 2012
1346819676 : 0 | | Wed Sep 5 04:34:36 2012
1346911568 : 0 | | Thu Sep 6 06:06:08 2012
1347003460 : 1247 |**************************************************| Fri Sep 7 07:37:40 2012
1347095352 : 0 | | Sat Sep 8 09:09:12 2012
1347187244 : 0 | | Sun Sep 9 10:40:44 2012
1347279136 : 0 | | Mon Sep 10 12:12:16 2012
1347371028 : 0 | | Tue Sep 11 13:43:48 2012
1347462920 : 0 | | Wed Sep 12 15:15:20 2012


|-----------d_time Histogram----------------- after -------------------- Sun Sep 2 00:00:00 2012
1346635892 : 0 | | Mon Sep 3 01:31:32 2012
1346727784 : 96 |**************************************************| Tue Sep 4 03:03:04 2012
1346819676 : 10 |****** | Wed Sep 5 04:34:36 2012
1346911568 : 0 | | Thu Sep 6 06:06:08 2012
1347003460 : 11 |****** | Fri Sep 7 07:37:40 2012
1347095352 : 0 | | Sat Sep 8 09:09:12 2012
1347187244 : 0 | | Sun Sep 9 10:40:44 2012
1347279136 : 0 | | Mon Sep 10 12:12:16 2012
1347371028 : 0 | | Tue Sep 11 13:43:48 2012
1347462920 : 0 | | Wed Sep 12 15:15:20 2012


|-----------cr_time Histogram----------------- after -------------------- Sun Sep 2 00:00:00 2012
1346635892 : 0 | | Mon Sep 3 01:31:32 2012
1346727784 : 2 |* | Tue Sep 4 03:03:04 2012
1346819676 : 14 |* | Wed Sep 5 04:34:36 2012
1346911568 : 0 | | Thu Sep 6 06:06:08 2012
1347003460 : 1207 |**************************************************| Fri Sep 7 07:37:40 2012
1347095352 : 0 | | Sat Sep 8 09:09:12 2012
1347187244 : 0 | | Sun Sep 9 10:40:44 2012
1347279136 : 0 | | Mon Sep 10 12:12:16 2012
1347371028 : 0 | | Tue Sep 11 13:43:48 2012
1347462920 : 0 | | Wed Sep 12 15:15:20 2012
ext4magic : EXIT_SUCCESS

--

I then tried (using ext4magic 0.3.0);
ext4magic /dev/sda1 -m -a 1346544000 -d media/recoverext4/recover

It runs a moment but no recovery.

Can you tell what the problem is from the above?

Thanks.
 
Old 09-12-2012, 02:29 PM   #19
robi1
LQ Newbie
 
Registered: Sep 2012
Posts: 10

Rep: Reputation: Disabled
Quote:
Originally Posted by ambivalent View Post
It runs a moment but no recovery.
Can you tell what the problem is from the above?
There is nothing to recover.
Between 6. Sep and 7. Sep you have more than 1200 newly created files, and some more have been changed. So you have overwritten the blocks and metadata of the deleted files.

All tools for recovering deleted files on most filesystems, and all howtos, have a notice like this:
Protect your file system from further write access, or create a copy of the file system and try to recover the files from the copy. Why do you think that is?

Damaged ecryptfs files are not usable. I think nobody can help you to recover the deleted files on this filesystem.

robi1
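
The reading of the histograms given in posts #16 and #19, as a script. This is an added example, not part of the thread or of ext4magic; the function names are hypothetical and the parser assumes the line format shown in post #18.

```shell
#!/bin/sh
# Added example: triage `ext4magic -H` output before attempting recovery.

# Reads histogram text on stdin. Prints "<peak_delete_bucket> <later_creates>":
# the d_time bucket with the most deletions, and the number of inodes whose
# cr_time falls in any later bucket (writes that can reuse freed blocks).
late_creates() {
    awk '
        /c_time Histogram/  { sec = "c";  next }
        /d_time Histogram/  { sec = "d";  next }
        /cr_time Histogram/ { sec = "cr"; next }
        $1 ~ /^[0-9]+$/ && $2 == ":" {
            if (sec == "d")  del[$1] = $3 + 0
            if (sec == "cr") cre[$1] = $3 + 0
        }
        END {
            for (t in del) if (del[t] > max) { max = del[t]; peak = t }
            if (peak == "") { print "none 0"; exit }
            for (t in cre) if (t + 0 > peak + 0) late += cre[t]
            print peak, late + 0
        }'
}

# Sample input: d_time and cr_time rows taken from post #18 (bars shortened).
sample_histogram() {
    cat <<'EOF'
|-----------d_time Histogram----------------- after -------------------- Sun Sep 2 00:00:00 2012
1346635892 : 0 | | Mon Sep 3 01:31:32 2012
1346727784 : 96 |**********| Tue Sep 4 03:03:04 2012
1346819676 : 10 |****** | Wed Sep 5 04:34:36 2012
1347003460 : 11 |****** | Fri Sep 7 07:37:40 2012
|-----------cr_time Histogram----------------- after -------------------- Sun Sep 2 00:00:00 2012
1346727784 : 2 |* | Tue Sep 4 03:03:04 2012
1346819676 : 14 |* | Wed Sep 5 04:34:36 2012
1347003460 : 1207 |**********| Fri Sep 7 07:37:40 2012
EOF
}

sample_histogram | late_creates
```

A large second number means many inodes were created after the delete burst, which is the condition described above as "nothing to recover".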
 
Old 09-13-2012, 02:29 AM   #20
ambivalent
LQ Newbie
 
Registered: Sep 2012
Posts: 12

Original Poster
Rep: Reputation: Disabled
Oh no.

I know you can't write to the drive at all, and was careful not to.
I suppose it was attempting recovery using photorec that did this.
Or maybe I made a mistake along the way?

I couldn't save a copy of the drive as I don't have a drive big enough... I should have bought one with hindsight.

Total bummer.


I guess my only hope is the files that I did recover using photorec, although I couldn't find how to convert those back to usable files.
I'll research this further.

Robi, thanks very much for your assistance.
I appreciate your taking the time, and your patience with my inexpertise.

Thanks also Laocoon, for your help.

Last edited by ambivalent; 09-13-2012 at 03:01 AM.
 
Old 09-13-2012, 01:20 PM   #21
robi1
LQ Newbie
 
Registered: Sep 2012
Posts: 10

Rep: Reputation: Disabled
Quote:
Originally Posted by ambivalent View Post
I guess my only hope is the files that I did recover using photorec, although I couldn't find how to convert those back to usable files.
I'll research this further.
The result of photorec should include some (or a lot of) undamaged ecryptfs files.
But you need either a copy of your ecryptfs passphrase or of the wrapped-passphrase.
From the one you can create the other and vice versa. If you do not have a backup of one, it ends here.
Identifying these files in the waste of photorec is impossible for a novice.

If you have a backup of passphrase or wrapped-passphrase and your password, you can try.

  • create a new user.
  • in the home of this user create the directories ".Private" "Private" and ".ecryptfs"
  • copy all recovered ecryptfs files to the ".Private" folder
  • Then create the files in ".ecryptfs" (you need only 5 files; you can find documentation if you search in the Ubuntu wikis). The files: "auto-mount" "auto-umount" "Private.mnt" "Private.sig" "wrapped-passphrase"

Then it should be possible to run "ecryptfs-mount-private", and you can try to find your lost and restored files in the "Private" directory. If you are doing this for the first time by hand, it may be somewhat difficult. I know. But it works. ;-)
You can find some Ubuntu howtos.

robi1

Last edited by robi1; 09-13-2012 at 01:40 PM.
 
Old 09-14-2012, 05:04 AM   #22
ambivalent
LQ Newbie
 
Registered: Sep 2012
Posts: 12

Original Poster
Rep: Reputation: Disabled
Thank you, Robi, once again.
Without people like yourself, generous enough to assist others, Linux life would not be so do-able.

Also my thanks to those running this forum for their efforts.

I've been on Kubuntu since 2006, I'm completely self-taught, and a designer by training, without guys like you I would be stuck with the (crappy) corporate options.

--

I know the password.
But I can find no backup of the ecryptfs passphrase or of the wrapped-passphrase - although I do have an *old* backup of the lost home directory - which presumably had the same .ecryptfs data.
I think that my rsync backup must not have been backing up directory symlinks, like .Private and .ecryptfs.
So, I guess, I'm stuffed.

It seems to me pretty suspect that the required ecryptfs passwords are stored outside of one's home folder... I didn't know I needed to back anything more than the home folder up to maintain a safe copy of all my files.
Turns out I needed to backup from outside the home folder too.
I would think this is a potential pitfall for anyone choosing the option to encrypt their home folder on installation of (k)ubuntu.
I certainly won't be choosing that option again.

--

Thanks again, Robi.
If you let me have a bitcoin address, I'd be delighted to send you the cost of a coffee or a beer or whatever...?
 
Old 09-14-2012, 10:01 AM   #23
robi1
LQ Newbie
 
Registered: Sep 2012
Posts: 10

Rep: Reputation: Disabled
Quote:
Originally Posted by ambivalent View Post
I know the password.
But I can find no backup of the ecryptfs passphrase or of the wrapped-passphrase - although I do have an *old* backup of the lost home directory - which presumably had the same .ecryptfs data.
I think that my rsync backup must not have been backing up directory symlinks, like .Private and .ecryptfs.
So, I guess, I'm stuffed.

It seems to me pretty suspect that the required ecryptfs passwords are stored outside of one's home folder... I didn't know I needed to back anything more than the home folder up to maintain a safe copy of all my files.
Turns out I needed to backup from outside the home folder too.
I would think this is a potential pitfall for anyone choosing the option to encrypt their home folder on installation of (k)ubuntu
The configs for home ecryptfs are in the directory:
Code:
/home/.ecryptfs/<Username>/.ecryptfs
There you can find the following files.
Code:
auto-mount  (Null-Byte File)
auto-umount (Null-Byte File)
Private.mnt (the mount-point, typical /home/<Username>)
Private.sig 
wrapped-passphrase 
.wrapped-passphrase.recorded (Null-Byte File)
You should create or have a backup of the passphrase or the wrapped-passphrase file.
This is very important.
All other files in this directory can be created by commands. And also the password must be known (or you need the password-file or sslkey-file).


"Private" is only an encrypted directory. This is very suitable for recovery attempts.
The same config files, but "/home/<Username>/.ecryptfs"
Directories in different versions can differ slightly, i.e. "/home/.ecryptfs/<Username>/.Private/"

Quote:
Originally Posted by ecryptfs faq
Q: I forgot my password/lost my key! What can I do to recover my data?

Nothing; you're screwed. (Apologies to Bruce Schneier).

If you have forgotten your passphrase, your only hope is that you chose a weak passphrase in the first place. There is an outside chance that you might be able to perform a successful dictionary attack to recover your passphrase. If you manage to recover your passphrase that way, then you may as well have not been bothering to encrypt your data in the first place, since a malicious attacker could have done the exact same thing to recover your passphrase.

If you selected a strong passphrase or lost your key file, you are completely out of luck. Nobody can help you recover your data.
robi1

Last edited by robi1; 09-14-2012 at 10:17 AM.
 
1 members found this post helpful.
Old 09-17-2012, 03:51 AM   #24
ambivalent
LQ Newbie
 
Registered: Sep 2012
Posts: 12

Original Poster
Rep: Reputation: Disabled
Yes, I see that when viewing a similar set-up on a different laptop.
/home/.ecryptfs/<Username>/.ecryptfs is a symlink to directory;
/home/.ecryptfs

My old backup was saving /home/<Username> , and not saving symlinks or their target directories.

So I don't have the required directory ...
Woe is me.

--

Thanks man, Robi, for your efforts.

Last edited by ambivalent; 09-17-2012 at 04:00 AM.
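
A check for the backup gap this thread ends on, as an added example that is not part of any post. It assumes the usual Ubuntu encrypted-home layout, in which `~/.ecryptfs` and `~/.Private` are symlinks into `/home/.ecryptfs/<Username>/`; the function names, the user "alice" and the file contents are made up for the demo.

```shell
#!/bin/sh
# Added example: audit a backup root for eCryptfs key material.
# Layout assumption: ~/.ecryptfs and ~/.Private are symlinks into
# /home/.ecryptfs/<Username>/ (usual Ubuntu encrypted-home layout).

# Print every symlink under ROOT whose target is dangling or outside ROOT.
escaping_symlinks() {
    root=$(readlink -f "$1") || return 1
    find "$root" -type l | while IFS= read -r link; do
        target=$(readlink -f "$link") || target="(dangling)"
        case "$target" in
            "$root"|"$root"/*) ;;   # target is inside the tree being backed up
            *) printf '%s -> %s\n' "${link#"$root"/}" "$target" ;;
        esac
    done
}

# Succeed only if the key files are stored inside ROOT itself, non-empty.
key_material_in_tree() {
    root=$(readlink -f "$1") || return 1
    for f in wrapped-passphrase Private.sig; do
        p=$(readlink -f "$root/.ecryptfs/$f") || return 1
        case "$p" in
            "$root"/*) [ -s "$p" ] || return 1 ;;
            *) return 1 ;;          # resolves outside ROOT: not in the backup
        esac
    done
}

# Constructed demo tree (user "alice" and all file contents are made up).
build_demo() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/home/.ecryptfs/alice/.ecryptfs" \
             "$d/home/.ecryptfs/alice/.Private" "$d/home/alice"
    echo dummy-wrapped > "$d/home/.ecryptfs/alice/.ecryptfs/wrapped-passphrase"
    echo dummy-sig     > "$d/home/.ecryptfs/alice/.ecryptfs/Private.sig"
    ln -s ../.ecryptfs/alice/.ecryptfs "$d/home/alice/.ecryptfs"
    ln -s ../.ecryptfs/alice/.Private  "$d/home/alice/.Private"
    cp -R -P "$d/home/alice" "$d/backup-links"   # symlinks copied as links
    cp -R -L "$d/home/alice" "$d/backup-deref"   # symlink targets copied
    echo "$d"
}
# Usage: escaping_symlinks /home/<Username>; key_material_in_tree /path/to/backup
```

Run `escaping_symlinks` against the directory being backed up and `key_material_in_tree` against the finished backup; a non-zero exit from the second means `wrapped-passphrase` or `Private.sig` is not actually stored in that copy.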
 
  


All times are GMT -5. The time now is 06:58 AM.
