LinuxQuestions.org
Register a domain and help support LQ
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Software
User Name
Password
Linux - Software This forum is for Software issues.
Having a problem installing a new program? Want to know which application is best for the job? Post your question in this forum.

Notices


Reply
  Search this Thread
Old 06-14-2003, 11:06 AM   #1
Korff
Member
 
Registered: May 2003
Location: Central Florida
Distribution: Gentoo
Posts: 103

Rep: Reputation: 15
Recovering deleted data


Ok, here's the situation. I have 2 computers, each dual booting Windows and Linux. Crucial data was stored on pc#1's Windows partition. I wanted to upgrade pc#1's Windows from 98 to XP, but being a Microsoft operating system, my Win98 was messed up pretty bad and I wanted a clean install. I backed up all the crucial data (the whole damn hard drive, actually) onto PC#2's Linux partition. I then formatted pc#1 Windows from FAT32 to NTFS (destroying all data) and installed XP.
PC#2's Linux partition is XFS, running Mandrake.

I went to PC#2 to get the crucial data I backed up there, Boom, kernel panic - no init found. I put off the task of fixing it for a while and then what do you know, a friend that I had previously asked to put Redhat on PC#2 comes over. He does, and during the install, formats the PC#2 Linux partition to ext3 and installs Redhat.

Is there any way I can recover the data? It's very important =/ There was a whole lotta crap on PC#2's Linux partition so the backed up crucial data is probably not overwritten. The question is, it was written when the partition was XFS and then it was formatted to ext3...

Last edited by Korff; 06-14-2003 at 11:10 AM.
 
Old 06-14-2003, 11:57 AM   #2
mad_ady
Member
 
Registered: Jan 2003
Location: I'm all in your mind!
Distribution: Debian
Posts: 248

Rep: Reputation: 30
It's quite messy... I'm not sure if it's possible to salvage anything, but try this (as a last resort)...
Move the harddisk from pc#2 to another linux system with a lot of free space (about the size of your pc#2 harddisk). Then make binary copies (with dd) of your new partitions to another drive. You MAY be able to browse (or scan with grep) through those files and find something usefull... Mainly text (plain text).... However, your files may have been fragmented and it would be almost impossible to put them back together...

I'm not sure if formatting a drive to ext3 would erase its contents. I guess not because it would be too lenghty....

Good luck. See if you can get better solutions... I tried something like this, because I had to recover 200Mb of documents (*.doc) from a corrupted fat system. The first thing I did was to backup the whole thing (2Gb) on another system, and then run M$ scandisk. Fortunatelly for me, scandisk was able to recover most of the information and I didn't have to scavange around to get it!

The best of luck to you!
 
Old 06-14-2003, 11:59 AM   #3
mad_ady
Member
 
Registered: Jan 2003
Location: I'm all in your mind!
Distribution: Debian
Posts: 248

Rep: Reputation: 30
I just remembered something... There may be another way, but it will cost you! You can go to a special company that salvages information from destroyed disks. Maybe they can help you...
 
Old 06-14-2003, 02:20 PM   #4
Korff
Member
 
Registered: May 2003
Location: Central Florida
Distribution: Gentoo
Posts: 103

Original Poster
Rep: Reputation: 15
Looks like I might be able to get it back. =D

Anyway, here's a graphical representation of my HD at time of format, and now:

http://www.geocities.com/notadruid/hd.html

Looks pretty promising.

I've got a few questions so I can maximize my chances of getting my data back.

I have the mandrake disks and can reinstall mandrake and format it back to XFS. Should I?

Are there any undelete tools that can look this deep?

Can I shrink the partition a few gigs before making the binary image without lowering my chances or recovery? The Linux partition is about 40gb and my largest other hard drive's total capacity is 40gb (Ironically, it's also PC#1, but I don't mind wiping it out again since there's nothing on it). I would need Linux on PC#1 and the image so it'd be really tight.
 
Old 06-14-2003, 03:28 PM   #5
mad_ady
Member
 
Registered: Jan 2003
Location: I'm all in your mind!
Distribution: Debian
Posts: 248

Rep: Reputation: 30
If you format that zone again, you'll only lower your chances of finding anything usefull there...
Reinstalling Mandrake on the same partition doesn't guarrantee that everything will go back into place like the first time...

Because you have multiple partitions you can backup only the partion you want (in this case, the one with linux on it).

You can backup only the zone that you know contained your data! ARE YOU SURE it was in that red zone? If it was indeed, you can only backup up to a point... Let's say the data you want to recover is about 1GB. You could guess the start point of where the data used to be and copy 1GB from there. Use dd. Read the manual. It does miracles.

Question: What kind of data did you have? Plain text or binary? (avi, mp3, exe, doc, zip, etc..)? If it's binary it will be EXTREMELY difficult to salvage anything usefull... You'd have to search for headers and to know where the file's end is and PRAY that the system wasn't fragmented!

Tip: Any modifications you make should not be done on that linux filesystem. This way, if anything goes wrong, you can always get another copy or take the disk to proffesionals, so that they can retreive the information...

GOOD LUCK!
And keep me posted... I'm curious if it can be done!
 
Old 06-14-2003, 06:19 PM   #6
Korff
Member
 
Registered: May 2003
Location: Central Florida
Distribution: Gentoo
Posts: 103

Original Poster
Rep: Reputation: 15
Good news:
The whole ordeal happened on the same day, so I'm positive that the data isn't fragmented.

I am also sure that all the data is in the first 20GB of the partition.

However, there is some bad news too:
The files I'm trying to recover are binary (the most important things are jpeg images)

I am still a noob at linux. How can I tell dd to make the image onto my other hard drive? Do I disconnect the drive I'm trying to recover from and attach it to PC#1 and make the image onto the drive there?
man dd and info dd just added some confusion. I'm thinking that you can tell me what to type since I'd probably mess everything up.
 
Old 06-15-2003, 06:14 AM   #7
mad_ady
Member
 
Registered: Jan 2003
Location: I'm all in your mind!
Distribution: Debian
Posts: 248

Rep: Reputation: 30
You might be in luck if they are jpeg. They must have some kind of header that can be easily detected. Maybe in the header is some reference to the size of the image. If not, you could (in theory) copy from header #1 to header #2 then from header #2 to header #3 and so on... This can be done by grep, but it's too complex and I don't know how to do this (maybe from a shell script or something...).

Now, first of all you must create a copy of that info...
To do this you must have a running linux, prefferably not the linux on the partition you're trying to salvage... You can move the disk, or boot from a knoppix cd (if you have one)...
Let's say you've moved the disk to another pc. Connect it as master slave (this means that it's hdb). Boot the pc and run a linux from its primary disk (hda)

Prepare the destination ... Make sure you have enough free space + some margin of error.
Issue this command :
Code:
dd if=/dev/hdb2 of=/path/to/destination bs=1 skip=3G count=2G
where
hdb2 is the partition you want to salvage. This means it's the second primary partition on the primary slave disk

/path/to/destination is where you want to put the copy. You'd want this in a place where you have enough space (preferably not on /dev/hdb2)!

bs = block size (1b) - it will be VERY slow, but it MIGHT work ok

skip=3G skips the first 3Gb from the source... Change 3Gb with the size you estimate your old linux was ocupying...

count=2G the size you want salvaged (2Gb*1b)

WARNING: after you issue the command, you won't see any output untill it finishes. It may take from 2 minutes to 2 hours! It's hard to say. So be pacient...

What you should do in the mean time:
1. Pray!
2. Periodically check the destinations size... If it excedes 2G it means the command didn't function as planned, and you can stop dd by pressing CTRL+C

If it stops, and the output is 2G it means it worked fine. Make another backup and read the manual of grep. It's much more complicated than dd, but you may have a chance!

Good luck
& keep me posted
 
Old 06-15-2003, 06:51 AM   #8
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,331
Blog Entries: 55

Rep: Reputation: 3529Reputation: 3529Reputation: 3529Reputation: 3529Reputation: 3529Reputation: 3529Reputation: 3529Reputation: 3529Reputation: 3529Reputation: 3529Reputation: 3529
You might be in luck if they are jpeg. They must have some kind of header that can be easily detected.
Have a look at FIRE/Biatchux (what's in a name). It's THE forensics/recovery cdrom and comes loaded with TCT, so you got all the tools to recover files on one disk.
If you're looking for a header-based recovery tool, search sourceforge for "foremost", that tool fits the description 100 percent.

These are advanced tools, so if you use them you better read the docs before you start.
 
Old 06-15-2003, 07:22 AM   #9
mad_ady
Member
 
Registered: Jan 2003
Location: I'm all in your mind!
Distribution: Debian
Posts: 248

Rep: Reputation: 30
Cool! I didn't know about them! Kroff, it looks like it's your lucky day!
 
Old 06-15-2003, 08:52 AM   #10
Korff
Member
 
Registered: May 2003
Location: Central Florida
Distribution: Gentoo
Posts: 103

Original Poster
Rep: Reputation: 15
Ah, I do have a Knoppix cd (and Linux loaded on PC#1), and that header info looks promising.

Gonna do the command tonight and teach myself grep. The thing is, the only thing I know about grep at the moment is that it searches for text within a file. And that might not be correct, even! Looks like I've got some reading to do.

One more thing: Any programs or such I can run under Windows?

The original HD might have its information somewhere on the drive. Similar story, new filesystem (destructive format of FAT32->NTFS5), new operating system (win98->winxp), and data probably not overwritten. No idea about fragmentation of original drive though. While it seems like it would not have as good chances as the linux partition on PC#2, it's worth a shot.

Thanks guys! I'l tell you how it worked out tomorrow.

Note to self: From now on, make TWO backups AND have one of them removable media, and TEST it!

Last edited by Korff; 06-15-2003 at 08:54 AM.
 
Old 06-15-2003, 09:26 AM   #11
mad_ady
Member
 
Registered: Jan 2003
Location: I'm all in your mind!
Distribution: Debian
Posts: 248

Rep: Reputation: 30
It is possible that the original info is somewhere on pc#1, but with ntfs... i really don't know. You can try this... Get Easy Recovery (from ontrack) and it will find deleted files. I know it works on fat and fat32, but I haven't got a clue if it works under ntfs too... (Tell me if it works). Also, I don't know if it can get anything out of formated disks... I think it relies on fat tables, and by format, these are wiped clean... but I don't know for sure... You can try it!
 
Old 06-22-2003, 07:17 PM   #12
Korff
Member
 
Registered: May 2003
Location: Central Florida
Distribution: Gentoo
Posts: 103

Original Poster
Rep: Reputation: 15
Cross one option off.

Booted from knoppix cd (Finally got it back - was introducing someone to Linux and let him borrow it for a week) and could read from both hd's just fine, but as soon as I did the dd command I got permission denied. You can't be root in knoppix anyway, I believe. I logs you in automatically as "knoppix"

Tonight I'll try booting off of one hd and attaching the one to create the binary dump from on the slave channel.

Barring that, I'll try the FIRE link.



..And you thought this topic died!!
 
Old 06-22-2003, 07:36 PM   #13
Steve Cronje
Member
 
Registered: Jan 2003
Location: Canada
Distribution: Ubuntu, Mepis, Debian
Posts: 158

Rep: Reputation: 30
Quote:
Originally posted by Korff
Cross one option off.

...You can't be root in knoppix anyway, I believe. I logs you in automatically as "knoppix"
Hey, Korff

Not so, as I understand. Just log in at a terminal ( Ctrl-Alt-F2, eg) and your are logged in as root. Just do "whoami"

HTH
Steve
 
Old 06-23-2003, 02:58 AM   #14
mad_ady
Member
 
Registered: Jan 2003
Location: I'm all in your mind!
Distribution: Debian
Posts: 248

Rep: Reputation: 30
You can issue root commands from any terminal like this:
Code:
sudo dd....
Keep us posted
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Ugent:help recovering deleted data kushalkoolwal Debian 9 12-02-2005 12:21 AM
Recovering deleted files?? DaFrEQ Linux - General 8 09-17-2005 01:28 PM
recovering deleted files saipraveen Linux - Newbie 1 06-16-2005 12:00 PM
Recovering deleted Data in Redhat 9 linuxeagle Linux - Networking 0 05-29-2004 01:33 PM
Recovering Deleted Files Brian of Gep Linux - Newbie 1 03-02-2004 03:26 AM


All times are GMT -5. The time now is 06:41 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration