LinuxQuestions.org

Recovery of data from encrypted partition (https://www.linuxquestions.org/questions/slackware-14/recovery-of-data-from-encrypted-partition-4175445571/)

Phorize 01-15-2013 03:05 AM

This is going to come across as a very strange question, but what happens if I use the cfdisk on the slackware dvd to rewrite the partition table precisely as I did before?

TobiSGD 01-15-2013 06:12 AM

This looks like a valid bootrecord. Have you tried just mounting your partitions? What is the output of
Code:

fdisk -l

Phorize 01-15-2013 06:30 AM

Quote:

Originally Posted by TobiSGD (Post 4870468)
This looks like a valid bootrecord. Have you tried just mounting your partitions? What is the output of
Code:

fdisk -l

Code:

fdisk -l
Gives
Code:

Disk /dev/sda: 500.1 GB, 500107862016 bytes
255 heads, 63 sectors/track, 60801 cylinders, total 976773168 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 4096 bytes
I/O size (minimum/optimal): 4096 bytes / 4096 bytes
Disk identifier: 0x00000000

  Device Boot      Start        End      Blocks  Id  System


GazL 01-15-2013 07:47 AM

Do a
Code:

dd if=/dev/sda | hexdump -C | grep 'LUKS'
(you can probably cancel this fairly early on as it should be within the first couple of hundred MB if what you say about your layout is accurate)

If you don't see a line starting with the characters "LUKS" then your LUKS header is gone and whatever else has happened to the drive really doesn't matter.

unSpawn 01-15-2013 07:52 AM

Quote:

Originally Posted by kristizz (Post 4870045)
testdisk doesn't find anything.

Please run testdisk again as
Code:

testdisk /debug /log /dev/sda
Have it do a search and attach the resultant "testdisk.log" as a plain text file.

GazL 01-15-2013 07:58 AM

unSpawn, does testdisk detect LUKS headers? I didn't see any mention of it on its website.

unSpawn 01-15-2013 08:08 AM

AFAIK no. The only reason why I would want the PT restored is to have a boundary for running 'isLuks'. One could look for
Code:

#define LUKS_MAGIC {'L','U','K','S', 0xba, 0xbe};
(http://code.google.com/p/cryptsetup/wiki/Specification -> http://code.google.com/p/cryptsetup/...9584a05f81f#51). Also see http://code.google.com/p/cryptsetup/...AskedQuestions.

Phorize 01-15-2013 08:52 AM

Quote:

Originally Posted by GazL (Post 4870536)
Do a
Code:

dd if=/dev/sda | hexdump -C | grep 'LUKS'
(you can probably cancel this fairly early on as it should be within the first couple of hundred MB if what you say about your layout is accurate)

If you don't see a line starting with the characters "LUKS" then your LUKS header is gone and whatever else has happened to the drive really doesn't matter.

Code:

dd if=/dev/sda | hexdump -C | grep 'LUKS'
gives

Code:

1de41bb20  b7 01 4c 55 4b 53 af 44  31 72 fa 19 f6 54 d4 6b  |..LUKS.D1r...T.k|

rknichols 01-15-2013 09:09 AM

You have obviously not re-zeroed the MBR since you still show data beginning at address 0. Easiest thing to do is just skip over the first megabyte and see how much of the rest of the drive got zeroed:
Code:

dd if=/dev/sda bs=1M skip=1 | hexdump | head
You'll then need to add 1 megabyte (0x100000) to the address of that first non-zero line to see where your remaining data begins.

Phorize 01-15-2013 09:31 AM

[QUOTE=kristizz;4870578]
Code:

dd if=/dev/sda | hexdump -C | grep 'LUKS'
continued running and gives:

Code:

1de41bb20  b7 01 4c 55 4b 53 af 44  31 72 fa 19 f6 54 d4 6b  |..LUKS.D1r...T.k|
26d09d8d0  ed 5d 63 45 1f 7f b6 61  8e a2 4c 55 4b 53 49 64  |.]cE...a..LUKSId|
364edab20  7e 17 8e b3 fd 34 ae af  4c 55 4b 53 07 91 0b 54  |~....4..LUKS...T|


GazL 01-15-2013 09:31 AM

Quote:

Originally Posted by kristizz (Post 4870578)
Code:

dd if=/dev/sda | hexdump -C | grep 'LUKS'
gives

Code:

1de41bb20  b7 01 4c 55 4b 53 af 44  31 72 fa 19 f6 54 d4 6b  |..LUKS.D1r...T.k|

Hmm... I don't think that's it. It's about 8GB into your disk, 290 characters into a sector and it's not followed by the 0xba, 0xbe one would expect to see.
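
Added example (not posted by anyone in the thread, and not cryptsetup's own code): a scanner that applies the two checks discussed above, the full six-byte magic and a position at the start of a sector, then decodes the first LUKS1 header fields. It assumes the header begins on a 512-byte sector boundary; the test image is constructed, except for the eight bytes copied from the grep hit quoted above.

```python
import io
import struct

SECTOR = 512
LUKS_MAGIC = b"LUKS\xba\xbe"  # full 6-byte magic, not just the ASCII "LUKS"
# Start of the LUKS1 on-disk header (big-endian): magic, version, cipher name,
# cipher mode, hash spec, payload offset in sectors, master key length.
PHDR = struct.Struct(">6sH32s32s32sII")


def _text(raw):
    """Decode a NUL-padded ASCII header field."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def scan_luks_headers(stream, chunk_sectors=2048):
    """Yield (byte_offset, info) for every sector that starts with LUKS_MAGIC."""
    offset = 0
    while chunk := stream.read(chunk_sectors * SECTOR):
        for pos in range(0, len(chunk), SECTOR):
            sector = chunk[pos:pos + SECTOR]
            if len(sector) < PHDR.size or not sector.startswith(LUKS_MAGIC):
                continue  # mid-sector "LUKS" strings never reach this point
            _, version, cipher, mode, hash_spec, payload, key_bytes = \
                PHDR.unpack_from(sector)
            info = {"version": version}
            if version == 1:  # field layout below is LUKS1-specific
                info.update(cipher=_text(cipher), mode=_text(mode),
                            hash=_text(hash_spec), payload_sector=payload,
                            key_bytes=key_bytes)
            yield offset + pos, info
        offset += len(chunk)


def build_sample_image():
    """Constructed 4-sector test image (not data from the thread's disk)."""
    img = bytearray(4 * SECTOR)
    # Sector 1: the 8 bytes from the thread's grep hit, 288 bytes into a sector.
    img[SECTOR + 288:SECTOR + 296] = bytes.fromhex("b7014c554b53af44")
    # Sector 2: a minimal, made-up LUKS1 header start.
    img[2 * SECTOR:2 * SECTOR + PHDR.size] = PHDR.pack(
        LUKS_MAGIC, 1, b"aes", b"xts-plain64", b"sha1", 4096, 64)
    # Sector 3: "LUKS" at a sector boundary but without the 0xba 0xbe bytes.
    img[3 * SECTOR:3 * SECTOR + 6] = b"LUKSId"
    return bytes(img)


if __name__ == "__main__":
    for off, info in scan_luks_headers(io.BytesIO(build_sample_image())):
        print(f"{off:#x} (sector {off // SECTOR}): {info}")
```

To scan a real disk, pass a read-only handle such as `open("/dev/sda", "rb")` in place of the in-memory image.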

Phorize 01-15-2013 09:57 AM

Quote:

Originally Posted by rknichols (Post 4870592)
You have obviously not re-zeroed the MBR since you still show data beginning at address 0. Easiest thing to do is just skip over the first megabyte and see how much of the rest of the drive got zeroed:
Code:

dd if=/dev/sda bs=1M skip=1 | hexdump | head
You'll then need to add 1 megabyte (0x100000) to the address of that first non-zero line to see where your remaining data begins.

Code:

dd if=/dev/sda bs=1M skip=1 | hexdump | head
gives:

Code:

0000000 0000 0000 0000 0000 0000 0000 0000 0000
*
61e5000 4387 4e9c 5bab 1ec4 25b8 1ac7 4bb2 30a1
61e5010 726b 0969 c203 6937 9c9c 1010 4a06 e133
61e5020 2719 6dfc 2bfb 7874 24aa e053 a94b c68d
61e5030 a90d 2ce5 1572 7fd4 6cf8 3c61 de51 de71
61e5040 7de8 dca1 2bd0 072b f06e f9e0 c53a 5cc0
61e5050 e61f e091 b17b 5aa5 221f 3095 8af9 e83a
61e5060 922d d813 9a40 d4a0 dae6 39a9 d8ec 67da
61e5070 4f72 0e77 3b9f 9714 8f73 d701 1eef 830f


Phorize 05-13-2013 01:42 AM

I just wanted to say a big thank you to those of you who helped out on this. I wasn't able to locate the partition in the end and ran out of time due to the arrival of my baby daughter. Fortunately I was able to use testdisk to recover the files from my wife's external hard drive; she had forgotten that they had been backed up on there a while ago and then deleted, but it looks like they were never overwritten.


All times are GMT -5.