Urgent. Need to recover a partition
 

First, here is a link to the problems I was having that led to MY error.

http://www.linuxquestions.org/questi...70#post2840070


Now to make a long story short, I accidentally in the terminal, put in mkswap /dev/sda1. I meant to put in mkswap /dev/hda1. At the time I did this /dev/sda1 was mounted to /media/disk. I did not format it or delete it and make a swap, I just put in mkswap /dev/sda1.

I need that back, all of the information on that partition. How do I do this? Gparted is telling me that it sees it as a swap partition with free space.

I am pissed. If it wasn't for the idiotic problems I was having with the Ubuntu swap and uuid then I wouldn't have had to do anything and in turn make an idiotic mistake like this.

I am doing some research now. I have installed TestDisk and PhotoRec. Now since I only did mkswap and did not format that partition as swap before that, is it possible I just screwed up the partition table and not the actual information, even though gparted is telling me that it is all freespace?

I am using testdisk to analyze /dev/sda1 I will add an edit here with the results. I never did this before and after making that one letter mistake (S and H are not even next to each other on the damn keyboard,) I am very worried about doing anything. So any help would be greatly appreciated. Also no one worry. If you offer help and it still doesn't work, etc, it was my fault to begin with, concerning /dev/sda1, and that is where any blame lies.

EDIT: After I posted this I checked (2) with the P option and all my files and folders are there. So Should I select L next and Load Back Up?
Edit: Edit: I choose the Load Back Up, L, and there is nothing there. All my files and folders are there, so I need to this in order.

Ok this is what got when I analyzed /dev/sda,

(((I added the numbers 1-5)))

I am guessing that (2) is what I need to restore? (1) is what I currently have. Also I have XP on a partition that it did not pick up, and I could care less about loosing that partition. I don't use XP for much other then games now a days.

Disk /dev/sda - 160 GB / 149 GiB - CHS 19457 255 63
Partition Start End Size in sectors
(1)D Linux Swap 0 1 1 16214 254 63 260493912
(2)D Linux 0 1 1 16214 254 63 260493912
(3)* FreeBSD 16215 0 1 17744 254 63 24579450
(4)D Linux 17745 0 1 19456 254 63 27503280
(5)D Linux 17867 0 1 19456 254 63 25543350



(1)
Structure: Ok. Use Up/Down Arrow keys to select partition.
Use Left/Right Arrow keys to CHANGE partition characteristics:
*=Primary bootable P=Primary L=Logical E=Extended D=Deleted
Keys A: add partition, L: load backup, T: change type,
Enter: to continue
SWAP2 version 1, 133 GB / 124 GiB


(2)
Structure: Ok. Use Up/Down Arrow keys to select partition.
Use Left/Right Arrow keys to CHANGE partition characteristics:
*=Primary bootable P=Primary L=Logical E=Extended D=Deleted
Keys A: add partition, L: load backup, T: change type, P: list files,
Enter: to continue
EXT3 Large file Sparse superblock Backup superblock, 133 GB / 124 GiB

(3)
Structure: Ok. Use Up/Down Arrow keys to select partition.
Use Left/Right Arrow keys to CHANGE partition characteristics:
*=Primary bootable P=Primary L=Logical E=Extended D=Deleted
Keys A: add partition, L: load backup, T: change type,
Enter: to continue
12 GB / 11 GiB

(4)
Structure: Ok. Use Up/Down Arrow keys to select partition.
Use Left/Right Arrow keys to CHANGE partition characteristics:
*=Primary bootable P=Primary L=Logical E=Extended D=Deleted
Keys A: add partition, L: load backup, T: change type, P: list files,
Enter: to continue
EXT3 Large file Sparse superblock Recover, 14 GB / 13 GiB


(5)
Structure: Ok. Use Up/Down Arrow keys to select partition.
Use Left/Right Arrow keys to CHANGE partition characteristics:
*=Primary bootable P=Primary L=Logical E=Extended D=Deleted
Keys A: add partition, L: load backup, T: change type, P: list files,
Enter: to continue
EXT3 Large file Sparse superblock, 13 GB / 12 GiB

Ok. I am really lost now. I can analyze the partition like I said and it shows all my files and folders there. But I have no idea how to get them back. It seems that I just overwrote the partition table and not the actual data. I could really use some help here, lol.

Mmmmm - testdisk is for restoring deleted partitions. It scans the disk looking for "eyecatchers" that indicate (possible) partition begin/end.
But it only updates the partition table.

What you did was wipeout the beginning of the partition - the filesystem meta-data. The files themselves are likely to still be there - most if not all. I did a quick test, and mkswap only appears to smash the first 4k - to build a map of the swapspace, and write an id at the end. Even most of that 4k looks to be mostly untouched (been a while since I looked at the mkswap code though, so this is just observation).

You need a tool to scan for file "eyecatchers" - photorec would be a good start, then you might have to use a forensic tool like Foremost. Will take a while (as in days possibly) - ext2/3 is probably best supported; I've had very little luck trying to recover NTFS.

After I analyzied sda1 I looked at the (2) and I checked all the files and folders. They do appear to be there. Let me try what you suggested. I ran photorec to restore data but it was just extracting data, ex. videos, and putting them somewhere else (I told it in the /home/mydirectory/) The few things it recovered where still good. I was able to play a video. I just stopped it because I don't have the room to get all that data on my home directory.


Thanks for the help.

After all this is restored I am going to take a break and go over my alphabet and learn that H and S are different letters that look nothing alike, lol.

I am not sure what "eyecatchers" are. I did a quick Google and LQ search, which I usually do instead of asking 101 questions, lol, but I am not finding info on that. How would I use photorec to search for these "eyecatchers?"


Also I installed foremost. In the terminal I ran sudo foremost /dev/sda It appears to be working, but taking a bit of time.

I am new to data recovery and TestDisk, PhotoRec and ForeMost. I am sure my hands on crash course training with this will be helpful in the future for other problems that pop up but for now I am learning as I go.

Edit: There is probably around 50GB of data that I am trying to get back.

Just checked the output folder for foremost. It is working and keeping them organized. Problem is I am probably going to run out of room.

The forensic tools (photorec included) go looking for known file headers. Don't worry about it - that's the job of the software.
"eyecatcher" is just a term - something to catch your eye as you're looking at data.

Ok, I understand what you mean by eyecatchers now, lol.

This is a serious learning experience for me.

Here is a question. If all my folders and files are still there and I screwed up file meta-data by mkswap, could I do the same in reverse for an ext3 and maybe get things back or are the pointers,or what ever is needed, not going to be there?

Meta-data is actually the names of all your data, not the data themselves. So if your meta-data were lost, then the files will still be there but they'll be "anonymous" as their names were swept off the disk. If you use photorec, it will retrieve everything but it will re-name each file using a combination of numbers and letters.

If your meta-data are not screwed, however, you may be able to recover the whole partition at once without too much trouble. I had a little accident myself a while ago - I wiped my partition table. What I did was launch testdisk to determine the exact "contours" (end and start) of each partition, then I re-created them exactly as they were using fdisk from the command line. Now I'm not quite sure whether that's all that was needed but I believe it was. Then again, I only wiped the partition table, I didn't change any partition type numbers (switching from a regular Linux partition to swap does involve changing types). What I would NOT do under any circumstances is re-format to ext3: this will not put back your meta-data but it will overwrite them with a new, empty "registry" (that is, assuming that those data are still there- if they aren't, then there isn't really much to overwrite anyway).

I am using foremost. It is recovering a lot so far but like you said it is renaming them with numbers and letters.

Let me add this from testdisk. I can go into each folder and see the data in there, including other folders and files, etc. Everything is still there and named.

I have testdisk open. I can see this when I view the folders, (Edit: also thanks for the heads up on the ext3. I am going to see what I can save that I really need or want first, however long this will take, then I will try what you said above.)

drwxrwxr-x 0 1000 4096 26-Jul-2007 21:14 ..
drwxrwxr-x 0 0 16384 29-Jun-2007 22:56 lost+found
drwxrwxr-x 1000 1000 4096 22-Jul-2007 19:43 All Music
drwxrwxr-x 1000 1000 4096 27-Jul-2007 22:37 .Trash
-rw-r--r-- 1000 1000 12527070 26-Jul-2007 21:10 webmin_1.350_all.deb
drwxrwxr-x 1000 1000 4096 26-Jul-2007 21:14 Linux Stuff
drwxrwxr-x 1000 1000 4096 27-Jul-2007 16:10 My Website
drwxrwxr-x 1000 1000 4096 26-Jul-2007 21:14 zip
drwxrwxr-x 1000 1000 4096 21-May-2007 14:41 Website All
drwxrwxr-x 1000 1000 4096 27-Jul-2007 22:59 Pictures
drwxr-xr-x 1000 1000 4096 26-Jul-2007 04:18 Backup_All
drwxrwxr-x 1000 1000 12288 26-Jul-2007 04:21 exe
drwxrwxr-x 1000 1000 4096 27-Jul-2007 16:10 Documents
drwxrwxr-x 1000 1000 4096 26-Jul-2007 04:20 Cd Backup
drwxrwxr-x 1000 1000 4096 3-Jul-2007 16:02 Burn All

I want to make sure I get this right before I try it, I mean completely have it figured out.

This is what it says in fdisk for /dev/sda1

Disk /dev/sda1: 255 heads, 63 sectors, 16214 cylinders

Nr AF Hd Sec Cyl Hd Sec Cyl Start Size ID
1 00 0 0 0 0 0 0 0 0 00
2 00 0 0 0 0 0 0 0 0 00
3 00 0 0 0 0 0 0 0 0 00
4 00 0 0 0 0 0 0 0 0 00


Now this is the information I got from testdisk for the (2), as I numbered them in an above reply here, this is where all my folders and files are which I can see when I analyze it.


CHS Cylinders 19457 Heads 255 sectors 63

----------start--------------end----------size in sectors
Linux--0--1--1--16214---254---63----260493912


Is this what you mean, or am I getting close to it?