LinuxQuestions.org
Download your favorite Linux distribution at LQ ISO.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Ubuntu
User Name
Password
Ubuntu This forum is for the discussion of Ubuntu Linux.

Notices

Reply
 
Search this Thread
Old 07-28-2007, 05:52 PM   #1
Neo-Leper
Member
 
Registered: Nov 2006
Posts: 141

Rep: Reputation: 15
Urgent. Need to recover a partition


First, here is a link to the problems I was having that led to MY error.

http://www.linuxquestions.org/questi...70#post2840070


Now to make a long story short, I accidentally in the terminal, put in mkswap /dev/sda1. I meant to put in mkswap /dev/hda1. At the time I did this /dev/sda1 was mounted to /media/disk. I did not format it or delete it and make a swap, I just put in mkswap /dev/sda1.

I need that back, all of the information on that partition. How do I do this? Gparted is telling me that it sees it as a swap partition with free space.

I am pissed. If it wasn't for the idiotic problems I was having with the Ubuntu swap and uuid then I wouldn't have had to do anything and in turn make an idiotic mistake like this.

Last edited by Neo-Leper; 07-28-2007 at 05:54 PM.
 
Old 07-28-2007, 06:32 PM   #2
Neo-Leper
Member
 
Registered: Nov 2006
Posts: 141

Original Poster
Rep: Reputation: 15
I am doing some research now. I have installed TestDisk and PhotoRec. Now since I only did mkswap and did not format that partition as swap before that, is it possible I just screwed up the partition table and not the actual information, even though gparted is telling me that it is all freespace?
 
Old 07-28-2007, 06:51 PM   #3
Neo-Leper
Member
 
Registered: Nov 2006
Posts: 141

Original Poster
Rep: Reputation: 15
I am using testdisk to analyze /dev/sda1 I will add an edit here with the results. I never did this before and after making that one letter mistake (S and H are not even next to each other on the damn keyboard,) I am very worried about doing anything. So any help would be greatly appreciated. Also no one worry. If you offer help and it still doesn't work, etc, it was my fault to begin with, concerning /dev/sda1, and that is where any blame lies.

Last edited by Neo-Leper; 07-28-2007 at 06:53 PM.
 
Old 07-28-2007, 07:09 PM   #4
Neo-Leper
Member
 
Registered: Nov 2006
Posts: 141

Original Poster
Rep: Reputation: 15
EDIT: After I posted this I checked (2) with the P option and all my files and folders are there. So Should I select L next and Load Back Up?
Edit: Edit: I choose the Load Back Up, L, and there is nothing there. All my files and folders are there, so I need to this in order.

Ok this is what got when I analyzed /dev/sda,

(((I added the numbers 1-5)))

I am guessing that (2) is what I need to restore? (1) is what I currently have. Also I have XP on a partition that it did not pick up, and I could care less about loosing that partition. I don't use XP for much other then games now a days.

Disk /dev/sda - 160 GB / 149 GiB - CHS 19457 255 63
Partition Start End Size in sectors
(1)D Linux Swap 0 1 1 16214 254 63 260493912
(2)D Linux 0 1 1 16214 254 63 260493912
(3)* FreeBSD 16215 0 1 17744 254 63 24579450
(4)D Linux 17745 0 1 19456 254 63 27503280
(5)D Linux 17867 0 1 19456 254 63 25543350



(1)
Structure: Ok. Use Up/Down Arrow keys to select partition.
Use Left/Right Arrow keys to CHANGE partition characteristics:
*=Primary bootable P=Primary L=Logical E=Extended D=Deleted
Keys A: add partition, L: load backup, T: change type,
Enter: to continue
SWAP2 version 1, 133 GB / 124 GiB


(2)
Structure: Ok. Use Up/Down Arrow keys to select partition.
Use Left/Right Arrow keys to CHANGE partition characteristics:
*=Primary bootable P=Primary L=Logical E=Extended D=Deleted
Keys A: add partition, L: load backup, T: change type, P: list files,
Enter: to continue
EXT3 Large file Sparse superblock Backup superblock, 133 GB / 124 GiB

(3)
Structure: Ok. Use Up/Down Arrow keys to select partition.
Use Left/Right Arrow keys to CHANGE partition characteristics:
*=Primary bootable P=Primary L=Logical E=Extended D=Deleted
Keys A: add partition, L: load backup, T: change type,
Enter: to continue
12 GB / 11 GiB

(4)
Structure: Ok. Use Up/Down Arrow keys to select partition.
Use Left/Right Arrow keys to CHANGE partition characteristics:
*=Primary bootable P=Primary L=Logical E=Extended D=Deleted
Keys A: add partition, L: load backup, T: change type, P: list files,
Enter: to continue
EXT3 Large file Sparse superblock Recover, 14 GB / 13 GiB


(5)
Structure: Ok. Use Up/Down Arrow keys to select partition.
Use Left/Right Arrow keys to CHANGE partition characteristics:
*=Primary bootable P=Primary L=Logical E=Extended D=Deleted
Keys A: add partition, L: load backup, T: change type, P: list files,
Enter: to continue
EXT3 Large file Sparse superblock, 13 GB / 12 GiB

Last edited by Neo-Leper; 07-28-2007 at 07:32 PM.
 
Old 07-28-2007, 08:32 PM   #5
Neo-Leper
Member
 
Registered: Nov 2006
Posts: 141

Original Poster
Rep: Reputation: 15
Ok. I am really lost now. I can analyze the partition like I said and it shows all my files and folders there. But I have no idea how to get them back. It seems that I just overwrote the partition table and not the actual data. I could really use some help here, lol.
 
Old 07-28-2007, 08:56 PM   #6
syg00
LQ Veteran
 
Registered: Aug 2003
Location: Australia
Distribution: Lots ...
Posts: 12,314

Rep: Reputation: 1032Reputation: 1032Reputation: 1032Reputation: 1032Reputation: 1032Reputation: 1032Reputation: 1032Reputation: 1032
Mmmmm - testdisk is for restoring deleted partitions. It scans the disk looking for "eyecatchers" that indicate (possible) partition begin/end.
But it only updates the partition table.

What you did was wipeout the beginning of the partition - the filesystem meta-data. The files themselves are likely to still be there - most if not all. I did a quick test, and mkswap only appears to smash the first 4k - to build a map of the swapspace, and write an id at the end. Even most of that 4k looks to be mostly untouched (been a while since I looked at the mkswap code though, so this is just observation).

You need a tool to scan for file "eyecatchers" - photorec would be a good start, then you might have to use a forensic tool like Foremost. Will take a while (as in days possibly) - ext2/3 is probably best supported; I've had very little luck trying to recover NTFS.
 
Old 07-28-2007, 09:06 PM   #7
Neo-Leper
Member
 
Registered: Nov 2006
Posts: 141

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by syg00
Mmmmm - testdisk is for restoring deleted partitions. It scans the disk looking for "eyecatchers" that indicate (possible) partition begin/end.
But it only updates the partition table.

What you did was wipeout the beginning of the partition - the filesystem meta-data. The files themselves are likely to still be there - most if not all. I did a quick test, and mkswap only appears to smash the first 4k - to build a map of the swapspace, and write an id at the end. Even most of that 4k looks to be mostly untouched (been a while since I looked at the mkswap code though, so this is just observation).

You need a tool to scan for file "eyecatchers" - photorec would be a good start, then you might have to use a forensic tool like Foremost. Will take a while (as in days possibly) - ext2/3 is probably best supported; I've had very little luck trying to recover NTFS.

After I analyzied sda1 I looked at the (2) and I checked all the files and folders. They do appear to be there. Let me try what you suggested. I ran photorec to restore data but it was just extracting data, ex. videos, and putting them somewhere else (I told it in the /home/mydirectory/) The few things it recovered where still good. I was able to play a video. I just stopped it because I don't have the room to get all that data on my home directory.


Thanks for the help.

After all this is restored I am going to take a break and go over my alphabet and learn that H and S are different letters that look nothing alike, lol.

Last edited by Neo-Leper; 07-28-2007 at 09:16 PM.
 
Old 07-28-2007, 09:27 PM   #8
Neo-Leper
Member
 
Registered: Nov 2006
Posts: 141

Original Poster
Rep: Reputation: 15
I am not sure what "eyecatchers" are. I did a quick Google and LQ search, which I usually do instead of asking 101 questions, lol, but I am not finding info on that. How would I use photorec to search for these "eyecatchers?"


Also I installed foremost. In the terminal I ran sudo foremost /dev/sda It appears to be working, but taking a bit of time.

I am new to data recovery and TestDisk, PhotoRec and ForeMost. I am sure my hands on crash course training with this will be helpful in the future for other problems that pop up but for now I am learning as I go.

Edit: There is probably around 50GB of data that I am trying to get back.

Last edited by Neo-Leper; 07-28-2007 at 09:29 PM.
 
Old 07-28-2007, 09:56 PM   #9
Neo-Leper
Member
 
Registered: Nov 2006
Posts: 141

Original Poster
Rep: Reputation: 15
Just checked the output folder for foremost. It is working and keeping them organized. Problem is I am probably going to run out of room.
 
Old 07-28-2007, 10:04 PM   #10
syg00
LQ Veteran
 
Registered: Aug 2003
Location: Australia
Distribution: Lots ...
Posts: 12,314

Rep: Reputation: 1032Reputation: 1032Reputation: 1032Reputation: 1032Reputation: 1032Reputation: 1032Reputation: 1032Reputation: 1032
The forensic tools (photorec included) go looking for known file headers. Don't worry about it - that's the job of the software.
"eyecatcher" is just a term - something to catch your eye as you're looking at data.
 
Old 07-28-2007, 10:07 PM   #11
Neo-Leper
Member
 
Registered: Nov 2006
Posts: 141

Original Poster
Rep: Reputation: 15
Ok, I understand what you mean by eyecatchers now, lol.

This is a serious learning experience for me.
 
Old 07-28-2007, 10:30 PM   #12
Neo-Leper
Member
 
Registered: Nov 2006
Posts: 141

Original Poster
Rep: Reputation: 15
Here is a question. If all my folders and files are still there and I screwed up file meta-data by mkswap, could I do the same in reverse for an ext3 and maybe get things back or are the pointers,or what ever is needed, not going to be there?
 
Old 07-28-2007, 11:42 PM   #13
jay73
Guru
 
Registered: Nov 2006
Location: Belgium
Distribution: Ubuntu 11.04, Debian testing
Posts: 5,019

Rep: Reputation: 130Reputation: 130
Meta-data is actually the names of all your data, not the data themselves. So if your meta-data were lost, then the files will still be there but they'll be "anonymous" as their names were swept off the disk. If you use photorec, it will retrieve everything but it will re-name each file using a combination of numbers and letters.

If your meta-data are not screwed, however, you may be able to recover the whole partition at once without too much trouble. I had a little accident myself a while ago - I wiped my partition table. What I did was launch testdisk to determine the exact "contours" (end and start) of each partition, then I re-created them exactly as they were using fdisk from the command line. Now I'm not quite sure whether that's all that was needed but I believe it was. Then again, I only wiped the partition table, I didn't change any partition type numbers (switching from a regular Linux partition to swap does involve changing types). What I would NOT do under any circumstances is re-format to ext3: this will not put back your meta-data but it will overwrite them with a new, empty "registry" (that is, assuming that those data are still there- if they aren't, then there isn't really much to overwrite anyway).

Last edited by jay73; 07-28-2007 at 11:45 PM.
 
Old 07-29-2007, 12:02 AM   #14
Neo-Leper
Member
 
Registered: Nov 2006
Posts: 141

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by jay73
Meta-data is actually the names of all your data, not the data themselves. So if your meta-data were lost, then the files will still be there but they'll be "anonymous" as their names were swept off the disk. If you use photorec, it will retrieve everything but it will re-name each file using a combination of numbers and letters.

If your meta-data are not screwed, however, you may be able to recover the whole partition at once without too much trouble. I had a little accident myself a while ago - I wiped my partition table. What I did was launch testdisk to determine the exact "contours" (end and start) of each partition, then I re-created them exactly as they were using fdisk from the command line. Now I'm not quite sure whether that's all that was needed but I believe it was. Then again, I only wiped the partition table, I didn't change any partition type numbers (switching from a regular Linux partition to swap does involve changing types). What I would NOT do under any circumstances is re-format to ext3: this will not put back your meta-data but it will overwrite them with a new, empty "registry" (that is, assuming that those data are still there- if they aren't, then there isn't really much to overwrite anyway).

I am using foremost. It is recovering a lot so far but like you said it is renaming them with numbers and letters.

Let me add this from testdisk. I can go into each folder and see the data in there, including other folders and files, etc. Everything is still there and named.

I have testdisk open. I can see this when I view the folders, (Edit: also thanks for the heads up on the ext3. I am going to see what I can save that I really need or want first, however long this will take, then I will try what you said above.)

drwxrwxr-x 0 1000 4096 26-Jul-2007 21:14 ..
drwxrwxr-x 0 0 16384 29-Jun-2007 22:56 lost+found
drwxrwxr-x 1000 1000 4096 22-Jul-2007 19:43 All Music
drwxrwxr-x 1000 1000 4096 27-Jul-2007 22:37 .Trash
-rw-r--r-- 1000 1000 12527070 26-Jul-2007 21:10 webmin_1.350_all.deb
drwxrwxr-x 1000 1000 4096 26-Jul-2007 21:14 Linux Stuff
drwxrwxr-x 1000 1000 4096 27-Jul-2007 16:10 My Website
drwxrwxr-x 1000 1000 4096 26-Jul-2007 21:14 zip
drwxrwxr-x 1000 1000 4096 21-May-2007 14:41 Website All
drwxrwxr-x 1000 1000 4096 27-Jul-2007 22:59 Pictures
drwxr-xr-x 1000 1000 4096 26-Jul-2007 04:18 Backup_All
drwxrwxr-x 1000 1000 12288 26-Jul-2007 04:21 exe
drwxrwxr-x 1000 1000 4096 27-Jul-2007 16:10 Documents
drwxrwxr-x 1000 1000 4096 26-Jul-2007 04:20 Cd Backup
drwxrwxr-x 1000 1000 4096 3-Jul-2007 16:02 Burn All

Last edited by Neo-Leper; 07-29-2007 at 12:13 AM.
 
Old 07-29-2007, 01:14 AM   #15
Neo-Leper
Member
 
Registered: Nov 2006
Posts: 141

Original Poster
Rep: Reputation: 15
I want to make sure I get this right before I try it, I mean completely have it figured out.

This is what it says in fdisk for /dev/sda1

Disk /dev/sda1: 255 heads, 63 sectors, 16214 cylinders

Nr AF Hd Sec Cyl Hd Sec Cyl Start Size ID
1 00 0 0 0 0 0 0 0 0 00
2 00 0 0 0 0 0 0 0 0 00
3 00 0 0 0 0 0 0 0 0 00
4 00 0 0 0 0 0 0 0 0 00


Now this is the information I got from testdisk for the (2), as I numbered them in an above reply here, this is where all my folders and files are which I can see when I analyze it.


CHS Cylinders 19457 Heads 255 sectors 63

----------start--------------end----------size in sectors
Linux--0--1--1--16214---254---63----260493912


Is this what you mean, or am I getting close to it?

Last edited by Neo-Leper; 07-29-2007 at 01:16 AM.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Recover lost data under Solaris10 intel (Urgent) dsids Solaris / OpenSolaris 4 07-06-2007 07:08 AM
urgent! how to recover files from os x? stairwayoflight Other *NIX 12 06-10-2007 06:55 PM
recover a missing partition pankaj99 Linux - General 5 06-03-2006 07:09 PM
Recover Partition??? HELP!!!! villusion Linux - Hardware 7 10-11-2005 04:34 PM
Recover a lost partition!!!!! Caveman Linux - Newbie 4 09-26-2003 01:10 PM


All times are GMT -5. The time now is 01:26 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration