LinuxQuestions.org


SCerovec 05-22-2007 04:50 AM

ext2fs drama: i-node destroyed by mke2fs
 
All the file recovery documents I could find cover the ideal circumstance cases of file recovery...

I have a real-life situation with a worst-case scenario:

I have an ext2fs partition in a file (e.g. part.img)

1. formatted
2. populated
<all ok, but problems start here...>
3. formatted (by mistake :-( )
<I need the files back, especially a 'file.odt'>
4. directory structure can be recovered somehow
5. all i-node information is bad (due to mke2fs's pass?)

How do I get my file(s)?
I can see the data of the most important file (found the mime-magic string on the partition) with lde (version 2.6.1)

Is there a way to recover a destroyed i-node?
Is there a way to recover that single .odt file from that partition?
Is there an un-mke2fs tool?
Is there a better-than-lde ext2fs editor?

How are the file-blocks scattered on the partition after a copy (all the files were cp-ed in a single pass)? Are they sequential?

Please, do post only examples that are real-life tested, as I already did all kinds of tests from various howto-s that did only fail miserably. :-(
The kernel is 2.6.13.17, distro is Slackware, the copy was done with Konqueror.

I'm an lde newbie, just for the record, but have some basic experience with hex-editors.

Samotnik 05-22-2007 05:08 AM

Try sleuthkit package.

SCerovec 05-23-2007 10:23 AM

I will after I try foremost first,...
Did You try sleuthkit? Once I tried, I got lost among the configurations (case, ...)
Honestly, it looked a little bit over-done...
And later on ccorr

SCerovec 05-24-2007 04:03 AM

I did it finally.

Early in the morning (~0200am) I managed to carve the .odt file.

I had to edit the foremost.conf file:
I added a new line with the odt's file 'magic' for the footer and header...
I found the info in /etc/file/magic* and in two similar .odt files.

Then I ran foremost without the -t parameter and got the file finally. I spent some more time to make a script that takes required input via kdialog and plan to post it ASAP here...

I still plan to try to carve the fragmented png files if possible too.

St.John 05-29-2007 11:07 AM

Configuring foremost
 
How can you edit the foremost.conf file (and where should I find it, is it the thing with a lot of ##'s in it, the sample config file)?

My home partition was by accident formatted from ReiserFS (Suse 10.1) to Ext3 (same Suse, re-install). I had made a backup (I THOUGHT :scratch:) but the backup was gone after I wished to copy back my data :eek:...:cry:.

I have made an image of the home device and foremost found some of the data like pictures and old openoffice style documents I never made myself (sxw, sxi, etc.).
How can I make foremost find documents in newer style like odt, ods, odp, odg, ot*?
Is there a possibility to restore the names too?

I have tried to restore the previous partition with reiserfsck --rebuild-tree -S -l /root/recovery.log /dev/hdb2 (hdb2 is my place of home), found at http://www.antrix.net/journal/techta...howto.comments, but without any luck.

Please instruct very carefully. I am a very n00b-y newbie.

Thnx 4 your help!


St. John
:newbie:

SCerovec 05-30-2007 06:15 AM

Dear John (the TV serial ;-) )
 
First of all:
Work only on a copy of the image. Always!

Quote:

Originally Posted by St.John
How can you edit the foremost.conf file (and where should I find it, is it the thing with a lot of ##'s in it, the sample config file)?

Sorry for Your loss. Really.
The foremost.conf file is expected to be found in /etc/. In the package it's located in the root-dir of it.

Quote:

My home partition was by accident formatted from ReiserFS (Suse 10.1) to Ext3 (same Suse, re-install). I had made a backup (I THOUGHT :scratch:) but the backup was gone after I wished to copy back my data :eek:...:cry:.

I had that a while ago, it's a mess ... :-(. Expect no more than 35% of files back. Anything more is reason for joy ;-)

Quote:

I have made an image of the home device and foremost found some of the data like pictures and old openoffice style documents I never made myself (sxw, sxi, etc.).
How can I make foremost find documents in newer style like odt, ods, odp, odg, ot*?

You need to make new lines in the .conf file with footer- and header- data so foremost can figure out the file-body.
1. Open at least two known-good *.odt files with e.g. khexedit and examine the beginning and end of the files. Also consult the mime-magic found in /etc/file/* for the right pointers. Use wildcards, the less the better...
2. The magic for odt files is with vnd.oasis ...
3. Make the lines in the /etc/foremost.conf
4. Uncomment other lines describing desired file types
5. Run foremost ...

Quote:

Is there a possibility to restore the names too?

There is no possibility to restore names via carving.

Quote:

I have tried to restore the previous partition with reiserfsck --rebuild-tree -S -l /root/recovery.log /dev/hdb2 (hdb2 is my place of home), found at http://www.antrix.net/journal/techta...howto.comments, but without any luck.

You always have the option to turn to reiser's developer team for paid recovery.
The other option is to use scalpel. It's a fork of foremost at 0.69 release. It looks a bit more advanced.

Quote:

Please instruct very carefully. I am a very n00b-y newbie.
Thnx 4 your help!

St. John
:newbie:

The damage is done already. Take Your time, rush no more, to recover as much as You can.
The thing to hope for is that your most important files are not too fragmented. Carving restores sequential blocks, so fragmented files will get garbage in them. There is no chance a carver can distinguish the right from the wrong footer in a sequence of blocks.
Chances are there is some i-node information left on the volume. Try to salvage as many i-nodes as possible.
I wish You best luck.
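
The header/footer carving that the posts above describe, as an added Python sketch (not code from any poster and not foremost's implementation): it finds an ODT by the ZIP local header followed by the `vnd.oasis` mimetype string, cuts at the first ZIP end record, and uses a CRC check to show why a contiguous file survives while a fragmented one does not. The function names, the `max_size` default and the in-memory sample image are constructed for the illustration.

```python
import io
import zipfile

# An ODT is a ZIP whose first member is a stored file named "mimetype", so the
# name and type string directly follow the 30-byte local file header.
ZIP_LOCAL = b"PK\x03\x04"
ZIP_EOCD = b"PK\x05\x06"  # end-of-central-directory record, used as the footer
ODT_MIME = b"mimetypeapplication/vnd.oasis.opendocument.text"


def is_intact(blob):
    """True only if the carved bytes parse as a ZIP and every CRC matches."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return zf.testzip() is None
    except Exception:  # any parse or decompression error means a bad carve
        return False


def carve_odt(image, max_size=20_000_000):
    """Return [(offset, blob, intact)] for each ODT header found in image."""
    found = []
    pos = image.find(ZIP_LOCAL)
    while pos != -1:
        if image[pos + 30:pos + 30 + len(ODT_MIME)] == ODT_MIME:
            # Bound the footer search, like the size column of a carver rule.
            end = image.find(ZIP_EOCD, pos, pos + max_size)
            if end != -1 and end + 22 <= len(image):
                comment_len = int.from_bytes(image[end + 20:end + 22], "little")
                blob = image[pos:end + 22 + comment_len]
                found.append((pos, blob, is_intact(blob)))
        pos = image.find(ZIP_LOCAL, pos + 4)
    return found


def make_odt(text):
    """Constructed sample: minimal ODT-like package, mimetype stored first."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mimetype", "application/vnd.oasis.opendocument.text")
        zf.writestr("content.xml", text, compress_type=zipfile.ZIP_DEFLATED)
    return buf.getvalue()


def sample_image():
    """Constructed image: a contiguous ODT, then one split by a foreign block."""
    whole, split = make_odt("<a>report</a>" * 50), make_odt("<b>notes</b>" * 50)
    cut = len(split) // 2
    broken = split[:cut] + b"\xee" * 512 + split[cut:]
    return b"\x00" * 1024 + whole + b"\x00" * 512 + broken, whole
```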

St.John 06-05-2007 02:07 PM

Hi SCerovec,

Sorry that I am late with responding but I am in a kind of a horror scene. Two people in the family are laying to death (how do you say that in correct English but you will understand me I think) and a friend of mine had a bleeding in the brain so I am running from one hospital to another and I spend a lot of time with the partners of those that are in hospital to support them.

I will take a look at your advice and thank you for that!
I will let you know how it was going with my restoring adventure but if you don't see any response from me just look a week later or something.
You will hear about me later.

Thanks for now, I am glad that I have some time now to put this message over here so you know that I will respond and I am still interested in your help and that I want to share my restoring adventure.

Thanks and great Greetux,

John

SCerovec 06-07-2007 12:31 PM

Sorry
 
Quote:

Originally Posted by St.John
Hi SCerovec,

Sorry that I am late with responding
...
Thanks and great Greetux,

John

I'm truly sorry for Your circumstances, I wish I could help You if I could...

Regarding the time for answers, just take your time buddy and take it easy. This is a forum, it can wait for months (not that it must...).

Anyhow I'm subscribed for this thread, so when You are back, I'll be there. Just keep in mind, we are documenting a procedure for the whole community, not just us. ;-)

St.John 09-04-2007 04:16 AM

--regarding the time for answers, just take your time buddy and take it easy.--


Thanks for your understanding answer.
I was afraid that I had left a bad reputation as a new-coming newbie at this forum with responding that late! Anyway...

I have tried several times to restore the files and I looked at the beginning and the end of the file with khexedit but ods and odt files had the same beginning and ending! I could fill in more exe-code but I saw that that was different sometimes.
And what to fill in as maximum file size? I have tried a nice size, I thought :scratch: (some number with several zeros :)), but after scanning, the hard disk was too small to put all those files on! :eek:
And they were not the open office files. :cry:

What do you mean with "The magic for odt files is with vnd.oasis ..."?

Well, in the meanwhile we are some months later and my administration is running very behind, so for now I give up.
I will keep the image for a while for if I have nothing to do better so I can try new advisement.

Life goes on, today I give it a restart with an installation of a newer distro version (nothing to lose now :p)!

Thanks for your answer(s)!

St. John


All times are GMT -5.