Hard Drive Recovery (Filesystem problems)
 

Hi folks. I'm trying to recover some data off a harddrive. The drive is still working, the filesystem seems to be messed up.

A brief history.

This was just a small server in our office here with some scripts and databases that made our job easier. It was running fedora. It would occassionly have filesystem errors (some read only error I can't remember) that would force a reboot and on the reboot a fsck was normally forced where the inodes would have to be fixed etc.. well the last time that was peformed the box was booted and came to a kernel panic and would no longer boot.

I took the drive out and put it in another box and it still spins and seems to functionally work (i.e. I could reformat and use it again) but I'm having trouble getting the data off of it. The partitions look like this

Device Boot Start End Blocks Id System
/dev/sdb1 * 1 64 514048+ 83 Linux
/dev/sdb2 65 1339 10241437+ 83 Linux
/dev/sdb3 1340 2550 9727357+ 83 Linux
/dev/sdb4 2551 4863 18579172+ 5 Extended
/dev/sdb5 2551 3506 7679038+ 83 Linux
/dev/sdb6 3507 3637 1052226 82 Linux swap / Solaris

It seems that the fsck moved everything on the partitions to lost + found directory. When I mount a partition I can't cd into the lost+found directory. What I can do is copy the directory as root to another harddrive, then change ownership to me but when I CD into the directory it's all numbers for files, directories, etc..

a du -sh still tells me there is 1.5G of data so I might be able to retrieve some stuff if I can figure out how to get at it

Thoughts?

The three steps I recommend:
1 Avoid writing to the drive
2 Go for the data
3 Worry about getting it to boot after your data is backed up.
If you have the drive as slave, this is a good thing. If you can install testdisk in a running Linux system on the same computer, do so or get a Live CD like Knoppix. Open a terminal maximized, from another drive or partition where you want the recovered data stored, issue command: photorec, go through the different settings to see what it can all get, which is just about any common file extension most people have data in. Also: man photorec might be some good reading also.

Ultimately
You'd want to make an image of the drive first, and then play with it. If you can't get it to run, you can recover the data off a copy of the image as to not ruin the original image. This would require a lot of extra storage space to accommodate a file the size of the hard drive twice, and a file system in these drives that can handle a file that size.
It's the forensically safe approach.

Yes, I made an image and have found the data I needed I believe. the drive is still in working order and I'm not using it other than to retrieve what i can.

I believe I have everything i need, going to let a coworker take a look tomorrow and I"ll go from there. I found the easiest way to find what I was looking for was to cd into the mounted partition

#ls -lh * >> /home/me/test

then I could grep that file for directories etc.. and find what I needed in the sea of info