Need help recovering formatted LUKS Ext4 partition

anon072 · 09-30-2013, 06:19 PM

Hello all,

My apologies if this post is doubled, I wrote this earlier and now it's not appearing on the site for me.

It's the typical story, a couple hours ago, due to not paying attention, I nuked an external drive while attempting to back it up to a second drive. I did this in Ubuntu's Disk Manager, so I believe it was only a quick format and I may have a chance at getting at this data. The irony is, this is the only copy I have of this data, and I was backing it up to have a redundant copy. *facepalm*

I've found these:
http://onecool1.wordpress.com/2009/0...ora-to-create/
http://ubuntuforums.org/showthread.php?t=1643334

but they've only taken me so far.

If I run TestDisk on the drive, it initially shows:

Code:

Disk /dev/sdb - 200 GB / 186 GiB - CHS 24321 255 63
Current partition structure:
     Partition                  Start        End    Size in sectors

 1 P Linux                    0   1  1 24320 254 63  390716802

After running a quick scan and a deeper scan, I get this for both:

Code:

Disk /dev/sdb - 200 GB / 186 GiB - CHS 24321 255 63
     Partition               Start        End    Size in sectors
>* Linux                    0   1  1     0 254 63      16002

LUKS 1 (Data size unknown), 8193 KB / 8001 KiB

The size is way wrong (the original partition used the entire 200GB drive), but it does show a LUKs...something...this is exciting because I didn't attempt to encrypt the new drive when I accidentally formatted the old one.

Okay, moving on. If I run
fdisk -l
here are the relevant results:

Code:

Partition table entries are not in disk order

Disk /dev/sdb: 200.0 GB, 200049647616 bytes
255 heads, 63 sectors/track, 24321 cylinders, total 390721968 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x000b8f28

   Device Boot      Start         End      Blocks   Id  System
/dev/sdb1              63   390716864   195358401   83  Linux

I see this has a different starting block than what TestDisk found. It also has something like the correct size. I assume this is the newly formatted partition, though?

So, if I run:
hexdump -C -n 512 /dev/sdb1
I get this:

Code:

00000000  4c 55 4b 53 ba be 00 01  61 65 73 00 00 00 00 00  |LUKS....aes.....|
00000010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000020  00 00 00 00 00 00 00 00  63 62 63 2d 65 73 73 69  |........cbc-essi|
00000030  76 3a 73 68 61 32 35 36  00 00 00 00 00 00 00 00  |v:sha256........|
00000040  00 00 00 00 00 00 00 00  73 68 61 31 00 00 00 00  |........sha1....|
00000050  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000060  00 00 00 00 00 00 00 00  00 00 08 08 00 00 00 20  |............... |
00000070  4e da 67 8e 8b db c3 51  27 ff 8f d6 81 ef 51 d1  |N.g....Q'.....Q.|
00000080  7b 77 aa 7d fa 75 dd 2b  d6 b4 56 e1 b3 44 a3 01  |{w.}.u.+..V..D..|
00000090  9d 11 c8 77 7f eb d3 76  0e bc de ed dd ec 16 81  |...w...v........|
000000a0  56 06 8a 8e 00 00 6f d1  63 33 61 37 36 63 37 34  |V.....o.c3a76c74|
000000b0  2d 33 64 62 62 2d 34 37  34 39 2d 62 35 63 32 2d  |-3dbb-4749-b5c2-|
000000c0  38 30 34 33 31 63 34 33  34 63 33 34 00 00 00 00  |80431c434c34....|
000000d0  00 ac 71 f3 00 01 c0 6b  55 7a c4 84 18 24 95 8d  |..q....kUz...$..|
000000e0  0f b6 13 5c 6a bb 2e 7d  44 9f fd 49 3e ff 20 65  |...\j..}D..I>. e|
000000f0  d3 85 fc dd 7a 5c d8 7e  00 00 00 08 00 00 0f a0  |....z\.~........|
00000100  00 00 de ad 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000110  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000120  00 00 00 00 00 00 00 00  00 00 01 08 00 00 0f a0  |................|
00000130  00 00 de ad 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000140  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000150  00 00 00 00 00 00 00 00  00 00 02 08 00 00 0f a0  |................|
00000160  00 00 de ad 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000170  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000180  00 00 00 00 00 00 00 00  00 00 03 08 00 00 0f a0  |................|
00000190  00 00 de ad 00 00 00 00  00 00 00 00 00 00 00 00  |................|
000001a0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
000001b0  00 00 00 00 00 00 00 00  00 00 04 08 00 00 0f a0  |................|
000001c0  00 00 de ad 00 00 00 00  00 00 00 00 00 00 00 00  |................|
000001d0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
000001e0  00 00 00 00 00 00 00 00  00 00 05 08 00 00 0f a0  |................|
000001f0  00 00 de ad 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000200

Then, on:
cryptsetup -v luksDump /dev/sdb1

Code:

LUKS header information for /dev/sdb1

Version:       	1
Cipher name:   	aes
Cipher mode:   	cbc-essiv:sha256
Hash spec:     	sha1
Payload offset:	2056
MK bits:       	256
MK digest:     	4e da 67 8e 8b db c3 51 27 ff 8f d6 81 ef 51 d1 7b 77 aa 7d 
MK salt:       	fa 75 dd 2b d6 b4 56 e1 b3 44 a3 01 9d 11 c8 77 
               	7f eb d3 76 0e bc de ed dd ec 16 81 56 06 8a 8e 
MK iterations: 	28625
UUID:          	c3a76c74-3dbb-4749-b5c2-80431c434c34

Key Slot 0: ENABLED
	Iterations:         	114795
	Salt:               	55 7a c4 84 18 24 95 8d 0f b6 13 5c 6a bb 2e 7d 
	                      	44 9f fd 49 3e ff 20 65 d3 85 fc dd 7a 5c d8 7e 
	Key material offset:	8
	AF stripes:            	4000
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED
Command successful.

If I run
cryptsetup luksOpen /dev/sdb1 sdb1
It prompts me for the password. If I enter the password for the partition I'm trying to recover...

Code:

Key slot 0 unlocked.
Command successful.

This seems promising, but I'm not sure what to do beyond here. The second link above recommends running vgscan, but if I do that, it returns:

Code:

No Volume Groups Found

Can anyone help? I feel like I'm so close!

Thanks in advance!

linosaurusroot · 10-01-2013, 11:39 AM

Looking at your

Code:

cryptsetup -v luksDump /dev/sdb1

I suggest you back up /dev/sb1 before doing anything risky with it.

Code:

dd if=/dev/sdb1 bs=32M of=some_large_separate_place

After entering the password the step of looking for volume groups would only apply if you had volume groups. If you just had a disk partition look for that.

anon072 · 10-01-2013, 07:57 PM

Hello, thanks for your quick reply linosaurusroot! Forgot to mention I did back up using dd to the drive which was originally supposed to hold the backup of the good data (I can almost taste the irony) and have been working off that.

I don't believe I had volume groups, but I am fairly *nix illiterate. It was initially set up under Ubuntu 9's Disk Manager. Can you offer any insight?

I've found this since last night: http://alvinabad.wordpress.com/2012/...ncrypted-disk/

I was able to run this and successfully enter the password same as last night.

Code:

cryptsetup -v luksOpen /dev/sdb1 sdb1_crypt

Then,

Code:

mkdir /tmp/disk

mount /dev/mapper/sdb1_crypt /tmp/disk

which returns:

Code:

mount: you must specify the filesystem type

I figure okay, no big deal, so I run:

Code:

mount -t ext4 /dev/mapper/sdb1_crypt /tmp/disk

which returns:

Code:

wrong fs type, bad option, bad superblock on /dev/mapper/sdb1_crypt

Damn! I figured maybe I remembered wrong and it was ext3, or even msdos, but same results for both.

At this point,

Code:

parted -l

shows:

Code:

Model: Seagate FreeAgentDesktop (scsi)

Disk /dev/sdb: 320GB

Sector size (logical/physical): 512B/512B

Partition Table: msdos

Disk Flags:

Number  Start   End    Size   Type     File system  Flags

1      32.3kB  200GB  200GB  primary

Error: /dev/mapper/sdb1_crypt: unrecognised disk label

Model: Linux device-mapper (crypt) (dm)                                   

Disk /dev/mapper/sdb1_crypt: 200GB

Sector size (logical/physical): 512B/512B

Partition Table: unknown

Disk Flags:

Interestingly, the Partition Table is listed as msdos for the drive, I swear I formatted it ext4 (originally and in yesterday’s accidental format) yesterday, I'm almost certain, actually, but it may have originally been formatted FAT.

Okay, I’m not sure what to do from here. I ran a TestDisk scan on /dev/mapper/sdb1_crypt and it returned a bunch of what I think are junk partitions resulting from collisions with the encrypted data (is that a correct evaluation?).

Is the data safe? From what I've gathered it seems I've unlocked it, I just need to figure out how to mount it?

Thanks in advance again!

anon072 · 10-01-2013, 08:07 PM

Forgot,

Code:

dmesg | tail

shows:

Code:

[ 1936.283812] EXT4-fs (dm-0): VFS: Can't find ext4 filesystem
[ 1962.328083] EXT3-fs (dm-0): error: can't find ext3 filesystem on dev dm-0.
[ 1969.787031] FAT-fs (dm-0): bogus number of reserved sectors
[ 1969.787035] FAT-fs (dm-0): Can't find a valid FAT filesystem

So perhaps it is in fact FAT?

anon072 · 10-02-2013, 01:27 AM

Just came across this. Sounds like he's had the same problem I did, though I don't exactly understand his solution, and I'm nervous to actually use fdisk to do anything other than list partitions.

http://forum.cgsecurity.org/phpBB3/r...ize-t2629.html

I have also seen suggestions to use e2fsck -s. How should I proceed?