IronHelix 05-19-2008 12:05 AM

Need to recover ext3 filesystem- MBR and LVM are gone :(
Hi all,

I have a sort of unusual problem. I have a Linux box (CentOS or Fedora, forget which, left it alone for a good long time) that used to be a minor server. Its HDD started making a funny noise so I decided to move it to a new box and DD the disk over in the process. I cleaned out the box and attached the currently working drive as slave (hdb), new drive as master (hda).

Helpful tip: it is probably a good idea to read your DD command at least 2-3 times before you hit enter.

After zeroing the 'new' drive with dd if=/dev/zero of=/dev/hda, I then went to DD the data from old drive to new. Except it was 3am, and by accident I started the zeroed drive DDing onto my good drive. I noticed the error and killed it after around 10 seconds, but the MBR, partition table, etc. were all gone.

*As I recall*, /boot was either 512MB or 1GB, followed by my ext3 / partition, followed by a swap partition. Considering this was a really old 10GB HDD, I doubt that I managed to eat up the beginning of the / partition.

I've run gpart and testdisk on the drive, no luck.

I'm guessing that it was partitioned using LVM and that might be why... honestly I don't remember as I put the thing together 2 years ago and haven't looked at it much since.

After this whole thing, I DD'd the (now screwed up) drive to an image file and I've been working on that so far... my current thread is a program called PhotoRec that goes through your drive and looks for files, then dumps them all into a folder with no names, only guesses at types. As you can imagine this takes a long time. It's done at the moment, doing the 'brute force' scan now and grepping through its output reveals what look like fragments of my files but nothing too useful, namely the particular files I need.

So my question...

Assuming my bad DD didn't nuke the beginning of / and the resulting file system...
what could I use to try and find the beginning of the / partition? Assuming it's LVM, how might I rebuild the LVM and get the partition back?

And/or is there any better idea that I should try?

syg00 05-19-2008 01:30 AM

No one has a /boot that big - 100 Meg is generally considered overkill. I'd say that was the size of your swap.
If testdisk didn't find the (root) partition, you've trampled on (at least the start of) it. Current testdisk versions are even LVM aware.
I'd say you are out of luck - all the filesystem metadata will be gone.

Normally I'd advise photorec then some forensic software like foremost.

I get pretty anal about backups - especially when screwing around with partitions at 03:00

IronHelix 05-19-2008 03:54 AM

I vaguely remember configuring a 512MB /boot partition. I agree there is little need for that much space and I have no idea why I did it, but I'm pretty sure I did. Or perhaps not...

As for backups I have one but it's really old. I coulda sworn I made one more recently but I can't seem to find it. I suspect a small shell script CRON'd to tar up the important stuff and upload it somewhere else is in my future...

Last question, I don't know much about ext3 filesystems but as I understand it metadata is stored in one or more superblocks which can be scattered around the FS. If I found one, would it do me any good / is there any tool I could use to recover data using it? I think photorec is capable of looking for them, perhaps one is in the 100k files it spat out... *shrug*

syg00 05-19-2008 04:14 AM

Check on the "-S" option of mkfs.ext3
Read the warnings particularly.

Edit: you would (of course) need to know where the partition started to even contemplate this.
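
One way to answer the "where did the partition start" question from the disk image, as an added example that is not part of the original thread: scan every sector for a plausible ext2/ext3 superblock copy and work back from its group number to the filesystem start it implies. It assumes the filesystem (or logical volume) is contiguous in the image and that backup copies record their group in s_block_group_nr as mke2fs writes them; the function names and the sample image built at the bottom are constructed for illustration.

```python
import io, struct
from collections import Counter

SECTOR, EXT_MAGIC = 512, 0xEF53
GEOM = "<I12xII4xI"  # from byte 4: s_blocks_count, s_first_data_block, s_log_block_size, s_blocks_per_group

def parse_superblock(sb):
    """Return (block_size, first_block, blocks_per_group, group) if plausible, else None."""
    if len(sb) < 92 or struct.unpack_from("<H", sb, 56)[0] != EXT_MAGIC:  # s_magic
        return None
    blocks, first, log_bs, per_group = struct.unpack_from(GEOM, sb, 4)
    group, = struct.unpack_from("<H", sb, 90)  # s_block_group_nr: which copy this is
    if log_bs > 6 or blocks == 0:
        return None
    bs = 1024 << log_bs
    # Reject chance 0xEF53 hits: the geometry has to be self-consistent.
    if first != (1 if bs == 1024 else 0) or not 0 < per_group <= 8 * bs or group * per_group >= blocks:
        return None
    return bs, first, per_group, group

def fs_start(offset, geom):
    """Filesystem start implied by a copy at offset: primary is 1024 bytes in, a backup opens its group."""
    bs, first, per_group, group = geom
    return offset - (1024 if group == 0 else (first + group * per_group) * bs)

def likely_starts(img, chunk=1 << 20):
    """Count, per implied filesystem start, how many superblock copies agree on it."""
    votes, base = Counter(), 0
    while True:
        img.seek(base)
        buf = img.read(chunk + 1024)  # overlap so a copy straddling two chunks is still seen
        if not buf:
            return votes
        for off in range(0, min(len(buf), chunk), SECTOR):
            geom = parse_superblock(buf[off:off + 1024])
            if geom and (start := fs_start(base + off, geom)) >= 0:
                votes[start] += 1
        base += chunk

if __name__ == "__main__":
    # Constructed image: fs at sector 63, primary superblock zeroed, backups of groups 1 and 3 intact.
    image = bytearray(1 << 20)
    for g in (1, 3):
        sb = bytearray(1024)
        struct.pack_into(GEOM, sb, 4, 1024, 1, 0, 256)  # 1 KiB blocks, 256 blocks per group
        struct.pack_into("<H32xH", sb, 56, EXT_MAGIC, g)
        p = 63 * SECTOR + (1 + g * 256) * 1024
        image[p:p + 1024] = sb
    print(likely_starts(io.BytesIO(image)).most_common())
```

An offset that several copies agree on is the one to try first, for instance with a read-only loop mount of the image (mount -o ro,loop,offset=N).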

