LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Hardware (https://www.linuxquestions.org/questions/linux-hardware-18/)
-   -   HDD forensics... How to restore a partition? (https://www.linuxquestions.org/questions/linux-hardware-18/hdd-forensics-how-to-restore-a-partition-200383/)

Thetargos 07-02-2004 01:42 PM
HDD forensics... How to restore a partition?
 
Hi there! I'm in a real tight problem right now, yesterday when trying to install FC2 onto a friend's computer one of his SATA drives had problems being read by the installer disk (I later found out that the drive geometry is read differently in the 2.6 kernel)... Well it happnes the drive could not be accessed for installation, but the secondary drive could be read. Now here's the odd thing: when I got to see the partitions on the drive the drive seemed to be empty, and I know this drive has at least one HUGE 80Gb partition (a monolithic partition of the whole drive). Now the problem is that this drive was being used as the bakcup drive for the main 120 Gb drive (not set in RAID), we did a couple fo backups before starting with the installation process of FC2, but when I found out that the drive was empty I was like WTF??? The drive with problems was the primary drive.

This happened in a system with an ASUS A7N8X-Deluxe MoBo with a Silicon Image 3112 SATA controller, a previous install of Windows 2000 Professional plus Red Hat 9 runing a custom kernel to support DMA on the Silicon Image SATA controller.

As suggested in many places around the net, I used sfdisk to see what the problem was with the primary drive (hde) and found that in fact it had two partitions being reported as being at head 16 when the expected value was 254, so while I was doing this I remember about seing the secondary drive empty in the FC2 installer, so I listed the partitions on the drive and what do I find? NOTHING!!, the drive was pristine clean!! That was not possible, it should have at least 50 Gb of data and ONE partition!! but both sfdisk and fdisk reported the drive as being empty!!!

How can I undo this?? I know there are tools to read corrupted filesystems and partitions, but I do not know if there are any available for Linux.... and at what point the drive got "cleaned out"?. Thanks a MILLION for any help you can provide me with, I know it can be a long and hard process but if in the end I can restore the data that drive originally held it'd be swell!!! And the intriguing part here is why did the drive got deleted in the first place? or maybe not deleted, but it surely lost its partition table... but how or why? :scratch:

kilgoretrout 07-02-2004 02:23 PM
The partition table is corrupted. This is the official fix for the problem from rh:

http://www.redhat.com/archives/fedor.../msg00908.html

Thetargos 07-02-2004 03:59 PM
Thanks for the link, I checked last night the thread which derived this guide (great!!) I'm now printing this out, I'll need that handy when I handle the disk later on today! Maybe I should have mentioned that the secondary drive is/was formatted in the ext2 FS... do you think that after following these steps will I be able to see the drive's contents again? I mean, the drive is reported to have NO partitions in fdisk!!


All times are GMT -5. The time now is 01:10 AM.