LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices


Reply
  Search this Thread
Old 03-19-2009, 08:51 PM   #1
ste85
LQ Newbie
 
Registered: Jun 2005
Distribution: SUSE and Debian
Posts: 9

Rep: Reputation: 0
recover data after running "dd if=/dev/zero ..." for a few seconds... Heeelp!


I mistakenly ran
dd if=/dev/zero of=/dev/sda7
instead of
dd if=/dev/zero of=/dev/hda7

hda is my laptop's hard drive
sda is my external hard disk, to which I had moved ALL of my files in order to clean up the laptop's hard disk

when I realized the laptop's hard disk wasn't working too much i realized my mistake, went Ctrl-C, Ctrl-Z then kept the power button pushed down until power off...

What do I do now? Is there any files left of about 80 GB?? Can it be recovered?

Please help... I can't keep my eyes open right now (it's 2AM here). Hope someone helps me!

<<desperate>>
 
Old 03-19-2009, 09:00 PM   #2
MS3FGX
LQ Guru
 
Registered: Jan 2004
Location: NJ, USA
Distribution: Slackware, Debian
Posts: 5,852

Rep: Reputation: 357Reputation: 357Reputation: 357Reputation: 357
You have very little chance of recovering anything useful out of what was overwritten. What you did is exactly how you would permanently delete something if you didn't want anyone to be able to recover it.

If it really only ran for a few seconds than obviously it didn't zero out the entire 80 GB. But certainly whatever was in the beginning of that partition is wiped clean.
 
Old 03-19-2009, 09:03 PM   #3
snowman81
Member
 
Registered: Aug 2006
Location: Michigan
Distribution: Ubuntu
Posts: 245

Rep: Reputation: 30
You wouldn't happen to work for the NSA do you? That could help... What's the filesystem type?
 
Old 03-19-2009, 09:45 PM   #4
syg00
LQ Veteran
 
Registered: Aug 2003
Location: Australia
Distribution: Lots ...
Posts: 15,959

Rep: Reputation: 2211Reputation: 2211Reputation: 2211Reputation: 2211Reputation: 2211Reputation: 2211Reputation: 2211Reputation: 2211Reputation: 2211Reputation: 2211Reputation: 2211
If you are only interested in file recovery, try PhotoRec - despite the name does more than just photos.
Else you might be in for a long nights with forensic software - foremost is generally recommended, but search here on LQ for "forensic" - you'll find plenty of hits.
 
Old 03-20-2009, 05:10 AM   #5
ste85
LQ Newbie
 
Registered: Jun 2005
Distribution: SUSE and Debian
Posts: 9

Original Poster
Rep: Reputation: 0
FS type and other...

The filesystem type was ext3.
The problem is... I was planning to do a backup on DVDs.
I was collecting everything I had and putting it on my external HD, to be burned immediately.
But I didn't have enough space on my laptop hard disk to save the temporary K3B image files.
So I also moved everything I had on my laptop to the external hard disk.

Then, I wanted to completely erase the partition on my laptop, and format it with ext2.

How can I recover what remains (hopefully) on the hard disk?
I know I probably won't recover what was overwritten with zeros...
but how can I get back the rest?

Last edited by ste85; 03-20-2009 at 05:13 AM.
 
Old 03-20-2009, 07:16 AM   #6
openSauce
Member
 
Registered: Oct 2007
Distribution: Fedora, openSUSE
Posts: 252

Rep: Reputation: 39
The partition table will have been wiped, so you'll want to look for data recovery software that can search for files without partition information. I'm afraid I don't know any but a search should turn up quite a few.

If you've got some free space somewhere, make an image of your external and do data recovery on that - then you still have the original if something goes wrong a second time (although if you're making an image with dd, there's a risk of typos again - your call).

As I understand the ext* filesystems, a directory is simply a file containing a list of pointers to other files. If you're lucky, the root directory might still be on there, although I guess it was probably near the beginning of the partition. It is possible to grep a drive with
Code:
dd if=/dev/sda | grep --binary-files=text [PATTERN]
but I'm not sure if there's a pattern you could use to look for a directory signature. Proper data recovery software is a far better way to go, but that kind of low-level stuff might help as a last resort.

A couple of tips for using dd in the future, don't want to rub salt in the wound and I know it doesn't help you right now, but might still be useful to think about:
  • Start your command with a '#' so it's actually a comment, and re-read it twice before deleting the '#' and hitting enter. That way if you're in the habit of just hitting enter as soon as you reach the end of the line, you might get the chance to catch a mistake.
  • If you're using dd for the same sort of things a lot, put the commands in a script, so you just have to get them right once then forget about them. Or in a case like this, you could set the variables $EXTERNAL_HDD=sda, $LAPTOP_HDD=hda, so they look very different and you're less likely to make a typo.
 
Old 03-20-2009, 07:41 AM   #7
ste85
LQ Newbie
 
Registered: Jun 2005
Distribution: SUSE and Debian
Posts: 9

Original Poster
Rep: Reputation: 0
Ironically, on my desktop computer
sda is the internal hard disk
sdb is the external hard disk

on the laptop
hda is the internal hard disk
sda is the external hard disk

sighhhhh......

Is there any reliable society/individual
(apart from the NSA)
that knows his business
and can help me out for $$$?
(I hope I can ask this kind of things here,
if not please message me privately)


I'm just not in the state of mind
to do that myself right now
(plus, all of my notes
and software were in the damaged drive,
so I'm really sitting on nothing....)

P.S. And, even if I was all right and
excited, I'm not that good to be able
to do that...

Last edited by ste85; 03-20-2009 at 07:56 AM.
 
Old 03-20-2009, 07:56 AM   #8
i92guboj
Gentoo support team
 
Registered: May 2008
Location: Lucena, Córdoba (Spain)
Distribution: Gentoo
Posts: 4,074

Rep: Reputation: 386Reputation: 386Reputation: 386Reputation: 386
Whatever you do, before doing it you should use dd (be careful now) to backup the whole drive to a file, and do it on that image instead of the real drive.

If it's ext3 you could try to replace the superblock with a copy. Ext3 stores many copies of the superblock around the disk, so you can try to recover a copy of the supeblock.

http://blog.edseek.com/archives/2004...lock-recovery/

Note that even if this succeeds, there's no guarantee that you will be able to recover anything at all.

Physically, it's possible to recover the data but only with very specialized hardware. That's because when you set all bytes to a logical zero, the real physical value is not exactly zero, and depends on the previous value, that's also why using /dev/random as input file is considered more secure than using /dev/zero, when you really want to take rid of the data. No idea about the economic cost of that at all.
 
Old 03-20-2009, 08:10 AM   #9
openSauce
Member
 
Registered: Oct 2007
Distribution: Fedora, openSUSE
Posts: 252

Rep: Reputation: 39
There are plenty of companies you could try:
http://www.google.com/search?q=data+...utf-8&oe=utf-8

On my system dd copies about 230 MB in to an internal ext3 hdd in 3 seconds, so if you hit ctrl-C quick enough most of your data should still be there:
Code:
~$ dd if=/dev/zero of=zerofile
460639+0 records in
460639+0 records out
235847168 bytes (236 MB) copied, 3.10298 s, 76.0 MB/s
 
Old 03-20-2009, 08:34 AM   #10
theYinYeti
Senior Member
 
Registered: Jul 2004
Location: France
Distribution: Arch Linux
Posts: 1,897

Rep: Reputation: 63
You could try TestDisk, which used to be found in the SystemRescueCD LiveCD (I did not check it still is).

Yves.

Edit: I just checked: TestDisk is on the CD. And PhotoRec is too.

Last edited by theYinYeti; 03-20-2009 at 08:35 AM.
 
Old 03-20-2009, 08:36 AM   #11
ste85
LQ Newbie
 
Registered: Jun 2005
Distribution: SUSE and Debian
Posts: 9

Original Poster
Rep: Reputation: 0
Quote:
On my system dd copies about 230 MB in to an internal ext3 hdd in 3 seconds, so if you hit ctrl-C quick enough most of your data should still be there
Then there should be a lot of data still there...
But how comes nothing seemed to stop when I hit Ctrl-C??
I had to keep down the power button for 4-5 seconds to stop it!!


Quote:
If it's ext3 you could try to replace the superblock with a copy. Ext3 stores many copies of the superblock around the disk, so you can try to recover a copy of the supeblock.
That sounds really good, SPARE superblocks around the disk.
But how do I do that? Or (I know this is not the attitude here,
but I'm feeling a bit lost) how do I find someone to do that
for me?

I'm not planning to do hardware recovery (especially if that will cost me thousands of $), but recovering the un-zeroed part seems feasible, right?

Quote:
There are plenty of companies you could try:
http://www.google.com/search?q=data+...utf-8&oe=utf-8
Yes, I know, Google is my friend... but how can I decide if I can trust a certain company?
The big ones (e.g. "Guidance Software") seem to do just trillion$ business...
 
Old 03-20-2009, 02:58 PM   #12
ste85
LQ Newbie
 
Registered: Jun 2005
Distribution: SUSE and Debian
Posts: 9

Original Poster
Rep: Reputation: 0
When I formatted the disk I didn't use any exotic option.
So I understand there should be 5% space reserved for _something_ (superblock? i didn't understand very much...)
Someone here talked about several copies of the superblock...
where is this superblock placed?
If there are two copies of it, they should be around 2.5% each, right?
to erase that on my 80GB partition would take
more than 4 minutes at 8MB/s
and around 26 seconds at 76 MB/s

(my external hard disk would not erase any faster than my internal hard disk, would it?
my internal hard disk erased at 8MB/s... ps I know I should test it myself... I'll do that on another partition as soon as I have backed up the data...).
I would avoid to use recovery software if I could just repair this superblock...

Last edited by ste85; 03-20-2009 at 03:03 PM.
 
Old 03-20-2009, 03:39 PM   #13
pixellany
LQ Veteran
 
Registered: Nov 2005
Location: Annapolis, MD
Distribution: Arch/XFCE
Posts: 17,802

Rep: Reputation: 738Reputation: 738Reputation: 738Reputation: 738Reputation: 738Reputation: 738Reputation: 738
Have you looked at Testdisk (previously recommended)? I seem to recall that it can find superblocks.

Some file system tools will not work unless you can see the partition.

Quote:
I would avoid to use recovery software if I could just repair this superblock...
I don't think file recovery is any riskier than attempting to recover the superblock or the partition table.......If you have really valuable data, then just get the drive to a data recovery specialist.
 
Old 03-20-2009, 04:26 PM   #14
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 671Reputation: 671Reputation: 671Reputation: 671Reputation: 671Reputation: 671
Sorry, I misread your earlier post and forgot that it was a partition you zeroed and not the entire disk. If you read the earlier version of this post, please ignore it.

Since the partition table is intact for /dev/hda, you can use losetup to attach a device there. So it's possible to create an image of just the device.

Last edited by jschiwal; 03-20-2009 at 04:36 PM.
 
Old 03-20-2009, 04:29 PM   #15
i92guboj
Gentoo support team
 
Registered: May 2008
Location: Lucena, Córdoba (Spain)
Distribution: Gentoo
Posts: 4,074

Rep: Reputation: 386Reputation: 386Reputation: 386Reputation: 386
Quote:
Originally Posted by ste85 View Post
When I formatted the disk I didn't use any exotic option.
So I understand there should be 5% space reserved for _something_
That's space reserved for the superuser, which has nothing to do with the superblock.

Quote:
(superblock? i didn't understand very much...)
Someone here talked about several copies of the superblock...
where is this superblock placed?
That was me. And I also provided a link explaining the procedure.

Basically, what the guy in that link does is the following:
  1. find the size of the affected volume
  2. create a volume of the same size in a loopback file, you need empty space to do this
  3. note down on a paper the places where a copy of the superblock was stored, since the affected volume is of the same size, the backups of its superblock should be on the same locations, in the example in that link you can see that there are backups of the superblock into 8193, 24577, 40961, 57345 and 73729
  4. now run fsck on the affected volume and try to recover the last copy of the superblock (it's usually the last that will be overwritten by your evil dd command, that's why

If fsck can find a valid superblock you have a good chance to be able to recover part of the files that lived on your volume. It might even be able to restore your fs to a living state, however what's zeroed, it's zeroed. No one can do anything about that, except for the enterprises specialized in info recovery as we said before.

PS: Just for future reference, note that this is the reason why it's a very good thing to save a note on your drawer with the locations of the backups of your superblocks, each time that you mkfs a new filesystem.

Another PS: I am no specialist, and I said this before but repeat it now: if you really value your data, use dd to make a copy of the drive and operate on that, and not on the original drive.

Last edited by i92guboj; 03-20-2009 at 04:34 PM.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
lilo says, "L 01 01 01" and fdisk says, "Unable to seek on /dev/hda1" clausawits Linux - General 3 12-31-2007 10:33 PM
C Drive "/dev/hda1" accidently used in dd command at "of=" switch M D Linux - Software 4 04-26-2007 09:56 AM
How do I switch the labels "/dev/sda1" with "/dev/sda3" vonst Linux - General 10 05-27-2006 11:48 PM
What are "/dev/hde" and "/dev/hdf" in #fdisk -l b0nd Linux - Newbie 1 03-31-2006 10:09 PM
How can I recover my RedHat if it BOOTs to a "Kernel Panic" error and stop running? yuzuohong Linux - General 5 12-05-2002 11:39 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie

All times are GMT -5. The time now is 05:04 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration