I have a RAID array configured with 3 partitions on it. I deleted some files on one of the partitions that I wish I had not deleted. I've found some tools that might be able to recover the files. But I want to make an exact copy of the disk and work on that, so I don't goof things up if they don't work out.

I figure I'll use dd to make the copy. But in order for the resulting exact copy to be mountable, the disk geometry and format info needs to be identical. (I think - I am out of my depth here.)

I assume I need to use parted or similar tool to format the target/copy drive before the dd copy process. But I don't know what information about the original I need to know, how to figure it out, and how to tell parted to make things exactly the same.

Can anyone point me to the appropriate friendly manual or web page?

Or if I am over-complicating it, please tell me a better way to do what I want to do (make an exact bit-by-bit copy of a RAID partition onto separate single hard drive, use analysis software on the copy to try to recover some deleted files).

Thanks for your attention.

I think you're over complicating it. Using dd to get a copy of the entire disk is an exact copy such that the system will not notice that the disk is a different one.

1 members found this post helpful.

I tried just using dd, but the result would not mount.

Original is /dev/sdb3, copy is /dev/sdc. I tried two approaches:

#dd if=/dev/sdb3 of=/dev/sdc
and
#use parted to create /dev/sdc1 larger than /dev/sdb3
#dd if=/dev/sdb3 of=/dev/sdc1

Could not mount the copy after either operation.

I was thinking "if=" would be all of /dev/sdb.

But perhaps that is too large for you.

In order to attain all of the partition information you'd need to use either fdisk or gparted to gather all of the partition information for /dev/sdb3 in order to make a full copy which should mount.

I.e. You could make all of /dev/sdc be that type of file system and then copy /dev/sdb3 to all of /dev/sdc. For me I've always had better success grabbing the entire source disk and then ignoring partitions which I didn't need.

I don't know how to do that yet. So that sounds like "read the man page for fdisk and gparted." Is that the best way?

I think if I did a good web search, I would find a hit that describes someone going through this exact process. But I am not familiar with the terminology, so I don't know how to make a good web search. Maybe:

dd (parted|gparted) fdisk "create an exact copy"

Anything else I could add to get rid of chaff?

This link to a manual on computer forensics looks like it might help me.

Maybe we need to know a bit more. A raid of some kind is composed of real drives (in some cases) that are put together. Generally the OS views this array as a single disk. What kind of array do you have?

You can't do a if=/dev/sdb3 of=/dev/sdc that isn't apples to apples.

I’m at home now, so going by memory. RAID6, 11 disks, ext3, 3 partitions or filesystems? It’s a Dell system.
Is that what you’re asking?

If you ever rebuild or reformat your array, you might look at OpenZFS instead of RAID. It has been ported to GNU/Linux lately. RAID-Z2 is similar to RAID-6. However, the two features which sound like would be of interest would be snapshots and zfs send/receive. The snapshots allow you to roll back and retrieve files that were inadvertantly deleted. The snapshots can also be sent to other hosts for backup or other duplcation-related tasks. That won't help you at the moment with your RAID-6 task, but is something to consider when planning future maintenance.

Try this:

LVM also supports snapshots. I like how ZFS handles them much better though.

That is the correct dd command. But sdk1 won't be right unless sdk is right?

Let me check my understanding. If I had enough space, I could # dd if=/dev/sdb of=/dev/sdk. That would make a bit by bit perfect copy.

But I don't have enough space on sdk. Total space on sdb is about 25TB, I have no place I can copy that much data. I have a 10TB disk available, and the virtual disk that has the data I want is between 7 & 8TB. It would fit, but I can't seem to get the copy to work. I want to # dd if=/dev/sdb3 of=/dev/sdk1, but that generates an error, "dd: writing to '/dev/sdk1': No space left on device". I think I need to format or partition the target disk (sdk) with parted or gparted or fdisk or whatever would work.

Maybe someone can just hand me the answer, or maybe I need to educate myself about what is really going on, in which case a pointer to a manual or web site where I could bone up on the basics might help.

A complication I hadn't mentioned is that I have to do this over the network, there is no practical way to mount the target disk on the same system as the source disk. So the command I have been trying is along the lines of:
# ssh root@10.1.255.224 "dd if=/dev/sdb2 " | dd of=/dev/sdb1

You don't need an actual raw disk partition. You can dd a partition to a regular file and mount the filesystem of the regular file. I've never tried it, but it would probably even work on an NFS share. Here is me doing it on my CentOS7 test VM on my XFS /boot partition. I omitted some of the output for brevity:

With ext4, I don't think you will even need to change the UUID or fsck it.

Presuming mdadm, I would strongly doubt you could simply use just one disk of a RAID6 like that.
But the bigger question is why do you need to mount it at all ?. Forensics should usually be done on an unmounted image - what are you planning to use ?.

I don't know what that means. I am a newb.

That is a good question. At the very beginning of this process I sort of looked around and convinced myself that there were programs to use and stopped with that. I was not real confident I could even get to this point, as I had to copy off all the undeleted useful files to another writeable disk so people could continue using them. I assumed that if I couldn't mount it the copy might be bogus. Depending on what the forensics programs need, you are probably right. Or at least I should give it a try, and if it fails then I can go through this further step.
Thanks to all for their suggestions.

A simple dd of the partition as in post #3 should be fine. For simple file deletion I find photorec works ok. See the testdisk homepage for some examples - photorec is a component of testdisk. You can refine the search to specific types - photos only or maybe doc files. Saves work later.
Note the filenames are gone - photorec assigns sequential names as it finds them.