DarkWinterNights 09-26-2011 03:43 AM

Lost EXT4 Encrypted Partition

As I have scoured the web, I find I am not alone in having erased a partition accidentally. However, in my search I have yet to find an approach that works for me.

I recently used Gparted to remove a couple of partitions I had on a drive (the contents of all the partitions I cannot recall, but the one in particular I am interested in was an encrypted EXT4), and then allocated a new NTFS partition over top of it. The particular partition was about halfway through the volume. Beyond additional storage space, this volume is otherwise unused.

I of course then realized that I had made a tremendous blunder when trying to locate the partition I had thought was on a different drive. I had started copying some files onto the drive but immediately stopped and unmounted the filesystem to prevent further data loss (the new data is irrelevant to me as I have copies and can destroy it).

After googling around and searching, I've found some documents indicating TestDisk may be appropriate for recovering this filesystem, but unfortunately a "Deep Search" of the volume reveals only the new partition I overwrote it with (basically a quick format).

Things are seemingly a little bleak - there were some important documents among the documents stored there (this partition made up the home directory of my computer prior to a reformat a while ago).

Has anyone else encountered a similar situation they have been able to recover from? Or any other software packages I may want to try?

Thanks in advance.

syg00 09-26-2011 04:04 AM

How did you create the NTFS filesystem? If done from Linux (mkfs.ntfs) it zeroes the space first prior to doing the format of the filesystem metadata.
"(basically a quick format)" makes it sound like you did it from Windoze - I don't know what that mangles, but I believe it leaves most of the space untouched. Which in a normal environment might give you some hope of scraping the remnants of your files with something like photorec. But with a (probably) truncated encrypted f/s, I wouldn't like your chances - especially as all the metadata was probably at the beginning.
One of the forensic tools might help, but it would be a long shot.
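Added example, not part of any post in this thread: a sector-by-sector scan for an encrypted-volume header, showing why the metadata at the start of the volume decides whether anything can be found. It assumes the partition was a LUKS1 container (the thread does not say which encryption was used); the sample image and its field values are constructed for the demonstration.

```python
import io
import struct

SECTOR = 512
LUKS_MAGIC = b"LUKS\xba\xbe"
# Start of the LUKS1 on-disk header (big-endian): magic, version, cipher name,
# cipher mode, hash spec, payload offset in sectors, master key length in bytes.
LUKS1_PREFIX = struct.Struct(">6sH32s32s32sII")


def _cstr(raw):
    """Decode a NUL-padded ASCII field."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def scan_for_luks(dev, start_sector=0):
    """Scan a seekable binary file object sector by sector for LUKS headers."""
    hits, sector = [], start_sector
    dev.seek(start_sector * SECTOR)
    while len(buf := dev.read(SECTOR)) >= LUKS1_PREFIX.size:
        if buf.startswith(LUKS_MAGIC):
            _, ver, cipher, mode, hash_spec, payload, key_len = LUKS1_PREFIX.unpack_from(buf)
            hit = {"sector": sector, "version": ver}
            if ver == 1:  # the field layout above is only valid for LUKS1
                hit.update(cipher=_cstr(cipher), mode=_cstr(mode), hash=_cstr(hash_spec),
                           payload_sector=sector + payload, key_bits=key_len * 8)
            hits.append(hit)
        sector += 1
    return hits


def build_sample_image(header_sector=8, total_sectors=64):
    """Constructed test image: zeros plus one LUKS1 header prefix."""
    img = bytearray(total_sectors * SECTOR)
    hdr = LUKS1_PREFIX.pack(LUKS_MAGIC, 1, b"aes", b"cbc-essiv:sha256", b"sha1", 4096, 32)
    img[header_sector * SECTOR:header_sector * SECTOR + len(hdr)] = hdr
    return bytes(img)


def zero_sectors(image, first, count):
    """Simulate a formatter zero-filling `count` sectors starting at `first`."""
    img = bytearray(image)
    img[first * SECTOR:(first + count) * SECTOR] = bytes(count * SECTOR)
    return bytes(img)


if __name__ == "__main__":
    intact = build_sample_image()
    print("intact:", scan_for_luks(io.BytesIO(intact)))
    print("zeroed:", scan_for_luks(io.BytesIO(zero_sectors(intact, 0, 16))))
```

Run it against a read-only image of the disk rather than the device itself. With LUKS, the key slots live in that header, so once it has been zeroed the ciphertext behind it cannot be decrypted even if its location is known.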

qlue 09-26-2011 11:22 AM

You might be able to use testdisk to recover the partition. Photorec (included with Testdisk) won't help you, however, as the partition is encrypted.

DarkWinterNights 09-26-2011 09:41 PM

Hi all,

Thanks for your replies.

Indeed, everything I've done is from Ubuntu specifically; kind of surprised I forgot such an obviously significant detail. I left TestDisk overnight to probe the drive in question and it came back to me (again) after a deep search with just the NTFS partition I had created earlier in addition to a Linux partition starting at 1 that is 1032 sectors in size; this isn't the partition I was looking for, and doesn't appear to hold anything meaningful (and wasn't a partition I would have created being so small).

I kinda realized I shot myself in the foot having encrypted the data - successfully making it unrecoverable especially with a number of other tools, but I guess that's the price of security. Ultimately, I suppose I have some paper copies of most of my documents at work, although I was hoping to save myself the headache of sifting and reorganizing, especially since I'm not entirely sure what is missing.

I'll probably try one of the trial versions of some of the other recovery software to see if it can help, but much of it appears to be Windows based, which to me suggests it won't play nice with most of the ext partitions that existed before (unless it indiscriminately restores the data as it is).

I'm open to any other ideas and will post back with results if I have success with any other software package to hopefully help the next hapless dumb-dumb who repeats my mistakes. :P

snooly 09-28-2011 08:06 AM

It's probably gone. I've previously deleted partitions, and recreated them with the same settings, and sometimes even that doesn't work. I did that on purpose, trying to make more primary partitions available. And sometimes it doesn't work.

You did much more, you deleted the partition, then smashed it by making new partitions, making filesystems, and writing data to those filesystems. If you don't know exactly where your partitions were before, you've got no chance. Even if you do know, your chances aren't much better.

Do you have backups? If not, maybe next time you will.

DarkWinterNights 10-01-2011 01:55 AM

Hi again,

Indeed, I nearly had a heart attack after I realized what drive I was actually writing to. I had a backup, but it was poorly maintained (actually, at this point in time, this partition was serving as the backup). I had accumulated too many discs and was in the process of amalgamating some of them. :P From the get-go I suspected I really didn't have much of a chance given all I had done, but thought I'd post just in case to get some additional insight. Fortunately, reviewing the paper copies at work, I realized the data was more dated than I had thought so ultimately I lost nothing of any real importance; I'm fortunate I had this mishap on something relatively insignificant.

Turns out, I was able to recover an otherwise lost partition, but not the one I was looking for. :P The encrypted partitions were basically lost in their entirety, but the later partitions that weren't appearing in TestDisk appeared in a free Windows tool called EaseUS Partition Recovery (I tried a couple, and this one had the most success in this scenario), but it is limited in what kinds of partitions it can view.

I thought I would share the conclusion just for finality and anyone else looking for their options. Both TestDisk and EaseUS turned out to do fairly decent jobs, just unfortunate with how late I realized my error - I could have potentially saved more had I noticed sooner lol. Hopefully a lesson learned on my part. :P

All times are GMT -5.