Distribution: Gentoo Hardened using OpenRC not Systemd
Posts: 1,495
Recovering 2 drives with all files deleted
I was messing around in the KDE settings when I noticed that my window borders were changing, and I didn't change them. I went to change them back and noticed that all but 2 themes were gone. I started switching between windows seeing if they were all changed, and my system was becoming sluggish. I thought maybe this was a problem that a reboot or a logout and login would fix. My system had become too sluggish to reboot it anytime soon, so I did an alt+sysrq REISUB.
Now I had a new strange problem. My computer wasn't booting Linux. It would try to boot from the usb drive or anything but Linux. I have Slackware with KDE on my usb drive as a live system. I booted it up and discovered that all of my files from 2 drives had been wiped except for very few that might have been in my ram and written to disk right before I issued the reboot.
I suspect it was a buggy script that could have caused it. The important thing for right now is not what caused it but can it be recovered. How much of it can be recovered? I can tell this is not the result of a faulty drive or a reformat. The filesystems on both drives are perfectly intact. There's a bunch of free space that wasn't there before. I've been mounting the drives with read-only and have not written anything to disk.
One drive is a 1 terabyte that was formatted as NTFS because Windows had to be able to access it too. The other drive is a 200-300 gb SSD with ext4.
I'm about to try photorec. What else do I need to know about recovering the files besides don't write anything new to the disks? How much of it can be recovered? What are the chances of doing a successful recovery? Is there anything besides photorec I should be using?
I use photorec - but not for system files, especially Windoze. Handles NTFS fine. coupla warnings:
- you need to make sure you have a separate target/recovery disk, and ensure photorec is pointed to it.
- you lose all filenames. Can be a PITA, but it is what it is.
Forgot to mention, you can narrow the files that need to be scanned for - so in my case I only care about photos. Saves work later. Oh, and it will take a while - maybe days.
Last edited by syg00; 06-17-2020 at 01:37 AM.
Reason: forgot to ...
The important thing is definitely "what caused it".
The more info you can provide,the more likely you are to take the correct steps to recover.
Otherwise, yeah, flail about with photorec and see what you can find.
Completely agree.
I've been in computer forensics for a long time now. My advice:
Do not even power on your SSD, before you are going to execute a carefully planned action.
A trim on this SSD and you will not be able to recover deleted files.
Best steps, assuming your drives are not encrypted:
Take out both drives and make dcfldd (much better than dd) images (or another forensically sound format, like EWF), to a large enough drive.
Be sure to mount the drives READ ONLY (will not protect you against firmware induced trim).
It's very OK to use a Windows PC for this and use FTK Imager (free!). FTK Imager will show you lots of useful information about your drive, and deleted files. It's one of my favorite Windows forensics tools.
Then run Photorec on the images and not on the drives itself. You will be missing file names, so it probably leaves you with a big puzzle. Restoring a running system this way will be a PITA. Getting back user files is more likely.
In Photorec limit the mime-types to look for as much as possible, for the best results. By working on the images, you can play with these settings to find the optimum. Probably best to start with looking in "free space" on the FS only and not "whole disk". Your mileage may vary.
Keep the drives as they are, if you can afford it.
If you really want to use your own pc:
Boot from a forensically sound Linux distro. Paladin is probably best of breed for this job.
Attach a large enough drive to create the images on.
Paladin includes Photorec
And then...? Root cause analysis! You really have to find out what happened. Use the images for that.
Mount the images
Check for root kits and other malware.
Look for suspicious files.
Compare with a fresh install...
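The imaging steps above (image first, verify, then let PhotoRec and any mounting touch only the image) written out as a runnable shell script. This is an added example, not code from the poster or from the PhotoRec/TestDisk project: it uses plain coreutils dd and sha256sum instead of dcfldd so it runs anywhere, and the device path /dev/sdX, the file name image.dd and the mount point /mnt/img in the comments are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread: a minimal forensically sound imaging
# workflow built on coreutils dd and sha256sum. The posters recommend dcfldd
# (which hashes while it copies) or FTK Imager; the steps are the same.
set -eu

# Before touching a real device, make the kernel refuse writes to it (needs root):
#   blockdev --setro /dev/sdX          # /dev/sdX is a placeholder
# A read-only flag does not stop firmware-level TRIM on an SSD, as noted above.

# size_of PATH -> byte length of a regular file or block device
size_of() {
    if [ -b "$1" ]; then
        blockdev --getsize64 "$1"
    else
        wc -c < "$1" | tr -d ' '
    fi
}

# image_device SRC DEST [BS]
# Block-for-block copy. conv=noerror keeps going past unreadable sectors and
# conv=sync zero-fills them, so every byte in the image sits at the same offset
# as on the original device (PhotoRec's carving relies on this). The final block
# is padded up to BS, so the image may be slightly longer than the source.
image_device() {
    dd if="$1" of="$2" bs="${3:-4M}" conv=noerror,sync
}

# sha256_prefix PATH NBYTES -> hex digest of the first NBYTES of PATH
sha256_prefix() {
    head -c "$2" "$1" | sha256sum | awk '{print $1}'
}

# verify_image SRC IMG -> prints "match" or "MISMATCH"
# Compares the source against the image truncated to the source length, so the
# sync padding does not cause a false alarm. A mismatch means the image is not a
# faithful copy, or the source changed underneath you (e.g. a journal replay).
verify_image() {
    size=$(size_of "$1")
    if [ "$(sha256_prefix "$1" "$size")" = "$(sha256_prefix "$2" "$size")" ]; then
        echo match
    else
        echo MISMATCH
    fi
}

# Afterwards work on the image, never on the drive (all of these need root;
# image.dd, /mnt/img and /mnt/recovery are placeholders):
#   photorec /log /d /mnt/recovery image.dd        # /d puts recovered files on the separate target disk
#   mount -o ro,noload,loop image.dd /mnt/img       # ext4: noload skips the journal replay that a plain ro mount would still write
#   mount -o ro,loop,offset=$((START_SECTOR*512)) image.dd /mnt/img   # one partition inside a whole-disk image
```

Run it as `image_device /dev/sdX /mnt/target/image.dd && verify_image /dev/sdX /mnt/target/image.dd` from a root shell on the forensic boot medium; if the result is not `match`, treat the image as suspect before doing any recovery work on it.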
Photorec is part of testdisk.
See my earlier quote on how to operate in a sound way.
I consider "Try Testdisk" as an advice that may do more harm than good.
Perhaps you too are not the embodiment of all knowledge.
Not perhaps, but certainly.
As you can read, I gave advice, not the ultimate solution.
If you can tell me what's wrong with my advice, I can learn from that.
Distribution: openSUSE, Raspbian, Slackware. Previous: MacOS, Red Hat, Coherent, Consensys SVR4.2, Tru64, Solaris
Posts: 2,803
Quote:
Originally Posted by syg00
- you lose all filenames. Can be a PITA, but it is what it is.
Wow. I would have thought that nobody would ever want to reinvent RECOVER.EXE. (I was fortunate enough, back in the day, never to have been so desperate as to have to use it to recover from a real problem.) I cringe at the thought of running such a tool on a terabyte of data files.
Oh the potential for damage that can result when a script run from, we can only assume given the extent of the file clobbering, the root account goes awry. Hopefully, there are recent backups.
How much space do I need for recovering a 1 terabyte hdd + a 300 gb hdd? Do I need an identical amount of space?
Ideally you should clone the problematic drive to a secondary location first and work on that, so you'd need more than that.
If you don't do that you need at least as much extra space as all the data you want to recover, but keep in mind that photorec will always recover much more than that.
So, best case scenario, you need 2 extra TB for that 1TB drive only.
Distribution: Gentoo Hardened using OpenRC not Systemd
Posts: 1,495
Original Poster
Quote:
Originally Posted by ondoho
Ideally you should clone the problematic drive to a secondary location first and work on that, so you'd need more than that.
If you don't do that you need at least as much extra space as all the data you want to recover, but keep in mind that photorec will always recover much more than that.
So, best case scenario, you need 2 extra TB for that 1TB drive only.
I'm looking at possibly buying this drive for the recovery.
Other than using it for recovery, it would primarily be used for storage, so I think the slower speed is OK for that because it looks like a great bang for the buck, and Seagate should be higher quality than the el-cheapo off-brand Chinese drive I found.
FWIW, I did something similar a while ago - bought extra storage to be able to properly restore lost data.
Since I had to establish a backup scheme anyhow (lesson learned!) it was just a matter of course.
If you are 100% sure that
- you will use the drive in read-only only
- it has no hardware problems
then, IMO, you can skip the cloning of the drive.
But beware: testdisk can do some read/write operations.