[SOLVED] Recovery of data from encrypted partition
SlackwareThis Forum is for the discussion of Slackware Linux.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
This is going to come across as a very strange question, but what happens if I use the cfdisk on the slackware dvd to rewrite the partition table precisely as I did before?
(you can probably cancel this fairly early on as it should be within the first couple of hundred mb if what you say about your layout is accurate)
If you don't see a line starting with the characters "LUKS" then your luks header is gone and whatever else has happened to the drive really doesn't matter.
(you can probably cancel this fairly early on as it should be within the first couple of hundred mb if what you say about your layout is accurate)
If you don't see a line starting with the characters "LUKS" then your luks header is gone and whatever else has happened to the drive really doesn't matter.
Code:
dd if=/dev/sda | hexdump -C | grep 'LUKS'
gives
Code:
1de41bb20 b7 01 4c 55 4b 53 af 44 31 72 fa 19 f6 54 d4 6b |..LUKS.D1r...T.k|
You have obviously not re-zeroed the MBR since you still show data beginning at address 0. Easiest thing to do is just skip over the first megabyte and see how much of the rest of the drive got zeroed:
Code:
dd if=/dev/sda bs=1M skip=1 | hexdump | head
You'll then need to add 1 megabyte (0x100000) to the address of that first non-zero line to see where your remaining data begins.
1de41bb20 b7 01 4c 55 4b 53 af 44 31 72 fa 19 f6 54 d4 6b |..LUKS.D1r...T.k|
Hmm...I don't think that's it. It's about 8GB into your disk, 290 characters into a sector and It's not followed by the 0xba, 0xbe one would expect to see..
You have obviously not re-zeroed the MBR since you still show data beginning at address 0. Easiest thing to do is just skip over the first megabyte and see how much of the rest of the drive got zeroed:
Code:
dd if=/dev/sda bs=1M skip=1 | hexdump | head
You'll then need to add 1 megabyte (0x100000) to the address of that first non-zero line to see where your remaining data begins.
I just wanted to say a big thank you to those of you who helped out on this. I wasn't able to locate the partition in the end and ran out of time due to the arrival of my baby daughter. Fortunately I was able to use testdisk to recover the files from my wife's external hard drive; she had forgotten that they had been backed up on there a while ago and then deleted, but it looks like they were never overwritten.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.