UbuntuThis forum is for the discussion of Ubuntu Linux.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Now to make a long story short, I accidentally in the terminal, put in mkswap /dev/sda1. I meant to put in mkswap /dev/hda1. At the time I did this /dev/sda1 was mounted to /media/disk. I did not format it or delete it and make a swap, I just put in mkswap /dev/sda1.
I need that back, all of the information on that partition. How do I do this? Gparted is telling me that it sees it as a swap partition with free space.
I am pissed. If it wasn't for the idiotic problems I was having with the Ubuntu swap and uuid then I wouldn't have had to do anything and in turn make an idiotic mistake like this.
I am doing some research now. I have installed TestDisk and PhotoRec. Now since I only did mkswap and did not format that partition as swap before that, is it possible I just screwed up the partition table and not the actual information, even though gparted is telling me that it is all freespace?
I am using testdisk to analyze /dev/sda1 I will add an edit here with the results. I never did this before and after making that one letter mistake (S and H are not even next to each other on the damn keyboard,) I am very worried about doing anything. So any help would be greatly appreciated. Also no one worry. If you offer help and it still doesn't work, etc, it was my fault to begin with, concerning /dev/sda1, and that is where any blame lies.
EDIT: After I posted this I checked (2) with the P option and all my files and folders are there. So Should I select L next and Load Back Up?
Edit: Edit: I choose the Load Back Up, L, and there is nothing there. All my files and folders are there, so I need to this in order.
Ok this is what got when I analyzed /dev/sda,
(((I added the numbers 1-5)))
I am guessing that (2) is what I need to restore? (1) is what I currently have. Also I have XP on a partition that it did not pick up, and I could care less about loosing that partition. I don't use XP for much other then games now a days.
Disk /dev/sda - 160 GB / 149 GiB - CHS 19457 255 63
Partition Start End Size in sectors
(1)D Linux Swap 0 1 1 16214 254 63 260493912
(2)D Linux 0 1 1 16214 254 63 260493912
(3)* FreeBSD 16215 0 1 17744 254 63 24579450
(4)D Linux 17745 0 1 19456 254 63 27503280
(5)D Linux 17867 0 1 19456 254 63 25543350
(1)
Structure: Ok. Use Up/Down Arrow keys to select partition.
Use Left/Right Arrow keys to CHANGE partition characteristics:
*=Primary bootable P=Primary L=Logical E=Extended D=Deleted
Keys A: add partition, L: load backup, T: change type,
Enter: to continue
SWAP2 version 1, 133 GB / 124 GiB
(2)
Structure: Ok. Use Up/Down Arrow keys to select partition.
Use Left/Right Arrow keys to CHANGE partition characteristics:
*=Primary bootable P=Primary L=Logical E=Extended D=Deleted
Keys A: add partition, L: load backup, T: change type, P: list files,
Enter: to continue
EXT3 Large file Sparse superblock Backup superblock, 133 GB / 124 GiB
(3)
Structure: Ok. Use Up/Down Arrow keys to select partition.
Use Left/Right Arrow keys to CHANGE partition characteristics:
*=Primary bootable P=Primary L=Logical E=Extended D=Deleted
Keys A: add partition, L: load backup, T: change type,
Enter: to continue
12 GB / 11 GiB
(4)
Structure: Ok. Use Up/Down Arrow keys to select partition.
Use Left/Right Arrow keys to CHANGE partition characteristics:
*=Primary bootable P=Primary L=Logical E=Extended D=Deleted
Keys A: add partition, L: load backup, T: change type, P: list files,
Enter: to continue
EXT3 Large file Sparse superblock Recover, 14 GB / 13 GiB
(5)
Structure: Ok. Use Up/Down Arrow keys to select partition.
Use Left/Right Arrow keys to CHANGE partition characteristics:
*=Primary bootable P=Primary L=Logical E=Extended D=Deleted
Keys A: add partition, L: load backup, T: change type, P: list files,
Enter: to continue
EXT3 Large file Sparse superblock, 13 GB / 12 GiB
Ok. I am really lost now. I can analyze the partition like I said and it shows all my files and folders there. But I have no idea how to get them back. It seems that I just overwrote the partition table and not the actual data. I could really use some help here, lol.
Mmmmm - testdisk is for restoring deleted partitions. It scans the disk looking for "eyecatchers" that indicate (possible) partition begin/end.
But it only updates the partition table.
What you did was wipeout the beginning of the partition - the filesystem meta-data. The files themselves are likely to still be there - most if not all. I did a quick test, and mkswap only appears to smash the first 4k - to build a map of the swapspace, and write an id at the end. Even most of that 4k looks to be mostly untouched (been a while since I looked at the mkswap code though, so this is just observation).
You need a tool to scan for file "eyecatchers" - photorec would be a good start, then you might have to use a forensic tool like Foremost. Will take a while (as in days possibly) - ext2/3 is probably best supported; I've had very little luck trying to recover NTFS.
Mmmmm - testdisk is for restoring deleted partitions. It scans the disk looking for "eyecatchers" that indicate (possible) partition begin/end.
But it only updates the partition table.
What you did was wipeout the beginning of the partition - the filesystem meta-data. The files themselves are likely to still be there - most if not all. I did a quick test, and mkswap only appears to smash the first 4k - to build a map of the swapspace, and write an id at the end. Even most of that 4k looks to be mostly untouched (been a while since I looked at the mkswap code though, so this is just observation).
You need a tool to scan for file "eyecatchers" - photorec would be a good start, then you might have to use a forensic tool like Foremost. Will take a while (as in days possibly) - ext2/3 is probably best supported; I've had very little luck trying to recover NTFS.
After I analyzied sda1 I looked at the (2) and I checked all the files and folders. They do appear to be there. Let me try what you suggested. I ran photorec to restore data but it was just extracting data, ex. videos, and putting them somewhere else (I told it in the /home/mydirectory/) The few things it recovered where still good. I was able to play a video. I just stopped it because I don't have the room to get all that data on my home directory.
Thanks for the help.
After all this is restored I am going to take a break and go over my alphabet and learn that H and S are different letters that look nothing alike, lol.
I am not sure what "eyecatchers" are. I did a quick Google and LQ search, which I usually do instead of asking 101 questions, lol, but I am not finding info on that. How would I use photorec to search for these "eyecatchers?"
Also I installed foremost. In the terminal I ran sudo foremost /dev/sda It appears to be working, but taking a bit of time.
I am new to data recovery and TestDisk, PhotoRec and ForeMost. I am sure my hands on crash course training with this will be helpful in the future for other problems that pop up but for now I am learning as I go.
Edit: There is probably around 50GB of data that I am trying to get back.
The forensic tools (photorec included) go looking for known file headers. Don't worry about it - that's the job of the software.
"eyecatcher" is just a term - something to catch your eye as you're looking at data.
Here is a question. If all my folders and files are still there and I screwed up file meta-data by mkswap, could I do the same in reverse for an ext3 and maybe get things back or are the pointers,or what ever is needed, not going to be there?
Meta-data is actually the names of all your data, not the data themselves. So if your meta-data were lost, then the files will still be there but they'll be "anonymous" as their names were swept off the disk. If you use photorec, it will retrieve everything but it will re-name each file using a combination of numbers and letters.
If your meta-data are not screwed, however, you may be able to recover the whole partition at once without too much trouble. I had a little accident myself a while ago - I wiped my partition table. What I did was launch testdisk to determine the exact "contours" (end and start) of each partition, then I re-created them exactly as they were using fdisk from the command line. Now I'm not quite sure whether that's all that was needed but I believe it was. Then again, I only wiped the partition table, I didn't change any partition type numbers (switching from a regular Linux partition to swap does involve changing types). What I would NOT do under any circumstances is re-format to ext3: this will not put back your meta-data but it will overwrite them with a new, empty "registry" (that is, assuming that those data are still there- if they aren't, then there isn't really much to overwrite anyway).
Meta-data is actually the names of all your data, not the data themselves. So if your meta-data were lost, then the files will still be there but they'll be "anonymous" as their names were swept off the disk. If you use photorec, it will retrieve everything but it will re-name each file using a combination of numbers and letters.
If your meta-data are not screwed, however, you may be able to recover the whole partition at once without too much trouble. I had a little accident myself a while ago - I wiped my partition table. What I did was launch testdisk to determine the exact "contours" (end and start) of each partition, then I re-created them exactly as they were using fdisk from the command line. Now I'm not quite sure whether that's all that was needed but I believe it was. Then again, I only wiped the partition table, I didn't change any partition type numbers (switching from a regular Linux partition to swap does involve changing types). What I would NOT do under any circumstances is re-format to ext3: this will not put back your meta-data but it will overwrite them with a new, empty "registry" (that is, assuming that those data are still there- if they aren't, then there isn't really much to overwrite anyway).
I am using foremost. It is recovering a lot so far but like you said it is renaming them with numbers and letters.
Let me add this from testdisk. I can go into each folder and see the data in there, including other folders and files, etc. Everything is still there and named.
I have testdisk open. I can see this when I view the folders, (Edit: also thanks for the heads up on the ext3. I am going to see what I can save that I really need or want first, however long this will take, then I will try what you said above.)
Now this is the information I got from testdisk for the (2), as I numbered them in an above reply here, this is where all my folders and files are which I can see when I analyze it.
CHS Cylinders 19457 Heads 255 sectors 63
----------start--------------end----------size in sectors
Linux--0--1--1--16214---254---63----260493912
Is this what you mean, or am I getting close to it?
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
