Solved

Data lost on all partotions - Is there a way to recover?

Posted on 2004-03-31
10
1,318 Views
Last Modified: 2013-11-22
I had a series of problems with my FreeBSD machine (Release 5.2)
One thing led to another and I seem to have lost all data that was stored on all partitions. This I am not sure at what point it happend but I had to reinstall the system do to a kernel problem.
Anyway, Is there a way/tool/service that can restore FreeBSD data that seems to have been wiped? The system was not repartitioned or formatted so I would love to think that the data can be somehow restored. I have a backup but not recent enough. Lot's of data changes every day on the machine and a restore would not really help.
0
Comment
Question by:eyellin
10 Comments
 
LVL 61

Expert Comment

by:gheist
ID: 10735206
>I had a series of (Release 5.2)
Production release is still labeled 4.9
>I seem to have lost all data.
Not yet, unless you rewrote the whole disk.(you rewrote some parts by reinstall)
> This I am not to a kernel problem.
Was it generic kernel or just a faulty kernel build ???
> Anyway, Is there a way/tool/service that can restore wiped?
Yes/Yes/many_expensive



Great you did not wipe everything...

There can be many things lost

(1) PC Partition table - maybe you can rebuld it from your memory, as i see you do not have backup for that
(2) BSD disklabel
maybe scan_ffs from OpenBSD can help ( it recognizes ffs, I am not quite sure about ufs2 )
(3) Filesystem superblock (if first two seem OK)
If you wrote down superblock backup sectors while setup done newfs - you can get your superblock backup (like fsck -b 32 / )

Anyway consider that disk read-only for a while, and install any recovery tools on other disks, every write pushes your success further.
0
 

Author Comment

by:eyellin
ID: 10748134
I'll try to be a bit clearer about my situation:
1. I did not re-partition the disk at all at any point after the problem occurred.
2. The partitions seem to be exactly as they were before the problem.
3. I only have one partition with important data and it has not been touched. It's called /web.
4. I re-installed Freebsd without touching /web and labeled my partitions as they were labeled before:
/
/var
/usr
/home
/web
Each partition is in place without change.
5. After install /web shows no files or directories.
6. I ran "Autopsy forensic browser" and could not see any directories of files, however when using the "Data Unit" option. I could see that my data (I think all of it) has not been altered. I could by searching text keywords I could even find specific data that I knew existed before the storm...
7. So my data is there on /web but I cannot access it...
8. I ran scan_ffs but all I got was a long, long list of blocks. How can this help? I don't have the knowledge.
9. I ran fsck -b 32 /web and this is what I got:
Alternate super block location: 32
** /dev/aacd0s1g (NO WRITE)
** Last Mounted on
** Phase 1 - Check Blocks and Sizes
** Phase 2 - Check Pathnames
** Phase 3 - Check Connectivity
** Phase 4 - Check Reference Counts
** Phase 5 - Check Cyl groups
(16 frags, 6471136 blocks, 0.0% fragmentation)

Does not seem to help much either.
Where do I go from here?

0
 
LVL 61

Expert Comment

by:gheist
ID: 10748342
So my (1) and (2) are ok - you did not lose all references to data

8: this shows possible locations of ffs filesystems
try scan_ffs -l, it will output data in disklabel-friendly (and more user-friendly) format, so you can backup disklabel uzing disklabel utility and insert another disklabel, which maybe will get your files back.

9: Is the output any different when you specify or do not specify -b 32 ???
0
 

Author Comment

by:eyellin
ID: 10748771
Thanks gheist.

scan_ffs -l outputs (100 GB partition!)
X: 210350264 0 4.2BSD 2048 16384 89 # /web

fsck /web output is very similar:
** /dev/aacd0s1g (NO WRITE)
** Last Mounted on /web
** Phase 1 - Check Blocks and Sizes
** Phase 2 - Check Pathnames
** Phase 3 - Check Connectivity
** Phase 4 - Check Reference Counts
** Phase 5 - Check Cyl groups
(16 frags, 6471136 blocks, 0.0% fragmentation)

So now how do I continue?
1. How do I backup the current disklable?
2. May this not cause my whole system to be inaccessible?
3. How can I see if the current label is different than the above output.
4. How do I write the scan_ffs outputed label to the label.
5. I guess at the end I need to boot the system and home my data is back... Or is there a way to check without booting?
I'm looking up the man page however I feel like I'm walking on eggs here and don't want to make more mistakes...
0
IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

 
LVL 61

Accepted Solution

by:
gheist earned 500 total points
ID: 10750970
1) you type disklabel ad0 > somesaferfile
2) backing up will not hurt, failed editing will
3) by doing (1)
4) by running disklabel -E ad0
5) no need to boot, no tool fixed your partition, main idea is to calculate offset of superblocks, they are single block long, and after use dd utility to transfer them to right places.
Is this partition with soft updates and background fsck?
If yes - softupdates is designed to have fsck always succeed, so files are always either lost or found, background fsck does this way,and you got the result.
You have done all what was possible using easy accessible tools, even used some forensic digging tool, so only chance is to apply to some data recovery company which is capable of digging up data behind ordinary, remembet that 100G partition recovery is very costly.
I remember tool named Tiramisu, which helped to bring back computers after Win95/CiH, not sure where is it now since google yielded nothing.
Most likely you will reinstall, so I will suggest avoiding experimental code of 5.2 and stay with 4.9 for a while and leave half of disk unpartitioned for future/backup uses (very handy when you run out of space etc)
0
 
LVL 2

Expert Comment

by:Nata
ID: 10754652
You may want to check this out.
I am ordering it and have heard many compliments on it.
I received the offer through an email.

http://store.worldstart.com/customer/product.php?productid=17077&cat=&page=1

Nata
Page Editor
0
 
LVL 45

Expert Comment

by:sunnycoder
ID: 10763964
0
 

Expert Comment

by:pacogray
ID: 10811235
Bad Copy Pro
0

Featured Post

IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

Let's say you need to move the data of a file system from one partition to another. This generally involves dismounting the file system, backing it up to tapes, and restoring it to a new partition. You may also copy the file system from one place to…
I have been running these systems for a few years now and I am just very happy with them.   I just wanted to share the manual that I have created for upgrades and other things.  Oooh yes! FreeBSD makes me happy (as a server), no maintenance and I al…
Learn how to get help with Linux/Unix bash shell commands. Use help to read help documents for built in bash shell commands.: Use man to interface with the online reference manuals for shell commands.: Use man to search man pages for unknown command…
Learn how to find files with the shell using the find and locate commands. Use locate to find a needle in a haystack.: With locate, check if the file still exists.: Use find to get the actual location of the file.:

760 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now