Data lost on all partotions - Is there a way to recover?

I had a series of problems with my FreeBSD machine (Release 5.2)
One thing led to another and I seem to have lost all data that was stored on all partitions. This I am not sure at what point it happend but I had to reinstall the system do to a kernel problem.
Anyway, Is there a way/tool/service that can restore FreeBSD data that seems to have been wiped? The system was not repartitioned or formatted so I would love to think that the data can be somehow restored. I have a backup but not recent enough. Lot's of data changes every day on the machine and a restore would not really help.
Who is Participating?
gheistConnect With a Mentor Commented:
1) you type disklabel ad0 > somesaferfile
2) backing up will not hurt, failed editing will
3) by doing (1)
4) by running disklabel -E ad0
5) no need to boot, no tool fixed your partition, main idea is to calculate offset of superblocks, they are single block long, and after use dd utility to transfer them to right places.
Is this partition with soft updates and background fsck?
If yes - softupdates is designed to have fsck always succeed, so files are always either lost or found, background fsck does this way,and you got the result.
You have done all what was possible using easy accessible tools, even used some forensic digging tool, so only chance is to apply to some data recovery company which is capable of digging up data behind ordinary, remembet that 100G partition recovery is very costly.
I remember tool named Tiramisu, which helped to bring back computers after Win95/CiH, not sure where is it now since google yielded nothing.
Most likely you will reinstall, so I will suggest avoiding experimental code of 5.2 and stay with 4.9 for a while and leave half of disk unpartitioned for future/backup uses (very handy when you run out of space etc)
>I had a series of (Release 5.2)
Production release is still labeled 4.9
>I seem to have lost all data.
Not yet, unless you rewrote the whole disk.(you rewrote some parts by reinstall)
> This I am not to a kernel problem.
Was it generic kernel or just a faulty kernel build ???
> Anyway, Is there a way/tool/service that can restore wiped?

Great you did not wipe everything...

There can be many things lost

(1) PC Partition table - maybe you can rebuld it from your memory, as i see you do not have backup for that
(2) BSD disklabel
maybe scan_ffs from OpenBSD can help ( it recognizes ffs, I am not quite sure about ufs2 )
(3) Filesystem superblock (if first two seem OK)
If you wrote down superblock backup sectors while setup done newfs - you can get your superblock backup (like fsck -b 32 / )

Anyway consider that disk read-only for a while, and install any recovery tools on other disks, every write pushes your success further.
eyellinAuthor Commented:
I'll try to be a bit clearer about my situation:
1. I did not re-partition the disk at all at any point after the problem occurred.
2. The partitions seem to be exactly as they were before the problem.
3. I only have one partition with important data and it has not been touched. It's called /web.
4. I re-installed Freebsd without touching /web and labeled my partitions as they were labeled before:
Each partition is in place without change.
5. After install /web shows no files or directories.
6. I ran "Autopsy forensic browser" and could not see any directories of files, however when using the "Data Unit" option. I could see that my data (I think all of it) has not been altered. I could by searching text keywords I could even find specific data that I knew existed before the storm...
7. So my data is there on /web but I cannot access it...
8. I ran scan_ffs but all I got was a long, long list of blocks. How can this help? I don't have the knowledge.
9. I ran fsck -b 32 /web and this is what I got:
Alternate super block location: 32
** /dev/aacd0s1g (NO WRITE)
** Last Mounted on
** Phase 1 - Check Blocks and Sizes
** Phase 2 - Check Pathnames
** Phase 3 - Check Connectivity
** Phase 4 - Check Reference Counts
** Phase 5 - Check Cyl groups
(16 frags, 6471136 blocks, 0.0% fragmentation)

Does not seem to help much either.
Where do I go from here?

Get expert help—faster!

Need expert help—fast? Use the Help Bell for personalized assistance getting answers to your important questions.

So my (1) and (2) are ok - you did not lose all references to data

8: this shows possible locations of ffs filesystems
try scan_ffs -l, it will output data in disklabel-friendly (and more user-friendly) format, so you can backup disklabel uzing disklabel utility and insert another disklabel, which maybe will get your files back.

9: Is the output any different when you specify or do not specify -b 32 ???
eyellinAuthor Commented:
Thanks gheist.

scan_ffs -l outputs (100 GB partition!)
X: 210350264 0 4.2BSD 2048 16384 89 # /web

fsck /web output is very similar:
** /dev/aacd0s1g (NO WRITE)
** Last Mounted on /web
** Phase 1 - Check Blocks and Sizes
** Phase 2 - Check Pathnames
** Phase 3 - Check Connectivity
** Phase 4 - Check Reference Counts
** Phase 5 - Check Cyl groups
(16 frags, 6471136 blocks, 0.0% fragmentation)

So now how do I continue?
1. How do I backup the current disklable?
2. May this not cause my whole system to be inaccessible?
3. How can I see if the current label is different than the above output.
4. How do I write the scan_ffs outputed label to the label.
5. I guess at the end I need to boot the system and home my data is back... Or is there a way to check without booting?
I'm looking up the man page however I feel like I'm walking on eggs here and don't want to make more mistakes...
You may want to check this out.
I am ordering it and have heard many compliments on it.
I received the offer through an email.

Page Editor
Bad Copy Pro
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.