Solved

Data lost on all partotions - Is there a way to recover?

Posted on 2004-03-31
10
1,325 Views
Last Modified: 2013-11-22
I had a series of problems with my FreeBSD machine (Release 5.2)
One thing led to another and I seem to have lost all data that was stored on all partitions. This I am not sure at what point it happend but I had to reinstall the system do to a kernel problem.
Anyway, Is there a way/tool/service that can restore FreeBSD data that seems to have been wiped? The system was not repartitioned or formatted so I would love to think that the data can be somehow restored. I have a backup but not recent enough. Lot's of data changes every day on the machine and a restore would not really help.
0
Comment
Question by:eyellin
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
10 Comments
 
LVL 62

Expert Comment

by:gheist
ID: 10735206
>I had a series of (Release 5.2)
Production release is still labeled 4.9
>I seem to have lost all data.
Not yet, unless you rewrote the whole disk.(you rewrote some parts by reinstall)
> This I am not to a kernel problem.
Was it generic kernel or just a faulty kernel build ???
> Anyway, Is there a way/tool/service that can restore wiped?
Yes/Yes/many_expensive



Great you did not wipe everything...

There can be many things lost

(1) PC Partition table - maybe you can rebuld it from your memory, as i see you do not have backup for that
(2) BSD disklabel
maybe scan_ffs from OpenBSD can help ( it recognizes ffs, I am not quite sure about ufs2 )
(3) Filesystem superblock (if first two seem OK)
If you wrote down superblock backup sectors while setup done newfs - you can get your superblock backup (like fsck -b 32 / )

Anyway consider that disk read-only for a while, and install any recovery tools on other disks, every write pushes your success further.
0
 

Author Comment

by:eyellin
ID: 10748134
I'll try to be a bit clearer about my situation:
1. I did not re-partition the disk at all at any point after the problem occurred.
2. The partitions seem to be exactly as they were before the problem.
3. I only have one partition with important data and it has not been touched. It's called /web.
4. I re-installed Freebsd without touching /web and labeled my partitions as they were labeled before:
/
/var
/usr
/home
/web
Each partition is in place without change.
5. After install /web shows no files or directories.
6. I ran "Autopsy forensic browser" and could not see any directories of files, however when using the "Data Unit" option. I could see that my data (I think all of it) has not been altered. I could by searching text keywords I could even find specific data that I knew existed before the storm...
7. So my data is there on /web but I cannot access it...
8. I ran scan_ffs but all I got was a long, long list of blocks. How can this help? I don't have the knowledge.
9. I ran fsck -b 32 /web and this is what I got:
Alternate super block location: 32
** /dev/aacd0s1g (NO WRITE)
** Last Mounted on
** Phase 1 - Check Blocks and Sizes
** Phase 2 - Check Pathnames
** Phase 3 - Check Connectivity
** Phase 4 - Check Reference Counts
** Phase 5 - Check Cyl groups
(16 frags, 6471136 blocks, 0.0% fragmentation)

Does not seem to help much either.
Where do I go from here?

0
 
LVL 62

Expert Comment

by:gheist
ID: 10748342
So my (1) and (2) are ok - you did not lose all references to data

8: this shows possible locations of ffs filesystems
try scan_ffs -l, it will output data in disklabel-friendly (and more user-friendly) format, so you can backup disklabel uzing disklabel utility and insert another disklabel, which maybe will get your files back.

9: Is the output any different when you specify or do not specify -b 32 ???
0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 

Author Comment

by:eyellin
ID: 10748771
Thanks gheist.

scan_ffs -l outputs (100 GB partition!)
X: 210350264 0 4.2BSD 2048 16384 89 # /web

fsck /web output is very similar:
** /dev/aacd0s1g (NO WRITE)
** Last Mounted on /web
** Phase 1 - Check Blocks and Sizes
** Phase 2 - Check Pathnames
** Phase 3 - Check Connectivity
** Phase 4 - Check Reference Counts
** Phase 5 - Check Cyl groups
(16 frags, 6471136 blocks, 0.0% fragmentation)

So now how do I continue?
1. How do I backup the current disklable?
2. May this not cause my whole system to be inaccessible?
3. How can I see if the current label is different than the above output.
4. How do I write the scan_ffs outputed label to the label.
5. I guess at the end I need to boot the system and home my data is back... Or is there a way to check without booting?
I'm looking up the man page however I feel like I'm walking on eggs here and don't want to make more mistakes...
0
 
LVL 62

Accepted Solution

by:
gheist earned 500 total points
ID: 10750970
1) you type disklabel ad0 > somesaferfile
2) backing up will not hurt, failed editing will
3) by doing (1)
4) by running disklabel -E ad0
5) no need to boot, no tool fixed your partition, main idea is to calculate offset of superblocks, they are single block long, and after use dd utility to transfer them to right places.
Is this partition with soft updates and background fsck?
If yes - softupdates is designed to have fsck always succeed, so files are always either lost or found, background fsck does this way,and you got the result.
You have done all what was possible using easy accessible tools, even used some forensic digging tool, so only chance is to apply to some data recovery company which is capable of digging up data behind ordinary, remembet that 100G partition recovery is very costly.
I remember tool named Tiramisu, which helped to bring back computers after Win95/CiH, not sure where is it now since google yielded nothing.
Most likely you will reinstall, so I will suggest avoiding experimental code of 5.2 and stay with 4.9 for a while and leave half of disk unpartitioned for future/backup uses (very handy when you run out of space etc)
0
 
LVL 2

Expert Comment

by:Nata
ID: 10754652
You may want to check this out.
I am ordering it and have heard many compliments on it.
I received the offer through an email.

http://store.worldstart.com/customer/product.php?productid=17077&cat=&page=1

Nata
Page Editor
0
 
LVL 45

Expert Comment

by:sunnycoder
ID: 10763964
0
 

Expert Comment

by:pacogray
ID: 10811235
Bad Copy Pro
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Attention: This article will no longer be maintained. If you have any questions, please feel free to mail me. jgh@FreeBSD.org Please see http://www.freebsd.org/doc/en_US.ISO8859-1/articles/freebsd-update-server/ for the updated article. It is avail…
Installing FreeBSD… FreeBSD is a darling of an operating system. The stability and usability make it a clear choice for servers and desktops (for the cunning). Savvy?  The Ports collection makes available every popular FOSS application and packag…
Learn how to navigate the file tree with the shell. Use pwd to print the current working directory: Use ls to list a directory's contents: Use cd to change to a new directory: Use wildcards instead of typing out long directory names: Use ../ to move…
In a previous video, we went over how to export a DynamoDB table into Amazon S3.  In this video, we show how to load the export from S3 into a DynamoDB table.

756 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question