Data recover using Knoppix (or some form of Linux)

Hello experts,

I think I just royally screwed up.  I have a USB hard drive that I was using to backup my data from a laptop before I reloaded WinXP.  In the process of the reload, I accidentally delete the partition that is on the USB drive.  Normally I would not be so upset about a few lost documents or emails but I actually had pictures from my wedding and honeymoon on the laptop that were backed up.  I know Linux has the data dump command and was trying to use Knoppix for that to recover the data but it says that it does not recognize the file format or it has not been defined.  

I'm failrly new to Linux so I wanted to throw this out there to see if any of you experts could help me out.  Is it even possible to get that data back?  Could someone give me some insight as to how to get it back if it is?  Please help!!!  My marriage depends on it.  (Not really but it would be nice to get the pictures back)

Thanks,
Chad
bigbadchadAsked:
Who is Participating?
 
GnsConnect With a Mentor Commented:
Ok. The 2GiB limit is probably from the network fs point of view... dd should be clean in this respect.

And knoppix (in the latest incarnations) don't contain the necessary ntfs write support, so that's probably why you cannot write to the local drive from that.

You could try getting Ubuntu (the combined live and install CD). I think you might get that to write to the local HDD. Check it out at: http://www.ubuntu.org ... Be aware though that the ntfs write support in linux (kernel) has a rather sordid history (has been known to hose more than one ntfs partition:), so don't do that unless you are prepared to reinstall windoze, in the worst of cases:-). Having said that, write support has improved much lately, so you should be pretty OK...

But as you say... Things aren't exactly looking up:-(

-- Glenn
0
 
xDamoxCommented:
Hi,

What file system were you using? ext3 or ext2?
0
 
slow1000Commented:
If your laptop hasn't been rewritten, and it was in NTFS, try this utility to see what it finds.  I believe it's on Knoppix:

http://man.linux-ntfs.org/ntfsundelete.8.html
0
Keep up with what's happening at Experts Exchange!

Sign up to receive Decoded, a new monthly digest with product updates, feature release info, continuing education opportunities, and more.

 
bigbadchadAuthor Commented:
The USB drive was using ntfs
0
 
xDamoxCommented:
Hi,

you can try that tool recommended by slow1000. I found this for windows and its excellent
for NTFS recovey

http://www.recovermyfiles.com/
0
 
slow1000Commented:
Good, then use ntfsundelete to see if you can recover the files.  I believe it is on Knoppix.
0
 
GnsCommented:
Um, did you delete the files or the partition? If you deleted the partiton, and didn't format a new one over it, one can often just redifine the partition table... and all will be well again (since the partition table was the only thing altered before, not the data on the actual diskblocks).
One just use (linux) fdisk to define the partition again... you can make it as large as you can, it will not matter if that is larger than it initially was, since the only really important thing is to make it start at the right block.... usually the first:-). Make the partition type 07, write it to disk.... and boot up windoze.... Hopefully you'll get all that you need back:-). Sure, one can use a whole slew of other tools, but for something like that, fdisk is all you need:-).

-- Glenn
0
 
bigbadchadAuthor Commented:
Forgive my ignorance.  

I gave ntfsundelete a try but it could not mooount the drive. I then tried using fdisk to create the new partition but I could not figure out how to define it as an ntfs partition.  It would only let me define a Linux file system.

Good stuff so far.
0
 
slow1000Commented:
For partitioning, NTFS is defined as filesystem type 07 (hint: if you see 82 or 83 for ext and swap, this is the fileystem type).

Using ntfsundelete, the command you probably want to use is "ntfsundelete /dev/sda" to scan the disk for files capable of being restored.
0
 
GnsCommented:
Yup.

In fdisk, you need first define the partition (size), then change the type via the "t" command, then w-rite the new partition table to disk.
And you need operate on the usb-storage device handle, as slow1000 mentions, and that is probably /dev/sda.... you can check what it becomes with dmesg.

-- Glenn
0
 
bigbadchadAuthor Commented:
So I have the disk partitioned correctly (or so I think).  However, windoze asks me to format the drive when I go to access it.   I go back into Knoppix to try ntfsundelete but it says that it cannot mount the volume: invalid argument.  If I try to mount it manually, I get an error saying: wrong fs type, bad option, bad superblock on /dev/sda,
       missing codepage or other error

I had a friend tell me about the datadump command that copys all of the 1s and 0s to a file and then you can mount the file.  Would this be possible if I can't moount the volume?
0
 
slow1000Commented:
It's possible that it could work, it definitely is worth a try.  
0
 
GnsCommented:
Yup.

One has to question:
1) wether it really was ntfs to begin with, and
2) whether the data blocks are intact.

Using dd to dump it all out somewhere (on another HDD) is an excellent idea.
If you opt to dump the entire drive (operate on the /dev/sda instead of /dev/sda1 handle), you might need skip the first block (MBR + partition table) to get at the actual partition data.
Start reading at "man dd";).

-- Glenn
0
 
slow1000Commented:
To add to Glenn's comments, unless you reformated it, it almost certainly would have come from the factory as fat32.  Are you certain it was ntfs?
0
 
bigbadchadAuthor Commented:
Now that you mention it, I don't really know for sure.  I got it from a friend and he may have never formatted it so I will try using fat32 or whatever the Linux equivelent is.
0
 
GnsCommented:
It's all M$, but fdisk will create it... You can l-ist the partition types, IIRC, in fdisk... Don't rightly remember the hex code though... Ah, Andries to the rescue: http://www.win.tue.nl/~aeb/partitions/partition_types-1.html (probably 0c... or 0b, as you can see). When you've vhanged it, you can try and mount it in linux with a command like
mount -t vfat -o rw /dev/sda1 /some/where
provided you've created the directory /some/where first ... Lets say you'd want it to mount on /usbdisk, then do "mkdir /usbdisk", and then
mount -t vfat -o rw /dev/sda1 /usbdisk
... The mount point can be any (empty... Well, it doesn't have to be, but it is better:-) directory of your choosing.
If it is recognaizable as vfat/fat32, it'll mount it there, and you should be able to list the files with
ls /usbdisk

Remember to umount it before unplugging it, or do a shutdown (the umount is implicit in that).

Best of luck
-- Glenn
0
 
bigbadchadAuthor Commented:
I did a simple dd (dd if=/dev/sda of=/mnt/smb1/usbdisk.img) to a file but I could not mount the file.

Glenn, you mentioned skipping the MBR and the partition table.  What would be the command to do that?
0
 
GnsCommented:
man dd
will show you that you can a) specifu the size of each read/write operation dd does, and b) specify how many such blocks you'd like to skip before starting the copy. So doing
dd if=/dev/sda bs=512 of=/where/ever skip=1
should skip the first block... If you've still have the file, you can operate directly on that, instead of the usb drive (might be a lot faster:-)... That is change if to if=/where/you/put/it and of to of=/a/copy/without/the/first/block
... But you could reach the same effect by using the partition (/dev/sda1), assuming it is where we think it is:-).

Did you try access it as vfat/fat32? No luck?

-- Glenn
0
 
bigbadchadAuthor Commented:
I just don't know.

I did try to mount the drive using both vfat and ntfs.  Each time it said that it was the wrong fs type.  In checking dmesg, it says that no vfat or ntfs volumes have been found.

As far as the dd goes, I gave it a try but it terminated in the middle of the process saying the file size limit has been exceeded stopping at 2 gigs.  I maybe have about 10 gigs worth that I need to get off of the drive.  It does create a file and when I try to  mount it, it says that the resource is busy and it can't determine the fs type.  I am having to dump the file to a mounted share on my other windows computer because I cannot write to my local HD in Knoppix so I don't know if that is affecting anything.  Nothing I have tried is allowing me to change the permissions on the local HD to allow me to write to it.

At this point, I havent given up hope but I'm not feeling too optimistic about getting this data back.

You have all been an incredible help so far. Thanks.

-Chad
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.