[Webinar] Learn how to a build a cloud-first strategyRegister Now

x
?
Solved

Data recover using Knoppix (or some form of Linux)

Posted on 2006-04-30
19
Medium Priority
?
422 Views
Last Modified: 2008-01-09
Hello experts,

I think I just royally screwed up.  I have a USB hard drive that I was using to backup my data from a laptop before I reloaded WinXP.  In the process of the reload, I accidentally delete the partition that is on the USB drive.  Normally I would not be so upset about a few lost documents or emails but I actually had pictures from my wedding and honeymoon on the laptop that were backed up.  I know Linux has the data dump command and was trying to use Knoppix for that to recover the data but it says that it does not recognize the file format or it has not been defined.  

I'm failrly new to Linux so I wanted to throw this out there to see if any of you experts could help me out.  Is it even possible to get that data back?  Could someone give me some insight as to how to get it back if it is?  Please help!!!  My marriage depends on it.  (Not really but it would be nice to get the pictures back)

Thanks,
Chad
0
Comment
Question by:bigbadchad
  • 6
  • 6
  • 5
  • +1
19 Comments
 
LVL 16

Expert Comment

by:xDamox
ID: 16572788
Hi,

What file system were you using? ext3 or ext2?
0
 
LVL 8

Expert Comment

by:slow1000
ID: 16572890
If your laptop hasn't been rewritten, and it was in NTFS, try this utility to see what it finds.  I believe it's on Knoppix:

http://man.linux-ntfs.org/ntfsundelete.8.html
0
 

Author Comment

by:bigbadchad
ID: 16573369
The USB drive was using ntfs
0
Configuration Guide and Best Practices

Read the guide to learn how to orchestrate Data ONTAP, create application-consistent backups and enable fast recovery from NetApp storage snapshots. Version 9.5 also contains performance and scalability enhancements to meet the needs of the largest enterprise environments.

 
LVL 16

Expert Comment

by:xDamox
ID: 16573475
Hi,

you can try that tool recommended by slow1000. I found this for windows and its excellent
for NTFS recovey

http://www.recovermyfiles.com/
0
 
LVL 8

Expert Comment

by:slow1000
ID: 16573489
Good, then use ntfsundelete to see if you can recover the files.  I believe it is on Knoppix.
0
 
LVL 20

Expert Comment

by:Gns
ID: 16573920
Um, did you delete the files or the partition? If you deleted the partiton, and didn't format a new one over it, one can often just redifine the partition table... and all will be well again (since the partition table was the only thing altered before, not the data on the actual diskblocks).
One just use (linux) fdisk to define the partition again... you can make it as large as you can, it will not matter if that is larger than it initially was, since the only really important thing is to make it start at the right block.... usually the first:-). Make the partition type 07, write it to disk.... and boot up windoze.... Hopefully you'll get all that you need back:-). Sure, one can use a whole slew of other tools, but for something like that, fdisk is all you need:-).

-- Glenn
0
 

Author Comment

by:bigbadchad
ID: 16574782
Forgive my ignorance.  

I gave ntfsundelete a try but it could not mooount the drive. I then tried using fdisk to create the new partition but I could not figure out how to define it as an ntfs partition.  It would only let me define a Linux file system.

Good stuff so far.
0
 
LVL 8

Expert Comment

by:slow1000
ID: 16575169
For partitioning, NTFS is defined as filesystem type 07 (hint: if you see 82 or 83 for ext and swap, this is the fileystem type).

Using ntfsundelete, the command you probably want to use is "ntfsundelete /dev/sda" to scan the disk for files capable of being restored.
0
 
LVL 20

Expert Comment

by:Gns
ID: 16576367
Yup.

In fdisk, you need first define the partition (size), then change the type via the "t" command, then w-rite the new partition table to disk.
And you need operate on the usb-storage device handle, as slow1000 mentions, and that is probably /dev/sda.... you can check what it becomes with dmesg.

-- Glenn
0
 

Author Comment

by:bigbadchad
ID: 16582199
So I have the disk partitioned correctly (or so I think).  However, windoze asks me to format the drive when I go to access it.   I go back into Knoppix to try ntfsundelete but it says that it cannot mount the volume: invalid argument.  If I try to mount it manually, I get an error saying: wrong fs type, bad option, bad superblock on /dev/sda,
       missing codepage or other error

I had a friend tell me about the datadump command that copys all of the 1s and 0s to a file and then you can mount the file.  Would this be possible if I can't moount the volume?
0
 
LVL 8

Expert Comment

by:slow1000
ID: 16582818
It's possible that it could work, it definitely is worth a try.  
0
 
LVL 20

Expert Comment

by:Gns
ID: 16584018
Yup.

One has to question:
1) wether it really was ntfs to begin with, and
2) whether the data blocks are intact.

Using dd to dump it all out somewhere (on another HDD) is an excellent idea.
If you opt to dump the entire drive (operate on the /dev/sda instead of /dev/sda1 handle), you might need skip the first block (MBR + partition table) to get at the actual partition data.
Start reading at "man dd";).

-- Glenn
0
 
LVL 8

Expert Comment

by:slow1000
ID: 16586174
To add to Glenn's comments, unless you reformated it, it almost certainly would have come from the factory as fat32.  Are you certain it was ntfs?
0
 

Author Comment

by:bigbadchad
ID: 16588309
Now that you mention it, I don't really know for sure.  I got it from a friend and he may have never formatted it so I will try using fat32 or whatever the Linux equivelent is.
0
 
LVL 20

Expert Comment

by:Gns
ID: 16590552
It's all M$, but fdisk will create it... You can l-ist the partition types, IIRC, in fdisk... Don't rightly remember the hex code though... Ah, Andries to the rescue: http://www.win.tue.nl/~aeb/partitions/partition_types-1.html (probably 0c... or 0b, as you can see). When you've vhanged it, you can try and mount it in linux with a command like
mount -t vfat -o rw /dev/sda1 /some/where
provided you've created the directory /some/where first ... Lets say you'd want it to mount on /usbdisk, then do "mkdir /usbdisk", and then
mount -t vfat -o rw /dev/sda1 /usbdisk
... The mount point can be any (empty... Well, it doesn't have to be, but it is better:-) directory of your choosing.
If it is recognaizable as vfat/fat32, it'll mount it there, and you should be able to list the files with
ls /usbdisk

Remember to umount it before unplugging it, or do a shutdown (the umount is implicit in that).

Best of luck
-- Glenn
0
 

Author Comment

by:bigbadchad
ID: 16626003
I did a simple dd (dd if=/dev/sda of=/mnt/smb1/usbdisk.img) to a file but I could not mount the file.

Glenn, you mentioned skipping the MBR and the partition table.  What would be the command to do that?
0
 
LVL 20

Expert Comment

by:Gns
ID: 16626176
man dd
will show you that you can a) specifu the size of each read/write operation dd does, and b) specify how many such blocks you'd like to skip before starting the copy. So doing
dd if=/dev/sda bs=512 of=/where/ever skip=1
should skip the first block... If you've still have the file, you can operate directly on that, instead of the usb drive (might be a lot faster:-)... That is change if to if=/where/you/put/it and of to of=/a/copy/without/the/first/block
... But you could reach the same effect by using the partition (/dev/sda1), assuming it is where we think it is:-).

Did you try access it as vfat/fat32? No luck?

-- Glenn
0
 

Author Comment

by:bigbadchad
ID: 16629873
I just don't know.

I did try to mount the drive using both vfat and ntfs.  Each time it said that it was the wrong fs type.  In checking dmesg, it says that no vfat or ntfs volumes have been found.

As far as the dd goes, I gave it a try but it terminated in the middle of the process saying the file size limit has been exceeded stopping at 2 gigs.  I maybe have about 10 gigs worth that I need to get off of the drive.  It does create a file and when I try to  mount it, it says that the resource is busy and it can't determine the fs type.  I am having to dump the file to a mounted share on my other windows computer because I cannot write to my local HD in Knoppix so I don't know if that is affecting anything.  Nothing I have tried is allowing me to change the permissions on the local HD to allow me to write to it.

At this point, I havent given up hope but I'm not feeling too optimistic about getting this data back.

You have all been an incredible help so far. Thanks.

-Chad
0
 
LVL 20

Accepted Solution

by:
Gns earned 2000 total points
ID: 16630516
Ok. The 2GiB limit is probably from the network fs point of view... dd should be clean in this respect.

And knoppix (in the latest incarnations) don't contain the necessary ntfs write support, so that's probably why you cannot write to the local drive from that.

You could try getting Ubuntu (the combined live and install CD). I think you might get that to write to the local HDD. Check it out at: http://www.ubuntu.org ... Be aware though that the ntfs write support in linux (kernel) has a rather sordid history (has been known to hose more than one ntfs partition:), so don't do that unless you are prepared to reinstall windoze, in the worst of cases:-). Having said that, write support has improved much lately, so you should be pretty OK...

But as you say... Things aren't exactly looking up:-(

-- Glenn
0

Featured Post

Hire Technology Freelancers with Gigs

Work with freelancers specializing in everything from database administration to programming, who have proven themselves as experts in their field. Hire the best, collaborate easily, pay securely, and get projects done right.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In my business, I use the LTS (Long Term Support) versions of Linux. My workstations do real work, and so I rarely have the patience to deal with silly problems caused by an upgraded kernel that had experimental software on it to begin with from a r…
Join Greg Farro and Ethan Banks from Packet Pushers (http://packetpushers.net/podcast/podcasts/pq-show-93-smart-network-monitoring-paessler-sponsored/) and Greg Ross from Paessler (https://www.paessler.com/prtg) for a discussion about smart network …
Learn how to get help with Linux/Unix bash shell commands. Use help to read help documents for built in bash shell commands.: Use man to interface with the online reference manuals for shell commands.: Use man to search man pages for unknown command…
Connecting to an Amazon Linux EC2 Instance from Windows Using PuTTY.
Suggested Courses
Course of the Month20 days, 14 hours left to enroll

864 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question