Can I salvage this data?
October 7, 2010 10:30 AM   Subscribe

Is there a way to salvage data from a stupid dd mistake? [Ubuntu]

So first thing is that yes, I know. I know I'm an idiot.

Second thing is to describe my idiocy:
In Ubuntu [Karmic], I was making a usb boot image to try out a new version of linux, and in my haste I specified the output file of the dd job to
/dev/sd[omgnottheoneIwanted] - which is an internal hdd
instead of /dev/sdg

So now I have a 1 terrabyte drive that has about 2 gigs worth of image on it, and the rest unallocated.
I know that the section that was overwritten is never going to be salvageable, but I hope that I can still save something.

I'll be here all day, so I can answer questions about things I neglected to mention. I'm searching the googles and googling the nets, but my confidence levels are low right now.
posted by Acari to Technology (12 answers total) 1 user marked this as a favorite
 
Set your partitions back up exactly the way you had them (hopefully just one that filled the drive, in which case you shouldn't have much trouble recreating it); DON'T format it, but instead fsck the FS from one of the backup superblocks. You will lose the data that you overwrote, but anything that didn't get clobbered should remain intact.

I've done exactly that and had it work on EXT2, though not with nearly so much damage at the beginning of the drive, just a few megs. You may have more or less success depending on your actual FS type (and if you use LVM, good luck).
posted by pla at 10:38 AM on October 7, 2010


Response by poster: Do I get more than one shot at this?
[I can't remember 100% if it was NTFS or ext3]
posted by Acari at 10:40 AM on October 7, 2010


Maybe. Sleuth Kit (plus autopsy if you want a nice interface) has saved my ass in the past. Whatever you do, the safest thing at this point is to dd the damaged drive to an image and just work on the image, lest you incur further damage to your data.
posted by Cat Pie Hurts at 10:41 AM on October 7, 2010


Yeah, in this situation I would definitely be booting to a livecd and making a dd image of the hard drive to work from. You can mount the image using "-o loop" and try at FS/file recovery from the live system. Don't write any data to the mangled drive.

The Ubuntu Rescue liveCD has some decent documentation on data recovery, check that out.
posted by aaronbeekay at 10:51 AM on October 7, 2010


Do I get more than one shot at this? [I can't remember 100% if it was NTFS or ext3]

Most likely, one shot (if you work off the original drive) - I'd second the suggestion to work off a dd'd image, if you have the free space to do that from a 1TB drive. Depending on the difficulty of replacing the contents of the drive, I'd seriously consider picking up a 2TB on the cheap just for this purpose.

Anyway... EXT3 should work okay as I described (you can actually mount an EXT3 partition as a valid EXT2 filesystem). NTFS keeps both a backup boot sector and MFT, so the same idea should apply, but AFAIK, fsck.ntfs doesn't have the power to do a repair like this, so you'll need to find a suitable 3rd party tool to do it.
posted by pla at 11:00 AM on October 7, 2010


Response by poster: I don't believe that creating an image is possible, as this drive is in order of magnitude bigger than my other hdd [on which is my OS and little else]. pla's solution is sounding the most straightforward to me right now, but I'm going to keep reading for a bit to see what I find. I'm downloading the ubuntu rescue cd now to at least take a look at what it has to offer.
posted by Acari at 11:02 AM on October 7, 2010


Okay, if you can't make an image, I'd suggest trying this first (nondestructive, so safe to try):

Mount the partition R/O from a backup superblock (try 819200, the first backup you should have past 2GB from the start) and see how bad it looks. And if you can't find valid backup superblock, well, that would suggest you used NTFS.

This also gives you another option, if you can get it to mount (ignoring the errors it will spit at you) - You can try copying over as many files from the damaged partition to your boot partition as possible (in order of importance to you) before trying an actual repair. And although you don't have a spare large drive, you can dump files across your LAN if you have another machines that might have some decent space free.


Also, something to consider regardless of FS - If you made the partition in Linux, the partition probably starts at sector 0. If you made it in XP, sector 63. If you made it in Vista or Win7, sector 2048. Since you have nothing valid at the start of the drive anymore, you do get a second shot at your partition layout (but don't go all cowboy on it - The fewer mistakes, the better your chances of recovery).
posted by pla at 11:34 AM on October 7, 2010


Response by poster: ok.
from sudo dumpe2fs /dev/sdb |grep superblock , I found no superblocks.
from sudo mount -r -o loop,sb=819200 /dev/sdb mnt -t ntfs I got 'NTFS signature is missing'
[similarly when trying to mount as ext2 or ext3 dmesg | tail gives me a 'can't find [whatever] filesystem on /dev/sdb]

So I sort of infer that the absence of superblocks [being that there ought to be backups] implies more strongly that this is not ext2 or 3. I think the screwed up NTFS-ness is more likely a result of the first 2 GB being overwritten.

Does that sound plausible? This was more likely NTFS?

[and what is a good ntfs recovery tool for linux?]
posted by Acari at 11:55 AM on October 7, 2010


Well, dumping it should have found a superblock, so I'd agree, probably NTFS.

I honestly don't know that much about running NTFS under Linux (I've done it, but only as a mounted Windows partition when booting to a liveCD) - Afraid my helpfulness here may have come to an end.

Best I can offer, this seems like a pretty decent source of info, and they suggest a free (GNU) tool before going with something commercial, so they don't look like they just want to sell you a bottle of snake oil.

Best of luck!
posted by pla at 12:10 PM on October 7, 2010


Sleuth Kit supports NTFS. Here's a list of boot cds that include TSK.
posted by Cat Pie Hurts at 12:29 PM on October 7, 2010


Response by poster: [right now photorec has been running for a long time and is finding... some things? Testdisk found the name of the old partition, but could not find any of the files, claiming 'the filesystem seems broken'. I tried and failed to understand what to do with the sleuth kit, but it did sound like a good idea. 'Estimated time for achievement' in photorec is... tomorrow sometime. I'll report back when it finishes, I guess.]

Thanks to everybody for being so helpful. Thinking is hard, and I'm glad I had people who were kind enough to do it for me today.
posted by Acari at 5:12 PM on October 7, 2010


Response by poster: eulogy:
Photorec found lots of things. More things than could fit on the external drive I borrowed for this project. Those things, however, were mostly completely unusable. None of them had their filenames intact, of course, but some of them had their extensions correctly guessed.
Going through about 20000 files, trying to open it with a list of programs based on what I imagined the file to be from the size and place in the lineup got really old really fast.
Especially since the great majority [of those I tried] turned out to be fragments of things. I also had some 20gig files it told me were .pngs, and I would swear that the biggest file I had on there could be more than 4.7. And so on and so on.

I just called it a day and reformatted and told my wife that I took whatever files she had on there out to the farm to live a more carefree life. She took it really well, but I really hope that's not because we're going to the farm for thanksgiving dinner today...

Anyway. Thanks again to everybody for all of your advice. Internet hugs for all.
posted by Acari at 8:36 AM on October 10, 2010


« Older Classic American bootstrap stories?   |   Help Me Exalt, But Legally Newer »
This thread is closed to new comments.