Restoring filenames from partly damaged ext4-filesystem
Rudolf Zran
I recently damaged an ext4 partition by accident (mistakenly forced
a RAID sync with another partition onto it, which I realized after
about 3% completion). As a result the beginning of the ext4 partition
seems to be overwritten with garbage and refuses to mount.
As you might guess, I'd now like to get as most of my data back (from
the part which hasn't been overwritten, of course :)).
Maybe somebody knows a good method to just "repair" the ext4-structure
from the remaining part of the partition?
Background information:
Operation system: Debian GNU/Linux 6.0.4 (Squeeze)
Kernel: Linux 2.6.32-5
Architecture: x86-amd64
e2fsprogs: 1.41.12
Filesystem type: ext4, with default settings (mkfs.ext4 /dev/xyz)
Filesystem size: Around 1TB, filled with around 800GB of data.
Filesystem content: From a lot of ASCII stuff up to files with several
GB in size and arbitrary non-standard type.
What I've tried so far:
* First of all, though the source drive is physically fine, I work on
images of the partition on a spare drive, to experiment with. Everytime
I make unrecoverable errors to that image, I recopy the original.
* "dumpe2fs -b $SBERR /dev/loop0" does NOT work, for SBERR={32768, 98304,
163840, 229376, 294912, 819200, 884736, 1605632, 2654208, 4096000,
7962624} ( see https://pzt.me/1l55 )
* "dumpe2fs -b $SBOK /dev/loop0" DOES (partly) work, for SBOK={11239424,
20480000, 23887872, 71663616, 78675968, 214990848} ( see https://pzt.me/6txz )
* "mkfs.ext4 -S /dev/loop0" results in a completely empty filesystem
* "fsck.ext4 -b $SBOK -B 4096 -v -n /dev/loop0" shows a lot of errors.
Filesystem isn't mountable afterwards ( see https://pzt.me/42yk and
https://pzt.me/3frg )
* "fsck.ext4 -b $SBOK -B 4096 -v -y /dev/loop0" recoveres after a long time.
Filesystem is mountable. Root is empty besides lost+found folder, which
contains about 300GB mostly useless data: Millions of files with wrong
permissions, useless names and some random content.
* photorec from the testdisk package recoveres, luckily!, about 500GB of
data. Though the content seems to be pretty reasonable, no filenames
are recovered, since photorec operates without using filesystem knowledge.
Do you see any chances (besides consulting professional recovery companies)
getting the filenames back? I looked into the ext4 specs a bit to figure out
where this information is stored on disk, but before I step with hexedit
through a terabyte of data, I'd rather try some solutions which are maybe
already out there.
Any help is appretiated.
Thanks in advance, Rudolf.
--
To UNSUBSCRIBE, email to debian-us...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listm...@lists.debian.org
Archive: http://lists.debian.org/1328804993.343...@web132403.mail.ird.yahoo.com
Andreas Dilger
the directory structure and inodes were located. Filesystems tend to use
the start of the disk first, because it has the best performance (about 2x
as fast as the end).
> * photorec from the testdisk package recoveres, luckily!, about 500GB of
> data. Though the content seems to be pretty reasonable, no filenames
> are recovered, since photorec operates without using filesystem knowledge.
>
> Do you see any chances (besides consulting professional recovery companies)
> getting the filenames back?
looked at it, it was still fairly complex to use.
> I looked into the ext4 specs a bit to figure out
> where this information is stored on disk, but before I step with hexedit
> through a terabyte of data, I'd rather try some solutions which are maybe
> already out there.
>
> Any help is appretiated.
>
> Thanks in advance, Rudolf.
> --
> the body of a message to majo...@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
Cheers, Andreas
--
To UNSUBSCRIBE, email to debian-us...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listm...@lists.debian.org
Rudolf Zran
[ext4 partition overwritten with garbage at the beginning]
>> * photorec from the testdisk package recoveres, luckily!, about 500GB of
>> data. Though the content seems to be pretty reasonable, no filenames
>> are recovered, since photorec operates without using filesystem
>> knowledge.
>>
>> Do you see any chances (besides consulting professional recovery companies)
>> getting the filenames back?
>
> There was an ext3grep tool that some people had success with, but when I
> looked at it, it was still fairly complex to use.
Thanks for the hint, but the problem with ext3grep is that it seems to
rely on an intact filesystem structure. It even has no option to set
another superblock besides the default one and fails with all commands
I tried ( see https://pzt.me/8q6k ).
Bye, Rudolf.
--
To UNSUBSCRIBE, email to debian-us...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listm...@lists.debian.org
Archive: http://lists.debian.org/1328822543.658...@web132404.mail.ird.yahoo.com
Walter Hurry
partition and restore from backup.
--
To UNSUBSCRIBE, email to debian-us...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listm...@lists.debian.org
Bernd Schubert
> Hello Andreas!
>
>
> [ext4 partition overwritten with garbage at the beginning]
>
>
>>> * photorec from the testdisk package recoveres, luckily!, about 500GB of
>>> data. Though the content seems to be pretty reasonable, no filenames
>>> are recovered, since photorec operates without using filesystem
>>> knowledge.
>>>
>>> Do you see any chances (besides consulting professional recovery companies)
>>> getting the filenames back?
>>
>> There was an ext3grep tool that some people had success with, but when I
>> looked at it, it was still fairly complex to use.
>
> Thanks for the hint, but the problem with ext3grep is that it seems to
> rely on an intact filesystem structure. It even has no option to set
> another superblock besides the default one and fails with all commands
> I tried ( see https://pzt.me/8q6k ).
>
an over-formated ext3/ext4 device based on directory blocks.
With some tweaks it should be able to assign the file#inode_numbers in
lost+found to a directory structure.
Problem is that I'm rather busy with too many other projects already. Do
you know C and could you add some code on your own for the lost+found
assignment? I can assist you, but it is unlikely that I find much time
do it myself...
Cheers,
Bernd
--
To UNSUBSCRIBE, email to debian-us...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listm...@lists.debian.org
Rudolf Zran
> I have written some tools in the past to recover the file structure of
> an over-formated ext3/ext4 device based on directory blocks.
> With some tweaks it should be able to assign the file#inode_numbers in
> lost+found to a directory structure.
> Problem is that I'm rather busy with too many other projects already. Do
> you know C and could you add some code on your own for the lost+found
> assignment? I can assist you, but it is unlikely that I find much time
> do it myself...
I'm not that fluent in C, but I could just give it a try. Since it's my
own data and this recovery for personal "fun" I can't do something bad
with it :) So, if you could share the code I'd be happy!
Thanks, Rudolf.
--
To UNSUBSCRIBE, email to debian-us...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listm...@lists.debian.org
Archive: http://lists.debian.org/1328893673.790...@web132401.mail.ird.yahoo.com
Theodore Tso
On Feb 9, 2012, at 11:29 AM, Rudolf Zran wrote:
> Hi everybody!
>
> I recently damaged an ext4 partition by accident (mistakenly forced
> a RAID sync with another partition onto it, which I realized after
> about 3% completion). As a result the beginning of the ext4 partition
> seems to be overwritten with garbage and refuses to mount.
>
> As you might guess, I'd now like to get as most of my data back (from
> the part which hasn't been overwritten, of course :)).
>
> Maybe somebody knows a good method to just "repair" the ext4-structure
Have you tried just simply running e2fsck, specifying an alternate superblock?
I'd do this by making a copy of the file system first, of course….
-- Ted
--
To UNSUBSCRIBE, email to debian-us...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listm...@lists.debian.org
Rudolf Zran
>> I recently damaged an ext4 partition by accident
[...]
>> Maybe somebody knows a good method to just "repair" the
>> ext4-structure from the remaining part of the partition?
>
> Have you tried just simply running e2fsck, specifying an alternate superblock?
Yes of course I tried, as I wrote in my original post ($SBOK is one
of the intact superblocks at 11239424, 20480000, 23887872, 71663616,
78675968 and 214990848).
With "all answers: no":
>> * "fsck.ext4 -b $SBOK -B 4096 -v -n /dev/loop0" shows a lot of errors.
>> Filesystem isn't mountable afterwards
# fsck.ext4 -b 214990848 -B 4096 -v -n /dev/loop0
e2fsck 1.41.12 (17-May-2010)
One or more block group descriptor checksums are invalid. Fix? no
Group descriptor 0 checksum is invalid. IGNORED.
Group descriptor 1 checksum is invalid. IGNORED.
...
Group descriptor 7451 checksum is invalid. IGNORED.
Group descriptor 7452 checksum is invalid. IGNORED.
/dev/loop0 contains a file system with errors, check forced.
Resize inode not valid. Recreate? no
Pass 1: Checking inodes, blocks, and sizes
Root inode is not a directory. Clear? no
Inode 5 should not have EOFBLOCKS_FL set (size 2642074971391648798, lblk -1)
Clear? no
...
# mount -o ro /dev/loop0 /mnt
mount: /dev/loop0: can't read superblock
# dmesg
[504508.215515] EXT4-fs error (device loop0): ext4_iget: bad extended attribute block 1920620055 in inode #2
[504508.215530] EXT4-fs (loop0): get root inode failed
[504508.215534] EXT4-fs (loop0): mount failed
With "all answers: yes":
>> * "fsck.ext4 -b $SBOK -B 4096 -v -y /dev/loop0" recoveres after a long time.
>> Filesystem is mountable. Root is empty besides lost+found folder, which
>> contains about 300GB mostly useless data: Millions of files with wrong
>> permissions, useless names and some random content.
> I'd do this by making a copy of the file system first, of course….
For sure! :) I solely work on copies.
Thanks, Rudolf.
--
To UNSUBSCRIBE, email to debian-us...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listm...@lists.debian.org
Archive: http://lists.debian.org/1328899012.922...@web132404.mail.ird.yahoo.com
Ted Ts'o
> >> * "fsck.ext4 -b $SBOK -B 4096 -v -y /dev/loop0" recoveres after a long time.
> >> Filesystem is mountable. Root is empty besides lost+found folder, which
> >> contains about 300GB mostly useless data: Millions of files with wrong
> >> permissions, useless names and some random content.
>
> > I'd do this by making a copy of the file system first, of course….
hierarcy that contained useful content.
Just to set expectations, things that you might do that tried to look
for directory blocks, etc., *might* give you more useful filenames as
opposed to random inode numbers in lost+found, but it's unlikely to
recover any more *files*. It sounds most of your files were located
in part of the inode table that got smashed, and so short of looking
at each data block to find useful bits, I doubt spending a lot of time
on trying to use or create more recovery tools based on file system
metadata is likely to result in more data getting recovered.
- Ted
P.S. e2fsck -n by definition opens the block device read-only, so
it's not at all surprising you couldn't mount it after e2fsck -n; it
wouldn't have changed anything.
--
To UNSUBSCRIBE, email to debian-us...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listm...@lists.debian.org
Bernd Schubert
> Hello Bernd!
>
>
>> I have written some tools in the past to recover the file structure of
>> an over-formated ext3/ext4 device based on directory blocks.
>> With some tweaks it should be able to assign the file#inode_numbers in
>> lost+found to a directory structure.
>> Problem is that I'm rather busy with too many other projects already. Do
>> you know C and could you add some code on your own for the lost+found
>> assignment? I can assist you, but it is unlikely that I find much time
>> do it myself...
>
> I'm not that fluent in C, but I could just give it a try. Since it's my
> own data and this recovery for personal "fun" I can't do something bad
> with it :) So, if you could share the code I'd be happy!
and I need to go to bed now.
Sorry for the day!
Cheers,
Bernd
--
To UNSUBSCRIBE, email to debian-us...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listm...@lists.debian.org
Bernd Schubert
> On Fri, Feb 10, 2012 at 06:36:52PM +0000, Rudolf Zran wrote:
>>>> * "fsck.ext4 -b $SBOK -B 4096 -v -y /dev/loop0" recoveres after a long time.
>>>> Filesystem is mountable. Root is empty besides lost+found folder, which
>>>> contains about 300GB mostly useless data: Millions of files with wrong
>>>> permissions, useless names and some random content.
>>
>>> I'd do this by making a copy of the file system first, of course….
>
> I would have expected at least some subdirectories from your directory
> hierarcy that contained useful content.
>
> Just to set expectations, things that you might do that tried to look
> for directory blocks, etc., *might* give you more useful filenames as
> opposed to random inode numbers in lost+found, but it's unlikely to
> recover any more *files*. It sounds most of your files were located
> in part of the inode table that got smashed, and so short of looking
> at each data block to find useful bits, I doubt spending a lot of time
> on trying to use or create more recovery tools based on file system
> metadata is likely to result in more data getting recovered.
>
Assigning directory blocks with '.' and '..' and then with real content
provide the file system structure and also inode-number to name
translation. Even better would be if secondary blocks also would have
'.' and '..'.
Cheers,
Bernd
--
To UNSUBSCRIBE, email to debian-us...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listm...@lists.debian.org
Russell L. Harris
because of a stupid blunder in attempting to format a USB flash drive.
>From this, I learned two things:
(1) Even a simple listing of the contents of a drive would be
invaluable in attempting to restore the drive from other sources. The
list would allow me to see (a) precisely which files were lost, and
(b) the directory structure (that is, the categorization), which is
complex and is the product of many refinements over a period of
several years.
Such a list could be generated automatically by a routine called
weekly (or better, daily) by cron. And it might be well to keep a
a copy of the list on every drive in the machine, or on the drive or
another machine.
Of course, a CVS, SVN, or Git backup would be still better.
(2) It would be well worthwhile to devote whatever desk or table space
is required to keep an old "workbench" machine readily available for
tasks such formatting flash devices and transferring data to devices
such as cell phones, audio recorders, digital cameras, etc. -- most of
which require fat-16 or fat-32 formatting and can be difficult to
mount.
The important thing is to avoid using the "workbench" machine as an
archive; important data should be stored elsewhere. Then, whenever a
blunder is made and files are deleted or a partition is corrupted, the
entire operating system can be reinstalled, with no loss other than
the time spent in reinstallation.
RLH
--
To UNSUBSCRIBE, email to debian-us...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listm...@lists.debian.org
Rudolf Zran
In an offlist reply someone recommended me ext4magic (see
http://developer.berlios.de/projects/ext4magic ).
Like magic it recovered complete directory hierarchies with filenames,
timestamps, even ownership and permissions for more than 300GB of the
deleted data.
I can recommend this to everybody who accidently destroyed parts of
his filesystem. In contrast to fsck ext4magic doesn't try to repair,
but just extracts the data completely in read only mode (feelslike
"tar xf" actually :).It's easier to use and understand and way more
effective when it comesto recovery. ext4magic shouldn't be missing
in any good recovery collection.
Thanks to all helping me out in this case.
Have a nice weekend, Rudolf.
--
To UNSUBSCRIBE, email to debian-us...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listm...@lists.debian.org
Archive: http://lists.debian.org/1328981610.632...@web132402.mail.ird.yahoo.com
Ted Ts'o
> Hi List!
>
> In an offlist reply someone recommended me ext4magic (see
> http://developer.berlios.de/projects/ext4magic ).
After taking a quick look at its wiki page, it looks like worthy
successor to ext3grep (which only works on ext3 file systems). It
appears from their web page (I haven't had a chance to play with it
yet) that it uses a variety of techniques to recover data, which
combined should work really well.
Thanks for reporting back!
- Ted
--
To UNSUBSCRIBE, email to debian-us...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listm...@lists.debian.org
Ted Ts'o
>
> Looks interesting and useful... I wonder if it makes sense to include
> this into e2fsprogs at some point, so that it is available when users
> need it most...
We'll need to talk to the author about that. At the very least it
would be good to translate the ext4magic wiki into English, so that
people who are doing web searches are more likely to find it. :-)
- Ted
--
To UNSUBSCRIBE, email to debian-us...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listm...@lists.debian.org
Andreas Dilger
> On Sat, Feb 11, 2012 at 05:33:30PM +0000, Rudolf Zran wrote:
>> Hi List!
>>
>> In an offlist reply someone recommended me ext4magic (see
>> http://developer.berlios.de/projects/ext4magic ).
>
> I wasn't familiar with ext4magic, so thanks for recommending it.
> After taking a quick look at its wiki page, it looks like worthy
> successor to ext3grep (which only works on ext3 file systems). It
> appears from their web page (I haven't had a chance to play with it
> yet) that it uses a variety of techniques to recover data, which
> combined should work really well.
this into e2fsprogs at some point, so that it is available when users
need it most...
--
To UNSUBSCRIBE, email to debian-us...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listm...@lists.debian.org