Differences

This shows you the differences between two versions of the page.

testdisk [2012/04/09 16:42]
mike
testdisk [2012/04/10 15:46]
mike
Line 84: Line 84:
 while [ $i -lt 10000 ] while [ $i -lt 10000 ]
 do do
-        echo $i+        ​echo $i
  
         set -- "​$targetdir"/​*         set -- "​$targetdir"/​*
Line 128: Line 128:
 To corrupt the disk, I'm throwing random nulls throughout the image with the code below. To corrupt the disk, I'm throwing random nulls throughout the image with the code below.
  
-<​code>​ +<​code ​bash
-blacktower:​~/​testdisk# ​vi ./​corrupt.bash+blacktower:​~/​testdisk# ​cat ./​corrupt.bash
 #!/bin/bash #!/bin/bash
 i=0 i=0
 while [ $i -lt 100 ] while [ $i -lt 100 ]
-do  +do 
- target=$(( RANDOM % 5120 ))$(( RANDOM % 10000 )) + ​target=$(( RANDOM % 5120 ))$(( RANDOM % 10000 )) 
- echo $target + echo $target 
- dd if=/​dev/​zero of=./​baddisk.img bs=1 count=1 seek=$target 2> /dev/null + #dd if=/​dev/​zero of=./​baddisk.img bs=1 count=1 seek=$target 2> /dev/null 
-  i=$((i+1))+ ./corrupt ./​baddisk.img $target 
 +   i=$((i+1))
 done done
 +</​code>​
 +<code c>
 +blacktower:​~/​testdisk#​ cat ./corrupt.c
 +#include <​stdio.h>​
 +/* program to write to specific location of a file */
 +
 +int main(int argc, char* argv[])
 +{
 + FILE* fh;
 +
 + if( argc != 3 ) {
 +   ​printf( "​\nUsage:​ %s filename\n\n Where \"​filename\"​ is the file to corrupt and \"​location\"​ is the offset in bytes\n",​ argv[0] );
 +   ​return(1);​
 + }
 +
 + fh = fopen( argv[1], "​r+"​ );
 +
 + if( fh == NULL ) {
 +   ​printf( "​\nCould not open existing file for writing!\nUsage:​ %s filename\n\n Where \"​filename\"​ is the file to corrupt and \"​location\"​ is the offset in bytes\n",​ argv[0] );
 +   ​return(1);​
 + }
 +
 + ​fseek( fh, atoi(argv[2])-2,​ SEEK_SET );
 +
 + ​fputc( 0, fh );
 +
 + ​fclose( fh );
 + ​return 0;
 +}
 +
 +</​code>​
 +
 +<​code>​
 blacktower:​~/​testdisk#​ ./​corrupt.bash blacktower:​~/​testdisk#​ ./​corrupt.bash
-8528335 +blacktower:​~/​testdisk#​ mount -o loop ./​baddisk.img /​mnt/​baddisk/​ 
-26272528 +blacktower:​~/​testdisk#​ md5sum /​mnt/​baddisk/​* 2> /dev/null 
-17838022 +0b5080a051d53ba2432b666c90d7c0b4 ​ /​mnt/​baddisk/​fortunes.txt 
-... +8f301122918ab70d8cdccebdac46c8c5 ​ /​mnt/​baddisk/​libreoffice writer.doc 
-7885613 +45f1fbff8dcd6a92eef33e5639837c81 ​ /​mnt/​baddisk/​libreoffice writer.odt 
-12015832 +6dbeeb8ff8b82d35296dfc5265897f92 ​ /​mnt/​baddisk/​libreoffice writer.pdf 
-20671949+9d4cb7f894983e667a7c2173f9fa59c4 ​ /​mnt/​baddisk/​libreoffice writer.rtf 
 +24896c06121360c4b3daa1deca7e854f ​ /​mnt/​baddisk/​testimage.bmp 
 +3c90cdc73c1b155b7cdd5e0a13584207 ​ /​mnt/​baddisk/​testimage.jpg 
 +8b40c922b02ef43be7c986fa59536260 ​ /​mnt/​baddisk/​testimage.png 
 +blacktower:​~/​testdisk#​ 
 +</​code>​
  
 +Looks like we hit mostly empty space. ​ Only the bmp is corrupted.
 +
 +Change the 100 random bytes to 10000 and run again:
 +
 +<​code>​
 +blacktower:​~/​testdisk#​ fsck.ext3 ./​baddisk.img
 +e2fsck 1.41.12 (17-May-2010)
 +./​baddisk.img:​ clean, 20/12544 files, 7703/50000 blocks
 +
 +blacktower:​~/​testdisk#​ md5sum /​mnt/​baddisk/​* 2> /dev/null
 +e04f2a97d51432d04a64f642e350b1f0 ​ /​mnt/​baddisk/​fortunes.txt
 +8f301122918ab70d8cdccebdac46c8c5 ​ /​mnt/​baddisk/​libreoffice writer.doc
 +fc2475f7a1a70f2f31ae50ca59b96cb7 ​ /​mnt/​baddisk/​libreoffice writer.odt
 +6037209ee8c78156a1e6acea00b09dd1 ​ /​mnt/​baddisk/​libreoffice writer.pdf
 +16a93d89a8dedfd23ab629006104cbca ​ /​mnt/​baddisk/​libreoffice writer.rtf
 +aaf2de72c3f2966bf414d598435dc432 ​ /​mnt/​baddisk/​testimage.bmp
 +3c8a111a8c9baaa09aea73e7d59e890e ​ /​mnt/​baddisk/​testimage.jpg
 +e3912ad720969f46308cdccad73a66f8 ​ /​mnt/​baddisk/​testimage.png
 </​code>​ </​code>​
  
-Success... corrupted filesystem.+Only the .doc file is safe now  
 + 
 +Again.
  
 <​code>​ <​code>​
 blacktower:​~/​testdisk#​ fsck.ext3 ./​baddisk.img blacktower:​~/​testdisk#​ fsck.ext3 ./​baddisk.img
 e2fsck 1.41.12 (17-May-2010) e2fsck 1.41.12 (17-May-2010)
-Superblock has an invalid journal (inode 8)+./​baddisk.img:​ clean, 20/12544 files, 7703/50000 blocks 
-Clear<y>? yes+blacktower:​~/​testdisk#​ 
 +</code>
  
-*** ext3 journal has been deleted - filesystem ​is now ext2 only ***+fortunes.txt ​is visibly corrupted, and every file fails an MD5, but the filesystem hasn't reported any problems yet.
  
-The filesystem size (according to the superblock) is 50000 blocks +{{:​article-testdisk:​corruption.png?nolink&​300 |}}
-The physical size of the device is 20187 blocks +
-Either the superblock or the partition table is likely to be corrupt! +
-Abort<​y>​yes+
  
-blacktower:​~/​testdisk#​ mount -o loop ./​baddisk.img /​mnt/​baddisk/​+Different method: 
 + 
 +blacktower:​~/​testdisk#​ tail -n +10 ./​baddisk-2.img > baddisk-2b.img 
 +blacktower:​~/​testdisk#​ ls -l 
 +total 299852 
 +-rw-r--r-- 1 root root 50674559 Apr 10 18:10 baddisk-2b.img 
 +-rw-r--r-- 1 root root 51200000 Apr  6 21:45 baddisk-2.img 
 + 
 +blacktower:​~/​testdisk#​ mount -o loop ./baddisk-2b.img /​mnt/​baddisk/​ 
 +mount: you must specify the filesystem type 
 +blacktower:​~/​testdisk#​ mount -t ext3 -o loop ./​baddisk-2b.img /​mnt/​baddisk/​
 mount: wrong fs type, bad option, bad superblock on /dev/loop0, mount: wrong fs type, bad option, bad superblock on /dev/loop0,
        ​missing codepage or helper program, or other error        ​missing codepage or helper program, or other error
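Review bot: In the added corrupt.c, `fseek( fh, atoi(argv[2])-2, SEEK_SET )` seeks two bytes before the offset that corrupt.bash echoes, goes negative for a target of 0 or 1, and its return value is never checked, so after a failed seek `fputc` still writes at the current position, which is offset 0 right after `fopen`. Seek to the requested offset itself and exit when `fseek` fails. `atoi` also needs `#include <stdlib.h>`, and `strtol` would let non-numeric input be rejected. The usage text prints `%s filename` while `argc != 3` requires a second argument, so add `location` to it. In corrupt.bash, `$(( RANDOM % 5120 ))$(( RANDOM % 10000 ))` concatenates the two numbers without zero-padding the second, so the targets are not spread evenly over the image. The commented-out `dd` line would do the same job as the C helper if it were given `conv=notrunc`, which stops dd from truncating the image at the seek offset.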
Line 171: Line 238:
        dmesg | tail  or so        dmesg | tail  or so
  
-blacktower:​~/​testdisk# ​dmesg | tail +blacktower:​~/​testdisk# ​fsck.ext3 ./baddisk-2b.img 
-... +e2fsck 1.41.12 (17-May-2010) 
-[2097323.950735] EXT3-fsno journal found+fsck.ext3Superblock invalid, trying backup blocks... 
-blacktower:​~/​testdisk# ​mount -o loop -t ext2 ./​baddisk.img /mnt/baddisk/ +fsck.ext3: Bad magic number in super-block while trying to open ./​baddisk-2b.img 
-mountStale NFS file handle + 
-</code>+The superblock could not be read or does not describe a correct ext2 
 +filesystem. ​ If the device is valid and it really contains an ext2 
 +filesystem (and not swap or ufs or something else), then the superblock 
 +is corrupt, and you might try running e2fsck with an alternate superblock:​ 
 +    e2fsck -b 8193 <​device>​ 
 + 
 +blacktower:​~/​testdisk# ​fsck.ext3 ​-b 8193 ./baddisk-2b.img 
 +e2fsck 1.41.12 (17-May-2010) 
 +fsck.ext3: Attempt to read block from filesystem resulted in short read while trying to open ./baddisk-2b.img 
 +Could this be a zero-length partition?​ 
 +blacktower:​~/testdisk# ls -l ./baddisk-2b.img 
 +-rw-r--r-- 1 root root 50674559 Apr 10 18:10 ./baddisk-2b.img 
 +blacktower:~/testdisk# 
 + 
 + 
 +The partition table is missing and the offsets for the backups are all messed up. 
 + 
 + 
 +=== Testdisk === 
 + 
 + 
 +non-partitioned 
 + 
 + 
 +=== photorec == 
 + 
 +PhotoRec 6.11, Data Recovery Utility, April 2009 
 +Christophe GRENIER ​<grenier@cgsecurity.org>​ 
 +http://​www.cgsecurity.org 
 + 
 +Disk ./​baddisk-2b.img - 50 MB / 48 MiB (RO) 
 +     ​Partition ​                 Start        End    Size in sectors 
 +   P Unknown ​                 0   ​0 ​ 1     ​6 ​ 41  1      98974 
 + 
 + 
 +14 files saved in /​root/​testdisk/​recup_dir directory. 
 +Recovery completed. 
 +txt: 14 recovered 
 + 
 +blacktower:​~/​testdisk/​recup_dir.3#​ head -1 *.txt 
 +==f0000000.txt <== 
 +Just to have it is enough. 
 + 
 +==> f0000128.txt <== 
 +men proud. 
 + 
 +==> f0003072.txt <== 
 + 
 + 
 +==> f0004352.txt <== 
 +it classified?​ 
 + 
 +==> f0004480.txt <== 
 +rail2\hyphmax0}\aspalpha\ltrpar\langfe255\lang255\cf0\kerning1\hich\af3\dbch\af4\afs24\lang255\loch\f0\fs24{\rtlch \ltrch\loch 
 + 
 +==> f0006400.txt <== 
 +wiss\fprq2\fcharset0 Arial;​}{\f3\fnil\fprq2\fcharset0 Andale Sans UI{\*\falt Arial Unicode MS};​}{\f4\fnil\fprq2\fcharset0 Tahoma;​}{\f5\fnil\fprq0\fcharset0 Tahoma;}} 
 + 
 +==> f0007552.txt <== 
 +us. 
 + 
 +==> f0014848.txt <== 
 +ker is a fellow who lends you his umbrella when the sun is shining 
 + 
 +==> f0017024.txt <== 
 +ought, and the wisdom never to use either. 
 + 
 +==> f0017280.txt <== 
 +owntown Newark is in your future. 
 + 
 +==> f0017664.txt <== 
 +outh gets trashed. 
 + 
 +==> f0078080.txt <== 
 +
 + 
 +==> f0095488.txt <== 
 +amenco dancer'​s 
 + 
 +==> f0095616.txt <== 
 + up to his neck in sand? 
 +blacktower:​~/​testdisk/​recup_dir.3#​
  
-=== Running Testdisk === 
  
-blacktower:​~/​testdisk#​ testdisk ./​baddisk.img+=== Try harder ===
  
-Seems like a lost cause. ​ Even the size of the disk comes up wrong in the "​Geometry"​ menu of Testdisk+Paranoid : Yes (Brute force enabled) 
 +14 files
  
-Disk ./​baddisk.img - 20 MB / 19 MiB - CHS 3 255 63, sector size=512 
  
-"Note: Disk capacity must be correctly detected for a successful recovery. +=== Expert Mode ===
-If a disk listed above has incorrect size, check HD jumper settings, BIOS +
-detection, and install the latest OS patches and disk drivers."​+
  
 +79 files saved in /​root/​testdisk/​recup_dir directory.
 +Recovery completed.
 +txt: 79 recovered
  
  
 +Unless we find the superblock, it looks like the fragmentation of the files is going to make it nearly impossible to find any files.
  
 +We could create a signature to find the superblock... hmmm... ​
  
 +http://​www.virtualblueness.net/​Ext2fs-overview/​Ext2fs-overview-0.1-12.html
  
 === Additional Information === === Additional Information ===
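Review bot: The `</code>` removed near the top of this hunk, together with the unwrapped commands that follow "Different method:" in the previous hunk, leaves the fsck.ext3, PhotoRec and `head -1 *.txt` console output outside any `<code>` block, so it will be rendered as ordinary wiki text; wrap each session in `<code>`. The heading `=== photorec ==` has unbalanced markers. The sentence "The partition table is missing" does not match the rest of the hunk: Testdisk reports the image as non-partitioned and fsck.ext3 reports a bad magic number in the superblock, so it would be clearer to say that the `tail -n +10` step removed the start of the image (the two `ls -l` sizes differ by 525441 bytes) and with it the primary superblock, which is also why the backup superblock offsets no longer line up.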