Differences
This shows you the differences between two versions of the page.
Both sides previous revision Previous revision Next revision | Previous revision | ||
testdisk [2012/04/09 16:42] mike |
testdisk [2012/04/10 15:46] (current) mike |
||
---|---|---|---|
Line 84: | Line 84: | ||
while [ $i -lt 10000 ] | while [ $i -lt 10000 ] | ||
do | do | ||
- | echo $i | + | |
set -- " | set -- " | ||
Line 128: | Line 128: | ||
To corrupt the disk, I'm throwing random nulls throughout the image with the code below. | To corrupt the disk, I'm throwing random nulls throughout the image with the code below. | ||
- | < | + | < |
- | blacktower: | + | blacktower: |
#!/bin/bash | #!/bin/bash | ||
i=0 | i=0 | ||
while [ $i -lt 100 ] | while [ $i -lt 100 ] | ||
- | do | + | do |
- | target=$(( RANDOM % 5120 ))$(( RANDOM % 10000 )) | + | |
- | echo $target | + | echo $target |
- | dd if=/ | + | #dd if=/ |
- | i=$((i+1)) | + | ./corrupt ./ |
+ | i=$((i+1)) | ||
done | done | ||
+ | </ | ||
+ | <code c> | ||
+ | blacktower: | ||
+ | #include < | ||
+ | /* program to write to specific location of a file */ | ||
+ | |||
+ | int main(int argc, char* argv[]) | ||
+ | { | ||
+ | FILE* fh; | ||
+ | |||
+ | if( argc != 3 ) { | ||
+ | | ||
+ | | ||
+ | } | ||
+ | |||
+ | fh = fopen( argv[1], " | ||
+ | |||
+ | if( fh == NULL ) { | ||
+ | | ||
+ | | ||
+ | } | ||
+ | |||
+ | | ||
+ | |||
+ | | ||
+ | |||
+ | | ||
+ | | ||
+ | } | ||
+ | |||
+ | </ | ||
+ | |||
+ | < | ||
blacktower: | blacktower: | ||
- | 8528335 | + | blacktower: |
- | 26272528 | + | blacktower: |
- | 17838022 | + | 0b5080a051d53ba2432b666c90d7c0b4 |
- | ... | + | 8f301122918ab70d8cdccebdac46c8c5 |
- | 7885613 | + | 45f1fbff8dcd6a92eef33e5639837c81 |
- | 12015832 | + | 6dbeeb8ff8b82d35296dfc5265897f92 |
- | 20671949 | + | 9d4cb7f894983e667a7c2173f9fa59c4 |
+ | 24896c06121360c4b3daa1deca7e854f | ||
+ | 3c90cdc73c1b155b7cdd5e0a13584207 | ||
+ | 8b40c922b02ef43be7c986fa59536260 | ||
+ | blacktower: | ||
+ | </ | ||
+ | Looks like we hit mostly empty space. | ||
+ | |||
+ | Change the 100 random bytes to 10000 and run again: | ||
+ | |||
+ | < | ||
+ | blacktower: | ||
+ | e2fsck 1.41.12 (17-May-2010) | ||
+ | ./ | ||
+ | |||
+ | blacktower: | ||
+ | e04f2a97d51432d04a64f642e350b1f0 | ||
+ | 8f301122918ab70d8cdccebdac46c8c5 | ||
+ | fc2475f7a1a70f2f31ae50ca59b96cb7 | ||
+ | 6037209ee8c78156a1e6acea00b09dd1 | ||
+ | 16a93d89a8dedfd23ab629006104cbca | ||
+ | aaf2de72c3f2966bf414d598435dc432 | ||
+ | 3c8a111a8c9baaa09aea73e7d59e890e | ||
+ | e3912ad720969f46308cdccad73a66f8 | ||
</ | </ | ||
- | Success... corrupted filesystem. | + | Only the .doc file is safe now. |
+ | |||
+ | Again. | ||
< | < | ||
blacktower: | blacktower: | ||
e2fsck 1.41.12 (17-May-2010) | e2fsck 1.41.12 (17-May-2010) | ||
- | Superblock has an invalid journal (inode 8). | + | ./ |
- | Clear<y>? yes | + | blacktower: |
+ | </code> | ||
- | *** ext3 journal has been deleted - filesystem | + | fortunes.txt |
- | The filesystem size (according to the superblock) is 50000 blocks | + | {{: |
- | The physical size of the device is 20187 blocks | + | |
- | Either the superblock or the partition table is likely to be corrupt! | + | |
- | Abort< | + | |
- | blacktower: | + | Different method: |
+ | |||
+ | blacktower: | ||
+ | blacktower: | ||
+ | total 299852 | ||
+ | -rw-r--r-- 1 root root 50674559 Apr 10 18:10 baddisk-2b.img | ||
+ | -rw-r--r-- 1 root root 51200000 Apr 6 21:45 baddisk-2.img | ||
+ | |||
+ | blacktower: | ||
+ | mount: you must specify the filesystem type | ||
+ | blacktower: | ||
mount: wrong fs type, bad option, bad superblock on /dev/loop0, | mount: wrong fs type, bad option, bad superblock on /dev/loop0, | ||
| | ||
Line 171: | Line 238: | ||
dmesg | tail or so | dmesg | tail or so | ||
- | blacktower: | + | blacktower: |
- | ... | + | e2fsck 1.41.12 (17-May-2010) |
- | [2097323.950735] EXT3-fs: no journal found. | + | fsck.ext3: Superblock invalid, trying backup blocks... |
- | blacktower: | + | fsck.ext3: Bad magic number in super-block while trying to open ./ |
- | mount: Stale NFS file handle | + | |
- | </code> | + | The superblock could not be read or does not describe a correct ext2 |
+ | filesystem. | ||
+ | filesystem (and not swap or ufs or something else), then the superblock | ||
+ | is corrupt, and you might try running e2fsck with an alternate superblock: | ||
+ | e2fsck -b 8193 < | ||
+ | |||
+ | blacktower: | ||
+ | e2fsck 1.41.12 (17-May-2010) | ||
+ | fsck.ext3: Attempt to read block from filesystem resulted in short read while trying to open ./baddisk-2b.img | ||
+ | Could this be a zero-length partition? | ||
+ | blacktower: | ||
+ | -rw-r--r-- 1 root root 50674559 Apr 10 18:10 ./baddisk-2b.img | ||
+ | blacktower:~/testdisk# | ||
+ | |||
+ | |||
+ | The partition table is missing and the offsets for the backups are all messed up. | ||
+ | |||
+ | |||
+ | === Testdisk === | ||
+ | |||
+ | |||
+ | non-partitioned | ||
+ | |||
+ | |||
+ | === photorec == | ||
+ | |||
+ | PhotoRec 6.11, Data Recovery Utility, April 2009 | ||
+ | Christophe GRENIER | ||
+ | http:// | ||
+ | |||
+ | Disk ./ | ||
+ | | ||
+ | P Unknown | ||
+ | |||
+ | |||
+ | 14 files saved in / | ||
+ | Recovery completed. | ||
+ | txt: 14 recovered | ||
+ | |||
+ | blacktower: | ||
+ | ==> f0000000.txt <== | ||
+ | Just to have it is enough. | ||
+ | |||
+ | ==> f0000128.txt <== | ||
+ | men proud. | ||
+ | |||
+ | ==> f0003072.txt <== | ||
+ | |||
+ | |||
+ | ==> f0004352.txt <== | ||
+ | it classified? | ||
+ | |||
+ | ==> f0004480.txt <== | ||
+ | rail2\hyphmax0}\aspalpha\ltrpar\langfe255\lang255\cf0\kerning1\hich\af3\dbch\af4\afs24\lang255\loch\f0\fs24{\rtlch \ltrch\loch | ||
+ | |||
+ | ==> f0006400.txt <== | ||
+ | wiss\fprq2\fcharset0 Arial; | ||
+ | |||
+ | ==> f0007552.txt <== | ||
+ | us. | ||
+ | |||
+ | ==> f0014848.txt <== | ||
+ | ker is a fellow who lends you his umbrella when the sun is shining | ||
+ | |||
+ | ==> f0017024.txt <== | ||
+ | ought, and the wisdom never to use either. | ||
+ | |||
+ | ==> f0017280.txt <== | ||
+ | owntown Newark is in your future. | ||
+ | |||
+ | ==> f0017664.txt <== | ||
+ | outh gets trashed. | ||
+ | |||
+ | ==> f0078080.txt <== | ||
+ | e | ||
+ | |||
+ | ==> f0095488.txt <== | ||
+ | amenco dancer' | ||
+ | |||
+ | ==> f0095616.txt <== | ||
+ | up to his neck in sand? | ||
+ | blacktower: | ||
- | === Running Testdisk === | ||
- | blacktower: | + | === Try harder === |
- | Seems like a lost cause. | + | Paranoid : Yes (Brute force enabled) |
+ | 14 files | ||
- | Disk ./ | ||
- | "Note: Disk capacity must be correctly detected for a successful recovery. | + | === Expert Mode === |
- | If a disk listed above has incorrect size, check HD jumper settings, BIOS | + | |
- | detection, and install the latest OS patches and disk drivers." | + | |
+ | 79 files saved in / | ||
+ | Recovery completed. | ||
+ | txt: 79 recovered | ||
+ | Unless we find the superblock, it looks like the fragmentation of the files is going to make it nearly impossible to find any files. | ||
+ | We could create a signature to find the superblock... hmmm... | ||
+ | http:// | ||
=== Additional Information === | === Additional Information === |