Differences

This shows you the differences between two versions of the page.

testdisk [2012/04/09 16:42]
mike
testdisk [2012/04/10 15:46] (current)
mike
Line 84: Line 84:
 while [ $i -lt 10000 ] while [ $i -lt 10000 ]
 do do
-        echo $i+        echo $i
  
         set -- "$targetdir"/*         set -- "$targetdir"/*
Line 128: Line 128:
 To corrupt the disk, I'm throwing random nulls throughout the image with the code below. To corrupt the disk, I'm throwing random nulls throughout the image with the code below.
  
-<code> +<code bash
-blacktower:~/testdisk# vi ./corrupt.bash+blacktower:~/testdisk# cat ./corrupt.bash
 #!/bin/bash #!/bin/bash
 i=0 i=0
 while [ $i -lt 100 ] while [ $i -lt 100 ]
-do  +do 
- target=$(( RANDOM % 5120 ))$(( RANDOM % 10000 )) + target=$(( RANDOM % 5120 ))$(( RANDOM % 10000 )) 
- echo $target + echo $target 
- dd if=/dev/zero of=./baddisk.img bs=1 count=1 seek=$target 2> /dev/null + #dd if=/dev/zero of=./baddisk.img bs=1 count=1 seek=$target 2> /dev/null 
-  i=$((i+1))+ ./corrupt ./baddisk.img $target 
 +   i=$((i+1))
 done done
 +</code>
 +<code c>
 +blacktower:~/testdisk# cat ./corrupt.c
 +#include <stdio.h>
 +/* program to write to specific location of a file */
 +
 +int main(int argc, char* argv[])
 +{
 + FILE* fh;
 +
 + if( argc != 3 ) {
 +   printf( "\nUsage: %s filename\n\n Where \"filename\" is the file to corrupt and \"location\" is the offset in bytes\n", argv[0] );
 +   return(1);
 + }
 +
 + fh = fopen( argv[1], "r+" );
 +
 + if( fh == NULL ) {
 +   printf( "\nCould not open existing file for writing!\nUsage: %s filename\n\n Where \"filename\" is the file to corrupt and \"location\" is the offset in bytes\n", argv[0] );
 +   return(1);
 + }
 +
 + fseek( fh, atoi(argv[2])-2, SEEK_SET );
 +
 + fputc( 0, fh );
 +
 + fclose( fh );
 + return 0;
 +}
 +
 +</code>
 +
 +<code>
 blacktower:~/testdisk# ./corrupt.bash blacktower:~/testdisk# ./corrupt.bash
-8528335 +blacktower:~/testdisk# mount -o loop ./baddisk.img /mnt/baddisk/ 
-26272528 +blacktower:~/testdisk# md5sum /mnt/baddisk/* 2> /dev/null 
-17838022 +0b5080a051d53ba2432b666c90d7c0b4  /mnt/baddisk/fortunes.txt 
-... +8f301122918ab70d8cdccebdac46c8c5  /mnt/baddisk/libreoffice writer.doc 
-7885613 +45f1fbff8dcd6a92eef33e5639837c81  /mnt/baddisk/libreoffice writer.odt 
-12015832 +6dbeeb8ff8b82d35296dfc5265897f92  /mnt/baddisk/libreoffice writer.pdf 
-20671949+9d4cb7f894983e667a7c2173f9fa59c4  /mnt/baddisk/libreoffice writer.rtf 
 +24896c06121360c4b3daa1deca7e854f  /mnt/baddisk/testimage.bmp 
 +3c90cdc73c1b155b7cdd5e0a13584207  /mnt/baddisk/testimage.jpg 
 +8b40c922b02ef43be7c986fa59536260  /mnt/baddisk/testimage.png 
 +blacktower:~/testdisk# 
 +</code>
  
 +Looks like we hit mostly empty space.  Only the bmp is corrupted.
 +
 +Change the 100 random bytes to 10000 and run again:
 +
 +<code>
 +blacktower:~/testdisk# fsck.ext3 ./baddisk.img
 +e2fsck 1.41.12 (17-May-2010)
 +./baddisk.img: clean, 20/12544 files, 7703/50000 blocks
 +
 +blacktower:~/testdisk# md5sum /mnt/baddisk/* 2> /dev/null
 +e04f2a97d51432d04a64f642e350b1f0  /mnt/baddisk/fortunes.txt
 +8f301122918ab70d8cdccebdac46c8c5  /mnt/baddisk/libreoffice writer.doc
 +fc2475f7a1a70f2f31ae50ca59b96cb7  /mnt/baddisk/libreoffice writer.odt
 +6037209ee8c78156a1e6acea00b09dd1  /mnt/baddisk/libreoffice writer.pdf
 +16a93d89a8dedfd23ab629006104cbca  /mnt/baddisk/libreoffice writer.rtf
 +aaf2de72c3f2966bf414d598435dc432  /mnt/baddisk/testimage.bmp
 +3c8a111a8c9baaa09aea73e7d59e890e  /mnt/baddisk/testimage.jpg
 +e3912ad720969f46308cdccad73a66f8  /mnt/baddisk/testimage.png
 </code> </code>
  
-Success... corrupted filesystem.+Only the .doc file is safe now  
 + 
 +Again.
  
 <code> <code>
 blacktower:~/testdisk# fsck.ext3 ./baddisk.img blacktower:~/testdisk# fsck.ext3 ./baddisk.img
 e2fsck 1.41.12 (17-May-2010) e2fsck 1.41.12 (17-May-2010)
-Superblock has an invalid journal (inode 8)+./baddisk.img: clean, 20/12544 files, 7703/50000 blocks 
-Clear<y>? yes+blacktower:~/testdisk# 
 +</code>
  
-*** ext3 journal has been deleted - filesystem is now ext2 only ***+fortunes.txt is visibly corrupted, and every file fails an MD5, but the filesystem hasn't reported any problems yet.
  
-The filesystem size (according to the superblock) is 50000 blocks +{{:article-testdisk:corruption.png?nolink&300 |}}
-The physical size of the device is 20187 blocks +
-Either the superblock or the partition table is likely to be corrupt! +
-Abort<y>yes+
  
-blacktower:~/testdisk# mount -o loop ./baddisk.img /mnt/baddisk/+Different method: 
 + 
 +blacktower:~/testdisk# tail -n +10 ./baddisk-2.img > baddisk-2b.img 
 +blacktower:~/testdisk# ls -l 
 +total 299852 
 +-rw-r--r-- 1 root root 50674559 Apr 10 18:10 baddisk-2b.img 
 +-rw-r--r-- 1 root root 51200000 Apr  6 21:45 baddisk-2.img 
 + 
 +blacktower:~/testdisk# mount -o loop ./baddisk-2b.img /mnt/baddisk/ 
 +mount: you must specify the filesystem type 
 +blacktower:~/testdisk# mount -t ext3 -o loop ./baddisk-2b.img /mnt/baddisk/
 mount: wrong fs type, bad option, bad superblock on /dev/loop0, mount: wrong fs type, bad option, bad superblock on /dev/loop0,
        missing codepage or helper program, or other error        missing codepage or helper program, or other error
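Review bot: in the added corrupt.c, `fseek( fh, atoi(argv[2])-2, SEEK_SET )` subtracts 2 from the requested offset without explanation, so the byte zeroed is not the one corrupt.bash echoes, and a target of 0 or 1 produces a negative seek whose failure is never checked. Seek to the offset as given (or document the adjustment), parse it with strtol into a long since fseek takes a long, include <stdlib.h> for the conversion, and check the return values of fseek and fputc. The usage text names only "filename" although `argc != 3` requires a second argument for the location. In corrupt.bash, `$(( RANDOM % 5120 ))$(( RANDOM % 10000 ))` concatenates two numbers without zero-padding the second, so the offsets are biased toward the start of the image. The removed output "The physical size of the device is 20187 blocks" matches dd truncating the image just past the last listed offset (20671949), so the commented-out dd line would also do the job with conv=notrunc added. Both `fsck.ext3 ./baddisk.img` runs print "clean" because e2fsck skips the full check on a filesystem flagged clean unless -f is given; rerun with -f before concluding that the filesystem reports no problems. The opening tag `<code bash` is missing its closing `>`.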
Line 171: Line 238:
        dmesg | tail  or so        dmesg | tail  or so
  
-blacktower:~/testdisk# dmesg | tail +blacktower:~/testdisk# fsck.ext3 ./baddisk-2b.img 
-... +e2fsck 1.41.12 (17-May-2010) 
-[2097323.950735] EXT3-fsno journal found+fsck.ext3Superblock invalid, trying backup blocks... 
-blacktower:~/testdisk# mount -o loop -t ext2 ./baddisk.img /mnt/baddisk/ +fsck.ext3: Bad magic number in super-block while trying to open ./baddisk-2b.img 
-mountStale NFS file handle + 
-</code>+The superblock could not be read or does not describe a correct ext2 
 +filesystem.  If the device is valid and it really contains an ext2 
 +filesystem (and not swap or ufs or something else), then the superblock 
 +is corrupt, and you might try running e2fsck with an alternate superblock: 
 +    e2fsck -b 8193 <device> 
 + 
 +blacktower:~/testdisk# fsck.ext3 -b 8193 ./baddisk-2b.img 
 +e2fsck 1.41.12 (17-May-2010) 
 +fsck.ext3: Attempt to read block from filesystem resulted in short read while trying to open ./baddisk-2b.img 
 +Could this be a zero-length partition? 
 +blacktower:~/testdisk# ls -l ./baddisk-2b.img 
 +-rw-r--r-- 1 root root 50674559 Apr 10 18:10 ./baddisk-2b.img 
 +blacktower:~/testdisk# 
 + 
 + 
 +The partition table is missing and the offsets for the backups are all messed up. 
 + 
 + 
 +=== Testdisk === 
 + 
 + 
 +non-partitioned 
 + 
 + 
 +=== photorec == 
 + 
 +PhotoRec 6.11, Data Recovery Utility, April 2009 
 +Christophe GRENIER <grenier@cgsecurity.org> 
 +http://www.cgsecurity.org 
 + 
 +Disk ./baddisk-2b.img - 50 MB / 48 MiB (RO) 
 +     Partition                  Start        End    Size in sectors 
 +   P Unknown                  0    1      41  1      98974 
 + 
 + 
 +14 files saved in /root/testdisk/recup_dir directory. 
 +Recovery completed. 
 +txt: 14 recovered 
 + 
 +blacktower:~/testdisk/recup_dir.3# head -1 *.txt 
 +==f0000000.txt <== 
 +Just to have it is enough. 
 + 
 +==> f0000128.txt <== 
 +men proud. 
 + 
 +==> f0003072.txt <== 
 + 
 + 
 +==> f0004352.txt <== 
 +it classified? 
 + 
 +==> f0004480.txt <== 
 +rail2\hyphmax0}\aspalpha\ltrpar\langfe255\lang255\cf0\kerning1\hich\af3\dbch\af4\afs24\lang255\loch\f0\fs24{\rtlch \ltrch\loch 
 + 
 +==> f0006400.txt <== 
 +wiss\fprq2\fcharset0 Arial;}{\f3\fnil\fprq2\fcharset0 Andale Sans UI{\*\falt Arial Unicode MS};}{\f4\fnil\fprq2\fcharset0 Tahoma;}{\f5\fnil\fprq0\fcharset0 Tahoma;}} 
 + 
 +==> f0007552.txt <== 
 +us. 
 + 
 +==> f0014848.txt <== 
 +ker is a fellow who lends you his umbrella when the sun is shining 
 + 
 +==> f0017024.txt <== 
 +ought, and the wisdom never to use either. 
 + 
 +==> f0017280.txt <== 
 +owntown Newark is in your future. 
 + 
 +==> f0017664.txt <== 
 +outh gets trashed. 
 + 
 +==> f0078080.txt <== 
 +
 + 
 +==> f0095488.txt <== 
 +amenco dancer'
 + 
 +==> f0095616.txt <== 
 + up to his neck in sand? 
 +blacktower:~/testdisk/recup_dir.3#
  
-=== Running Testdisk === 
  
-blacktower:~/testdisk# testdisk ./baddisk.img+=== Try harder ===
  
-Seems like a lost cause.  Even the size of the disk comes up wrong in the "Geometry" menu of Testdisk+Paranoid : Yes (Brute force enabled) 
 +14 files
  
-Disk ./baddisk.img - 20 MB / 19 MiB - CHS 3 255 63, sector size=512 
  
-"Note: Disk capacity must be correctly detected for a successful recovery. +=== Expert Mode ===
-If a disk listed above has incorrect size, check HD jumper settings, BIOS +
-detection, and install the latest OS patches and disk drivers."+
  
 +79 files saved in /root/testdisk/recup_dir directory.
 +Recovery completed.
 +txt: 79 recovered
  
  
 +Unless we find the superblock, it looks like the fragmentation of the files is going to make it nearly impossible to find any files.
  
 +We could create a signature to find the superblock... hmmm... 
  
 +http://www.virtualblueness.net/Ext2fs-overview/Ext2fs-overview-0.1-12.html
  
 === Additional Information === === Additional Information ===
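Review bot: `fsck.ext3 -b 8193 ./baddisk-2b.img` cannot reach a backup superblock in this image, and the added explanation "The partition table is missing" does not match what the commands show. The two sizes printed by `ls -l` (51200000 and 50674559) differ by 525441 bytes, which is not a multiple of the 1024-byte block size implied by 50000 blocks, so `tail -n +10` has shifted every block, backups included, to an unaligned offset; the image was loop-mounted directly and had no partition table to lose. Suggest stating the number of bytes cut and noting that padding the front of the image by the same amount would put block 8193 back at its original offset. On markup: the terminal session from `tail -n +10` through the photorec listing is no longer inside a `<code>` block now that the old `</code>` is removed without a replacement, the heading `=== photorec ==` has unbalanced markers, and the "=== Testdisk ===" section contains only "non-partitioned" with no command or explanation.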