$ cat /dev/jlanza > /dev/nobody Home About

Home > Linux > Recover data after running dd if=/dev/zero for a few seconds

May 11, 2012 jlanza Leave a comment Go to comments Friday morning working on installing OpenWrt pivot overlay on an USB pendrive. I need to format the USB and as I was doing it quite so many times I wasnt paying too much attention. Dont do that at home The USB was recognized as /dev/sdb1 on my laptop but on the router it was on /dev/sda1. As you have probably already guessed my main laptop hardrive was /dev/sda1. I didnt notice I wasnt in the router console (f.. tabs) and after having successfully formatted the USB I decided to make it zero:
# dd if=/dev/zero of=/dev/sda1

I continue working on the laptop but when in typed ls nothing is shown and even I got unknown command. Uppps something is going wrong. I just realized I was formatting my hard drive in stead of the USB. Advice (take it if you want): In case this happens to you, press Ctrl+C as soon as you can to minimize the overwritten and lost data. Most of my work for the last few years was there, programs, repositories, configurations, I thought I was not going to be able to recover anything. Luckyly I pressed Ctrl+C quite quickly and only 1Gb was set to zero. Not everything was lost So if you ever come to that, dont panic. You can at least recover what was not overwritten with 0, and even part of that I think it can also be recovered. Next Im explaining how I did it. It is quite short and easy procedure.

My system was installed under ext4. I think in ext2/3 the procedure should be working, but for fat, ntfs, you should proceed differently. I only got one partition for / with everything on it. Now Ive learnt thats not the best decision. It is better to format your drive with multiple partion for each type of data, at least with one partition for /boot, another for swap, another for / and

another for /home. This will help you on reinstallation and in cases like this one. Get a copy of a system rescue disk or a distribution live CD. I installed it on my USB There are plenty of utilities for recovering data. For my case I only used testdisk.

Once you have the rescue disk, boot you system with it. Unfortunately you are not able to do it any other way. Make a complete binary image of your disk on an external hard drive or through network. In order to work with the image, I dont recommend you compress it as afterwards you will have to uncompress it, and thats time.
# dd if=/dev/sda of=/path_to_external_drive/my_broken_disk.img # dd if=/dev/sda | ssh user@remotehost -d | 'dd of=/path_backup/my_broken_disk.img' # dd if=/dev/sda | gzip - | ssh user@remotehost dd of=/backup/drive.img.gz

It takes quite a long time depending on the size of your drive, so go for a long long walk.

The recovery method is based on the information on the superblocks that are stored in ext2/3/4 and that replicate filesytem information. It would be very difficult you zero all the hard drive and all the superblocks. Using testdisk open your image. You can do it directly over your hard drive, but it is better not to work with it in order not to loose more information in case we do something wrong.
# testdisk my_broken_disk.img > [Proceed] > [Intel] > [Advanced] Partition > 1 * Linux 2 E extended 5 L Linux Swap

Start End Size in sectors 0 32 33 14223 110 31 228497408 14223 142 62 14593 66 1 5939202 14223 143 1 14593 66 1 5939200

Select your data partition Select [Supeblock] and copy them as this is the ones that are going to save you.
Partition Linux superblock superblock superblock superblock superblock superblock superblock superblock superblock superblock Start End Size in sectors 0 32 33 14223 110 31 228497408 0, blocksize=4096 [] 32768, blocksize=4096 [] 98304, blocksize=4096 [] 163840, blocksize=4096 [] 229376, blocksize=4096 [] 294912, blocksize=4096 [] 819200, blocksize=4096 [] 884736, blocksize=4096 [] 1605632, blocksize=4096 [] 2654208, blocksize=4096 []

To repair the filesystem using alternate superblock, run fsck.ext4 -p -b superblock -B blocksize device

You can try to use testdisk to recover the files but I didnt succeed.

As we have made the complete disk image you need to find out where your data partition starts in order to latter mount it.
# parted my_broken_disk.img parted my_broken_disk.img GNU Parted 2.3 Using my_broken_disk.img Welcome to GNU Parted! Type 'help' to view a list of commands. (parted) unit Unit? [compact]? B (parted) print Model: (file) Disk my_broken_disk.img: 120034123776B Sector size (logical/physical): 512B/512B Partition Table: msdos Number 1 2 5 Start 1048576B 116992769024B 116992770048B End 116991721471B 120033640447B 120033640447B Size 116990672896B 3040871424B 3040870400B Type primary extended logical File system ext4 linux-swap(v1) Flags boot

(parted) quit

The Start number indicates where you partition begins. You can also get this information from testdisk data, but you need to do some aritmetics. This way theres no error. There is more information on mounting partitions from full disk images here.

Mount your data partition.

# losetup -o 1048576 /dev/loop1 my_broken_disk.img

Try to recover filesystem information from superblocks. If fsck can find a valid superblock you have a good chance to be able to recover part of the files that lived on your volume. It might even be able to restore your fs to a living state, however whats zeroed, its zeroed. No one can do anything about that, except for the enterprises specialized in info recovery as we said before. It is advisable and quicker to refer to a known not zeroed superblock. Choose one superblock (I took the last one) from the information you got with testdisk.
# fsck.ext4 -p -b 11239424 -B 4096 /dev/loop1 Follow any indication # fsck.ext4 -b 11239424 -B 4096 /dev/loop1

It will point all the inodes with broken links, etc. You will see the names of some of your dirs. Just say yes to everything. When you are asked if you want to link to `lost+found` say yes as this directory will be taken as root dir for the broken inodes.

If everything went as expected the image filesystem is fixed and the recoverable information is accesible. Mount the partion on the loop device to a directory
# mount -t ext4 -o ro /dev/loop1 /path_to_mount/

All the recovered data would probably be in lost+found directory, at least it was in my case. This directory is only root accesible.
# su # cd /path_to_mount/lost+found # ls #1179649 #1461384 #1464249 #1573254 #1179651 #1461525 #1464389 #1573330 #131073 #1461600 #1464476 #1573468 #1441961 #1461740 #1464483 #1573616 ....

#1576115 #1576253 #1576444 #1576529

#1723175 #1723189 #1723193 #1723285

#2235518 #2235529 #2235578 #2235583

Those directories and files are the ones recovered. If you enter any of them you can find your files, but in the incorrect mounting point. The best thing is to use find to locate some known files so this way you can retrieve which directory allocates your formely /home, etc.
# find /path_to_mount/lost+found -iname "<regex_for_known_files>"

Once you are done with it you should umount everything. You can also make a new image of your restored disk or partition.
# umount /dev/loop1 # dd if=/dev/loop1 of=/path_to_backup/my_restored_disk.img # losetup -d /dev/loop1

And thats all. Thanks God you have part of your data back.

[1] SystemRescueCd [2] DataRecovery Community Ubuntu Documentation [3] TestDisk CGSecurity [4] Manual disk partitioning guide for Ubuntu 11.04 [5] Mounting partitions from full disk images [6] Recover Data Like a Forensics Expert Using an Ubuntu Live CD How-To Geek [7] hard drive Is there a way to recover files from a storage device partially overwritten with dd? Ask Ubuntu [8] Mounting a hard disk image including partitions using Linux | andremiller.net [9] ext3 filesystem bad superblock recovery Jasons postings and stuff
Share this: Like this: Be the first to like this.

Categories: Linux Tags: backup, linux, restore Comments (0) Trackbacks (0) Leave a comment Trackback 1. No comments yet. 1. No trackbacks yet.

Leave a Reply

Customize Voyage Linux image Top WordPress Blog at WordPress.com. Theme: INove by NeoEase.