There are a lot of howtos and tutorials for using data recovery tools in Linux, but far less on how to choose a recovery tool or approach in the first place. Here’s an overview with suggestions for which route to go or tool to use:<\/p>\n
| Cause<\/th>\n | Outlook<\/th>\n | Tools<\/th>\n<\/tr>\n | ||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Forgotten login password<\/td>\n | Fantastic<\/td>\n | Any livecd<\/td>\n<\/tr>\n | ||||||||||||||||||||||||||||||||
| <\/td>\n | This barely qualifies as data recovery, but is included for completeness. If you forget the login password, you can just boot a livecd and mount the drive to access the files. You can also chroot into it and reset the password. Google “linux forgot password”.<\/td>\n<\/tr>\n | |||||||||||||||||||||||||||||||||
| Accidentally deleting files in use<\/td>\n | Excellent<\/td>\n | lsof, cp<\/td>\n<\/tr>\n | ||||||||||||||||||||||||||||||||
| <\/td>\n | When accidentally deleting a file that is still in use by some process — like an active log file or the source of a video you’re encoding — make sure the process doesn’t exit (sigstop if necessary) and copy the file from the \/proc file handle. Google “lsof recover deleted files”<\/td>\n<\/tr>\n | |||||||||||||||||||||||||||||||||
| Accidentally deleting other files<\/td>\n | Fair for harddisks, bad for SSDs<\/td>\n | testdisk, ext3grep, extundelete<\/td>\n<\/tr>\n | ||||||||||||||||||||||||||||||||
| <\/td>\n | When deleting a file that’s not currently being held open, stop as much disk activity as you can to prevent the data from being overwritten. If you’re using an SSD, the data was probably irrevocably cleared within seconds, so bad luck there. Proceed with an fs specific undeletion tool: Testdisk can undelete NTFS, VFAT and ext2, extundelete\/ext3grep can help with ext3 and ext4. Google “YourFS undeletion”. If you can’t find an undeletion tool for your file systems, or if it fails, try PhotoRec.<\/td>\n<\/tr>\n | |||||||||||||||||||||||||||||||||
| Trashing the MBR or deleting partitions<\/td>\n | Excellent<\/td>\n | gpart (note: not gparted<\/strong>), testdisk<\/td>\n<\/tr>\n| <\/td>\n | If you delete a partition with fdisk or recover the MBR from a backup while forgetting that it also contains a partition table, gpart or testdisk will usually easily recover them. If you overwrite any more than the first couple of kilobytes though, it’s a different ballgame. Just don’t confuse gpart (guess partitions) with gparted (gtk\/graphical partition editor). Google “recover partition table”.<\/td>\n<\/tr>\n | Reformatting a file system<\/td>\n | Depends on fs<\/td>\n | e2fsck, photorec, testdisk<\/td>\n<\/tr>\n | <\/td>\n | If you format the wrong partition, recovery depends on the old and new file system. Try finding unformat\/recovery tools for your old fs. Accidentally formatting a ext3 fs to ntfs (like Windows helpfully suggests when it detects a Linux fs) can often be almost completely reverted by running fsck with an alternate superblock. Google “ext3 alternate superblock recovery” or somesuch. <\/p>\n\nReformatting ext2\/3\/4 with ext2\/3\/4 will tend to overwrite the superblocks, making this harder. Consider PhotoRec.\n<\/td>\n<\/tr>\n | Repartition and reinstall<\/td>\n | Depends on progress<\/td>\n | <\/td>\n<\/tr>\n | <\/td>\n | If you ran a distro installer and accidentally repartitioned and reformatted a disk, try treating it as a case of deleted partitions plus reformatted partitions as described above. Chances of recovery are smaller the more files the installer copied to the partitions. If all else fails, PhotoRec.<\/td>\n<\/tr>\n | Bad sectors and drive errors<\/td>\n | Ok, depending on extent<\/td>\n | ddrescue<\/td>\n<\/tr>\n | <\/td>\n | If the drive has errors, use ddrescue to get as much of the data as possible onto another drive, then treat it as a corrupted file system. Try the fs’ fsck tool, or if the drive is highly corrupted, PhotoRec.<\/td>\n<\/tr>\n | Lost encryption key<\/td>\n | Very bad<\/td>\n | bash, cryptsetup<\/td>\n<\/tr>\n | <\/td>\n | I don’t know of any tools made for attempting to crack a LUKS password, though you can generate permutations and script a simple cracker if you have limited number of permutations (“it was Swordfish with some l33t, and a few numbers at the end”). If you have no idea, or if your encryption software uses TPM (rare for Linux), you’re screwed.<\/td>\n<\/tr>\n | Reformatted or partially overwritten LUKS partition<\/td>\n | Horrible<\/td>\n | <\/td>\n<\/tr>\n | <\/td>\n | LUKS uses your passphrase to encrypt a master key, and stores this info at the start of the partition. If this gets overwritten, you’re screwed even if you know the passphrase.<\/td>\n<\/tr>\n | Other kinds of corruptions or unknown FS<\/td>\n | Indeterminable<\/td>\n | PhotoRec, strings, grep<\/td>\n<\/tr>\n | <\/td>\n | PhotoRec searches by file signature, and can therefore recover files from a boatload of FS and scenarios, though you’ll often lose filenames and hierarchies. If you have important ASCII data, strings can dump ASCII text regardless of FS, and you can grep that as a last resort.<\/td>\n<\/tr>\n<\/table>\n | If you have other suggestions for scenarios, tools or approaches, leave a commment. Otherwise, I’ll wish you a speedy recovery!<\/p>\n","protected":false},"excerpt":{"rendered":" There are a lot of howtos and tutorials for using data recovery tools in Linux, but far less on how to choose a recovery tool or approach in the first place. Here’s an overview with suggestions for which route to go or tool to use: Cause Outlook Tools Forgotten login password Fantastic Any livecd This … Continue reading “Approaches to data recovery”<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false,"jetpack_publicize_feature_enabled":true},"categories":[6,4],"tags":[24,53,45],"class_list":["post-195","post","type-post","status-publish","format-standard","hentry","category-basic-linux","category-linux","tag-fs","tag-linux","tag-recovery"],"jetpack_featured_media_url":"","_links":{"self":[{"href":"https:\/\/www.vidarholen.net\/contents\/blog\/index.php?rest_route=\/wp\/v2\/posts\/195","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.vidarholen.net\/contents\/blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.vidarholen.net\/contents\/blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.vidarholen.net\/contents\/blog\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.vidarholen.net\/contents\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=195"}],"version-history":[{"count":21,"href":"https:\/\/www.vidarholen.net\/contents\/blog\/index.php?rest_route=\/wp\/v2\/posts\/195\/revisions"}],"predecessor-version":[{"id":216,"href":"https:\/\/www.vidarholen.net\/contents\/blog\/index.php?rest_route=\/wp\/v2\/posts\/195\/revisions\/216"}],"wp:attachment":[{"href":"https:\/\/www.vidarholen.net\/contents\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=195"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.vidarholen.net\/contents\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=195"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.vidarholen.net\/contents\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=195"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}} |