Linux Raid Reconstr...
 
Notifications
Clear all

Linux Raid Reconstruction

Page 1 / 2
OM602
(@om602)
New Member

I'm struggling to get a EWF Linux Raid image working
Mount fails with
mount wrong fs type, bad option, bad superblock on /dev/md0,

Here are the steps followed

1) Used 'xmount' to disk image as a file

xmount –in ewf –cache ./acquired_disk.cache 1.1.e01 /mnt/raid

2) Used 'losetup' to expose the disk image files as block devices.

losetup 1.1.dd /dev/loop0

3) Used 'mdadm' to reconfigure the block devices as the requisite RAID device
mdadm –assemble –scan

mdadm –create /dev/md0 –level=raid1 –raid-devices=1 /dev/loop0 –force

4) Try to mount Raid disk

[email protected]/mnt/raid# mount /dev/md0 /mnt/
mount wrong fs type, bad option, bad superblock on /dev/md0,
missing codepage or helper program, or other error

In some cases useful info is found in syslog - try
dmesg | tail or so.

MDADM
[email protected]/mnt/raid# mdadm --misc --examine /dev/loop0
/dev/loop0
MBR Magic aa55
Partition[0] 33554433 sectors at 2048 (type fd)
Partition[1] 1048577 sectors at 33558528 (type fd)
Partition[2] 419430401 sectors at 34609152 (type fd)
Partition[3] 3452987568 sectors at 454041600 (type 0f)

FDISK

Fdisk - L
[b]Failed to read extended partition table (offset=454041600) Input/output error[/b]
Disk /dev/loop0 1.8 TiB, 2000398934016 bytes, 3907029168 sectors
Units sectors of 1 * 512 = 512 bytes
Sector size (logical/physical) 512 bytes / 512 bytes
I/O size (minimum/optimal) 512 bytes / 512 bytes
Disklabel type dos
Disk identifier 0x0001c486

Device Boot Start End Sectors Size Id Type
/dev/loop0p1 2048 33556480 33554433 16G fd Linux raid autodetect
/dev/loop0p2 33558528 34607104 1048577 512M fd Linux raid autodetect
/dev/loop0p3 34609152 454039552 419430401 200G fd Linux raid autodetect
/dev/loop0p4 454041600 3907029167 3452987568 1.6T f W95 Ext'd (LBA)

Also tried RAID reconstructor, OSforencics, DMDE, Encase etc
I'm able to run strings, photorec, foremost etc and get some data, but I need some specific mysql databases that are on there

any pointers would be greatly appreciated

Quote
Topic starter Posted : 01/02/2017 5:40 pm
thefuf
(@thefuf)
Active Member

Are you trying to reconstruct a linear array from a single drive?

ReplyQuote
Posted : 01/02/2017 6:31 pm
OM602
(@om602)
New Member

Should read Raid1, sorry about that.
I *assume* that is the RAID-level.

ReplyQuote
Topic starter Posted : 01/02/2017 6:38 pm
thefuf
(@thefuf)
Active Member

mdadm –create /dev/md0 –level=raid1 –raid-devices=1 /dev/loop0 –force

You didn't specify a partition here, you are using an image of a whole drive instead.

ReplyQuote
Posted : 01/02/2017 7:34 pm
OM602
(@om602)
New Member

Yes I believe it's just a single disk of RAID1 array.
When I try to mount the partitions or create the array I get the following errors

[email protected]/mnt/raid# mdadm --create /dev/md0 --level=raid1 --raid-devices=1 /dev/loop0p2 --force
mdadm cannot open /dev/loop0p2 Device or resource busy
[email protected]/mnt/raid# mount /dev/loop0p2 /mnt/raid2
mount unknown filesystem type 'linux_raid_member'

ReplyQuote
Topic starter Posted : 02/02/2017 2:51 pm
thefuf
(@thefuf)
Active Member


losetup -r -o $((2048*512)) /dev/loop0 1.1.dd
losetup -r -o $((33558528*512)) /dev/loop1 1.1.dd
losetup -r -o $((34609152*512)) /dev/loop2 1.1.dd
losetup -r -o $((454041600*512)) /dev/loop3 1.1.dd

Then quote the output of the following commands

mdadm --examine /dev/loop0 /dev/loop1 /dev/loop2 /dev/loop3
file -s /dev/loop0 /dev/loop1 /dev/loop2 /dev/loop3

ReplyQuote
Posted : 02/02/2017 3:02 pm
OM602
(@om602)
New Member

/dev/loop0 Linux Software RAID version 1.2 (1) UUID=b38bc47dc9973cb92076d40ea8e346c1 name=rescue0 level=1 disks=2
/dev/loop1 Linux Software RAID version 1.2 (1) UUID=38399a30ee8a673ffd1ab5ffe8e71f59 name=rescue1 level=1 disks=2
/dev/loop2 Linux Software RAID version 1.2 (1) UUID=e12051e1 8fcd7a4932e64ba9c6e0494 name=rescue2 level=1 disks=2
/dev/loop3 ERROR cannot read `/dev/loop3' (Input/output error)

MDADM hangs, might have to with the fact that I tried mounting with write cache in xmount. Let met retry that

*Update, seems to be because of last partition
mdadm No md superblock detected on /dev/loop0.
mdadm No md superblock detected on /dev/loop1.
mdadm No md superblock detected on /dev/loop2.

ReplyQuote
Topic starter Posted : 02/02/2017 3:08 pm
thefuf
(@thefuf)
Active Member

/dev/loop0 Linux Software RAID version 1.2 (1) UUID=b38bc47dc9973cb92076d40ea8e346c1 name=rescue0 level=1 disks=2
/dev/loop1 Linux Software RAID version 1.2 (1) UUID=38399a30ee8a673ffd1ab5ffe8e71f59 name=rescue1 level=1 disks=2
/dev/loop2 Linux Software RAID version 1.2 (1) UUID=e12051e1 8fcd7a4932e64ba9c6e0494 name=rescue2 level=1 disks=2
/dev/loop3 ERROR cannot read `/dev/loop3' (Input/output error)

MDADM hangs, might have to with the fact that I tried mounting with write cache in xmount. Let met retry that

*Update, seems to be because of last partition
mdadm No md superblock detected on /dev/loop0.
mdadm No md superblock detected on /dev/loop1.
mdadm No md superblock detected on /dev/loop2.

Don't use xmount. Use the commands I provided on a raw image.

Well, the output "No md superblock detected on" means you are doing something wrong. Because you got valid superblocks previously.

ReplyQuote
Posted : 02/02/2017 3:11 pm
OM602
(@om602)
New Member

Thanks so far, I only have an E01.
I will export as RAW but it's gonna take a while

ReplyQuote
Topic starter Posted : 02/02/2017 3:16 pm
thefuf
(@thefuf)
Active Member

Thanks so far, I only have an E01.
I will export as RAW but it's gonna take a while

You can use ewfmount to mount an E01 image and get a raw image in the mountpoint.

ReplyQuote
Posted : 02/02/2017 3:18 pm
OM602
(@om602)
New Member

Yes but wouldnt that me the same as xmount? I will use EWFmount

ReplyQuote
Topic starter Posted : 02/02/2017 3:21 pm
OM602
(@om602)
New Member

That was a really good suggestion
File -s
/dev/loop0 Linux Software RAID version 1.2 (1) UUID=b38bc47dc9973cb92076d40ea8e346c1 name=rescue0 level=1 disks=2
/dev/loop1 Linux Software RAID version 1.2 (1) UUID=38399a30ee8a673ffd1ab5ffe8e71f59 name=rescue1 level=1 disks=2
/dev/loop2 Linux Software RAID version 1.2 (1) UUID=e12051e1 8fcd7a4932e64ba9c6e0494 name=rescue2 level=1 disks=2
/dev/loop3 DOS/MBR boot sector; partition 1 ID=0xfd, start-CHS (0x3ff,254,63), end-CHS (0x3ff,254,63), startsector 2048, 3452983473 sectors, extended partition table (last)

MDADM
[email protected]/mnt/ewf# mdadm --examine /dev/loop0 /dev/loop1 /dev/loop2 /dev/loop3
/dev/loop0
Magic a92b4efc
Version 1.2
Feature Map 0x0
Array UUID b38bc47dc9973cb92076d40ea8e346c1
Name rescue0
Creation Time Wed Nov 4 111520 2015
Raid Level raid1
Raid Devices 2

Avail Dev Size 33538049 (15.99 GiB 17.17 GB)
Array Size 16768896 (15.99 GiB 17.17 GB)
Used Dev Size 33537792 (15.99 GiB 17.17 GB)
Data Offset 16384 sectors
Super Offset 8 sectors
Unused Space before=16304 sectors, after=3873472944 sectors
State clean
Device UUID ef99ca1cd3f3936eec80360162077227

Update Time Mon Oct 17 214031 2016
Checksum a9fe195e - correct
Events 45

Device Role Active device 1
Array State AA ('A' == active, '.' == missing, 'R' == replacing)
/dev/loop1
Magic a92b4efc
Version 1.2
Feature Map 0x0
Array UUID 38399a30ee8a673ffd1ab5ffe8e71f59
Name rescue1
Creation Time Wed Nov 4 111523 2015
Raid Level raid1
Raid Devices 2

Avail Dev Size 1048065 (511.75 MiB 536.61 MB)
Array Size 523968 (511.69 MiB 536.54 MB)
Used Dev Size 1047936 (511.69 MiB 536.54 MB)
Data Offset 512 sectors
Super Offset 8 sectors
Unused Space before=432 sectors, after=3872422192 sectors
State clean
Device UUID 65ea1928c8be4890fefbc363f129ae49

Update Time Tue Oct 18 040939 2016
Checksum 1aa6b608 - correct
Events 76

Device Role Active device 1
Array State AA ('A' == active, '.' == missing, 'R' == replacing)
/dev/loop2
Magic a92b4efc
Version 1.2
Feature Map 0x0
Array UUID e12051e108fcd7a4932e64ba9c6e0494
Name rescue2
Creation Time Wed Nov 4 111528 2015
Raid Level raid1
Raid Devices 2

Avail Dev Size 419168257 (199.88 GiB 214.61 GB)
Array Size 209584000 (199.87 GiB 214.61 GB)
Used Dev Size 419168000 (199.87 GiB 214.61 GB)
Data Offset 262144 sectors
Super Offset 8 sectors
Unused Space before=262064 sectors, after=3452989872 sectors
State clean
Device UUID 9cc87a40524004c9930fdc468c68bfad

Update Time Tue Oct 18 040940 2016
Checksum f1835d25 - correct
Events 228

Device Role Active device 1
Array State AA ('A' == active, '.' == missing, 'R' == replacing)
/dev/loop3
MBR Magic aa55
Partition[0] 3452983473 sectors at 2048 (type fd)

ReplyQuote
Topic starter Posted : 02/02/2017 3:32 pm
thefuf
(@thefuf)
Active Member

/dev/loop3 DOS/MBR boot sector; partition 1 ID=0xfd, start-CHS (0x3ff,254,63), end-CHS (0x3ff,254,63), startsector 2048, 3452983473 sectors, extended partition table (last)

This looks like a partition table within a partition. Can you run "mmls /dev/loop3", if you have TSK installed, and paste the output here?


Edit well, this might be an extended partition, which wasn't recognized by mdadm.

ReplyQuote
Posted : 02/02/2017 3:35 pm
OM602
(@om602)
New Member

[email protected]/mnt/ewf# mmls /dev/loop3
DOS Partition Table
Offset Sector 0
Units are in 512-byte sectors

Slot Start End Length Description
000 Meta 0000000000 0000000000 0000000001 Primary Table (#0)
001 ------- 0000000000 0000002047 0000002048 Unallocated
002 000000 0000002048 3452985520 3452983473 Linux RAID (0xfd)
003 ------- 3452985521 3452987567 0000002047 Unallocated

ReplyQuote
Topic starter Posted : 02/02/2017 3:37 pm
thefuf
(@thefuf)
Active Member

[email protected]/mnt/ewf# mmls /dev/loop3
DOS Partition Table
Offset Sector 0
Units are in 512-byte sectors

Slot Start End Length Description
000 Meta 0000000000 0000000000 0000000001 Primary Table (#0)
001 ------- 0000000000 0000002047 0000002048 Unallocated
002 000000 0000002048 3452985520 3452983473 Linux RAID (0xfd)
003 ------- 3452985521 3452987567 0000002047 Unallocated

And "mmls 1.1.dd" (the raw image) also, because it can be an extended partition.

ReplyQuote
Posted : 02/02/2017 3:42 pm
Page 1 / 2
Share:
Share to...