Recover data from lost/corrupted ext4 partition.

 Okti
(@okti)
Posts: 7
Active Member
Topic starter
 

Hello forensic experts!

First of all, sorry if this may seem like a general Linux question and doesn't really belong in the "forensics" area, but since I have data to recover maybe you could lend a hand. Besides, I already have an account on this forum and didn't want to create one on another forum just to ask the same question.

Anyway, I'm trying to recover my data from a lost/corrupted ext4 partition. Everything worked fine until I decided to upgrade my Windows version from 32-bit to 64-bit. I had dual boot Win7 and Ubuntu with GRUB in the first sector (the usual stuff). I launched GParted from Linux, simply "deleted" the NTFS partition (/dev/sda1), reformatted it again to NTFS and installed Windows. As Windows usually does, it removed GRUB from the disk, so I booted up my old Ubuntu live CD trying to reinstall GRUB, only to notice that my ext4 partition (/dev/sda2) is marked as "extended", and the beginning of the partition is wiped with a "33cc 55aa 33cc 55aa" pattern, so obviously "mount" couldn't mount this partition as it couldn't find a superblock signature.

Here is my MBR layout (from the live Caine Linux distro):

root@caine-6:~/test# mmls -t dos /dev/sda
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

     Slot    Start        End          Length       Description
00:  Meta    0000000000   0000000000   0000000001   Primary Table (#0)
01:  -----   0000000000   0000002047   0000002048   Unallocated
02:  00:00   0000002048   0257673215   0257671168   NTFS (0x07)
03:  -----   0257673216   0968689663   0711016448   Unallocated
04:  Meta    0257675262   0976771071   0719095810   DOS Extended (0x05)
05:  Meta    0257675262   0257675262   0000000001   Extended Table (#1)
06:  01:00   0968689664   0976771071   0008081408   Linux Swap / Solaris x86 (0x82)
07:  -----   0976771072   0976773167   0000002096   Unallocated

This seems very messed up. The second entry in the table should point to the ext4 partition (sector offset 257675262); this is where my data is, the /dev/sda2 file.

Strangely, "fdisk's" output is even more messed up. Yesterday, when I launched fdisk from my old Ubuntu CD, fdisk's output was OK: it showed /dev/sda2 (ext4 partition) starting at offset 257675262.. Here's what I've got today:

Disk /dev/sda: 500 GB, 500105249280 bytes
255 heads, 63 sectors/track, 60801 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

   Device Boot   Start     End      Blocks   Id  System
/dev/sda1   *        1   16040   128841268    7  HPFS/NTFS
Warning: Partition 1 does not end on cylinder boundary.
/dev/sda2        16040   60802   359550765    5  Extended
Warning: Partition 2 does not end on cylinder boundary.
/dev/sda5        60299   60802     4040347   82  Linux swap
Warning: Partition 5 does not end on cylinder boundary.

Not sure what's with those sector offsets..
Running lsblk shows that /dev/sda2 is only 1K in size:

root@caine-6:~/test# lsblk
NAME   MAJ:MIN RM   SIZE RO TYPE MOUNTPOINT
sda      8:0    0 465,8G  0 disk
sda1     8:1    0 122,9G  0 part
sda2     8:2    0     1K  0 part
sda5     8:5    0   3,9G  0 part
sr0     11:0    1   4,4G  0 rom  /cdrom
loop0    7:0    0   1,8G  1 loop /rofs

I can assure you that /dev/sda2 was definitely my ext4 partition (starting @ 257675262). I did some very simple keyword searches with grep, and some of my files are still there.

Here are a few sectors in hex beginning at what used to be /dev/sda2. I cannot post it all of course, so I skipped some of the sections.
BUT! THE FIRST AND THE LAST SECTORS of this partition are wiped with this 33cc 55aa pattern.

0000150: 33cc 55aa 33cc 55aa 33cc 55aa 33cc 55aa  3.U.3.U.3.U.3.U.
0000160: 33cc 55aa 33cc 55aa 33cc 55aa 33cc 55aa  3.U.3.U.3.U.3.U.
0000170: 33cc 55aa 33cc 55aa 33cc 55aa 33cc 55aa  3.U.3.U.3.U.3.U.
0000180: 33cc 55aa 33cc 55aa 33cc 55aa 33cc 55aa  3.U.3.U.3.U.3.U.
0000190: 33cc 55aa 33cc 55aa 33cc 55aa 33cc 55aa  3.U.3.U.3.U.3.U.
00001a0: 33cc 55aa 33cc 55aa 33cc 55aa 33cc 55aa  3.U.3.U.3.U.3.U.
00001b0: 33cc 55aa 33cc 55aa 33cc 55aa 33cc 00fe  3.U.3.U.3.U.3...
00001c0: ffff 82fe ffff 0238 612a 0050 7b00 0000  .......8a*.P{...
00001d0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00001e0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00001f0: 0000 0000 0000 0000 0000 0000 0000 55aa  ..............U.
0000200: 33cc 55aa 33cc 55aa 33cc 55aa 33cc 55aa  3.U.3.U.3.U.3.U.
0000210: 33cc 55aa 33cc 55aa 33cc 55aa 33cc 55aa  3.U.3.U.3.U.3.U.
0000220: 33cc 55aa 33cc 55aa 33cc 55aa 33cc 55aa  3.U.3.U.3.U.3.U.
0000230: 33cc 55aa 33cc 55aa 33cc 55aa 33cc 55aa  3.U.3.U.3.U.3.U.
0000240: 33cc 55aa 33cc 55aa 33cc 55aa 33cc 55aa  3.U.3.U.3.U.3.U.
0000250: 33cc 55aa 33cc 55aa 33cc 55aa 33cc 55aa  3.U.3.U.3.U.3.U.

----------------------------------------------------------------------

0000360: 33cc 55aa 33cc 55aa 33cc 55aa 33cc 55aa  3.U.3.U.3.U.3.U.
0000370: 33cc 55aa 33cc 55aa 33cc 55aa 33cc 55aa  3.U.3.U.3.U.3.U.
0000380: 33cc 55aa 33cc 55aa 33cc 55aa 33cc 55aa  3.U.3.U.3.U.3.U.
0000390: 33cc 55aa 33cc 55aa 33cc 55aa 33cc 55aa  3.U.3.U.3.U.3.U.
00003a0: 33cc 55aa 33cc 55aa 33cc 55aa 33cc 55aa  3.U.3.U.3.U.3.U.
00003b0: 33cc 55aa 33cc 55aa 33cc 55aa 33cc 00fe  3.U.3.U.3.U.3...
00003c0: ffff 83fe ffff 0100 0000 0038 612a 0000  ...........8a*..
00003d0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00003e0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00003f0: 0000 0000 0000 0000 0000 0000 0000 55aa  ..............U.
0000400: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000410: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000420: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000430: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000440: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000450: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000460: 0000 0000 0000 0000 0000 0000 0000 0000  ................

----------------------------------------------------------------------

00007f0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000800: 0020 5301 0027 4c05 c0ce 4300 9113 ef04  . S..'L...C.....
0000810: 46cf 4f01 0000 0000 0200 0000 0200 0000  F.O.............
0000820: 0080 0000 0080 0000 0020 0000 4e5b ad54  ......... ..N[.T
0000830: 4e5b ad54 3a00 ffff 53ef 0100 0100 0000  N[.T:...S.......
0000840: e406 7354 0000 0000 0000 0000 0100 0000  ..sT............
0000850: 0000 0000 0b00 0000 0001 0000 3c00 0000  ............<...
0000860: 4202 0000 7b00 0000 4cc7 d48d e903 4296  B...{...L.....B.
0000870: 89a9 b5d4 f3d6 97f4 0000 0000 0000 0000  ................
0000880: 0000 0000 0000 0000 2f00 6172 6765 7400  ......../.arget.
0000890: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00008a0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00008b0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00008c0: 0000 0000 0000 0000 0000 0000 0000 ea03  ................
00008d0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00008e0: 0800 0000 0000 0000 0000 0000 7a53 79bc  ............zSy.
00008f0: a153 4ace bcd5 f0b6 df6a 16a3 0101 0000  .SJ......j......
0000900: 0c00 0000 0000 0000 e406 7354 0af3 0200  ..........sT....
0000910: 0400 0000 0000 0000 0000 0000 ff7f 0000  ................
0000920: 0080 a002 ff7f 0000 0100 0000 ffff a002  ................
0000930: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000940: 0000 0000 0000 0000 0000 0000 0000 0008  ................
0000950: 0000 0000 0000 0000 0000 0000 1c00 1c00  ................
0000960: 0100 0000 0000 0000 0000 0000 0000 0000  ................
0000970: 0000 0000 0400 0000 d682 1f0f 0000 0000  ................
0000980: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000990: 0000 0000 0000 0000 0000 0000 0000 0000  ................

----------------------------------------------------------------------

0001410: 0200 0400 0000 0000 0000 0000 f21f fd79  ...............y
0001420: 0204 0000 1204 0000 2106 0000 4e09 0020  ........!...N.. 
0001430: 0000 0500 0000 0000 0000 0000 0020 3464  ............. 4d
0001440: 0304 0000 1304 0000 2108 0000 1107 0020  ........!...... 
0001450: 0000 0500 0000 0000 0000 0000 0020 64f7  ............. d.
0001460: 0404 0000 1404 0000 210a 0000 c405 0020  ........!...... 
0001470: 0000 0500 0000 0000 0000 0000 0020 2523  ............. %#
0001480: 0504 0000 1504 0000 210c 0000 e512 0020  ........!...... 
0001490: 0000 0500 0000 0000 0000 0000 0020 5e2b  ............. ^+
00014a0: 0604 0000 1604 0000 210e 0000 6614 0020  ........!...f.. 
00014b0: 0000 0500 0000 0000 0000 0000 0020 4e99  ............. N.
00014c0: 0704 0000 1704 0000 2110 0000 4005 0020  ........!...@.. 
00014d0: 0000 0500 0000 0000 0000 0000 0020 fde8  ............. ..
00014e0: 0804 0000 1804 0000 2112 0000 9909 0020  ........!...... 
00014f0: 0000 0500 0000 0000 0000 0000 0020 df73  ............. .s
0001500: 0904 0000 1904 0000 2114 0000 5c21 0020  ........!...\!. 
0001510: 0000 0500 0000 0000 0000 0000 0020 f1a8  ............. ..
0001520: 0a04 0000 1a04 0000 2116 0000 d201 0020  ........!...... 
0001530: 0000 0500 0000 0000 0000 0000 0020 89de  ............. ..
0001540: 0b04 0000 1b04 0000 2118 0000 0000 0020  ........!...... 
0001550: 0000 0500 0000 0000 0000 0000 0020 57f9  ............. W.
0001560: 0c04 0000 1c04 0000 211a 0000 981a 0020  ........!...... 
0001570: 0000 0500 0000 0000 0000 0000 0020 1b51  ............. .Q
0001580: 0d04 0000 1d04 0000 211c 0000 e710 0020  ........!...... 
0001590: 0000 0500 0000 0000 0000 0000 0020 8af5  ............. ..
00015a0: 0e04 0000 1e04 0000 211e 0000 c817 0020  ........!...... 
00015b0: 0000 0500 0000 0000 0000 0000 0020 2aa6  ............. *.
00015c0: 0f04 0000 1f04 0000 2120 0000 f11a 0020  ........! ..... 
00015d0: 0000 0500 0000 0000 0000 0000 0020 41a1  ............. A.
00015e0: 1004 0000 2004 0000 2122 0000 1a1d 0020  .... ...!"..... 

It seems there are some MBR signatures, followed by the 33cc 55aa pattern, some more zeros and finally some ext4 data structures (maybe?). A few years back I was digging through ext4 data structures and this does look familiar; it could be a group descriptor/inode table/bitmap or maybe just some random data.. ;d. No sign of a superblock though.

Obviously I cannot use any of the diagnostic or repair tools (dumpe2fs, e2fsck, fsck) since the beginning of the partition is wiped, so they cannot find the superblock signature.
I tried mkfs.ext4 -n to show possible locations of superblock backups, but that didn't work either. Some kind of error with inode size (???)..

I tried to look for my file signatures (.docx, .xls, .pdf) with sigfind from TSK, but since my /dev/sda2 partition is "1K in size", that doesn't work either. I haven't tried file carving yet (but again, /dev/sda2 == 1K). I could try to carve files from my whole disk, but at 465GB in size that would take me half a day, and obviously with a lot of false positives. If anyone could suggest some alternatives, that would be nice..

Anyways, that's it! I would really appreciate it if someone could help or at least explain what's going on here. I really need to recover those MS Office files or someone will have my head soon..

Thanks!

 
Posted : 08/01/2015 7:17 pm
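An added example, not the poster's code: a scanner that walks a raw image at 1 KiB steps looking for the ext4 magic 0xEF53 at offset 0x38, checks that the geometry fields are plausible, and computes where block 0 of the filesystem would have to be for that copy (primary or a backup) to sit where it does. The constructed sample image places the 128 bytes transcribed from the dump at offset 0x800 above behind 2 KiB of the 33cc55aa pattern; offsets and field names follow the ext4 on-disk superblock layout.

```python
import struct

EXT4_MAGIC = 0xEF53  # s_magic, little-endian at offset 0x38 of every superblock copy

# Constructed sample image: 2 KiB of the 33cc55aa fill pattern the poster saw,
# then the 128 bytes transcribed from the xxd dump at offset 0x800 of the
# original post (xxd prints bytes in on-disk order), zero-padded to 4 KiB.
SB_BYTES = bytes.fromhex(
    "00205301 00274c05 c0ce4300 9113ef04 46cf4f01 00000000 02000000 02000000"
    "00800000 00800000 00200000 4e5bad54 4e5bad54 3a00ffff 53ef0100 01000000"
    "e4067354 00000000 00000000 01000000 00000000 0b000000 00010000 3c000000"
    "42020000 7b000000 4cc7d48d e9034296 89a9b5d4 f3d697f4 00000000 00000000"
)
SAMPLE_IMAGE = b"\x33\xcc\x55\xaa" * 512 + SB_BYTES + bytes(4096 - 2048 - len(SB_BYTES))

def parse_superblock(sb):
    """Decode the superblock fields needed to locate and sanity-check a filesystem."""
    inodes, blocks = struct.unpack_from("<II", sb, 0x00)
    first_data_block, log_block_size = struct.unpack_from("<II", sb, 0x14)
    blocks_per_group = struct.unpack_from("<I", sb, 0x20)[0]
    magic, state = struct.unpack_from("<HH", sb, 0x38)
    inode_size, group_nr = struct.unpack_from("<HH", sb, 0x58)
    incompat, ro_compat = struct.unpack_from("<II", sb, 0x60)
    return {"magic": magic, "state": state, "inodes": inodes, "blocks": blocks,
            "block_size": 1024 << log_block_size, "first_data_block": first_data_block,
            "blocks_per_group": blocks_per_group, "inode_size": inode_size,
            "group_nr": group_nr, "incompat": incompat, "ro_compat": ro_compat}

def plausible(sb):
    """Reject chance 0xEF53 matches: the geometry must be one ext4 could really have."""
    return (sb["magic"] == EXT4_MAGIC and sb["blocks"] > 0
            and 1024 <= sb["block_size"] <= 65536
            and 0 < sb["blocks_per_group"] <= 8 * sb["block_size"]   # fits one bitmap block
            and sb["inode_size"] >= 128 and sb["inode_size"] & (sb["inode_size"] - 1) == 0)

def copy_offset_in_fs(sb):
    """Bytes from filesystem block 0 to this copy: primary at 1024, backup at its group's first block."""
    if sb["group_nr"] == 0:
        return 1024
    return (sb["first_data_block"] + sb["group_nr"] * sb["blocks_per_group"]) * sb["block_size"]

def find_superblocks(image, step=1024):
    """Scan a raw image at 1 KiB steps; return [(offset, fields, implied filesystem start)]."""
    hits = []
    for off in range(0, len(image) - 1024 + 1, step):
        sb = parse_superblock(image[off:off + 1024])
        if plausible(sb):
            hits.append((off, sb, off - copy_offset_in_fs(sb)))
    return hits
```

On a real image the implied start is what you would hand to the loop device (losetup -o) before pointing dumpe2fs or e2fsck -b at it; a hit whose group number is not 0 is a backup copy and is covered by the same arithmetic.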
(@mscotgrove)
Posts: 938
Prominent Member
 

Data carving is a possible solution. The logical block size of 0x400 should not be an issue.

FYI, with my CnW Recovery software for data carving, it will try to generate a date and name for .docx files based on author/title when carving. This can help with finding files, though with all carving one ends up with lots of files and only creative names. Fortunately Ext4 does not fragment files too often, and .docx files tend to be short, so carving should find good files.

If you cannot find your files with carving, you will need to look further into data recovery of failed Ext4 disks.

 
Posted : 08/01/2015 9:26 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

It seems to me like you are mixing two (or more) things.

Whatever it is on that disk, I wonder how you can say that it is "some MBR signatures"?
The repeating pattern may well mean (besides evidently a possible software malfunction) also some kind of hardware issue 😯 ; I would make very sure NOT to fiddle with that disk/PC until you have made an image.

Data carving should be the "last attempt" in data recovery, after volume/filesystem recovery, and while data carving is an excellent source of data in forensics, it tends to be less so in data recovery due to non-contiguous files (notwithstanding the "smart" features of the software).

If I were you I would (after having made a forensic or dd-like image of the whole disk) try DMDE on the image:
http://dmde.com/

I would try the Windows version, but only because I am more familiar with it; a Linux version exists also, though I never used it.

jaclaz

 
Posted : 08/01/2015 9:46 pm
 Okti
(@okti)
Posts: 7
Active Member
Topic starter
 

Thanks for the suggestions. I will look into data carving as it is probably the only solution in my case. I would really like to image my disk, but unfortunately I don't have any external HDDs; I simply don't have any space where I could save my disk image.. (or the ext4 partition; I need at least 400+GB of free space).

Whatever it is on that disk, I wonder how you can say that it is "some MBR signatures"?

As far as I remember, the last two bytes of the MBR sector contain its signature, 55aa.
After that 33cc 55aa pattern there are some MBR magic numbers, although this could indeed be some random data, nor should an MBR ever be at this location. Again, I'm not any technical guru so I can indeed be confusing something here 😉 As for the hardware failure - not likely, as everything was working perfectly fine just a few days ago.

 
Posted : 08/01/2015 11:03 pm
(@mscotgrove)
Posts: 938
Prominent Member
 

It is best to make a secure copy (with any recovery). A new 500GB drive is very low cost these days.

Data carving should always be the final option, but it does have the advantage that it can be very simple. Reconstructing file system parameters, and fooling a program to read the data logically, can be complex.

 
Posted : 09/01/2015 4:19 am
(@gorvq7222)
Posts: 229
Reputable Member
 

Hi,

First of all, make sure you clone the disk to a dd or E01 image. Then you could use data recovery tools to recover from the image file. Don't touch the original disk any more…

About carving, I recommend you use WinHex…

Wish you success~

Rick

 
Posted : 09/01/2015 9:10 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

As far as I remember, the last two bytes of the MBR sector contain its signature, 55aa.
After that 33cc 55aa pattern there are some MBR magic numbers, although this could indeed be some random data, nor should an MBR ever be at this location.

Yep :) , the 55AA are the "Magic Bytes" that are "common" to MBRs and to boot sectors/PBRs and EPBRs; the Disk (or MBR) Signature is another thing, JFYI:
http://thestarman.pcministry.com/asm/mbr/Win2kmbr.htm

and - though it often has a "repeating pattern" - it is a set of four "random" bytes; that's why I asked.

Again, I'm not any technical guru so I can indeed be confusing something here 😉 As for the hardware failure - not likely, as everything was working perfectly fine just a few days ago.

Well, inferring the present (or the future) from the past is not really a good idea; when it comes to a lot of electronic things, failure is often, if not always, asymptomatic: it works, and one nanosecond after, it fails… 😯

jaclaz

 
Posted : 09/01/2015 4:07 pm
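To make the distinction above concrete, here is an added decoder (not code from anyone in the thread) run over the first sector of the dump in the original post: it reports the 0x55AA magic at 0x1FE, the four-byte disk signature field at 0x1B8 and the partition entries. Only offsets 0x150 to 0x1ff of that sector were posted, so the bytes before 0x150 are assumed to carry the same 33cc55aa fill; the type-name table is a small constructed subset.

```python
import struct

# Constructed sample: the first 512-byte sector of the dump in the original post.
# Bytes 0x000-0x14f were not shown and are assumed to be the same 33cc55aa fill.
SAMPLE_SECTOR = (b"\x33\xcc\x55\xaa" * 111                                # 0x000-0x1bb
                 + bytes.fromhex("33cc")                                   # 0x1bc-0x1bd
                 + bytes.fromhex("00feffff82feffff0238612a00507b00")       # entry 1 at 0x1be
                 + bytes(48)                                               # entries 2-4, empty
                 + b"\x55\xaa")                                            # 0x1fe magic bytes

PARTITION_TYPES = {0x05: "Extended", 0x07: "NTFS/HPFS", 0x82: "Linux swap", 0x83: "Linux"}

def parse_mbr_sector(sector):
    """Decode the tail of a 512-byte MBR/EBR sector: the 0x55AA magic, the 4-byte
    disk signature field at 0x1B8 and the four 16-byte partition table entries."""
    if len(sector) != 512:
        raise ValueError("expected exactly one 512-byte sector")
    entries = []
    for slot in range(4):
        # boot flag, 3 CHS bytes (skipped), type, 3 CHS bytes (skipped), LBA start, sector count
        boot, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", sector, 0x1BE + 16 * slot)
        if ptype != 0:                                     # an all-zero entry is unused
            entries.append({"slot": slot, "bootable": boot == 0x80, "type": ptype,
                            "type_name": PARTITION_TYPES.get(ptype, "unknown"),
                            "lba_start": lba_start, "sectors": count})
    return {"magic_ok": sector[0x1FE:0x200] == b"\x55\xaa",
            "disk_signature": sector[0x1B8:0x1BC].hex(),      # shown in on-disk byte order
            "entries": entries}
```

In this sector the signature field holds nothing but the fill pattern, and the only populated entry is a type 0x82 (Linux swap) record whose sector count matches the 8081408-sector swap slot in the mmls listing.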