Advanced data recovery
m (→Tools to examine your hard drive) |
(→hexdump) |
||
Line 4: | Line 4: | ||
=== hexdump === | === hexdump === | ||
+ | |||
+ | dd if=/dev/sdc bs=4k count=4k |hexdump -C |head -n1000 | ||
+ | |||
+ | 00000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| | ||
+ | * | ||
+ | 000001c0 02 00 ee ff ff ff 01 00 00 00 ff ff ff ff 00 00 |................| | ||
+ | 000001d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| | ||
+ | * | ||
+ | 000001f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 aa |..............U.| | ||
+ | 00000200 45 46 49 20 50 41 52 54 00 00 01 00 5c 00 00 00 |EFI PART....\...| | ||
+ | 00000210 18 2e 18 cc 00 00 00 00 01 00 00 00 00 00 00 00 |................| | ||
+ | 00000220 af a3 50 5d 01 00 00 00 22 00 00 00 00 00 00 00 |..P]....".......| | ||
+ | 00000230 8e a3 50 5d 01 00 00 00 14 93 43 88 89 57 07 4e |..P]......C..W.N| | ||
+ | 00000240 b7 d5 77 5d 6d 5d 98 c1 02 00 00 00 00 00 00 00 |..w]m]..........| | ||
+ | 00000250 80 00 00 00 80 00 00 00 86 d2 54 ab 00 00 00 00 |..........T.....| | ||
+ | 00000260 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| | ||
=== od === | === od === |
Revision as of 20:11, 22 June 2017
This page is all about the on-disk data structures, and what to look for to help you find where on disk your data is, and hopefully how to recreate the higher level structures to point linux at your data. It's very hard at this point to tell you what to do, so you will have to use this information as best you can.
Contents |
Tools to examine your hard drive
hexdump
dd if=/dev/sdc bs=4k count=4k |hexdump -C |head -n1000
00000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| * 000001c0 02 00 ee ff ff ff 01 00 00 00 ff ff ff ff 00 00 |................| 000001d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| * 000001f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 aa |..............U.| 00000200 45 46 49 20 50 41 52 54 00 00 01 00 5c 00 00 00 |EFI PART....\...| 00000210 18 2e 18 cc 00 00 00 00 01 00 00 00 00 00 00 00 |................| 00000220 af a3 50 5d 01 00 00 00 22 00 00 00 00 00 00 00 |..P]....".......| 00000230 8e a3 50 5d 01 00 00 00 14 93 43 88 89 57 07 4e |..P]......C..W.N| 00000240 b7 d5 77 5d 6d 5d 98 c1 02 00 00 00 00 00 00 00 |..w]m]..........| 00000250 80 00 00 00 80 00 00 00 86 d2 54 ab 00 00 00 00 |..........T.....| 00000260 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
od
ext fs header layouts
An ext4 superblock typically starts 1K into the partition. Within the superblock, it contains the string 0xef53 at an offset of 0x38.
od -x /dev/sdac2 | awk '$6 == "ef53"'
The output from od lists each 16-byte block in hex preceded by its location in octal, the awk only displays lines of interest. Subtract 0002060 from the first number of the first line (remember they're both octal!!!), and this should be the start of the partition.
If you're trying to recover a mirror, you can now point your partition table at this partition and hopefully everything will work.