Advanced data recovery
(→hexdump) |
(→od) |
||
| Line 22: | Line 22: | ||
=== od === | === od === | ||
| + | |||
| + | # od -x /dev/sda2 | awk '$6 == "ef53"' | ||
| + | 73552560 9596 c4eb 7b93 1fe3 ef53 c026 45c5 6528 | ||
| + | 162430040 46ab 0015 0000 0000 ef53 0002 0000 0000 | ||
| + | 212126560 000a 0000 0055 0000 ef53 0001 0000 0000 | ||
| + | 212126640 000a 0000 0055 0000 ef53 0001 0000 0000 | ||
| + | 212202700 000a 0000 0055 0000 ef53 0001 0000 0000 | ||
| + | 212202760 000a 0000 0055 0000 ef53 0001 0000 0000 | ||
| + | 212233160 000a 0000 0055 0000 ef53 0001 0000 0000 | ||
| + | 212256400 03b9 0000 0000 0000 ef53 0001 0000 0000 | ||
| + | 230126360 4aab 0000 0000 0000 ef53 0002 0000 0000 | ||
| + | 257432300 16b6 0011 0000 0000 ef53 0000 0000 0000 | ||
| + | 311223400 bc3c 001b 0000 0000 ef53 0008 0000 0000 | ||
| + | 334427320 9d34 0002 0000 0000 ef53 0000 0000 0000 | ||
| + | 354777340 92ce 0013 0000 0000 ef53 0001 0000 0000 | ||
| + | 375542620 000a 0000 0041 0000 ef53 0000 0000 0000 | ||
| + | 375563300 000a 0000 0041 0000 ef53 0000 0000 0000 | ||
| + | 375571240 000a 0000 0041 0000 ef53 0000 0000 0000 | ||
| + | 375601340 000a 0000 0041 0000 ef53 0000 0000 0000 | ||
== ext fs header layouts == | == ext fs header layouts == | ||
Latest revision as of 20:12, 22 June 2017
This page is all about the on-disk data structures, and what to look for to help you find where on disk your data is, and hopefully how to recreate the higher level structures to point linux at your data. It's very hard at this point to tell you what to do, so you will have to use this information as best you can.
Contents |
[edit] Tools to examine your hard drive
[edit] hexdump
dd if=/dev/sdc bs=4k count=4k |hexdump -C |head -n1000
00000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| * 000001c0 02 00 ee ff ff ff 01 00 00 00 ff ff ff ff 00 00 |................| 000001d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| * 000001f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 aa |..............U.| 00000200 45 46 49 20 50 41 52 54 00 00 01 00 5c 00 00 00 |EFI PART....\...| 00000210 18 2e 18 cc 00 00 00 00 01 00 00 00 00 00 00 00 |................| 00000220 af a3 50 5d 01 00 00 00 22 00 00 00 00 00 00 00 |..P]....".......| 00000230 8e a3 50 5d 01 00 00 00 14 93 43 88 89 57 07 4e |..P]......C..W.N| 00000240 b7 d5 77 5d 6d 5d 98 c1 02 00 00 00 00 00 00 00 |..w]m]..........| 00000250 80 00 00 00 80 00 00 00 86 d2 54 ab 00 00 00 00 |..........T.....| 00000260 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[edit] od
# od -x /dev/sda2 | awk '$6 == "ef53"' 73552560 9596 c4eb 7b93 1fe3 ef53 c026 45c5 6528 162430040 46ab 0015 0000 0000 ef53 0002 0000 0000 212126560 000a 0000 0055 0000 ef53 0001 0000 0000 212126640 000a 0000 0055 0000 ef53 0001 0000 0000 212202700 000a 0000 0055 0000 ef53 0001 0000 0000 212202760 000a 0000 0055 0000 ef53 0001 0000 0000 212233160 000a 0000 0055 0000 ef53 0001 0000 0000 212256400 03b9 0000 0000 0000 ef53 0001 0000 0000 230126360 4aab 0000 0000 0000 ef53 0002 0000 0000 257432300 16b6 0011 0000 0000 ef53 0000 0000 0000 311223400 bc3c 001b 0000 0000 ef53 0008 0000 0000 334427320 9d34 0002 0000 0000 ef53 0000 0000 0000 354777340 92ce 0013 0000 0000 ef53 0001 0000 0000 375542620 000a 0000 0041 0000 ef53 0000 0000 0000 375563300 000a 0000 0041 0000 ef53 0000 0000 0000 375571240 000a 0000 0041 0000 ef53 0000 0000 0000 375601340 000a 0000 0041 0000 ef53 0000 0000 0000
[edit] ext fs header layouts
An ext4 superblock typically starts 1K into the partition. Within the superblock, it contains the string 0xef53 at an offset of 0x38.
od -x /dev/sdac2 | awk '$6 == "ef53"'
The output from od lists each 16-byte block in hex preceded by its location in octal, the awk only displays lines of interest. Subtract 0002060 from the first number of the first line (remember they're both octal!!!), and this should be the start of the partition.
If you're trying to recover a mirror, you can now point your partition table at this partition and hopefully everything will work.
