Recovering data from a damaged partition
How to get your breath back after breaking your system (badly)...
Thursday 15 March 2007, by
Most of the time GNU/Linux is a powerful operating system. Sometimes, I wish I had thought twice before using one of its great console commands, the simple and fast dd.
In order to make room on one hard drive, I used dd to wipe the first 512 bytes of the boot sector, so that the other operating system could boot by itself instead of using lilo.
Sweeping the boot sector
dd is a tool that makes it easy to do a raw copy of one partition/file into another one. In order to wipe out the boot sector (namely the first 512 bytes, also known as the Master Boot Record), you can use the command:
dd if=/dev/zero of=/dev/hda bs=512 count=1
This command erases the first sector of the drive hda (note that the target is the whole disk /dev/hda, not the partition /dev/hda1).
Unfortunately, I left out count=1 in my first attempt to restore the MBR!
This led dd to start wiping out data on my hard drive. I realised quickly what was happening, but with modern computers, even if you react within seconds, the damage happens fast!
There we are:
- no more boot sector
- the beginning of the disk filled with zeros, so the OS cannot boot.
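The MBR holds more than boot code: the partition table sits at byte offsets 446 to 509, followed by a two-byte signature. As an added example (not part of the original article), the script below backs up the first sector and then zeroes only the 446 bytes of boot code, with an explicit count=1. The function names and the scratch image are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original article). MBR layout:
#   bytes 0-445 boot code, 446-509 partition table, 510-511 signature.

# wipe_boot_code TARGET BACKUP
# Saves the whole first sector to BACKUP, then zeroes only the boot code.
wipe_boot_code() {
    target=$1
    backup=$2
    [ -n "$target" ] && [ -n "$backup" ] || { echo "usage: wipe_boot_code TARGET BACKUP" >&2; return 2; }
    [ -e "$target" ] || { echo "no such target: $target" >&2; return 1; }
    [ ! -e "$backup" ] || { echo "refusing to overwrite $backup" >&2; return 1; }

    # 1. Keep a copy of the full 512-byte sector so the wipe can be undone.
    dd if="$target" of="$backup" bs=512 count=1 2>/dev/null || return 1
    [ "$(wc -c < "$backup")" -eq 512 ] || { echo "short backup" >&2; return 1; }

    # 2. count=1 bounds the write to a single 446-byte block; without it dd
    #    keeps writing zeros until the target device is full. conv=notrunc
    #    keeps a regular file (such as the scratch image below) from being truncated.
    dd if=/dev/zero of="$target" bs=446 count=1 conv=notrunc 2>/dev/null
}

# restore_mbr TARGET BACKUP: write the saved sector back.
restore_mbr() {
    dd if="$2" of="$1" bs=512 count=1 conv=notrunc 2>/dev/null
}

# Constructed demo: runs against a 1 MiB scratch image, never a real disk.
demo() {
    dir=$(mktemp -d) || return 1
    dd if=/dev/urandom of="$dir/disk.img" bs=1024 count=1024 2>/dev/null
    cp "$dir/disk.img" "$dir/orig.img"
    wipe_boot_code "$dir/disk.img" "$dir/mbr.bak" || return 1
    # Everything from byte offset 446 onward must match the original.
    tail -c +447 "$dir/disk.img" > "$dir/after"
    tail -c +447 "$dir/orig.img" > "$dir/before"
    cmp -s "$dir/after" "$dir/before"
    status=$?
    rm -rf "$dir"
    return $status
}

demo && echo "boot code wiped, partition table and data intact"
```

Rehearsing the command on an image file first, and keeping the 512-byte backup on another medium, turns a mistyped dd into a recoverable error.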
Step 1: what is missing?
I used a recovery CD (basically the Mandriva DVD in rescue mode) to have a look at the damage. I was not able to tell what was left and what was missing from this simple rescue mode. The reason was that the partition table for the NTFS filesystem was missing.
Step 2: what is available under GPL?
In order to reconstruct it, I used the recovery utility TestDisk (thanks to a recommendation from Pascal Terjan via IRC).
After a quick look at the documentation page, I also found out it was able to recover images specifically, with PhotoRec.
I downloaded the static binary package and used my USB key to launch TestDisk in the Mandriva recovery mode.
Step 3: discovering and using TestDisk
I won’t reproduce the documentation since the wiki is well documented, but here are the basic steps I took (with great help from Christophe Grenier, the main TestDisk/PhotoRec developer):
I launched PhotoRec and used the options "Analyse" then "Search
The result of the analysis was:
* HPFS - NTFS 0 1 1 2610 254 63 41945652
L HPFS - NTFS 2611 1 1 14946 254 63 198177777
D HPFS - NTFS 2611 1 11 13468 254 63 174433697
D Linux Swap 13469 1 1 13569 254 63 1622502
D Linux 13570 1 1 14945 254 63 22105377
As advised by Christophe, I did "Write" then "BackupBS".
The partition table was restored, but some important files were missing, so no luck rebooting and restarting the OS.
Step 4: recovering data
The most important files were all my pictures (I had some backups, but recent ones were missing). To find them, I used PhotoRec. This led me to a bunch of files with no link between their content and their name (file00001, file00002, ...).
After some bash scripting, I finally recovered most of my data. For the operating system, I had to reinstall a clean copy of it (the recovery mode didn’t work).
In the end
- Never use a powerful GNU/Linux if you’re tired :-)
- TestDisk is a wonderful tool; if you are in trouble, you know what to use.
- Thanks a lot again to Christophe Grenier for his great help and patience in helping me through this difficult stage.