Recovering data from a damaged partition
Sweeping the boot sector
dd is a tool that easily allows to do a raw copy of one partition/file into another one. In order to wipe out the boot sector (namely the first 512 bytes, also known also Master Boot Record), you can use the command:
dd if=/dev/zero of=/dev/hda bs=512 count=1
This code will erase the first sector of the drive hda (note this is not /dev/hda1).
Unfortunately, i missed count=1 in my first attempt to restore the MBR!
This lead to dd beginning to wipe out datas on my hard drive. I realised rapidly what was happening but with modern computers, even if you react within seconds, damages are rapid!
There we are:
- no more boot sector
- beginning of the disk filed in with zero so the OS cannot boot.
Step 1: what is missing ?
I used a recovery CD (basically the Mandriva DVD in rescue mode) to have a look at the damages. I was not able to discriminate what was left and what was missing from this simple rescue mode. The reason was the partition table for the NTFS filesystem was missing.
Step 2: what is available under GPL?
In order to reconstruct it, i used the recovery utility Testdisk (thanks to a recommendation from Pascal Terjan via irc).
After a quick look at the documentation page, i also found out it was able to recover specifically images with Photorec.
I downloaded the static binary package and used my usb key to launch TestDisk in the Mandriva recovery mode.
Step 3: discovering and using TestDisk
I won’t reproduce the documentation since the wiki is well documented, but here are basic steps i did (with great help from Chistophe Grenier, the main TestDisk/PhotoRec developper):
- I launched PhotoRec and used the options "Analyse" then "Search
- The result of the analysis was:
* HPFS - NTFS 0 1 1 2610 254 63 41945652
L HPFS - NTFS 2611 1 1 14946 254 63 198177777
D HPFS - NTFS 2611 1 11 13468 254 63 174433697
D Linux Swap 13469 1 1 13569 254 63 1622502
D Linux 13570 1 1 14945 254 63 22105377
- As advised by Christophe, i did "Write" then "BackupBS".
The partition table was restored but some important files were missing, so no luck to reboot and restart the OS.
Step 4: recovering datas
The most important files were all my pictures (i had some backups, but recent ones were missing). To find them, I used PhotoRec. This lead me to a bunch of files with no link between their content and their name (file00001, file 00002, ...).
After some bash scripting, i finally recovered back most of my datas, for the operating system, i had to reinstall a clean copy of it (the recovery mode didn’t work).
In the end
- Never use a powerful GNU/Linux if you’re tired :-)
- Tesdisk is a wonderful tool, if in trouble you know what to use.
- Thanks a lot again to Christophe Grenier for his great help and patience in helping me in this difficult stage.