How to rescue your data, 1/3

I could show you a recipe for rescuing your data and disks, but since the rescue mainly depends on how they were erased or crashed, I will show you in which particular case each rescue I present applies.

Thus, in these three articles I’ll present three different ways of crashing data and disks, and the ways to rescue them. This serves another purpose : to show you how easy it is to lose data and disks.

I’ve tested for you the three crashes.

… Okay… Actually I successively crashed my own personal data in those three ways… and finally rescued it three times.

I live under GNU/Linux, so I crashed / erased under GNU/Linux (in a way, it’s easier to make a mistake with GNU/Linux ;) ). You may have crashed / erased stuff with whichever OS you want; it’s not important, it’s for the example. I rescued everything using GNU/Linux, and this is important (in the same way, it’s easier to fix those mistakes with GNU/Linux).

Please note that for the “screenshots” of this article I used a Linux VM (Ubuntu Server) in VirtualBox.

So now let’s…

Crash your partition table

The partition table is located at the end of the first 512 bytes of the hard disk. It tells the system where the four primary partitions are located.

The beginning of those 512 bytes is the boot loader. It’s used by the BIOS to boot the system, if the BIOS is told to boot from this disk.

If the partition table is erased, the OS doesn’t know anymore where the partitions are. Thus you can’t access them anymore.

Please note that the system can’t access them, but they are physically still present. If you want an analogy, it’s like losing the map of an unknown country : cities are still there but you don’t know where.

Let’s say, for example, that you plan to rescue partition /dev/sdb1 (which has bad sectors). For safety reasons, you want to save the partition table of /dev/sdb with sfdisk(8) (which can dump and later restore a partition table).

You boot the computer with something like BackTrack, or System Rescue CD to perform your rescue.


[root@home]# cd /dev/
# You forgot the option to use, so :
[root@home]# man sfdisk
# You read the man page, and find that this is -d. Let's try :
[root@home]# sfdisk -d /dev/sdb
# partition table of /dev/sdb
unit: sectors
/dev/sdb1 : start=       63, size=   192717, Id=83
/dev/sdb2 : start=   192780, size=   240975, Id= 7
/dev/sdb3 : start=        0, size=        0, Id= 0
/dev/sdb4 : start=        0, size=        0, Id= 0
# Let's go :
[root@home]# sfdisk -d /dev/sdb > sdb

Just as you press Enter, you realize that you are in /dev and you have just filled the first bytes of /dev/sdb with something that does not really look like an MBR or a computer-readable partition table.

Two possibilities :

  • the output of sfdisk -d is small : your partition table has not been altered (only the bytes corresponding to the boot loader) and you can mount your partitions (actually, with this example above, it is the case :) ) as long as you don’t reboot, as Linux has loaded the partition table into memory.
  • the output of sfdisk -d is large enough, and fdisk -l outputs something like :


Disk /dev/sdb: 222 MB, 222298112 bytes
255 heads, 63 sectors/track, 27 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x7a697320


This doesn't look like a partition table
Probably you selected the wrong device.


Device Boot      Start         End      Blocks   Id  System
/dev/sdb1   ?       76368      126628   403709618   20  Unknown
Partition 1 has different physical/logical beginnings (non-Linux?):
phys=(32, 32, 32) logical=(76367, 148, 54)
Partition 1 has different physical/logical endings:
phys=(32, 32, 32) logical=(126627, 27, 12)
Partition 1 does not end on cylinder boundary.
/dev/sdb2   ?          13          27      120487+   7  HPFS/NTFS


Partition table entries are not in disk order

In the latter case, your partition table is unreadable. Once rebooted, the OS won’t be able to access your partitions anymore.

Another way to crash the partition table is to play with tools like Partition Magic.

How do you know you have crashed your partition table ? You know it when your OS can’t see your partitions anymore :)
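The layout and the two overwrite cases described above, as an added Python example (not part of the original article): it parses the four 16-byte entries at offset 446 of an MBR sector and shows what a short and a long text dump written at byte 0 do to them. The sector, the helper names and the space-padded 460-byte dump are constructed for illustration.

```python
import struct

SECTOR, TABLE_OFFSET, ENTRY_SIZE = 512, 446, 16  # boot code fills bytes 0..445
SIGNATURE = b"\x55\xaa"                          # bytes 510..511
ENTRY = struct.Struct("<B3xB3xII")  # boot flag, CHS, type id, CHS, start LBA, sector count

def parse_mbr(sector):
    """Return the four primary partition entries of a 512-byte MBR sector."""
    if len(sector) != SECTOR:
        raise ValueError("an MBR sector is exactly 512 bytes")
    entries = []
    for i in range(4):
        boot, ptype, start, size = ENTRY.unpack_from(sector, TABLE_OFFSET + i * ENTRY_SIZE)
        entries.append({"boot": boot, "id": ptype, "start": start, "size": size})
    return entries

def table_is_plausible(sector):
    """Cheap sanity check: 0x55AA signature present, every boot flag 0x00 or 0x80."""
    return sector[510:512] == SIGNATURE and all(
        e["boot"] in (0x00, 0x80) for e in parse_mbr(sector))

def build_sector(parts):
    """Build a constructed MBR sector from (boot, id, start, size) tuples."""
    sector = bytearray(SECTOR)
    for i, part in enumerate(parts):
        ENTRY.pack_into(sector, TABLE_OFFSET + i * ENTRY_SIZE, *part)
    sector[510:512] = SIGNATURE
    return bytes(sector)

def overwrite_start(sector, text):
    """Simulate text redirected onto the disk device: it lands at byte 0."""
    text = text[:SECTOR]
    return text + sector[len(text):]

# Constructed sample: the two partitions listed in the sfdisk dump of the article.
ORIGINAL = build_sector([(0x80, 0x83, 63, 192717), (0x00, 0x07, 192780, 240975)])
SMALL_DUMP = (b"# partition table of /dev/sdb\nunit: sectors\n"
              b"/dev/sdb1 : start=       63, size=   192717, Id=83\n"
              b"/dev/sdb2 : start=   192780, size=   240975, Id= 7\n"
              b"/dev/sdb3 : start=        0, size=        0, Id= 0\n"
              b"/dev/sdb4 : start=        0, size=        0, Id= 0\n")
LARGE_DUMP = SMALL_DUMP.ljust(460)  # constructed: padded with spaces past offset 446

if __name__ == "__main__":
    for name, dump in (("small", SMALL_DUMP), ("large", LARGE_DUMP)):
        damaged = overwrite_start(ORIGINAL, dump)
        print(name, len(dump), table_is_plausible(damaged), parse_mbr(damaged)[:2])
```

In the damaged fdisk output above, Id 20 and phys=(32, 32, 32) are ASCII spaces (0x20) read as a partition entry, which the large case here reproduces. The disk identifier 0x7a697320 is likewise the little-endian bytes of the text " siz".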

Rescue your partition table

It’s time to introduce testdisk(1).

Testdisk is intended to fix exactly what you have broken : the partition table. To do that, it scans the disk in search of special bytes and partition boundaries.

In my case, I “just” crashed the primary partition table, but testdisk can be used if you have (un)intentionally erased a partition when playing with Partition Magic.

Rescuing a partition table with testdisk is rather straightforward. Let’s go :

[root@home]# testdisk /dev/sdb
TestDisk 6.11, Data Recovery Utility, April 2009
Christophe GRENIER <grenier@cgsecurity.org>
http://www.cgsecurity.org


TestDisk is free software, and
comes with ABSOLUTELY NO WARRANTY.


Select a media (use Arrow keys, then press Enter):
Disk /dev/sdb - 222 MB / 212 MiB - ATA VBOX HARDDISK


[Proceed ]  [  Quit  ]

Go on with ‘Proceed’

Please select the partition table type, press Enter when done.
[Intel  ]  Intel/PC partition
[EFI GPT]  EFI GPT partition map (Mac i386, some x86_64...)
[Mac    ]  Apple partition map
[None   ]  Non partitioned media
[Sun    ]  Sun Solaris partition
[XBox   ]  XBox partition
[Return ]  Return to disk selection

I suppose you use an Intel partition. So go on with it.

[ Analyse  ]  Analyse current partition structure and search for lost partitions
[ Advanced ]  Filesystem Utils
[ Geometry ]  Change disk geometry
[ Options  ]  Modify options
[ MBR Code ]  Write TestDisk MBR code to first sector
[ Delete   ]  Delete all data in the partition table
[ Quit     ]  Return to disk selection

You have lost partitions, so ‘Analyse’ is your choice.


Current partition structure:
Partition                  Start        End    Size in sectors
1 * Willowsoft OFS1      76367 148 54 126627  27 12  807419236


Warning: Bad starting cylinder (CHS and LBA don't match)
2 * HPFS - NTFS             12   0  1    26 254 63     240975
Only one partition must be bootable


*=Primary bootable  P=Primary  L=Logical  E=Extended  D=Deleted
[Quick Search]  [ Backup ]

Validate on ‘Quick Search’


Should TestDisk search for partition created under Vista ? [Y/N] (answer Yes if
unsure)

Give the appropriate answer.


Disk /dev/sdb - 222 MB / 212 MiB - CHS 27 255 63
Partition               Start        End    Size in sectors
* Linux                    0   1  1    11 254 63     192717
P HPFS - NTFS             12   0  1    26 254 63     240975

Hey, testdisk has found your lost partitions :) Just press Enter.


Partition                  Start        End    Size in sectors

1 * Linux                    0   1  1    11 254 63     192717
2 P HPFS - NTFS             12   0  1    26 254 63     240975

[  Quit  ]  [Deeper Search]  [ Write  ]

Take a deep breath and press ‘Write’


Write partition table, confirm ? (Y/N)

Light a candle and press ‘Write’


You will have to reboot for the change to take effect.

Say yes, and quit testdisk (you’ll have to validate on ‘Quit’ several times)

Actually, you don’t have to reboot if partprobe is installed. If it is, just type ‘partprobe’

Ask fdisk -l /dev/sdb what it thinks about your rescue :

Device Boot      Start         End      Blocks   Id  System
/dev/sdb1   *           1          12       96358+  83  Linux
/dev/sdb2              13          27      120487+   7  HPFS/NTFS

Congratulate yourself, and consider giving some money to the coders of testdisk.

Conclusion

Be careful when you are root and play with your disks and partition table. It’s very easy to make a mistake that will destroy a partition. Since you are making backups (aren’t you ?), this loss is not very harmful.

But testdisk, which can find and restore lost partitions, can be a great help in some cases, and save you time.