I have a 3TB external USB3 drive which had a single NTFS partition (although I believe Windows slips in a hidden partition before the first one). Quite inexcusably I applied the following command to the disk (obviously it was meant for a different disk): cryptsetup -c aes-cbc-essiv:sha256 -y -s 256 luksFormat /dev/sdb disk
If I run cryptsetup luksOpen /dev/sdb disk (at least I've remembered the password), /dev/mapper/disk gets exposed. No data has been written to this disk since the accidental 'luks-ing'. Would I therefore be correct in assuming that decrypted, as /dev/mapper/disk, my data from the NTFS partition should still be intact?
I'm currently using TestDisk to analyse /dev/mapper/disk. It produces two options: the first seems far too small; perhaps it's the hidden Windows partition. The second seems more on target, but once the analysis is complete it disappears. If I do a deeper search it only searches within the partition I've described as too small.
The numbers for the "small" partition are:
73123106      73659845      536739      732562549
292,492,424   294,639,380   2,146,956   2,930,250,196
278GB         280GB         2GB         2794GB
The first row is sector numbers and the total number is correct. The second row is me converting them into kilobytes (assuming 4k), so the third is GB. Again, 2,794GB is the size of the disk, but it seems to me that a span of 2GB is being indicated as recoverable. This was certainly not the size of the primary partition, and I had approx. 2.3TB on the disk.

Any comments as to whether I'm doing this in the right way would be appreciated as well as about the data I've provided so far. I will also revert with the second set of numbers that appeared and disappeared if I can get them again.
By the way, just thinking of other approaches, could I somehow use kpartx to make /dev/mapper/disk mountable, or is that just going to land me in a world of device mapper disorientation?