LVM partition with ext4

fLegmatik
Posts: 2
Joined: 02 Feb 2021, 13:20

LVM partition with ext4

#1 Post by fLegmatik »

Hello. I have an interesting case. I accidentally ran ransomware and lost ~bitcoins~ two hard drives from my system.
Before the incident I had the partitions and filesystems listed in the table. Old LVM config file: https://pastebin.com/kRqjH5Zt

device/PV  VG         LV         FS type    FS label   Size, GiB   status     
/dev/sda1  -          -          ext2       boot                   ok         
/dev/sda2  vg0        root       ext4       lvm-root            50 ok         
                      home       ext4       lvm-home           190 ok         
                      var        ext4       lvm-var            200 ok. contain
                      swap                                      25
/dev/sdb   vg0        share      ext4       lvm-share         2794 corrupted  
/dev/sdc   vg0        family     ext4       family            2794 corrupted

I reinstalled the system on new drives and now want to restore my files. Drives sdb and sdc are corrupted by the intruder. Sdb has files of near-zero value and I can experiment with it. The files on sdc are more valuable; 95 % of them are already stored in backups, but it would be very good to restore all files and directories. Currently I have unplugged the sdc drive and am testing with sdb only.
LVM (vgscan) doesn’t list this PV. Fdisk doesn’t find any partition. PhotoRec successfully finds many media files even after a one-minute scan, but I need a lot of time to sort them.

The most interesting tool is TestDisk. TestDisk finds the [lvm-share] filesystem but says that the disk is too small. The log file is attached below. I think this is because the ext4 filesystem was not placed on sdb directly but in the bigger LVM group. So I need a solution to one of the following problems.

1. Probably I need to add sdb to vg0 again (`vgextend vg0 /dev/sdb`?), create a “new” LV (`lvcreate -n share -l 100%FREE vg0`?) and then run TestDisk on this LV (`testdisk /dev/mapper/vg0-share`?). Do these commands leave the filesystem untouched? Anyway, after extending, vg0 will be less than 5388 GiB, so I think TestDisk may report an unrecoverable partition again.

2. Probably I need to change the filesystem’s start and end CHS values to fit them to the real hard drive. But how do I do this?

3. Maybe there is another way to restore an ext4 partition that was placed in LVM?


testdisk.log ( https://pastebin.com/vAkLBpyQ )

/dev/sdb: LBA, HPA, LBA48, DCO support
/dev/sdb: size 5860533168 sectors
/dev/sdb: user_max 5860533168 sectors
/dev/sdb: native_max 5860533168 sectors
Using locale 'ru_RU.UTF-8'.


Mon Feb 1 21:09:20 2021
Command line: TestDisk /log /dev/sdb

TestDisk 7.0, Data Recovery Utility, April 2015
Christophe GRENIER <grenier@cgsecurity.org>
http://www.cgsecurity.org
OS: Linux, kernel 4.19.0-13-amd64 (#1 SMP Debian 4.19.160-2 (2020-11-28)) x86_64
Compiler: GCC 8.2
ext2fs lib: 1.44.5, ntfs lib: libntfs-3g, reiserfs lib: none, ewf lib: none, curses lib: ncurses 6.1
Hard disk list
Disk /dev/sdb - 3000 GB / 2794 GiB - CHS 364801 255 63, sector size=512 - ST3000DM008-2DM166, S/N:Z5045QT7, FW:CC26

Partition table type default to EFI GPT
Disk /dev/sdb - 3000 GB / 2794 GiB - ST3000DM008-2DM166
Partition table type: Intel

Interface Advanced

Analyse Disk /dev/sdb - 3000 GB / 2794 GiB - CHS 364801 255 63
Current partition structure:

Partition sector doesn't have the endmark 0xAA55

search_part()
Disk /dev/sdb - 3000 GB / 2794 GiB - CHS 364801 255 63
check_FAT: Unusual number of reserved sectors 4 (FAT), should be 1.
check_FAT: Unusual media descriptor (0xf8!=0xf0)
heads/cylinder 64 (FAT) != 255 (HD)
sect/track 32 (FAT) != 63 (HD)
FAT12 79842 173 12 79843 113 14 12288 [Firmware]
FAT12, blocksize=2048, 6291 KB / 6144 KiB
Linux 250883 226 32 250885 192 43 30000
ext3 blocksize=4096 Large_file Sparse_SB, 15 MB / 14 MiB
BAD_RS LBA=4600156160 257040
check_FAT: Unusual media descriptor (0xf0!=0xf8)
heads/cylinder 4 (FAT) != 255 (HD)
sect/track 8192 (FAT) != 63 (HD)
check_FAT: Unusual media descriptor (0xf0!=0xf8)
heads/cylinder 4 (FAT) != 255 (HD)
sect/track 8192 (FAT) != 63 (HD)
FAT16 LBA 286346 121 48 286411 190 51 1048576 [NO NAME]
FAT16, blocksize=8192, 536 MB / 512 MiB
Linux 286428 49 22 286466 111 45 614400
ext4 blocksize=1024 Large_file Sparse_SB, 314 MB / 300 MiB
Linux 286466 111 46 287000 19 59 8572928
ext4 blocksize=4096 Large_file Sparse_SB, 4389 MB / 4186 MiB
Linux 287049 203 3 287583 111 16 8572928
ext4 blocksize=4096 Large_file Sparse_SB Recover, 4389 MB / 4186 MiB
BAD_RS LBA=4737732608 257040
check_FAT: Unusual media descriptor (0xf0!=0xf8)
heads/cylinder 4 (FAT) != 255 (HD)
sect/track 8192 (FAT) != 63 (HD)
check_FAT: Unusual media descriptor (0xf0!=0xf8)
heads/cylinder 4 (FAT) != 255 (HD)
sect/track 8192 (FAT) != 63 (HD)
FAT16 LBA 294910 54 57 294975 123 60 1048576 [LAKKA]
FAT16, blocksize=8192, 536 MB / 512 MiB
Linux 296670 124 31 296674 144 46 65536 [LAKKA_DISK]
ext4 blocksize=1024 Large_file Sparse_SB, 33 MB / 32 MiB
Linux 338625 58 58 703358 170 44 5859442688 [lvm-share]
ext4 blocksize=4096 Large_file Sparse_SB, 3000 GB / 2794 GiB
This partition ends after the disk limits.
recover_EXT2: "e2fsck -b 32768 -B 4096 device" may be needed
Linux 363092 157 10 363484 61 33 6291456 [gemian]
ext4 blocksize=4096 Large_file Sparse_SB Backup_SB, 3221 MB / 3072 MiB
Disk /dev/sdb - 3000 GB / 2794 GiB - CHS 364801 255 63
Check the harddisk size: HD jumpers settings, BIOS detection...
The harddisk (3000 GB / 2794 GiB) seems too small! (< 5785 GB / 5388 GiB)
The following partition can't be recovered:
Linux 338625 58 58 703358 170 44 5859442688 [lvm-share]
ext4 blocksize=4096 Large_file Sparse_SB, 3000 GB / 2794 GiB

interface_write()

No partition found or selected for recovery
simulate write!
No extended partition

TestDisk exited normally.

fLegmatik
Posts: 2
Joined: 02 Feb 2021, 13:20

Re: LVM partition with ext4

#2 Post by fLegmatik »

Any suggestions? Which way looks preferable: the 1st or the 2nd? Maybe in the first way I need to add both sdb and sdc to vg0? Then the total space will be > 5785 GB.

BTW, I made a table to calculate this "338625 58 58 703358 170 44 5859442688" magic myself.
https://docs.google.com/spreadsheets/d/ ... sp=sharing
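
The arithmetic behind the "338625 58 58 703358 170 44 5859442688" line, as an added example that is not part of the original posts: it parses TestDisk partition lines, converts each CHS pair to an LBA using the geometry from the log (255 heads, 63 sectors per track), and checks every entry against the disk size. The function and field names are chosen for this example; the sample lines are copied from the log above.

```python
import re

# Values taken from the TestDisk log above.
HEADS, SECTORS_PER_TRACK = 255, 63      # "CHS 364801 255 63"
DISK_SECTORS = 5860533168               # "/dev/sdb: size 5860533168 sectors"
SECTOR_SIZE = 512

# Partition lines copied from the log, embedded so the script runs offline.
SAMPLE_LOG = """\
Linux 286428 49 22 286466 111 45 614400
ext4 blocksize=1024 Large_file Sparse_SB, 314 MB / 300 MiB
Linux 338625 58 58 703358 170 44 5859442688 [lvm-share]
ext4 blocksize=4096 Large_file Sparse_SB, 3000 GB / 2794 GiB
Linux 363092 157 10 363484 61 33 6291456 [gemian]
"""

# <type> <start C H S> <end C H S> <size in sectors> [optional label]
PART_RE = re.compile(r"^(.+?)\s+" + r"(\d+)\s+" * 6 + r"(\d+)(?:\s+\[(.*)\])?\s*$")


def chs_to_lba(c, h, s):
    """Classic CHS-to-LBA mapping; sectors are numbered from 1."""
    return (c * HEADS + h) * SECTORS_PER_TRACK + (s - 1)


def parse_partitions(log_text):
    """Return one dict per partition line found in a TestDisk log."""
    found = []
    for line in log_text.splitlines():
        m = PART_RE.match(line.strip())
        if not m:
            continue  # description lines, check_FAT messages, etc.
        nums = [int(x) for x in m.groups()[1:8]]
        start, end, size = chs_to_lba(*nums[0:3]), chs_to_lba(*nums[3:6]), nums[6]
        found.append({
            "type": m.group(1), "label": m.group(9),
            "start_lba": start, "end_lba": end, "size": size,
            "consistent": end - start + 1 == size,   # CHS pair agrees with size
            "past_disk_end": end >= DISK_SECTORS,    # "ends after the disk limits"
            "needed_gib": (end + 1) * SECTOR_SIZE // 2**30,
        })
    return found


if __name__ == "__main__":
    for p in parse_partitions(SAMPLE_LOG):
        print(p)
```

For the [lvm-share] entry this gives a start at sector 5440014336 and an end at sector 11299457023, which is where the 5388 GiB figure in TestDisk's "seems too small" message comes from.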
