data recovered after dd'ed wrong hard disk

Posted: 11 Jan 2019, 15:39
by lugge
Hi there,
first, I want to thank you for this wonderful tool which just saved my ass ;-)
Maybe this will help someone else.

OK, what I did was really stupid.
I wanted to use dd to copy a Raspbian image to an SD card which was plugged into a USB port of my PC. I did this a hundred times before.
However, due to really bad partition labels (yes, my fault), I used dd on the wrong device file. Instead of my SD card, I wrote the Raspbian image to my external 2Tb hard disk.
Which contained most of my recent data. With no backup. Yes, again, my fault.

The external hard drive previously just had one big 2Tb partition, formatted with ext4.
This was my data partition.
After dd'ing the image to it, it looked like:

Code:

[lugge@lugge_desktop data]$ sudo lsblk
[sudo] password for lugge: 
NAME   MAJ:MIN RM   SIZE RO TYPE MOUNTPOINT
....
sdd      8:48   0   1,8T  0 disk 
├─sdd1   8:49   0  43,9M  0 part 
└─sdd2   8:50   0   1,7G  0 part 
...

You see, my precious data is gone, instead I had a Raspbian image, consisting of 2 partitions with 1,75Gb in total.
Yes, right! Not only did I delete my data partition. I also wrote 1,75Gb of random data over my old partition.
This means not only were the MBR and ext4 superblock overwritten, but also thousands of inodes and ext4 data blocks have been overwritten!

However, because 1,75Gb is small compared to 2Tb, I had hope that I could somehow recover a good chunk of my data.
photorec was my last solution, but first I wanted to give testdisk a try.

I first used ddrescue to get me a complete image of my external hard drive.
This took about 16h, after that I had a big 1,8Tb image file on my internal 3Tb hard drive.
This way I can safely store the external USB drive for further use and can do my experiments on the image file.

Long story short:
Using testdisk's standard procedure (Analyse=>Quick search=> Deep Search (took about 5h)) I was able to find my ext4 data partition.

Code:

     Linux                 1020  28 33 241667 112 45 3865999360 [DataStorage]
     ext4 blocksize=4096 Large_file Sparse_SB, 1979 GB / 1843 GiB

Using button P I was able to see my data files.
I used arrow keys to set it from D ("deleted") to P ("primary") and wrote the changes to the image. This naturally deleted my Raspbian partitions because they overlapped.

I mounted the image via loopback device, and, from what I can see, my data is there and OK.
I have not checked each file, maybe some files are gone, but it seems all important stuff and photos are still there.
I will now copy the files from loopback to another hard drive with a fresh ext4 file system because I still don't trust the old, recovered data partition.
Who knows which issues are still lurking in the depths of block group and inode tables ;-)

OK cgrenier, I once again want to thank you for this tool (and will surely donate ;-) ).
But I have one question left, maybe you find the time to answer this:

The deep analysis searched for backup ext4 superblocks.
After finding some, testdisk was able to restore the primary superblock and the MBR (remember, both of them were overwritten with a Raspbian image).
In the superblock it then found information about the partition layout (stuff like "Blocks per group" or "Inodes per group").
However, my dd command also overwrote a lot of block groups and inodes.
About 1750000000 bytes written means the first 13 block groups were totally toasted. That means 106496 inodes.
And, as we know, inode 2 is the root directory of a partition.
Thus, all directory information about the root directory should have been lost forever.
But using debugfs and dumpe2fs, I can confirm that all groups and inodes look good, including inode 2.

How was testdisk able to restore this?
As far as my understanding goes, my dd overwrote this. Are there also backups for inodes?

Regards,
lugge

Re: data recovered after dd'ed wrong hard disk

Posted: 13 Jan 2019, 15:49
by cgrenier
Your DataStorage partition wasn't near the beginning of the disk, it's at cylinder 1020, about 8000 MB after the beginning of the disk.
Otherwise inode blocks are before data blocks (see https://ext4.wiki.kernel.org/index.php/ ... out#Layout ) so yes, your root directory should have been overwritten.
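
Added example (not written by either poster, and not TestDisk code): the arithmetic behind the answer above, checking whether the overwritten byte range reaches the recovered partition at all, next to the first post's estimate for a partition starting at byte 0. The 255-head/63-sector geometry, the 512-byte sector size and the blocks-per-group default are assumptions; dumpe2fs on the recovered filesystem shows the real per-group values.

```python
import re

SECTOR = 512                        # bytes per sector (assumed)
HEADS, SPT = 255, 63                # assumed translated geometry, not stated in the thread
BLOCK_SIZE = 4096                   # from the testdisk output
BLOCKS_PER_GROUP = 8 * BLOCK_SIZE   # ext4 default, assumed here
INODES_PER_GROUP = 8192             # implied by the post: 106496 inodes / 13 groups

# Partition line as quoted in the first post.
TESTDISK_LINE = "Linux                 1020  28 33 241667 112 45 3865999360 [DataStorage]"
OVERWRITTEN = 1_750_000_000         # bytes written by dd, figure from the first post


def parse_partition(line):
    """Return (start_lba, sector_count) from a testdisk CHS partition line."""
    m = re.search(r"(\d+)\s+(\d+)\s+(\d+)\s+\d+\s+\d+\s+\d+\s+(\d+)", line)
    if not m:
        raise ValueError("not a testdisk partition line")
    c, h, s, count = map(int, m.groups())
    if not (0 <= h < HEADS and 1 <= s <= SPT):
        raise ValueError("CHS value outside assumed geometry")
    return (c * HEADS + h) * SPT + (s - 1), count


def overlap(start_byte, length, overwritten):
    """Bytes of [start_byte, start_byte+length) that fall inside [0, overwritten)."""
    return max(0, min(start_byte + length, overwritten) - start_byte)


def damage(start_byte, length, overwritten):
    """Summarise which ext4 block groups the overwrite reached."""
    hit = overlap(start_byte, length, overwritten)
    group_bytes = BLOCKS_PER_GROUP * BLOCK_SIZE
    full = hit // group_bytes
    touched = -(-hit // group_bytes)  # ceiling division
    return {"bytes": hit, "groups_full": full, "groups_touched": touched,
            "inodes_full": full * INODES_PER_GROUP}


start_lba, sectors = parse_partition(TESTDISK_LINE)
start_byte = start_lba * SECTOR

if __name__ == "__main__":
    print("partition starts at byte", start_byte, "=", start_byte // 2**20, "MiB")
    print("as found by testdisk:", damage(start_byte, sectors * SECTOR, OVERWRITTEN))
    print("if it had started at 0:", damage(0, sectors * SECTOR, OVERWRITTEN))
```

Under these assumptions the partition starts at 8002 MiB, so the dd write ended long before its first block; the second result reproduces the 13 groups and 106496 inodes estimated in the first post.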