Recovering multiple deleted LUKS Partitions
Posted: 24 Sep 2019, 09:22
Hello there,
while trying to rescue some data from a friends external drive, I accidentally made some changes with TestDisk to my internal hard drive. Foremost it seems to be the deletion of partitions. This is what it currently looks like:
sda3 contains the LUKS information, but it's only 2MiB (is this normal?). I can luksOpen it and it accepts my key, but it gives me:
I tried googling the "Requested offset is beyond real size" error, but it didn't really help me. The solution in other threads always seems to be to restore the old partition table, but I fail at doing that. I tried deleting partition 4 and 5, creating new ones with 30GiB for /root and same size for the current sda5, but it still won't let me luksOpen it.
Also strange is that the LUKS Header on /dev/sda5 seems off and on sda4 is nothing:
Creating a loop device with given offset and then luksOpen it does prompt for a password, but it wont accept it (using same as for sda3 before):
And here's the full TestDisk DeepSearch log and the Results table:
https://pastebin.com/wmXHww76
I am certain I had one encrypted root and one encrypted home partition. I'm not sure whether I had an extra /boot and swap partition on my latest setup.
As I dont want to create further damage, can someone please give me some hints? I already created a dd backup of the full disk, so I can create a loop device and try there first.
Big thanks in advance, I really feel like I lost a part of myself...definitely gonna do backups more often now.
Regards, naeg
while trying to rescue some data from a friends external drive, I accidentally made some changes with TestDisk to my internal hard drive. Foremost it seems to be the deletion of partitions. This is what it currently looks like:
Code: Select all
label: dos
label-id: 0x3c707216
device: /dev/sda
unit: sectors
/dev/sda1 : start= 2048, size= 204800, type=7, bootable
/dev/sda2 : start= 206848, size= 209510400, type=7
/dev/sda3 : start= 209717248, size= 4096, type=83
/dev/sda4 : start= 209721344, size= 1743804416, type=f
/dev/sda5 : start= 272631808, size= 1680893952, type=83
Code: Select all
mint@mint:/mnt$ sudo cryptsetup luksOpen /dev/sda3 sda3
Enter passphrase for /dev/sda3:
Requested offset is beyond real size of device /dev/sda3.
Also strange is that the LUKS Header on /dev/sda5 seems off and on sda4 is nothing:
Code: Select all
> hexdump -C /dev/sda3 | grep LUKS
00000000 4c 55 4b 53 ba be 00 01 61 65 73 00 00 00 00 00 |LUKS....aes.....|
> hexdump -C /dev/sda4 | grep LUKS
> hexdump -C /dev/sda5 | grep LUKS
10a1a190 64 00 4c 55 4b 53 ba be 00 25 73 20 21 3d 20 25 |d.LUKS...%s != %|
1f600000 4c 55 4b 53 ba be 00 01 61 65 73 00 00 00 00 00 |LUKS....aes.....|
Code: Select all
> losetup -o 0x1f600000 -r -f /dev/sda5
> cryptsetup luksOpen /dev/loop1 recover
Enter passphrase for /dev/loop1:
No key available with this passphrase
...
https://pastebin.com/wmXHww76
Code: Select all
Current partition structure:
1 * HPFS - NTFS 0 32 33 12 223 19 204800
2 P HPFS - NTFS 12 223 20 13054 75 13 209510400
3 P Linux 13054 75 14 13054 140 14 4096
4 E extended LBA 13054 140 15 121601 90 25 1743804416
5 L Linux 16970 139 2 121601 90 25 168089395
Code: Select all
Results
* HPFS - NTFS 0 32 33 12 223 19 204800
NTFS, blocksize=4096, 104 MB / 100 MiB
HPFS - NTFS 12 223 20 13054 75 13 209510400
NTFS, blocksize=4096, 107 GB / 99 GiB
HPFS - NTFS 29 49 21 121601 57 56 1953054720
NTFS found using backup sector, blocksize=4096, 999 GB / 931 GiB
Linux 13054 75 14 13054 140 14 4096
LUKS 1 (Data size unknown), 2097 KB / 2048 KiB
Linux 16970 139 2 121601 90 25 1680893952
ext4 blocksize=4096 Large_file Sparse_SB, 860 GB / 801 GiB
Linux 16970 171 32 17034 105 29 1024000
ext4 blocksize=1024 Large_file Sparse_SB Backup_SB, 524 MB / 500 MiB
Linux 17034 138 1 17034 203 1 4096
LUKS 1 (Data size unknown), 2097 KB / 2048 KiB
HPFS - NTFS 32363 224 54 121601 25 24 1433595904
NTFS found using backup sector, blocksize=4096, 734 GB / 683 GiB
Linux Swap 120293 33 61 121601 90 25 21016576
SWAP2 version 1, pagesize=4096, 10 GB / 10 GiB
As I dont want to create further damage, can someone please give me some hints? I already created a dd backup of the full disk, so I can create a loop device and try there first.
Big thanks in advance, I really feel like I lost a part of myself...definitely gonna do backups more often now.
Regards, naeg