TestDisk vs. bad-looking boot sector on an ext4 file system

brezniczky
Posts: 1
Joined: 24 Nov 2019, 22:30

TestDisk vs. bad-looking boot sector on an ext4 file system

#1 Post by brezniczky »

Hello!

I am trying to recover files from a partly encrypted (ecryptfs) file system using a live Ubuntu.
A few seconds after realizing the mistaken rm -r, I shut the system down.

Briefly, TestDisk 7.0 says my boot sector is erroneous on that partition, although PhotoRec does recover a lot of (too many to quickly check out) files without a problem.
The filenames are valuable, so I am trying to bring the TestDisk approach to life, but I'm told TD needs to have a "valid NTFS Boot sector" in order for this. It also says
the boot sector and the backup boot sector are not identical.

It is an ext4 partition, about 150 GB big, and works fine otherwise (I worked using it every day up till the very incident, following which I decided to freeze in panic for a while :D), though I did get similar warnings on occasions.
Safe to say I am not a master of disk structures.

My questions:

1. If I attempt to fix the boot sector as TestDisk suggests, and things go bad, can I recover from that using an image created from the #1 partition on that disk?
Can I just as well back up the "backup" boot sector like this - is there a better/good way to prepare for this?

2. I guess this is a stupid thought, but might have to do with things. The "file" command said this partition needs a journal recovery - should I try using e2fsck?
Or would I be risking too much for no good reason - in other words, can this be the problem that is reported by TestDisk at all?

Thank you in advance!

Best,

Janos

--- more information: ---

* As a detour, I defaulted to PhotoRec, but then the true filenames are missing.
I am at a first glance lost - having an insane amount of recovered files (~70 GB - while I have about 7 gigs of free disk space).

* I bump into the following problem with TestDisk/Advanced:

TestDisk 7.0, Data Recovery Utility, April 2015
Christophe GRENIER <grenier@cgsecurity.org>
http://www.cgsecurity.org

Disk /dev/sda - 256 GB / 238 GiB - CHS 31130 255 63
Partition Start End Size in sectors
2 P HPFS - NTFS 12 223 20 19457 21 20 312371200

Boot sector
Status: Bad

Backup boot sector
Status: Bad

Sectors are not identical.

A valid NTFS Boot sector must be present in order to access
any data; even if the partition is not bootable.



* TestDisk/Analyse output on the same disk:

TestDisk 7.0, Data Recovery Utility, April 2015
Christophe GRENIER <grenier@cgsecurity.org>
http://www.cgsecurity.org

Disk /dev/sda - 256 GB / 238 GiB - CHS 31130 255 63
Current partition structure:
Partition Start End Size in sectors

1 * HPFS - NTFS 0 32 33 12 223 19 204800
Invalid NTFS or EXFAT boot
2 P HPFS - NTFS 12 223 20 19457 21 20 312371200
2 P HPFS - NTFS 12 223 20 19457 21 20 312371200
3 P HPFS - NTFS 19457 21 21 27106 2 32 122880000
4 E extended 27106 34 63 31130 223 5 64657410
5 L Linux Swap 30158 80 3 31130 223 5 15624192
X extended 27106 35 1 30158 80 2 49033217
6 L Linux 27106 35 2 30158 80 2 49033216

* FDisk output

$ sudo fdisk -l

Disk /dev/loop0: 1.4 GiB, 1532116992 bytes, 2992416 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes


Disk /dev/sda: 238.5 GiB, 256060514304 bytes, 500118192 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x18f7fd89

Device     Boot     Start       End   Sectors  Size Id Type
/dev/sda1  *         2048    206847    204800  100M  7 HPFS/NTFS/exFAT
/dev/sda2          206848 312578047 312371200  149G  7 HPFS/NTFS/exFAT
/dev/sda3       312578048 435458047 122880000 58.6G  7 HPFS/NTFS/exFAT
/dev/sda4       435460094 500117503  64657410 30.9G  5 Extended
/dev/sda5       484493312 500117503  15624192  7.5G 82 Linux swap / Solaris
/dev/sda6       435460096 484493311  49033216 23.4G 83 Linux

Partition table entries are not in disk order.



If I run "file" (as suggested here https://unix.stackexchange.com/question ... t3-or-ext4)

$ sudo file -sL /dev/sd*

/dev/sda: DOS/MBR boot sector
/dev/sda1: DOS/MBR boot sector, code offset 0x52+2, OEM-ID "NTFS ", sectors/cluster 8, Media descriptor 0xf8, sectors/track 63, heads 255, hidden sectors 2048, dos < 4.0 BootSector (0x80), FAT (1Y bit by descriptor); NTFS, sectors/track 63, sectors 204799, $MFT start cluster 8533, $MFTMirror start cluster 2, bytes/RecordSegment 2^(-1*246), clusters/index block 1, serial number 030781eac781e70b8; contains Microsoft Windows XP/VISTA bootloader BOOTMGR
/dev/sda2: Linux rev 1.0 ext4 filesystem data, UUID=f75d3b84-d465-47b1-829b-dc825279e2d5 (needs journal recovery) (extents) (large files) (huge files)
/dev/sda3: DOS/MBR boot sector, code offset 0x52+2, OEM-ID "NTFS ", sectors/cluster 8, Media descriptor 0xf8, sectors/track 63, heads 255, hidden sectors 312578048, dos < 4.0 BootSector (0x80), FAT (1Y bit by descriptor); NTFS, sectors/track 63, sectors 122879999, $MFT start cluster 786432, $MFTMirror start cluster 2, bytes/RecordSegment 2^(-1*246), clusters/index block 1, serial number 07a3ea62e3ea5e2fd; contains Microsoft Windows XP/VISTA bootloader BOOTMGR
/dev/sda4: DOS/MBR boot sector; partition 1 : ID=0x82, start-CHS (0x3ff,254,63), end-CHS (0x3ff,254,63), startsector 49033218, 15624192 sectors; partition 2 : ID=0x5, start-CHS (0x3ff,254,63), end-CHS (0x3ff,254,63), startsector 1, 49033217 sectors, extended partition table
/dev/sda5: Linux/i386 swap file (new style), version 1 (4K pages), size 1953023 pages, no label, UUID=88ccf8ad-15e7-45de-bc35-ae7c7e20f086
/dev/sda6: Linux rev 1.0 ext4 filesystem data, UUID=ef5c495b-0295-4dcf-b1b3-fe4d52195f8e (needs journal recovery) (extents) (large files) (huge files)
/dev/sdb: DOS/MBR boot sector; partition 1 : ID=0x83, active, start-CHS (0x41,101,37), end-CHS (0x3ff,254,63), startsector 1050624, 173015040 sectors; partition 2 : ID=0x5, start-CHS (0x253,22,4), end-CHS (0x3ff,254,63), startsector 174065664, 1773316096 sectors; partition 3 : ID=0x7, start-CHS (0x0,32,33), end-CHS (0x41,101,36), startsector 2048, 1048576 sectors; partition 4 : ID=0x7, start-CHS (0x3ff,254,63), end-CHS (0x3ff,254,63), startsector 1947381760, 6141952 sectors
/dev/sdb1: DOS/MBR boot sector, code offset 0x52+2, OEM-ID "NTFS ", sectors/cluster 8, Media descriptor 0xf8, sectors/track 63, heads 255, hidden sectors 1050624, dos < 4.0 BootSector (0x80), FAT (1Y bit by descriptor); NTFS, sectors/track 63, sectors 173015032, $MFT start cluster 786432, $MFTMirror start cluster 2, bytes/RecordSegment 2^(-1*246), clusters/index block 1, serial number 0ec50405350402724
/dev/sdb2: DOS/MBR boot sector; partition 1 : ID=0x83, start-CHS (0x3ff,254,63), end-CHS (0x3ff,254,63), startsector 2048, 1773314048 sectors, extended partition table (last)
/dev/sdb3: DOS/MBR boot sector, code offset 0x52+2, OEM-ID "NTFS ", sectors/cluster 8, Media descriptor 0xf8, sectors/track 63, heads 255, hidden sectors 2048, dos < 4.0 BootSector (0x80), FAT (1Y bit by descriptor); NTFS, sectors/track 63, sectors 1048568, $MFT start cluster 4, $MFTMirror start cluster 32767, bytes/RecordSegment 2^(-1*246), clusters/index block 1, serial number 0691530387f65dbd6; contains Microsoft Windows XP/VISTA bootloader BOOTMGR
/dev/sdb4: DOS/MBR boot sector, code offset 0x52+2, OEM-ID "NTFS ", sectors/cluster 8, Media descriptor 0xf8, sectors/track 63, heads 255, hidden sectors 1947381760, dos < 4.0 BootSector (0x80), FAT (1Y bit by descriptor); NTFS, sectors/track 63, sectors 6141951, $MFT start cluster 4, $MFTMirror start cluster 383871, bytes/RecordSegment 2^(-1*246), clusters/index block 1, serial number 06d43c2d1429e8989; contains Microsoft Windows XP/VISTA bootloader BOOTMGR
/dev/sdb5: Linux rev 1.0 ext4 filesystem data, UUID=43772d92-2454-495d-b0da-6a82418b4f5b, volume name "BigOnes" (needs journal recovery) (extents) (large files) (huge files)
/dev/sdc: DOS/MBR boot sector; partition 1 : ID=0xc, active, start-CHS (0x1,0,1), end-CHS (0x35b,121,58), startsector 8064, 15192192 sectors
/dev/sdc1: DOS/MBR boot sector, code offset 0x58+2, OEM-ID "SYSLINUX", sectors/cluster 32, reserved sectors 9056, Media descriptor 0xf8, sectors/track 63, heads 128, hidden sectors 8064, sectors 15192192 (volumes > 32 MB) , FAT (32 bit), sectors/FAT 3712, reserved1 0x73496850, reserved2 0x6e4f, reserved 0x1, serial number 0xf80bc0f1, label: "SONY_8X "

cgrenier
Site Admin
Posts: 5432
Joined: 18 Feb 2012, 15:08
Location: Le Perreux Sur Marne, France

Re: TestDisk vs. bad-looking boot sector on an ext4 file system

#2 Post by cgrenier »

It looks like your Linux partition is erroneously written as having an NTFS type.
Run "fdisk /dev/sda", "t" to change the type of the "2" partition to "83" (Linux).
Once it's done, 'w'rite the change, quit and restart your computer.

After the reboot, unless the partition is mounted, run "fsck.ext4 /dev/sda2".
Try TestDisk, Advanced, Undelete. The deleted files will probably have a zero-byte size.
If it's the case, you should sort the files recovered by PhotoRec.
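
The mismatch diagnosed in the reply above (MBR type 7 on a partition that "file" identifies as ext4) can be confirmed read-only before anything is changed with fdisk. The following is an added example, not part of the original thread and not TestDisk code: it compares each primary MBR entry's type byte with the signature found at the start of that partition. The sample disk image and all function names are constructed for illustration; the check covers only the four primary entries and does not distinguish ext2/3/4 from each other.

```python
import struct

SECTOR = 512
EXT_MAGIC_OFFSET = 1024 + 56  # superblock starts 1024 bytes in; s_magic is at +56
EXT_MAGIC = 0xEF53            # shared by ext2, ext3 and ext4
EXPECTED_TYPE = {"ext": 0x83, "ntfs": 0x07}

def detect_fs(part: bytes) -> str:
    """Identify the file system from on-disk signatures, ignoring the MBR type byte."""
    if len(part) >= EXT_MAGIC_OFFSET + 2 and \
            struct.unpack_from("<H", part, EXT_MAGIC_OFFSET)[0] == EXT_MAGIC:
        return "ext"
    if part[3:11] == b"NTFS    ":  # OEM-ID field of an NTFS boot sector
        return "ntfs"
    return "unknown"

def check_mbr(disk: bytes):
    """Return (number, type_id, detected_fs, mismatch) for each used primary entry."""
    if disk[510:512] != b"\x55\xaa":
        raise ValueError("no MBR signature")
    results = []
    for i in range(4):
        entry = disk[446 + 16 * i: 446 + 16 * (i + 1)]
        type_id = entry[4]
        start_lba, sectors = struct.unpack_from("<II", entry, 8)
        if type_id == 0 or sectors == 0:
            continue  # unused slot
        fs = detect_fs(disk[start_lba * SECTOR: start_lba * SECTOR + 2048])
        mismatch = fs in EXPECTED_TYPE and EXPECTED_TYPE[fs] != type_id
        results.append((i + 1, type_id, fs, mismatch))
    return results

def build_sample_disk() -> bytearray:
    """Constructed 64-sector image: entry 1 is NTFS, entry 2 is ext mislabelled as 0x07."""
    disk = bytearray(64 * SECTOR)
    disk[510:512] = b"\x55\xaa"
    for i, (type_id, start, size) in enumerate([(0x07, 8, 8), (0x07, 16, 16)]):
        # status, 3 CHS bytes, type, 3 CHS bytes, start LBA, sector count
        struct.pack_into("<B3xB3xII", disk, 446 + 16 * i, 0x00, type_id, start, size)
    disk[8 * SECTOR + 3: 8 * SECTOR + 11] = b"NTFS    "
    struct.pack_into("<H", disk, 16 * SECTOR + EXT_MAGIC_OFFSET, EXT_MAGIC)
    return disk

if __name__ == "__main__":
    for num, type_id, fs, bad in check_mbr(bytes(build_sample_disk())):
        flag = "  <-- type does not match signature" if bad else ""
        print(f"partition {num}: type 0x{type_id:02x}, signature {fs}{flag}")
```

On a real system the same functions can be pointed at a saved image of the disk rather than the live device, so the check never touches the data being recovered.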
