[Resolved] Help recovering an mdadm RAID1 array

5hades0f6rey
Posts: 5
Joined: 03 May 2012, 09:37


#1 Post by 5hades0f6rey »

If this were happening on my Windows box, I have the tools and skills to at least determine if there's anything to recover and at most recover most if not all my data... Unfortunately, my experience with GNU/Linux is not as extensive and I'm pretty much at a loss as to what to do.

Here's what I did.

Can TestDisk do anything to help? If not, would anyone here have some suggestions as to what I might try? If so, should I be attempting this on /dev/md1 or /dev/sdb and/or /dev/sdc? What should I try and what should I absolutely not do? ...

Speaking of which. If /proc/mdstat states that /dev/md0 is "auto-read-only", how much damage could I have done by making /dev/md0 read-write? Or rather I should ask, would doing so basically force mdadm to try and rebuild an array that has no partition table and just kill any chance of recovery?
Last edited by 5hades0f6rey on 12 May 2012, 21:31, edited 2 times in total.

remy
Posts: 457
Joined: 25 Mar 2012, 10:21
Location: Strasbourg, France.

Re: Help recovering an mdadm RAID1 array

#2 Post by remy »

First of all:

I think you didn't lose all your data. It will be quite hard to recover, but still possible, as long as you minimise writes to your disk.

Problems identified: filesystem corruption (2GB overwritten) and partition lost.

What you shouldn't do: write more on this disk.

What you have to do to recover:
- TestDisk scan (Deeper Search probably) to recover the old partition by its superbloc. Perhaps you may be able to list files with TestDisk, and copy them to another destination.
- If TestDisk is unable to recover (filesystem damaged) but can find the partition, write the partition and try to mount read-only using a superbloc.
- If not possible, try to repair using a superbloc, but you really should duplicate your disk before, because it will do deep writes on the disk, and if you can't recover what you expected it will probably not be possible to do it after.

Option: contact me by PM for professional recovery service. I give this solution because you told explicitly that you were a "newbie" with Linux, and... data recovery may be hazardous for beginners.


#3 Post by remy »

Whoops, forgot an answer:
Since it was RAID1, you can search on md0, sdb or sdc; you'll find the same ext partition (if your RAID was in sync).


#4 Post by 5hades0f6rey »

remy wrote:
> Whoops, forgot an answer:
> Since it was RAID1, you can search on md0, sdb or sdc; you'll find the same ext partition (if your RAID was in sync).

Thanks. I'll give your suggestions a try as soon as I get the chance. But before I seek a professional data recovery service, I'd like to at least try and see what I can do myself that is non-destructive. After all, professional data recovery isn't cheap.

BTW, when you refer to "superbloc", do you mean the drive/partition 'superblock' or an application called "superbloc"? I'm assuming the former as my attempts to find an application called "superbloc" have come up empty, but then again, you would know better than I.


#5 Post by remy »

In a Linux filesystem, there are groups of sectors with critical information about the filesystem. That is a superbloc. They are reproduced in multiple places on the disk. You have overwritten the beginning of your filesystem, thus losing the first superbloc, but TestDisk, while scanning your disk, will probably find another one and detect your old partition.

Then, knowing where it was, either you use "Write" to rewrite the MBR and then repair the filesystem using e2fsck, or you may also create a loop device (like a virtual disk by offset) and try to mount using a superbloc. The first should be easier to do, but involves writes to the disk. It would be a good idea to make a bit-for-bit copy of your disks before.

First, we may diagnose, without using "Write" in TestDisk:
Please give feedback on what you see with TestDisk in the first analysis, Quick Search and Deeper Search. The table is very probably "intel" and you may use the option "alignment: no" if results are not good.
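
The backup-superblock search described in the post above, as an added example (not part of the original thread and not TestDisk's own code): it scans an image sector by sector for ext2/3/4 superblock copies and derives the filesystem start from each copy's group number. The function names are hypothetical, the sample image is constructed in memory, and the `sparse_super` backup layout with 1 KiB blocks is an assumption of the sample.

```python
import struct

EXT_MAGIC, SECTOR = 0xEF53, 512

def parse_superblock(buf, pos):
    """Decode the ext2/3/4 superblock fields needed here, or None if implausible."""
    if pos + 1024 > len(buf):
        return None
    first_data_block, log_bs = struct.unpack_from("<II", buf, pos + 20)
    (per_group,) = struct.unpack_from("<I", buf, pos + 32)
    (magic,) = struct.unpack_from("<H", buf, pos + 56)
    (group,) = struct.unpack_from("<H", buf, pos + 90)  # s_block_group_nr
    if magic != EXT_MAGIC or log_bs > 6 or per_group == 0 or first_data_block > 1:
        return None
    return 1024 << log_bs, first_data_block, per_group, group

def locate_superblocks(buf):
    """Scan every sector; for each superblock copy, derive where the filesystem starts."""
    hits = []
    for pos in range(0, len(buf), SECTOR):
        sb = parse_superblock(buf, pos)
        if sb is None:
            continue
        block_size, first_data_block, per_group, group = sb
        block = group * per_group + first_data_block
        # The primary copy always sits 1024 bytes in; a backup is the first block of its group.
        rel = 1024 if group == 0 else block * block_size
        if pos >= rel:
            hits.append({"fs_start": pos - rel, "group": group,
                         "e2fsck_b": block, "e2fsck_B": block_size,
                         "mount_sb": block * block_size // 1024})  # sb= uses 1 KiB units
    return hits

def build_sample_image(fs_start=2048 * SECTOR, per_group=8192):
    """Constructed test data: a 1 KiB-block filesystem whose beginning was zeroed."""
    img = bytearray(fs_start + (3 * per_group + 2) * 1024)
    for group in (1, 3):                       # backup groups under sparse_super
        sb = bytearray(1024)
        struct.pack_into("<II", sb, 20, 1, 0)  # first data block 1, 1 KiB blocks
        struct.pack_into("<I", sb, 32, per_group)
        struct.pack_into("<H", sb, 56, EXT_MAGIC)
        struct.pack_into("<H", sb, 90, group)
        at = fs_start + (group * per_group + 1) * 1024
        img[at:at + 1024] = sb
    return img                                 # primary at fs_start + 1024 stays wiped

if __name__ == "__main__":
    for hit in locate_superblocks(build_sample_image()):
        print(hit)
```

When every hit agrees on `fs_start`, that offset is what `losetup -o` takes for a read-only loop device on a clone; `e2fsck_b`/`e2fsck_B` correspond to `e2fsck -b`/`-B`, and `mount_sb` to `mount -o ro,sb=`.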


#6 Post by 5hades0f6rey »

remy wrote:
> In a Linux filesystem, there are groups of sectors with critical information about the filesystem. That is a superbloc. They are reproduced in multiple places on the disk. You have overwritten the beginning of your filesystem, thus losing the first superbloc, but TestDisk, while scanning your disk, will probably find another one and detect your old partition.
>
> Then, knowing where it was, either you use "Write" to rewrite the MBR and then repair the filesystem using e2fsck, or you may also create a loop device (like a virtual disk by offset) and try to mount using a superbloc. The first should be easier to do, but involves writes to the disk. It would be a good idea to make a bit-for-bit copy of your disks before.
>
> First, we may diagnose, without using "Write" in TestDisk:
> Please give feedback on what you see with TestDisk in the first analysis, Quick Search and Deeper Search. The table is very probably "intel" and you may use the option "alignment: no" if results are not good.

I am familiar with what a 'superbloc' is. I just wasn't sure if the alternate spelling indicated that you were referring to something other than the special bloc(ks) meant to identify partitions/file systems and their boot status.

I did some preliminary analysis this morning. Doing a "Quick Search" for an "[Intel]" partition table type on md1 had some interesting results: a 2TB drive doesn't have an approximate 6TB physical capacity. Logically though, it could if TestDisk were combining the reported capacities of md1, sdb, and sdc.

Anyway, TestDisk found multiple partition tables containing ext4, FAT32, and NTFS-HPFS partitions. Given the number of partition tables found on md1 and the capacity disparity, I figured it might be safer if I took a look at sdb or sdc instead. When scanning sdb I chose "[None] No partitioned media", just to see what the results would be. TestDisk did find an ext4 partition within the first 16 or so cylinders. I also noticed the "p: list files" command that I'd missed while scanning md1... Unfortunately, using that command TestDisk reported, "No file found, filesystem may be damaged". I didn't have any more time to experiment this morning so I haven't done a "Deep Search" yet.

BTW, I do plan on purchasing another drive for the purposes of cloning the existing drives and performing any recovery operations on the clone.

Again, many thanks. Once I've gotten a chance to do more thorough analysis of md1, sdb, and sdc, I'll let you know what I find.


#7 Post by remy »

Sorry for the mistake in spelling... superbloc is the French word for superblock ;) I'm French and I know my English is awful.

Take your time and let me know when you have results. Be careful to clone with a bit-for-bit tool like dd, dcfldd or ddrescue (GNU ddrescue), otherwise you'll copy only the allocated space accessible in the filesystem...


#8 Post by 5hades0f6rey »

remy wrote:
> Sorry for the mistake in spelling... superbloc is the French word for superblock ;) I'm French and I know my English is awful.
>
> Take your time and let me know when you have results. Be careful to clone with a bit-for-bit tool like dd, dcfldd or ddrescue (GNU ddrescue), otherwise you'll copy only the allocated space accessible in the filesystem...

No problem. I suspected "superbloc" was probably how a French (and other Romance language) speaker might spell what an English speaker would spell as "superblock". I just wanted to make sure that it didn't just happen to also be the name of an application... Sort of the way LibreOffice is a play on OpenOffice.

I actually have some promising results. I did a "[Deeper] Search" of sdb with "[None]" (the default) as the partition table type. I was able to use one of the backup superblocks to list and then copy a couple files, intact, to my home directory. So, I've placed an order for two additional drives so I can experiment further after cloning sdb and/or sdc. At best I'm hoping to use one of the backup superblocks so I can hopefully mount a clone with my data intact. If not, I'll copy as much data as I can to the additional drive(s). When the drives arrive, might I PM you if I have any questions?

And BTW, is there a reason I should use the tools you mentioned as opposed to TestDisk's "[Image Creation]" "[Advanced] Filesystem Utils"? Never mind, I see now that TestDisk uses dd to create the image. I have used dd before (long ago) to make/restore floppy images, so I'm not completely unfamiliar with it. But are there any specific advantages to using dcfldd or ddrescue as opposed to dd in this case, in your opinion?


Thank you remy for your help and patience.


#9 Post by remy »

In short because of time...
- Yes, PM me when you are ready!
- dd < dcfldd because you can monitor the % of data copied with dcfldd (and many other things not useful here)
- [dd | dcfldd] < ddrescue because you can copy a disk more quickly with ddrescue even if it has bad sectors, and also copy it in reverse mode, and with logging, you can stop and continue a copy later.

Usage is very similar:
dd if=source of=destination ...options...
ddrescue source destination logfile ...options...


#10 Post by 5hades0f6rey »

Using TestDisk and fsck, I was able to restore the superblock from a backup and mount the clone of md1. I'm still validating the data against MD5 hash values I recorded. But so far, most of my data appears to be intact.

Thanks remy for your help.
