Recovering multiple deleted LUKS Partitions Topic is solved

naeg

#1 Post by naeg »

Hello there,

while trying to rescue some data from a friend's external drive, I accidentally made some changes with TestDisk to my internal hard drive. Foremost it seems to be the deletion of partitions. This is what it currently looks like:

```
label: dos
label-id: 0x3c707216
device: /dev/sda
unit: sectors

/dev/sda1 : start=        2048, size=      204800, type=7, bootable
/dev/sda2 : start=      206848, size=   209510400, type=7
/dev/sda3 : start=   209717248, size=        4096, type=83
/dev/sda4 : start=   209721344, size=  1743804416, type=f
/dev/sda5 : start=   272631808, size=  1680893952, type=83
```

sda3 contains the LUKS information, but it's only 2MiB (is this normal?). I can luksOpen it and it accepts my key, but it gives me:

```
mint@mint:/mnt$ sudo cryptsetup luksOpen /dev/sda3 sda3
Enter passphrase for /dev/sda3: 
Requested offset is beyond real size of device /dev/sda3.
```

I tried googling the "Requested offset is beyond real size" error, but it didn't really help me. The solution in other threads always seems to be to restore the old partition table, but I fail at doing that. I tried deleting partition 4 and 5, creating new ones with 30GiB for /root and same size for the current sda5, but it still won't let me luksOpen it.

Also strange is that the LUKS Header on /dev/sda5 seems off and on sda4 is nothing:

```
> hexdump -C /dev/sda3 | grep LUKS
00000000  4c 55 4b 53 ba be 00 01  61 65 73 00 00 00 00 00  |LUKS....aes.....|

> hexdump -C /dev/sda4 | grep LUKS

> hexdump -C /dev/sda5 | grep LUKS
10a1a190  64 00 4c 55 4b 53 ba be  00 25 73 20 21 3d 20 25  |d.LUKS...%s != %|
1f600000  4c 55 4b 53 ba be 00 01  61 65 73 00 00 00 00 00  |LUKS....aes.....|
```

Creating a loop device with given offset and then luksOpen it does prompt for a password, but it won't accept it (using same as for sda3 before):

```
> losetup -o 0x1f600000 -r -f /dev/sda5
> cryptsetup luksOpen /dev/loop1 recover
Enter passphrase for /dev/loop1: 
No key available with this passphrase
...
```

And here's the full TestDisk DeepSearch log and the Results table:

https://pastebin.com/wmXHww76

```
Current partition structure:
 1 * HPFS - NTFS              0  32 33    12 223 19     204800
 2 P HPFS - NTFS             12 223 20 13054  75 13  209510400
 3 P Linux                13054  75 14 13054 140 14       4096
 4 E extended LBA         13054 140 15 121601  90 25 1743804416
 5 L Linux                16970 139  2 121601  90 25 168089395
```

```
Results
   * HPFS - NTFS              0  32 33    12 223 19     204800
     NTFS, blocksize=4096, 104 MB / 100 MiB
     HPFS - NTFS             12 223 20 13054  75 13  209510400
     NTFS, blocksize=4096, 107 GB / 99 GiB
     HPFS - NTFS             29  49 21 121601  57 56 1953054720
     NTFS found using backup sector, blocksize=4096, 999 GB / 931 GiB
     Linux                13054  75 14 13054 140 14       4096
     LUKS 1 (Data size unknown), 2097 KB / 2048 KiB
     Linux                16970 139  2 121601  90 25 1680893952
     ext4 blocksize=4096 Large_file Sparse_SB, 860 GB / 801 GiB
     Linux                16970 171 32 17034 105 29    1024000
     ext4 blocksize=1024 Large_file Sparse_SB Backup_SB, 524 MB / 500 MiB
     Linux                17034 138  1 17034 203  1       4096
     LUKS 1 (Data size unknown), 2097 KB / 2048 KiB
     HPFS - NTFS          32363 224 54 121601  25 24 1433595904
     NTFS found using backup sector, blocksize=4096, 734 GB / 683 GiB
     Linux Swap           120293  33 61 121601  90 25   21016576
     SWAP2 version 1, pagesize=4096, 10 GB / 10 GiB
```

I am certain I had one encrypted root and one encrypted home partition. I'm not sure whether I had an extra /boot and swap partition on my latest setup.

As I don't want to create further damage, can someone please give me some hints? I already created a dd backup of the full disk, so I can create a loop device and try there first.
Big thanks in advance, I really feel like I lost a part of myself...definitely gonna do backups more often now.

Regards, naeg
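An added example, not part of the original post: a minimal LUKS1 header check in Python that separates the two kinds of `grep LUKS` hit shown above and relates the header's payload offset to the partition size, which is the comparison behind cryptsetup's "Requested offset is beyond real size" message. The function names are hypothetical, the sample header is constructed, and its payload offset of 4096 sectors is an assumed value, not one read from this disk.

```python
import struct

# LUKS1 on-disk header fields up to the UUID (big-endian): magic, version,
# cipher name, cipher mode, hash spec, payload offset (sectors), key bytes,
# master-key digest, digest salt, digest iterations, UUID.
PHDR = struct.Struct(">6sH32s32s32sII20s32sI40s")
MAGIC = b"LUKS\xba\xbe"

def parse_luks1(buf):
    """Return header fields if buf starts with a LUKS1 header, else None."""
    if len(buf) < PHDR.size or not buf.startswith(MAGIC):
        return None
    (_, version, cipher, mode, hash_spec, payload_offset,
     key_bytes, _, _, _, uuid) = PHDR.unpack_from(buf)
    if version != 1:
        return None  # magic bytes present, but not followed by a LUKS1 version
    text = lambda b: b.split(b"\0", 1)[0].decode("ascii", "replace")
    return {"cipher": text(cipher), "mode": text(mode), "hash": text(hash_spec),
            "payload_offset": payload_offset, "key_bytes": key_bytes,
            "uuid": text(uuid)}

def data_sectors(header, partition_sectors):
    """Sectors left for encrypted data; <= 0 means the partition is too small."""
    return partition_sectors - header["payload_offset"]

def make_sample_header(payload_offset=4096):
    # Constructed header for the demo (struct pads the short strings with NULs).
    return PHDR.pack(MAGIC, 1, b"aes", b"xts-plain64", b"sha256",
                     payload_offset, 64, b"\0" * 20, b"\0" * 32, 1000,
                     b"00000000-0000-0000-0000-000000000000")

# Bytes of the hexdump hit inside line 10a1a190 on sda5 ("LUKS...%s != %"),
# starting at the magic and zero-padded to header size.
FALSE_HIT = bytes.fromhex("4c554b53babe00257320213d2025").ljust(PHDR.size, b"\0")

if __name__ == "__main__":
    hdr = parse_luks1(make_sample_header())
    print(hdr)
    print("4096-sector partition, data sectors:", data_sectors(hdr, 4096))
    print("62914560-sector partition, data sectors:", data_sectors(hdr, 62914560))
    print("hit at 0x10a1a192 is a header:", parse_luks1(FALSE_HIT) is not None)
```

The hit at 0x10a1a192 carries the magic but the next two bytes decode to version 0x0025, so it is a string inside some file rather than a header; a header whose payload offset equals the partition size leaves no room for data.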

cgrenier
Site Admin

Re: Recovering multiple deleted LUKS Partitions

#2 Post by cgrenier »

You need to identify all normal/unencrypted partitions first. A LUKS partition ends one sector before the beginning of the next partition or the end of the disk.

To recover the first LUKS partition, after Quick Search,
- set the LUKS partition as D(eleted),
- manually add the partition
Linux 13054 75 14 16970 139 1
- set this partition as P(rimary)
- on next screen, choose Write, confirm, Quit
- restart your computer
Try to unlock and mount the partition.

Assuming the NTFS partition is unwanted, the other LUKS partition may be
Linux 17034 138 1 120293 33 60

Good luck
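An added example, not part of the reply above: the rule that a LUKS partition ends one sector before the next partition starts, worked through in Python with the deep-search start positions and the disk geometry (255 heads, 63 sectors) from this thread. It reproduces the two `Linux ...` lines given in the reply; the function names are hypothetical.

```python
# Geometry TestDisk reports for this disk: "CHS 121601 255 63".
HEADS, SECTORS = 255, 63
DISK_SECTORS = 1953525168          # total sectors, from the fdisk output

def chs_to_lba(c, h, s):
    """CHS triple (sector is 1-based) to a 0-based LBA sector number."""
    return (c * HEADS + h) * SECTORS + (s - 1)

def lba_to_chs(lba):
    c, rem = divmod(lba, HEADS * SECTORS)
    h, s0 = divmod(rem, SECTORS)
    return (c, h, s0 + 1)

# Start CHS of the deep-search hits from the first LUKS header onward. The
# "NTFS found using backup sector" hits are left out, following the reply's
# assumption that the NTFS partition is unwanted.
FOUND = [
    ("LUKS", (13054, 75, 14)),
    ("ext4", (16970, 139, 2)),
    ("ext4", (16970, 171, 32)),
    ("LUKS", (17034, 138, 1)),
    ("swap", (120293, 33, 61)),
]

def luks_extents(found, disk_sectors=DISK_SECTORS):
    """Give each LUKS hit an end one sector before the next start (or disk end)."""
    starts = sorted((chs_to_lba(*chs), kind) for kind, chs in found)
    extents = []
    for i, (start, kind) in enumerate(starts):
        if kind != "LUKS":
            continue
        nxt = starts[i + 1][0] if i + 1 < len(starts) else disk_sectors
        end = nxt - 1
        extents.append({"start": start, "end": end, "sectors": end - start + 1,
                        "start_chs": lba_to_chs(start), "end_chs": lba_to_chs(end)})
    return extents

if __name__ == "__main__":
    for e in luks_extents(FOUND):
        print("Linux {} {}  start={} sectors={}".format(
            " ".join(map(str, e["start_chs"])), " ".join(map(str, e["end_chs"])),
            e["start"], e["sectors"]))
```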

naeg

Re: Recovering multiple deleted LUKS Partitions

#3 Post by naeg »

Thank you very much cgrenier! Created both partitions as you suggested and I could access my root and home partitions. The reason why luksOpen didn't accept my password on the home before was that I was using a keyfile which was saved on my root. I already made a backup of all the data that is important to me.

Now, as it would be much faster to correctly re-create the old partitions instead of setting up my laptop from scratch, I'd like to try that. Given the access to root, I can look at my setup files:

/etc/fstab

```
# <file system>	<dir>	<type>	<options>	<dump>	<pass>
# UUID=bf8b26a6-1d76-4e6e-be71-bc5b10af54c7
/dev/mapper/cryptroot	/         	ext4      	rw,relatime,data=ordered	0 1

# UUID=aeff9e6c-0637-4ad0-92c9-116757483f1e
/dev/sda5           	/boot     	ext4      	rw,relatime,stripe=4,data=ordered	0 2

# UUID=d472f4f5-1328-4870-85f5-bab171c0349b
/dev/mapper/crypthome	/home     	ext4      	rw,relatime,data=ordered	0 2

# UUID=b44f18a9-bf7b-4660-800b-79e09b0fd208
/dev/sda7           	none      	swap      	defaults  	0 0
```

/etc/crypttab

```
# crypttab: mappings for encrypted partitions
#
# Each mapped device will be created in /dev/mapper, so your /etc/fstab
# should use the /dev/mapper/<name> paths for encrypted devices.
#
# The Arch specific syntax has been deprecated, see crypttab(5) for the
# new supported syntax.
#
# NOTE: Do not list your root (/) partition here, it must be set up
#       beforehand by the initramfs (/etc/mkinitcpio.conf).

# <name>       <device>                                     <password>              <options>
crypthome      UUID=a8a1da13-81e4-4647-b30d-c7a741b97323 /etc/home.key
```

```
Disk /dev/sda - 1000 GB / 931 GiB - CHS 121601 255 63
Current partition structure:
     Partition                  Start        End    Size in sectors

 1 * HPFS - NTFS              0  32 33    12 223 19     204800
 2 P HPFS - NTFS             12 223 20 13054  75 13  209510400
 3 P Linux                13054  75 14 16970 139  1   62914560
 4 P Linux                17034 138  1 120293  33 60 1658849280
```

My guess is that in between the third and fourth partition should be the /boot, the last 10GiB are the swap (which I got the parameters for from the DeepSearch), crypthome should be sda6 then but I'm very unsure about what cryptroot should be and, since they can't be all primary, where the logical/extended partitions are. I tried to create the following setup:

```
1 * HPFS - NTFS              0  32 33    12 223 19     204800
2 P HPFS - NTFS             12 223 20 13054  75 13  209510400
3 P Linux                13054  75 14 16970 139  1   62914560
4 E Linux                16970 139  2 121601  90 25 1680893952
5 L Linux                16970 171 32 17034 105 29    1024000
6 L Linux                17034 138  1 120293  33 60 1658849280
7 L Linux Swap           120293  33 61 121601  90 25   21016576
```

But TestDisk won't let me create the Extended partition. I enter the parameters, create, and in the overview I can't switch the type to E, only to *, P, L and D.
Can you help me again by any chance? Can't tell you how grateful I am for your help, I'll donate to your project for sure! Amazing tool!


EDIT: I saw that by quicksearching, the extended lba partition was already present. So I didn't create it by hand, just all the others as in the table, rebooted, checked with fdisk and it said "Partition 5 does not start on physical sector boundary.". I deleted the partitions 5-7 with fdisk, created new ones. In fdisk it looks fine, but testdisk shows me doubles:

```
### fdisk
Disk /dev/sda: 931.5 GiB, 1000204886016 bytes, 1953525168 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 4096 bytes
I/O size (minimum/optimal): 4096 bytes / 4096 bytes
Disklabel type: dos
Disk identifier: 0x3c707216

Device     Boot      Start        End    Sectors   Size Id Type
/dev/sda1  *          2048     206847     204800   100M  7 HPFS/NTFS/exFAT
/dev/sda2           206848  209717247  209510400  99.9G  7 HPFS/NTFS/exFAT
/dev/sda3        209717248  272631807   62914560    30G 83 Linux
/dev/sda4        272631808 1953523711 1680891904 801.5G  f W95 Ext'd (LBA)
/dev/sda5        272633856  273657853    1023998   500M 83 Linux
/dev/sda6        273659904 1932509183 1658849280   791G 83 Linux
/dev/sda7       1932511232 1953523711   21012480    10G 82 Linux swap / Solaris

### testdisk
Disk /dev/sda - 1000 GB / 931 GiB - CHS 121601 255 63
Current partition structure:
     Partition                  Start        End    Size in sectors

 1 * HPFS - NTFS              0  32 33    12 223 19     204800
 2 P HPFS - NTFS             12 223 20 13054  75 13  209510400
 3 P Linux                13054  75 14 16970 139  1   62914560
 4 E extended LBA         16970 139  2 121601  57 56 1680891904
No ext2, JFS, Reiser, cramfs or XFS marker
 5 L Linux                16970 171 34 17034 105 29    1023998
 5 L Linux                16970 171 34 17034 105 29    1023998
   X extended             17034 105 32 120293  33 60 1658851328
 6 L Linux                17034 138  1 120293  33 60 1658849280
   X extended             120293  33 61 121601  57 56   21014528
 7 L Linux Swap           120293  66 30 121601  57 56   21012480
 7 L Linux Swap           120293  66 30 121601  57 56   21012480
```

Testdisk lets me minimize/maximize the extended LBA, so it either starts at the sector above or on 13054 where the first LUKS is - is it possible that this would be the correct value? Can it start there without messing with the LUKS partition?
Either way, I can't get access to sda5 which contains /boot, can't mount it ("wrong fs type, bad option, bad superblock...") nor can I read anything with testdisk. When used on sda and with intel structure, it tells me support for the filesystem wasn't enabled on compilation (should be ext4), when running testdisk on sda5 directly with "None"-structure, it tells me filesystem might be damaged.

Having lost /boot wouldn't be too bad, I should be able to recreate the initramfs images, etc. using an Arch chroot/live usb and I have to reinstall grub either way. The question is just could that work if I leave my partitions as they are now and thus not having 100% the same table as before (assuming I adjust fstab, etc. accordingly)?


EDIT 2: I went ahead and tried it. Chroot into my old system from live usb, setup /boot by reinstalling grub and linux kernel, adjust UUIDs in /boot/grub.cfg and rebooted. Worked like a charm. Thanks again cgrenier!
