is it possible to undo a dd on a LUKS partition?

Message

dumfk · #1 Post by **dumfk** » 26 Dec 2022, 14:23

Hello.

I did a

dd if=$distro_iso of=/dev/sda1 bs=$bs

where =$distro_iso= is the name of a .iso file (ARTIX_202107 2021-07-25-17-04-23-00) and =$bs= could have been 2M or 3M. =/dev/sda1= was a partition encrypted with LUKS. Under that, there is an LVM with 4 other partitions (main operating system, fallback operating system, personal files and swap). I was working on the operating system in the LVM container when I ran =dd=. I killed the process as soon as I realised of my stupid, stupid mistake. After the incident, I was able to keep working a bit on the system, but before I got to back-up the data, =sudo= stopped working. I think that I ran =testdisk= without remounting the partition as read-only, by the way--again I killed it; I was not thinking very clearly.

I have a backup of the partition structure, but not of the LUKS headers (which is what I am trying to recover). I know my password. How would you recommend to "undo" the dd?

Code: Select all

 NAME            LABEL UUID                                   MOUNTPOINT
# sda
# ├─sda1                fed58ef9-29ac-4a6c-8458-168243891765
# │ └─eL                x7Ce4c-1izc-eQSK-1qIY-bq1V-QC7I-4peu5D
# │   ├─eL-Sis    Sis   c3c8ddae-66cc-4297-a575-622297f40d33   /
# │   ├─eL-Alt    Alt   b410483c-fb9d-410f-b4c2-3ca48ba4594f   /alt
# │   ├─eL-lvswap       cc72bed1-e16b-496b-bbd1-d06d9af3dce5   [SWAP]
# │   └─eL-Dox    Dox   10dd6598-ff03-4a0a-a074-199e53e9966e   /home/myuser/Documents
# ├─sda2          Boot  d034c895-1e65-49b3-9aee-0d543e5f4338   /boot

Code: Select all

Disk /dev/sda: 931.51 GiB, 1000204886016 bytes, 1953525168 sectors
Disk model: HGST HTS721010A9
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 4096 bytes
I/O size (minimum/optimal): 4096 bytes / 4096 bytes
Disklabel type: gpt
Disk identifier: F6C6C7CF-27A3-4C5D-A32C-94ABFC4E348D

Device          Start        End    Sectors   Size Type
/dev/sda1        2048 1950107647 1950105600 929.9G Linux filesystem
/dev/sda2  1950107648 1952446463    2338816   1.1G Linux filesystem
/dev/sda3  1952446464 1952450559       4096     2M BIOS boot


Disk /dev/mapper/eL: 929.88 GiB, 998451970048 bytes, 1950101504 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 4096 bytes
I/O size (minimum/optimal): 4096 bytes / 4096 bytes


Disk /dev/mapper/eL-Sis: 150 GiB, 161061273600 bytes, 314572800 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 4096 bytes
I/O size (minimum/optimal): 4096 bytes / 4096 bytes


Disk /dev/mapper/eL-Alt: 80 GiB, 85899345920 bytes, 167772160 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 4096 bytes
I/O size (minimum/optimal): 4096 bytes / 4096 bytes


Disk /dev/mapper/eL-lvswap: 14 GiB, 15032385536 bytes, 29360128 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 4096 bytes
I/O size (minimum/optimal): 4096 bytes / 4096 bytes


Disk /dev/mapper/eL-Dox: 685.88 GiB, 736456867840 bytes, 1438392320 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 4096 bytes
I/O size (minimum/optimal): 4096 bytes / 4096 bytes

Number  Start       End          Size       File system  Name  Flags
        34s          2047s        2014s        Free Space
 1      2048s        1950107647s  1950105600s                       Crypt
 2      1950107648s  1952450559s  2342912s     ext4                 Boot
 3      1952450560s  1953523711s  1073152s     fat32                esp     boot, esp
        1953523712s  1953525134s  1423s        Free Space

Currently, a

Code: Select all

fdisk -l /dev/sda

shows this:

Code: Select all

Disk /dev/sda: 931,53 GiB, 1000204886016 bytes, 1953525168 sectors
Disk model: HGST HTS721010A9
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 4096 bytes
I/O size (minimum/optimal): 4096 bytes / 4096 bytes
Disklabel type: gpt
Disk identifier: F6C6C7CF-27A3-4C5D-A32C-94ABFC4E348D

Device          Start        End    Sectors   Size Type
/dev/sda1        2048 1950107647 1950105600 929,9G Linux filesystem
/dev/sda2  1950107648 1952446463    2338816   1,1G Linux filesystem
/dev/sda3  1952446464 1952450559       4096     2M Linux filesystem

and

Code: Select all

parted /dev/sda unit s print free

Code: Select all

Model: ATA HGST HTS721010A9 (scsi)
Disk /dev/sda: 1953525168s
Sector size (logical/physical): 512B/4096B
Partition Table: gpt
Disk Flags: 

Number  Start        End          Size         File system  Name      Flags
        34s          2047s        2014s        Free Space
 1      2048s        1950107647s  1950105600s               Crypt
 2      1950107648s  1952446463s  2338816s     ext4         Boot
 3      1952446464s  1952450559s  4096s                     BiosBoot
        1952450560s  1953525134s  1074575s     Free Space

I don't know if I had LUKS1 or LUKS2. The fact that I am able to encrypt my drive does not imply that I understand some basic stuff (for instance, I don't know how they derive some calculations here or if the solution would help me):
https://bbs.archlinux.org/viewtopic.php?id=232727
I can follow instructions and feel confident with the command line, but I may need help to define offsets, understand or make use of =hexdump= and the like.

There is nothing fundamentally essential in the drive other than personal ramblings, some pictures that I will never be able to reproduce, books, music and the like. I would very grateful if I can retrieve these files. Thank you very much in advance.

#2 Post by **recuperation** » 26 Dec 2022, 14:58

dumfk wrote: ↑26 Dec 2022, 14:23 I have a backup of the partition structure, but not of the LUKS headers (which is what I am trying to recover). I know my password. How would you recommend to "undo" the dd?

There is no "undo" when overwriting storage.
In your case only a part of your storage was overwritten. Normally you can apply data recovery software on the remains.
Your case is different as your partition has been encrypted. Before recovering anything, you either would need to permanently decrypt the partition or provide a virtual partition that allows recovery software to work on.

Both is impossible as you have overwritten your LUKS header. Your key alone is worthless as it is only the key that enables access to the key in the LUKS header. Without a LUKS backup header you are lost here.

dumfk · #3 Post by **dumfk** » 26 Dec 2022, 15:45

Sniff, sniff. Thank you very much. At least, now I can nuke the drive, knowing that there is nothing to be done. Thanks.

. Do you have something which is not PayPal for donations?

#4 Post by **recuperation** » 26 Dec 2022, 15:55

Credit- debit cards are accepted as well.
Click on the yellow button here:

https://www.cgsecurity.org/

dumfk · #5 Post by **dumfk** » 26 Dec 2022, 18:14

If you mean the orange (with white gradients and blue Donate letters) button, it takes me to a PayPal website. The only other yellow tone is a key under Password Recovery. If you can share the IBAN, that's also an alternative.

By the way, I got this:
Your IP 23.129.64.136 has been blocked because it is blacklisted. For details please see http://www.spamhaus.org/query/bl?ip=23.129.64.136.

And creating an account was definitely not easy (using Tor).

#6 Post by **recuperation** » 26 Dec 2022, 18:56

Monsieur, je fais très confiance en vous d'être capable de contacter Christoph Grenier en directe pour trouver un moyen qui vous convient.

cgsecurity.org

is it possible to undo a dd on a LUKS partition?

is it possible to undo a dd on a LUKS partition?

Re: is it possible to undo a dd on a LUKS partition?

Re: is it possible to undo a dd on a LUKS partition?

Re: is it possible to undo a dd on a LUKS partition?

Re: is it possible to undo a dd on a LUKS partition?

Re: is it possible to undo a dd on a LUKS partition?