#1 2015-10-22 16:41:44

MisterChoc
Member
Registered: 2013-02-17
Posts: 74

Ran dd on LVM partition by accident.

Soooo... Long story short I did this. I'm on another drive now but I'd like to get my data back. Of course I can't open the partition: "not a valid LUKS device".

/dev/sdb1: UUID="f7c97412-b61b-45e1-8844-acd127c9cded" TYPE="ext4" PARTUUID="00068dcc-01"
/dev/sdb2: UUID="2015-09-01-17-41-34-00" LABEL="ARCH_201509" TYPE="iso9660" PTUUID="68ceed8e" PTTYPE="dos" PARTUUID="00068dcc-02"

Any idea / starting point on how I could get it back? Is it even possible?

Looks like I'm pretty much fucked imo

sudo hexdump -v /dev/sdb2 | head -n 40 
sudo fsck /dev/sdb
fsck from util-linux 2.27
e2fsck 1.42.13 (17-May-2015)
ext2fs_open2: Bad magic number in super-block
fsck.ext2: Superblock invalid, trying backup blocks...
fsck.ext2: Bad magic number in super-block while trying to open /dev/sdb

The superblock could not be read or does not describe a valid ext2/ext3/ext4
filesystem.  If the device is valid and it really contains an ext2/ext3/ext4
filesystem (and not swap or ufs or something else), then the superblock
is corrupt, and you might try running e2fsck with an alternate superblock:
    e2fsck -b 8193 <device>
 or
    e2fsck -b 32768 <device>

Last edited by MisterChoc (2015-10-22 16:54:17)

Offline

#2 2015-10-22 16:53:04

frostschutz
Member
Registered: 2013-11-15
Posts: 1,409

Re: Ran dd on LVM partition by accident.

You could start with giving a clearer description.

If you destroyed your LUKS header, and the LUKS device is no longer open cause you rebooted in between, and you have no backups of that LUKS header, that's the end of it.

Offline

#3 2015-10-22 16:53:53

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 29,442
Website

Re: Ran dd on LVM partition by accident.

I have no experience with LVM, but to answer whether it is possible to recover - there are (at least) two levels of recovery.

One is the kind you'd need a real expert with specific equipment.  This is almost always possible unless you've done something like bleachbit or some other 'cryptographically secure' data removal process.  But few of us would ever find this recovery to be worthwhile.

The more practical recovery would be to reconstruct the partition table (and/or LVM equivalent) and hope that the original data is still on the disk.  But whether this is possible depends on what exactly you did with dd.

What was the dd command you used?  Did it run to completion, or did you cancel it as soon as you realized there was a problem?  How many bytes/blocks did dd report were written?

EDIT: oops, I missed the LUKS part - I thought this was a 'regular' LVM.  With LUKS it is much more likely that you are S.O.L. as the data was encrypted - and if you don't have what is needed to decrypt it, it's gone.  But again, I have no hands-on experience with LVM or LUKS.


"UNIX is simple and coherent..." - Dennis Ritchie, "GNU's Not UNIX" -  Richard Stallman

Offline

#4 2015-10-22 16:56:46

MisterChoc
Member
Registered: 2013-02-17
Posts: 74

Re: Ran dd on LVM partition by accident.

The dd command I ran:

sudo dd if=/path/to/arch.iso of=/dev/sdb 

I was trying to create a live usb...

Offline

#5 2015-10-22 17:11:33

headkase
Member
Registered: 2011-12-06
Posts: 1,975

Re: Ran dd on LVM partition by accident.

The header contains the actual encryption key that your passphrase unlocks.  You can have all the passphrase you want but without the encryption key in the header that it unlocks..  Well, put it another way: if it was possible to decrypt your drive without that header - would the encryption actually be "secure"?

Offline

#6 2015-10-22 17:14:30

headkase
Member
Registered: 2011-12-06
Posts: 1,975

Re: Ran dd on LVM partition by accident.

But, what Trilby alluded to: if you have a ton of unneeded money lying around, you can send the drive to a data recovery specialist.  There is a very expensive piece of equipment that can read sectors on a hard drive that have been overwritten and it is so sensitive that it can reconstruct the magnetic signals underneath the overwritten parts - they leave a tiny trace and if only overwritten once then it is theoretically possible but unless you have the budget of a small country then likely not practically possible.

Offline

#7 2015-10-22 17:25:09

MisterChoc
Member
Registered: 2013-02-17
Posts: 74

Re: Ran dd on LVM partition by accident.

Ahah no, not worth it. But thanks for the information, guys.

Offline

#8 2015-10-22 17:31:52

jasonwryan
Anarchist
From: .nz
Registered: 2009-05-09
Posts: 30,424
Website

Re: Ran dd on LVM partition by accident.

frostschutz wrote:

You could start with giving a clearer description.

If you destroyed your LUKS header, and the LUKS device is no longer open cause you rebooted in between, and you have no backups of that LUKS header, that's the end of it.

This. Do you have a backup of the header?


Arch + dwm   •   Mercurial repos  •   Surfraw

Registered Linux User #482438

Offline

#9 2015-10-22 17:38:22

MisterChoc
Member
Registered: 2013-02-17
Posts: 74

Re: Ran dd on LVM partition by accident.

Unfortunately no

Offline

#10 2015-10-22 17:39:56

frostschutz
Member
Registered: 2013-11-15
Posts: 1,409

Re: Ran dd on LVM partition by accident.

headkase wrote:

There is a very expensive piece of equipment that can read sectors on a hard drive that have been overwritten and it is so sensitive that it can reconstruct the magnetic signals underneath the overwritten parts

Nope.

Data recovery companies are for physical damage (disks you dropped accidentally, or after earthquake, flood, fire, ...)

They can not recover overwritten sectors. No one can. It's not possible.

The best $OP can hope for is that he used LUKS on top of LVM (instead of the other way around) and used several LV so something may have survived in the regions that did not get overwritten.

But he's very unclear about how his data was laid out (partitioning, which storage layers involved in which order, etc.) so it's impossible to say for sure.

Offline
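
An added example, not part of any post in this thread: a read-only check of which on-disk signatures remain at the start of a device or image (the blkid output above already reports iso9660), and of whether LUKS header magic survives at aligned offsets further in, the LUKS-on-top-of-LVM case frostschutz describes. The function names, the 1 MiB scan step and the sample images are assumptions constructed for illustration.

```python
import struct

SECTOR = 512
LUKS_MAGIC = b"LUKS\xba\xbe"

def _at(buf, off, magic):
    return buf[off:off + len(magic)] == magic

def identify(buf):
    """Name the signatures found at their standard offsets in buf."""
    found = []
    if _at(buf, 0, LUKS_MAGIC) and len(buf) >= 8:
        # version is a big-endian uint16 right after the 6-byte magic
        found.append("LUKS%d header" % struct.unpack(">H", buf[6:8])[0])
    for s in range(4):  # LVM2 PV label: any of the first four sectors
        if _at(buf, s * SECTOR, b"LABELONE") and _at(buf, s * SECTOR + 24, b"LVM2 001"):
            found.append("LVM2 PV label (sector %d)" % s)
    if _at(buf, 510, b"\x55\xaa"):
        found.append("MBR boot signature")
    if _at(buf, 512, b"EFI PART"):
        found.append("GPT header")
    if _at(buf, 1080, b"\x53\xef"):  # s_magic 0xEF53, little-endian
        found.append("ext2/3/4 superblock")
    if _at(buf, 32769, b"CD001"):  # 2048-byte sector 16, one byte in
        found.append("ISO9660 volume descriptor")
    return found

def find_luks_headers(path, step=1 << 20):
    """Offsets (multiples of step) where LUKS magic survives; opens read-only."""
    hits, off = [], 0
    with open(path, "rb") as f:
        while True:
            f.seek(off)
            chunk = f.read(len(LUKS_MAGIC))
            if len(chunk) < len(LUKS_MAGIC):
                return hits
            if chunk == LUKS_MAGIC:
                hits.append(off)
            off += step

def build(patches, size=40 * 1024):
    """Constructed test image: zeros with the given bytes patched in."""
    img = bytearray(size)
    for off, data in patches.items():
        img[off:off + len(data)] = data
    return bytes(img)

# Constructed samples, not data from the poster's disk
INTACT_LUKS = build({0: LUKS_MAGIC + b"\x00\x01"})
OVERWRITTEN = build({510: b"\x55\xaa", 512: b"EFI PART", 32769: b"CD001"})
```

A hit from `find_luks_headers` only shows that the magic bytes survived; the rest of the header and key-slot area must also be intact before `cryptsetup luksDump` will accept it. The preventive step is a header backup taken beforehand with `cryptsetup luksHeaderBackup <device> --header-backup-file <file>`.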

#11 2015-10-22 17:42:58

headkase
Member
Registered: 2011-12-06
Posts: 1,975

Re: Ran dd on LVM partition by accident.

frostschutz wrote:

Nope.


Damn, you're right: Linky - my memory needs an update.

Offline

#12 2015-10-22 17:52:21

alphaniner
Member
From: Ancapistan
Registered: 2010-07-12
Posts: 2,810

Re: Ran dd on LVM partition by accident.

Even the theory behind recovery seems iffy to me. If the heads aren't in the same location each time, how could normal reads be trusted?

There's also the never-fulfilled "Great Zero Challenge".

"According to our Unix team, there is less than a zero percent chance of data recovery after that dd command. The drive itself has been overwritten in a very fundamental manner. However, if for legal reasons you need to demonstrate that an effort is being made to recover some or all of the data, go ahead and send it in and we'll certainly make an effort, but again, from what you've told us, our engineers are certain that we cannot recover data from the drive. We'll email you a quote."


But whether the Constitution really be one thing, or another, this much is certain - that it has either authorized such a government as we have had, or has been powerless to prevent it. In either case, it is unfit to exist.
-Lysander Spooner

Offline

#13 2015-10-22 17:53:11

frostschutz
Member
Registered: 2013-11-15
Posts: 1,409

Re: Ran dd on LVM partition by accident.

headkase wrote:

Damn, you're right: Linky - my memory needs an update.

It never was possible either. It was a hoax from the start. ;-)

Magnetism doesn't have layers. There was this audio tape (US President Nixon) where several minutes were recorded-over and no one has managed to recover any of that either, and not for the lack of trying.

I don't think there is a single documented case of recovered-overwritten-sector for any type of storage media no matter how old. If it got recovered it wasn't overwritten in the first place.

Offline

#14 2015-10-22 17:59:21

alphaniner
Member
From: Ancapistan
Registered: 2010-07-12
Posts: 2,810

Re: Ran dd on LVM partition by accident.

Read headkase's linky. The cited theory was based on the idea that the data wasn't actually overwritten. The urban legend of recovery based on 'magnetic layers' could be just a result of Chinese Telephone.

Edit:

Daniel Feenberg wrote:

The requirements of military forces and intelligence agencies that disk drives with confidential information be destroyed rather than erased is sometimes offered as evidence that these agencies can read overwritten data. I expect the real explanation is far more prosaic... Smashing the drive with a sledgehammer is easy to do, easy to confirm, and very hard to get wrong.

Source

LOL

Last edited by alphaniner (2015-10-22 18:21:30)


But whether the Constitution really be one thing, or another, this much is certain - that it has either authorized such a government as we have had, or has been powerless to prevent it. In either case, it is unfit to exist.
-Lysander Spooner

Offline
