Hi, not sure if this is the right place to post this question. This is not a question specifically related to Arch.
Since I didn't really know where else to post this I hope someone here might have some advice.
I accidentally formatted my external disk (have 2, clicked the wrong one..) and lost data of course (only data on this disk, no OS). The most important files are pictures and music. The disk was originally ext3 formatted. Then I formatted it to ntfs using gparted because I wanted to copy some large files to a windows pc. After transferring about 50G (total drive size is 500G, original data was about 400G) I noticed my mistake. Then, to make matters worse, I reformatted the drive to ext3 hoping that this would help in recognition of the file system but of course still no success.
I first tried using gparted's attempt data recovery with no success, it only found the ntfs data. Then I read up a bit on file recovery from ext3 partitions. The extundelete page contains some useful links on the difficulty and possible methods to recover files
- explanation of ext3grep
- Why recovery data from ext3 is difficult
The crucial difference between ext2 and ext3 in deleting files is that ext2 simply unallocates the memory, i.e. the file and metadata (an inode block containing basic information about the file like addresses to where it is on the filesystem), while ext3 deletes the metadata, i.e. zeroing out the metadata (maybe I'm simplifying not sure if I understood correctly).
- one option is the ext3-journal, which keeps track of changes in the filesystem and should allow one to retrieve the file addresses to be able to rewrite a metadata block and thus recover a file.
- Another more brute force option would be to scan the entire partition for specific headers/footers. Apparently JPG files start with 0xffd8 and end with 0xffd9 so scanning from addresses would allow to recover some files as long as they are not fragmented.
I suppose the journal is stored somewhere at the start of the partition and has long been overwritten in my case.
Moreover all the tools I find seem to rely on something of a 'partition' to still exist (more like rescue after 'rm -rf ..').
I hope I understood more or less correctly what happens / could be done.
I suppose it would it be safe to assume that a significant part of the *data* still exists. After all I only wrote 50G on a 500G drive.
Does anybody have some advice on what I could try?
Is there perhaps a program -- I didn't find so far -- that can really do a bruteforce scan on a physical device not a partition as in 'searchdisk /dev/sdb' instead of 'ext3grep /dev/sdb1'?
Thanks a lot.
Last edited by skiwi (2013-01-08 11:45:13)
I am cloning the disk overnight, hoping that gzip will allow me to fit it on a 250G drive.
I'll try those tools tomorrow and let you know if it works for me. They seem more promising at least.
I think you are missing the point here. You want to clone the drive so that you have an exact copy of it. "Cloning" is not what you are doing if you are trying to transfer it from a 500GB drive to a 250GB drive. If you really value the data that was on that drive, I think it would be best to go out and get a 500GB drive.
BTW, when you created the ntfs filesystem on it, did it take a long time? Because by default mkfs.ntfs will zero out the drive. If this is the case, you probably have no hope of recovering that data. But I am not sure about what gparted does and doesn't do.
I have a 500G disk or otherwise plenty of disk space at work. I was hoping I could get away with it like this opening the image as a gzip stream or pipe but otherwise I'll do that. Formatting didnt take very long. A minute or so if I remember correctly. Longer than I'd imagine necesssary to erase only the first couple of blocks but not long enough to write 500G of zeros I think.
Last edited by skiwi (2013-01-07 01:44:41)
Okay, that is good.... I think there is a small bit of hope for your data then. Just image it properly if you are serious about trying to get it back.
Thanks! Photorec worked its magic for me!
Testing was somehow still able to find the disk (as I could tell from the label) but no partitions unfortunately.
However with photorec I was able to rescue about 80% of data (a rough preliminary estimate) including about 10.000 pictures.
Not bad at all after having overwritten 10% of the disk!
Now to the immense task of sorting out the result! Removing duplicates and useless files and recreating files and folders from whatever metadata I can find.
Photorec also has some hints on this.
Thanks again !
I ended up working on an image and I agree its good practice. However photorec and testdisk in principle do *not* write to the disk so it is not strictly necessary unless you have some automount service running (I don't). Of course you still need disk space somewhere to store the found files.
Whoa, this was one thread I was happy seeing the "Solved"-tag on!
Remember backups for the future - It's much more reliable than "post-crisis" tools like PhotoRec