You are not logged in.
- Topics: Active | Unanswered
#1 2019-03-23 11:39:38
- c.monty
- Member
- Registered: 2017-10-27
- Posts: 18
Emergency: Accidentally deleted 500MB of main disk
Hi,
I accidentally deleted ~500MB of my main disk with dd. Precisely 472166912 bytes of device /dev/sdb has been overwritten.
458008576 bytes (458 MB, 437 MiB) copied, 10 s, 45,8 MB/s^C
922201+0 Datensätze ein
922201+0 Datensätze aus
472166912 bytes (472 MB, 450 MiB) copied, 10,2479 s, 46,1 MB/sFortunately I was able to rebuild the GPT with recovery/transformation command "b - use backup GPT header (rebuilding main)"; this means the partition table is consistent again (in my understanding):
[thomas@pc7-cubi3 ~]$ sudo gdisk /dev/sdb
GPT fdisk (gdisk) version 1.0.4
Partition table scan:
MBR: protective
BSD: not present
APM: not present
GPT: present
Found valid GPT with protective MBR; using GPT.
Command (? for help): p
Disk /dev/sdb: 250069680 sectors, 119.2 GiB
Model: SanDisk SD9SN8W1
Sector size (logical/physical): 512/512 bytes
Disk identifier (GUID): 59BD4119-D881-4011-B255-1C288F12CC92
Partition table holds up to 128 entries
Main partition table begins at sector 2 and ends at sector 33
First usable sector is 34, last usable sector is 250069646
Partitions will be aligned on 2048-sector boundaries
Total free space is 43629 sectors (21.3 MiB)
Number Start (sector) End (sector) Size Code Name
1 2048 206847 100.0 MiB EF00 EFI system partition
2 206848 468991 128.0 MiB 0C01 Microsoft reserved ...
3 468992 137885695 65.5 GiB 0700 Basic data partition
4 219805696 221444095 800.0 MiB 2700 Basic data partition
5 221444096 250028031 13.6 GiB 2700 Basic data partition
6 137885696 211417087 35.1 GiB 8300 Linux filesystem
7 211417088 219805695 4.0 GiB 8200 Linux swap
Command (? for help): qBased on the partition table the following partitions must be affected by deletion: 1, 2 and 3
I'm still in running Arch, therefore it should be possible to rebuild/repair the content of partition 1 that is mounted to /efi.
How can I do this?
With regards to partition 2 and 3, would it make sense to start data recovery procedures?
THX
Offline
#2 2019-03-23 12:18:49
- Head_on_a_Stick
- Member
- From: London
- Registered: 2014-02-20
- Posts: 7,732
- Website
Re: Emergency: Accidentally deleted 500MB of main disk
To restore the EFI system partition simply mount it under /efi and run grub install or bootctl install or whatever to repopulate it. You can do this from the live environment, just as you did when installing Arch originally.
For the second partition you will need to ask on a Windows forum 
The third partition can be restored from your backup, right?
Offline
#3 2019-03-23 12:21:06
- frostschutz
- Member
- Registered: 2013-11-15
- Posts: 1,417
Re: Emergency: Accidentally deleted 500MB of main disk
You can't recover the parts that were overwritten. So partition 1 and 2 is gone, nothing to recover. Partition 3 lost ~200MiB at the start, not sure what can be done here.
The problem is also that you likely wrote valid data (some ISO file perhaps?) and this can confuse recovery software. So what I like to do in this case is zero out what is gone anyway.
# verify how much has been overwritten
cmp image.iso /dev/sdx # ideal case
cmp -l image.iso /dev/sdx | less # not so ideal case
# write exact number of zero bytes
truncate -s 472166912 bytes_of_zero
cat bytes_of_zero > /dev/sdxThis way recovery software will not spend time analyzing valid-but-unrelated data (that came from the ISO file, not what you are looking for).
Note this will zap your partition table again. If you want to avoid that you have to do some maths and only zero the relevant portion of the partition 3.
This partition of yours is "only" 65G so if you have a TB-HDD somewhere, you could just pull an image then run any number of experiments as you like.
If it was not encrypted, if nothing else works, photorec should find some files at least (and not just photos).
Good luck
Offline
#4 2019-03-23 12:24:00
- Head_on_a_Stick
- Member
- From: London
- Registered: 2014-02-20
- Posts: 7,732
- Website
Re: Emergency: Accidentally deleted 500MB of main disk
The problem is also that you likely wrote valid data
Good point.
@OP: reformat the EFI system partition before mounting & repopulating it.
You will also need to recreate the Windows .efi loader but that is outside the scope of these boards.
Offline
#5 2019-03-23 12:54:11
- c.monty
- Member
- Registered: 2017-10-27
- Posts: 18
Re: Emergency: Accidentally deleted 500MB of main disk
Hi,
thanks for your input.
I have executed the following tasks:
1. Umount /efi
2. Create filesystem on /dev/sdb1:
sudo mkfs.fat -F32 /dev/sdb1
mkfs.fat 4.1 (2017-01-24)3. Modified /etc/fstab to reflect the new partion
4. Mounted /dev/sdb1 to /efi
[thomas@pc7-cubi3 ~]$ sudo blkid -o list
device fs_type label mount point UUID
------------------------------------------------------------------------------------------------------------------------------
/dev/sda1 ext2 boot (not mounted) 06f42bfd-3b35-4790-b7bc-c909f0a71a1f
/dev/sda5 btrfs Arch (not mounted) 757634a3-4218-4f76-8cf2-7d16c36dd41a
/dev/sda6 swap swap (not mounted) 3739be0d-100e-4f17-a044-363a9a9224a4
/dev/sdb1 vfat (not mounted) A638-FEE3
/dev/sdb2 (not mounted)
/dev/sdb3 (not mounted)
/dev/sdb4 ntfs WINRE (not mounted) 369467BB94677C6D
/dev/sdb5 ntfs BIOS_RVY (not mounted) 8CA26999A2698912
/dev/sdb6 btrfs ARCHLINUX (in use) 1b0a866a-8a41-4781-88cb-35d33acee88d
/dev/sdb7 swap swap [SWAP] c0732d52-e411-485f-b4d9-1fd8aba41f61When I run grub-install I get an error message saying EFI-directory is not found:
[thomas@pc7-cubi3 ~]$ sudo grub-install
x86_64-efi wird für Ihre Plattform installiert.
grub-install: Fehler: EFI-Verzeichnis kann nicht gefunden werden.Update:
I executed this command to install GRUB EFI application grubx64.efi to efi/EFI/GRUB/:
[thomas@pc7-cubi3 ~]$ sudo grub-install --target=x86_64-efi --efi-directory=/efi --bootloader-id=GRUB
x86_64-efi wird für Ihre Plattform installiert.
installation beendet. Keine Fehler aufgetreten.This finished w/o error.
Last edited by c.monty (2019-03-23 12:59:16)
Offline