
#1 2019-05-01 12:21:24

losko
Member
Registered: 2014-11-19
Posts: 42

Qemu raw disk image recovery after a rsync backup

Hello everyone, I need some advice on data recovery.

Background story:
I'm dealing with a Qemu/KVM virtual machine that has been hit by ransomware, and yes... it is a Windows VM.
My question is not about the ransomware anyway...
The Archlinux server running a custom-made Qemu/KVM wrapper has a daily backup scheduled; the whole raw disk image (two raw images actually) is rsync'ed to a separate ext4 backup disk.
Unfortunately the ransomware hit at 1:30AM and the backup started afterwards at 4:00AM, so now I have two raw backup images that are as compromised as the original one!
Latest versions of my wrapper implement snapshots and backup rotation, but sadly not this one...
The backup disk was removed less than 10 hours after the last tragic backup, and no activity has occurred since then.
At this moment I have this 2TB disk connected (but not mounted) to my main Archlinux system, running a testdisk/photorec scan (still running, 6 hours to go).
Photorec is recovering thousands of files to a separate volume, so I believe it is recovering files from inside the raw images too, which is not my goal as they are probably encrypted by the ransomware.
Following the wiki, extundelete and ext4magic are the other tools I tested, with no luck.

That said, my real question is:
I hopefully need to recover only two large files on the backup disk, "windows.raw" and "data.raw", as they were BEFORE the last rsync.
I don't know if rsync overwrites files with the same name at every run or allocates them in the free disk space and then deletes the old ones.
In the first case I'm afraid we have no hope at all.
Any help will be appreciated.
Bye.


"Greetings from the Banana Republic"


#2 2019-05-02 10:25:18

Lone_Wolf
Member
From: Netherlands, Europe
Registered: 2005-10-04
Posts: 11,911

Re: Qemu raw disk image recovery after a rsync backup

I don't know if rsync overwrites files with the same name at every run or allocates them in the free disk space and then deletes the old ones.

That depends on what options you gave rsync.

Please post the exact command (or the entire wrapper) you used.


Disliking systemd intensely, but not satisfied with alternatives so focusing on taming systemd.


(A works at time B)  && (time C > time B ) ≠  (A works at time C)


#3 2019-05-03 20:27:36

losko
Member
Registered: 2014-11-19
Posts: 42

Re: Qemu raw disk image recovery after a rsync backup

Here are the options used with rsync; the entire wrapper is about 10k lines:

rsync -aAHXv --delete $BK_DATA_IN/ $BK_DATA_OUT

Where $BK_DATA_IN and $BK_DATA_OUT are the mountpoints for two different disks.
The files are gone however...


"Greetings from the Banana Republic"


#4 2019-05-04 10:26:41

Lone_Wolf
Member
From: Netherlands, Europe
Registered: 2005-10-04
Posts: 11,911

Re: Qemu raw disk image recovery after a rsync backup

It does look like retrieving them will be hard.

Maybe you could use --delete-after in future to ensure both versions will be present on the destination drive before the old version is deleted.
This will increase bandwidth though.


Disliking systemd intensely, but not satisfied with alternatives so focusing on taming systemd.


(A works at time B)  && (time C > time B ) ≠  (A works at time C)
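Added example, not the poster's wrapper nor anything from this thread: a minimal versioned backup using rsync's --link-dest, so every run lands in a new dated directory that hard-links unchanged files against the previous snapshot. With this layout a raw image rewritten by ransomware only replaces the copy in the newest snapshot, and the earlier snapshots still hold the pre-incident "windows.raw" and "data.raw". The source and backup-root paths, the snapshot naming and the retention count are assumptions.

```bash
#!/bin/sh
# Versioned rsync snapshots with --link-dest (added example, paths assumed).
# Layout: $root/<YYYY-MM-DD_HHMM>/ per run, plus a 'latest' symlink.
set -eu

# Print the rsync command for one snapshot: source dir, backup root, snapshot
# name. Unchanged files are hard-linked to the previous snapshot, so disk use
# grows only by what changed (a rewritten 40 GB image costs 40 GB, not more).
build_rsync_cmd() {
    src="$1"; root="$2"; snap="$3"
    cmd="rsync -aAHX --delete"
    if [ -e "$root/latest" ]; then
        cmd="$cmd --link-dest=$root/latest"
    fi
    printf '%s %s/ %s/%s\n' "$cmd" "$src" "$root" "$snap"
}

# Run one snapshot, then atomically repoint 'latest' (assumes paths without
# spaces, since the command string is passed through eval).
run_snapshot() {
    src="$1"; root="$2"; snap="$(date +%Y-%m-%d_%H%M)"
    mkdir -p "$root"
    eval "$(build_rsync_cmd "$src" "$root" "$snap")"
    ln -sfn "$snap" "$root/latest.tmp" && mv -T "$root/latest.tmp" "$root/latest"
}

# Keep only the newest N snapshots; dated names sort lexically (GNU head -n -N).
prune_snapshots() {
    root="$1"; keep="$2"
    ls -1d "$root"/????-??-??_???? 2>/dev/null | sort | head -n "-$keep" \
      | while read -r old; do rm -rf "$old"; done
}

# Typical daily run (assumed mountpoints): snapshot, then keep 14 days.
# run_snapshot /mnt/vm-images /mnt/backup/vms && prune_snapshots /mnt/backup/vms 14
```

Because the previous snapshot is hard-linked rather than overwritten, a bad run (or a run taken after an infection) never destroys the only good copy; the retention window should be longer than the time it takes to notice an incident.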
