You are not logged in.

#1 2010-05-18 10:21:27

Japanlinux
Member
Registered: 2010-05-18
Posts: 173

dd if=archlinux-2010.05...

So... I made a stupid mistake. I have a computer with a Windows 7 partition of 250Gb, and a linux of 50Gb. I wanted to install Arch, so in the linux partition, I downloaded the archlinux-2010.05-core-x86-64.iso and did the command: "dd if=archlinux-2010.05-core-x86-64.iso of=/dev/sdA. The problem here was, when I typed it, I hit A instead of B. A is my main hard drive, while B was my usb drive... So my whole 250gb Windows partition disappeared to be replaced by ~400mb iso.... On the positive side, since the iso was on my harddrive, i was able to install arch and have a usable computer. Sadly, I lost my windows partition...

so the obvious question is, is it possible to recover my Windows partition?? if it helps, when I installed arch, I did not use the whole disk, only the 50gb linux space. So I think the space that Windows was on was left alone when I installed Arch. I searched for this problem for a while, but the only place that "dd if..." ever showed up was on the Wiki page o.O  I'd appreciate any advice given.

Offline

#2 2010-05-18 10:40:39

Odysseus
Member
Registered: 2009-02-15
Posts: 141

Re: dd if=archlinux-2010.05...

Only the first 400MB of the windows partition is gone, which was probably just system files, so you can certainly recover any important files with software like http://www.cgsecurity.org/wiki/PhotoRec.

It's a long shot, but then you could revert the partitions to the way they were originally (just change the partition table with fdisk, don't do any formatting), and try a repairing the windows partition with the install dvd. I doubt it'll recognize the partition though. sad


I'm the type to fling myself headlong through the magical wardrobe, and then incinerate the ornate mahogany portal behind me with a Molotov cocktail.

Offline

#3 2010-05-18 11:32:45

Japanlinux
Member
Registered: 2010-05-18
Posts: 173

Re: dd if=archlinux-2010.05...

wow, that was a fast response.  Thanks big_smile  Well, it's good to know the data is not gone forever. I was a bit worried there cuz the wiki mentioned the word Irrevocable (:shudder:). As I have never had to revert a partition, that is something I have no clue about. I don't want to ruin it any further, so could you explain what i would have to do? Also, when I installed Arch, I started from the sda2 onward, and left sda1 where Windows was alone. Here is what fdisk -l displayed:

fdisk -l

Disk /dev/sda: 320.1 GB, 320072933376 bytes
64 heads, 32 sectors/track, 305245 cylinders
Units = cylinders of 2048 * 512 = 1048576 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x606b6041

   Device Boot      Start         End      Blocks   Id  System
/dev/sda2          269007      305245    37108736    5  Extended
/dev/sda5   *      269007      269960      976880   83  Linux
/dev/sda6          269961      284265    14648304   83  Linux
/dev/sda7          284266      286172     1952752   83  Linux
/dev/sda8          286173      305245    19530736   83  Linux

On a side note: i have no idea what that sda2 is... i installed arch from sda5 onward. it doesn't show up on any partitioning tool (cfdisk or gparted) but it shows up here...

Offline

#4 2010-05-18 12:52:26

Surgat_
Member
Registered: 2007-08-08
Posts: 317

Re: dd if=archlinux-2010.05...

sda2 is your extended partition, which holds the four logical ones inside. If you read carefully, all sda[5-8] start and end within sda2

Offline

#5 2010-05-18 19:28:18

Japanlinux
Member
Registered: 2010-05-18
Posts: 173

Re: dd if=archlinux-2010.05...

thank you for explaining the sda2 thing. Guess it does that automatically...that aside, does anyone know how to restore sda1 to windows again. Perhaps using fdisk like mentioned above? If there is a better way, i'm open to that as well. Failing that, any way to rescue my data would be helpful even...

Offline

#6 2010-05-18 20:02:44

firecat53
Member
From: Lake Stevens, WA, USA
Registered: 2007-05-14
Posts: 1,542
Website

Re: dd if=archlinux-2010.05...

You can boot a live CD or USB that either contains 'testdisk' or on which testdisk can be installed. It may or may not work, but it can find and restore old partitions as well as old data.

Good luck!

Offline

#7 2010-05-18 20:40:32

Japanlinux
Member
Registered: 2010-05-18
Posts: 173

Re: dd if=archlinux-2010.05...

sigh... Well, I went to the testdisk site, tried to get a livecd, and found a gparted liveCd. I am using Unetbootin to put the iso onto the usb. Once I formatted the drive to fat32, I tried to use unetbootin, but it told me to mount the drive, by removing and reinserting the usb. I did that, but it failed to mount. This is the warning I got in Thunar when i tried to open the usb

Rejected send message, 1 matched rules; type="method_call", sender=":1.18" (uid=1000 pid=6769 comm="exo-mount) interface="org.freedesktop.Hal.Device.Volume" member="Mount" error name="(unset)" requested_reply=0 destination="org.freedesktop.Hal" (uid=0 pid=1896 comm="/usr/sbin/hald)).

Well, after messing around a bit, I did "mount -t vfat /dev/sdb1 /media/" and it mounted it. So I cannot automount it, but at least it is mounted for now. So that part is out of the way now big_smile

Last edited by Japanlinux (2010-05-18 21:41:56)

Offline

#8 2010-05-18 23:18:18

Japanlinux
Member
Registered: 2010-05-18
Posts: 173

Re: dd if=archlinux-2010.05...

I installed testdrive on arch and ran it, since it didn't work on gparted livecd (??). After analyzing, it only found my linux partitions and not the lost Windows partition. I'm running the detailed scan (or whatever it was called) and hoping something comes up there. If that fails, is that partition indefinitely lost? ; ;

Offline

#9 2010-05-19 00:21:30

byzkarl
Member
Registered: 2010-02-21
Posts: 15

Re: dd if=archlinux-2010.05...

The data isn't lost until you write something else on top of the physical location. You have my sympathies. I recall doing something like this 10 years ago.

Good luck!

Offline

#10 2010-05-19 01:12:43

JackH79
Member
From: Australia
Registered: 2009-06-18
Posts: 663
Website

Re: dd if=archlinux-2010.05...

If your scan failed, you may want to try autopsy. It's not the most userfriendly thing in the world, but it gets the job done.

http://www.sleuthkit.org/autopsy/index.php (edit: AUR: http://aur.archlinux.org/packages.php?ID=2013)

or have a look at all the other goodies:
http://wiki.archlinux.org/index.php/Arc … _Forensics

Last edited by JackH79 (2010-05-19 01:13:50)

Offline

#11 2010-05-19 02:29:54

Japanlinux
Member
Registered: 2010-05-18
Posts: 173

Re: dd if=archlinux-2010.05...

thanks byzkarl, glad to know I'm not the first to do something like this... big_smile

It did, in fact, fail. it detected the current partitions as well as the old linux partitions before arch. However that was it. I will try your suggestion Jack, and i'm installing it from AUR right now. Guess I have some stuff to read up on before I can fix this though o.O

sigh. Couldn't figure out autopsy. I wants me to provide an image? of what? cuz if it wants a windows image, i'm out of luck because windows is gone mad
The help file doesn't help with that at all either...

Last edited by Japanlinux (2010-05-19 03:01:01)

Offline

#12 2010-05-19 04:53:08

Japanlinux
Member
Registered: 2010-05-18
Posts: 173

Re: dd if=archlinux-2010.05...

Yay progress! I did the testdisk again on the liveCD and instead of searching the partitions, I searched th 'no partitions' area option. This indeed found the NTFS partition (with a bunch of errors):cool: I'll post a picture of the testdisk showing NTFS once I find where the screenshot saved the pic...


okay, coudn't find where the screen was, so I just ran testdisk again in arch and copied the stuff it should (though only at 35%, I got impatient tongue)

EDIT: added a second code box

 FAT12                11622  84 57 11623 159  5      20739 [NO NAME]
check_FAT: Unusual, only one FAT
check_FAT: Bad number of entries in root dir
  EXFAT                11644  13 30 11644  13 29          0
  XFS 4                12004 212 31 1211900714 201 54 27135938288949800 [ ^[vB]
  NTFS                 12159 241 42 51072 224 46  625136279
check_FAT: Unusual media descriptor (0xf0!=0xf8)
Warning: Incorrect number of heads/cylinder 2 (FAT) != 255 (HD)
Warning: Incorrect number of sectors per track 18 (FAT) != 63 (HD)
  FAT12                12662 220 22 12663  11  3       2880 [EFISECTOR]
check_FAT: Unusual media descriptor (0xf0!=0xf8)
Warning: Incorrect number of heads/cylinder 2 (FAT) != 255 (HD)
Warning: Incorrect number of sectors per track 18 (FAT) != 63 (HD)
  FAT12                12663  11  4 12663  56 48       2880 [EFISECTOR]
B  sB]

Does this help figure things out? when I did the quick scan on the liveCd, it finished and said that NTFS was unrecoverable. I'm hoping the deeper scan will give a better answer than that ; ;

EDIT: here's the final output. Sadly it says unrecoverable... That's slightly irritating.:/

Disk /dev/sda - 320 GB / 298 GiB - CHS 38913 255 63

The harddisk (320 GB / 298 GiB) seems too small! (< 13893600 TB / 1
Check the harddisk size: HD jumpers settings, BIOS detection...

The following partitions can't be recovered:
     Partition               Start        End    Size in sectors
  HFS                   4823 231 54 64414 223  5  957328863 [  X9    FB _ ^Ke      F]
  HFS                   7537   2 52 169313 216 27 2598944898
  XFS 4                12004 212 31 1211900714 201 54 27135938288949800 [ ^[vB] B  sB]
  NTFS                 12159 241 42 51072 224 46  625136279
  NTFS                 32634 243 15 65269 230 29  524280471
  HFS                  34227 183 25 55115  22 33  335555586
  ext4                 36082 104 15 40714  87 37   74412032
  ext4                 36082 110  5 40714  93 27   74412032
  ext4                 36082 113 16 40714  96 38   74412032
  ext4                 36082 114 41 40714  97 63   74412032

[ Continue ]
HFS, 490 GB / 456 GiB

Last edited by Japanlinux (2010-05-19 06:55:04)

Offline

#13 2010-05-19 19:47:17

Japanlinux
Member
Registered: 2010-05-18
Posts: 173

Re: dd if=archlinux-2010.05...

well, I was using testdisk and I changed the boot sector hoping that would do something. That failed though, since I don't have a valid Windows partition, so it couldn't do anything. I'm not too sure what to do now though..


EDIT: well, I figure I should try to recover my data/folders from windows first. Since the stuff on there is important to me, can someone explain to me how I might go about getting those files/folders? That way, I don't have to worry so much about recovering Windows as quick as possible (should relieve some stress).

Last edited by Japanlinux (2010-05-20 00:11:12)

Offline

#14 2010-05-20 17:59:19

Japanlinux
Member
Registered: 2010-05-18
Posts: 173

Re: dd if=archlinux-2010.05...

well. I guess no one knows how to recover files from a lost partition? Using photorec was very confusing to me. kept asking me questions about uxr...  rvr.... and a bunch of letters that didn't make sense to me.. Well, I tried one with the biggest size, and it seems to be searching and finding txt files and such. I guess that's better than nothing. Though I was hoping to be a bit more selective about what I recover. Will this program recover video files as well (such as .mkv)? Where do I find these recovered files, btw?

Last edited by Japanlinux (2010-05-20 18:16:17)

Offline

#15 2010-05-21 18:53:33

Odysseus
Member
Registered: 2009-02-15
Posts: 141

Re: dd if=archlinux-2010.05...

From the NTFS wikipedia entry: "The Master File Table (MFT) contains metadata about every file, directory, and metafile on an NTFS volume. It includes filenames, locations, size, and permissions."

You've almost certainly overwitten the MFT with the archlinux iso, so all the data about your data is utterly gone.

The files themselves can (with a lot of patience) can be recovered and found, using Photorec.
Photorec recovers files by scanning the hard drive byte by byte, looking for recognizable file headers.  You can configure which types it will back up.  Those letter combinations are just filename type extensions.  You should be able to answer any other questions you have about Photorec on its website or man page.  Also, Photorec is part of the "testdisk" archlinux package.


I'm the type to fling myself headlong through the magical wardrobe, and then incinerate the ornate mahogany portal behind me with a Molotov cocktail.

Offline

#16 2010-05-21 20:37:57

Japanlinux
Member
Registered: 2010-05-18
Posts: 173

Re: dd if=archlinux-2010.05...

Well, I ran photorec overnight. The good news is that it found a bunch of files. The bad news is that none of the 10k+ files it found uses it's origiinal file name. o.O it's gonna take me a while to search through this. Well, that's better than failing to get the files back at all..

Offline

#17 2010-05-22 08:20:35

JackH79
Member
From: Australia
Registered: 2009-06-18
Posts: 663
Website

Re: dd if=archlinux-2010.05...

Japanlinux wrote:

sigh. Couldn't figure out autopsy. I wants me to provide an image? of what? cuz if it wants a windows image, i'm out of luck because windows is gone mad
The help file doesn't help with that at all either...

Sorry Japanlinux. Completely missed re-reading your post. Well, the thing about autopsy is that it will not try to do anything from you rhard drive directly, as this may (in a professional forensic setting) compromise evidence. Therefore you will have to take in image of your affected disk. Best with dd. Something like:

dd if=/dev/sda of=/home/japanlinux/rescue.img

Problem here of course is space. Hope you've got enough hard drive space to copy your entire drive. Maybe you can use another external drive to do that.

Then you can use autopsy to read your rescue.img file.

Hope this'll work for you.

Offline

Board footer

Powered by FluxBB