Just remembered I unmounted & re-mounted a couple times, hopefully that wasn’t too damaging then. Of course right now it is unmounted & stowed away.
I would, but it’ll take a couple weeks for me to acquire an adequately sized disk to put the 3TB cloned image on so I can more safely operate on & undelete files from it. Not sure what this forum’s policy is on when to sunset threads, but I would appreciate more assistance when I have the materials in order.
Yep, this one.
A filesystem’s job is to keeps track of pieces of files and lists of files in directories reliably, when you delete a file there’s probably multiple pieces of data that need to be modified and they’re usually a journal entry made that’s meant to help get the filesystem into a consistent state in case power is lost half way through modifying all the places.
extundelete can walk the journal and can try and find the old data that’s no longer referenced.
ddrescue doesn’t care about the filesystem, it can just make a copy of the data block by block, it’s like dd, but it has additional options that make working with broken devices easier, it won’t help you make sense of the data.
getting a copy of the data is very useful before you actually start the recovery using extundelete because extundelete also writes metadata, meaning it might overwrite someplace on disk where old useful metadata used to be, so having a copy is somewhat useful.
I don’t know about photorec internals, apparently it scans each block on disk for useful stuff of any kind.
Once you recover (or don’t recover), start using btrfs with snapper or timeshift, or start using lvm2.
Slower and more complex to use, for no benefit in your situation. ddrescue is a great utility when you have (potentially) damaged hardware to deal with.
I only recently got that new drive to dump a backup on to using dd, but not even that seems to have worked?
sudo dd if=/dev/sda of=/dev/sdb
[sudo] password for chris:
dd: error reading '/dev/sda': Input/output error
87672112+0 records in
87672112+0 records out
44888121344 bytes (45 GB, 42 GiB) copied, 2776.43 s, 16.2 MB/s
To clarify, it looks like nothing was copied on to the target (certainly no output file) & the target is still a 6 TB volume, so doesn’t seem to me like any action has actually taken place. I probably used dd incorrectly.
Well then I guess you do need to learn ddrescue after all:
Are you sure of that? I was just talking to someone who told me my issue was I didn’t specify a .img to clone into & that i should retry the cloning w/ that specified.
Relevant lsblk info:
sda 8:0 0 2.7T 0 disk
└─sda1 8:1 0 2.7T 0 part /media/chris/CHRISDRIVE
sdb 8:16 0 5.5T 0 disk /media/chris/BACKUP
nvme0n1 259:0 0 238.5G 0 disk
├─nvme0n1p1 259:1 0 512M 0 part /boot/efi
└─nvme0n1p2 259:2 0 238G 0 part /
Was it wrong to use sda as the input instead of sda1? The 2.7T disk is what everything got deleted on that I’m trying to backup to recover from. sdb is my target.
EDIT: just reformatted the 6 TB target disk (sdb), & now it’s:
sdb 8:16 0 5.5T 0 disk
└─sdb1 8:17 0 5.5T 0 part /media/chris/BACKUP
This is also how it used to look before I used dd, I’m guessing my using sudo dd if=/dev/sda of=/dev/sdb wiped the target disk’s partition & rendered the disk raw? I guess I should be cloning sda1 to sdb2? Should I be specifying a .img to create also?
Hi, It might be better to copy the whole disk, but the partition should still have the deleted files (marked for deletion in the directory tree)
You can copy to a file if you rather, and then mount the image later.
The original dd command you showed, should have ended up with the data in /dev/sdb1. perhaps try testdisk on it, and see what it has?
I would still recommend ddrescue though, noting that dd uses the if= and of= but ddrescue does not need that. you could still choose a bunch of options to fine tune the process, check man ddrescue
If the large drive (sdb) is formatted with a filesystem, and mounted at /media/chris/BACKUP then
sudo ddrescue /dev/sda /media/chris/BACKUP/imagefileofdrive.img /media/chris/BACKUP/mapfile.map
If the large drive is not formatted and mounted (like, if the first DD overwrote the mounting info) then you can put the mapfile in your home directory, and copy over the large disk
sudo ddrescue /dev/sda /dev/sdb /home/chris/mapfile.map
This should end up with 2 drives, both showing with the same UUID and partition labels and stuff.
The original issue was an accidental delete? So we would not be so worried about corruption, with several passes extracting variously damaged blocks.
It does kind of rely on the older drive being disconnected / unplugged / not mounted in the mean time.
If the drive has been in/on, there is a chance the system might have tried to fix stuff, and garbage collect the deleted files…
Either way, once a copy is made, then testdisk is the tool to go with, to examine the directory tree, and un-delete stuff, in my opinion.
Hello, thank you, parallel to you typing your reply I read dd's manpage & came up w/ this:
sudo dd if=/dev/sda of=/media/chris/BACKUP/sdadisk.img status=progress
I’m pretty confident that’ll work, so will probably be running it imminently, but what’s the .map stuff you showed & is it exclusive to ddrescue? Certainly didn’t see it documented by dd.
The mapfile is just a logfile, used to resume an interrupted transfer.
If you gotta quit part way through, it can pick up where left off, saving the time of the bits done is all.
To be fair, I would give the recovery software a go on the partial copy you already have, see if it shows anything, but then, I may be a little unhinged.
Anyways, the status=progress does give some output, which is reassuring, knowing it is working as it is whirling away
Same result?
sudo dd if=/dev/sda of=/media/chris/BACKUP/sdadisk.img status=progress
[sudo] password for chris:
44888121344 bytes (45 GB, 42 GiB) copied, 797 s, 56.4 MB/s
dd: error reading '/dev/sda': Input/output error
87672112+0 records in
87672112+0 records out
44888121344 bytes (45 GB, 42 GiB) copied, 809.004 s, 55.5 MB/sPossibly a dumb question, but is there any chance that having sda1 mounted is impacting the read operation?
Not a dumb question, having the partition attached and writeable, could mean some data OP wished restored, has already been overwritten by system messages and data, even if nothing new had been specifically saved to the partition.
Anything showing in the image file of the 42 gigs it transferred?
Were they files left over that hadn’t been deleted by the time you cancelled the rm?
the Arch Wiki actually looks to have a good page on recovery / undeletion. it recommends ext4magic:
https://wiki.archlinux.org/title/File_recovery
I didn’t think to check it first. my bad
For the past day I’ve since been running ddrescue (packaged as gddrescue in the official Ubuntu repos), which has come a long way at dumping my disk from what my dd commands were able to do, but it looks like it’ll take some more time scraping…
sudo ddrescue /dev/sda /media/chris/BACKUP/sdadisk.img /media/chris/BACKUP/mapfile.map
[sudo] password for chris:
GNU ddrescue 1.23
Press Ctrl-C to interrupt
ipos: 44888 MB, non-trimmed: 0 B, current rate: 0 B/s
opos: 44888 MB, non-scraped: 1569 kB, average rate: 34883 kB/s
non-tried: 0 B, bad-sector: 39424 B, error rate: 8 B/s
rescued: 3000 GB, bad areas: 38, run time: 23h 53m 38s
pct rescued: 99.99%, read errors: 116, remaining time: 17h 26m
time since last successful read: 2m 53s
Scraping failed blocks... (forwards)
Thank you all for the advice, I guess I’ll update this in another day lol.
I couldn’t even mount the disk image. In any case, I deleted the previous dd attempts & am currently just waiting on my ddrescue dump to–hopefully–finish.
I’m sorry to have dragged all this out for you.
At the end of the day, you might just have to work on the original drive.
I am just tied to the old idea of making a copy, then working on the copy, in case I damage anything.
And dd which you first chose, really should copy, even after a delete.
Do you have a tool in mind to try once the system completes? Like photorec or testdisk or anything?
I don’t mind having to wait a couple days for a cloned disk image to operate on, ddrescue seems to be working, & it’s a big drive so I was expecting this to take a while.
I was going to try testdisk/photorec, but you’ve brought ext4magic to my attention so I’ll investigate that also.