Recovering Files After Reinstall

Hello all,

I have a Linux question about recovering files after a reinstall. But first I’d like to give some context. I have a home lab and I rebuild systems often. I was building a set of VMs with KVM, using CentOS 7 as the hypervisor and the VMs. I used qcow2 as the disk format. The main partition was formatted with XFS, which is the new CentOS default. I ended up rebuilding the operating systems and later realized there were some files on one of the VMs I needed.

Is there any way I can recover these files? Or does anyone know of a paid service that can help me recover the files I need? I tried foremost and scalpel for a few hours but I was not successful.

Thanks in advance to anyone that chimes in!

What kind of files? (file types)

Can you recreate them? If you never had a backup, they’re usually not worth the cost to recover.

1 Like

The data is still there.

These are not easy steps, but you could:

  1. learn the file structure of the qcow2 format so you know what you’re looking for
  2. use dd to dump your drive to another drive, a binary copy
  3. search that copy for the signature of your qcow2 file, and hope it’s contiguous
  4. use dd to copy those blocks to a file
  5. mount that file as you would a qcow2 (loopback)
  6. extract the needed data

1 Like

This isn’t necessarily true. The files may have been overwritten or, depending on the drive type, erased.

2 Likes

I can’t recreate them. Depending on the cost to recover I would be willing to pay for a reliable recovery service.

I know some Linux but this seems like a highly specialized and complicated process.

In step 3 you mention search for the signature? I don’t have any hashes or file signatures. I know possible file names and extensions and the paths to the files, but I don’t have any other signatures I can go off of.

Also, how do I do that search? What command or software can I use to do this type of search?

If you know the file type then there are ways to find those files if they still exist.

Main point to note that I should have mentioned already: you’re not on the machine now? The drive or machine needs to be off and not in use.

Was it on a hard drive or SSD? The latter poses a bigger problem as it may have already erased all the data.

The VMs are off. I made backup copies of the qcow2 disks using qemu-img:

qemu-img convert -f qcow2 -O raw /path/disk.qcow2 /path/disk.img

The drive is an NVMe drive.

Ah, so you have a backup of the qcow image after you reinstalled the OS on the VM?

1 Like

Yes that is correct. I have the disk files (qcow2 files) after re-install and backups of that as well.

Hello and welcome to lvl1techs!

You have two options: Mount the qcow2-file(s) inside a VM or straight into the host:

Mounting inside a VM: libvirt-storage. Just add the qcow2-file(s) as a virtual disk inside a VM and you can access the data inside the VM.

Mounting the qcow2-file(s) inside Linux (on the host system): described here

I’d suggest going with the VM option first - the data should be presented as a disk just like a normally installed VM OS. Back up the data from the VM however you like.

Good luck!

Thanks Pollo. I think that should give me access to scan the disk, but I still need some software or process to scan the disks and recover the files. The partitions were deleted and the operating system was reinstalled.

You can use scalpel (or xxd) to search for the files, and can just extract them with plain dd if you want, but as mentioned you need to know the file type and you need to get the header and footer for that file type to find it.

The thing that I can’t remember is if the qcow image (if it’s not encrypted) is readable as a raw ‘disk’ straight from the file. If it is, you can just search it with the above tools directly. If it’s not, you can probably add the disk to a VM as suggested and then perform a search of the whole disk.

You do need to know the file type and layout though, and even then it’s no guarantee it even exists or is stored in one continuous block.

1 Like
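The header/footer search described in the replies above, as an added example that is not part of any poster's message: a small carver that scans a raw image (such as the disk.img produced by the qemu-img convert command earlier in the thread) for a file type's header and footer and reports the byte ranges between them. The function names, the output file naming and the sample data are assumptions made for illustration; the JPEG and PDF values are the well-known signatures for those formats, and like any carver this only recovers files stored contiguously.

```python
import io
import sys

# Well-known magic values; add the header/footer pair for the file type you need.
SIGNATURES = {"jpg": (b"\xff\xd8\xff", b"\xff\xd9"), "pdf": (b"%PDF-", b"%%EOF")}

def find_offsets(stream, needle, chunk_size=1 << 20):
    """Yield absolute offsets of `needle`, reading the image chunk by chunk."""
    overlap = len(needle) - 1      # tail kept so a match split across chunks is seen
    buf, base = b"", 0             # base = absolute offset of buf[0]
    while chunk := stream.read(chunk_size):
        buf += chunk
        pos = buf.find(needle)
        while pos != -1:
            yield base + pos
            pos = buf.find(needle, pos + 1)
        keep = buf[-overlap:] if overlap else b""
        base += len(buf) - len(keep)
        buf = keep

def carve(stream, header, footer, max_size=16 << 20, chunk_size=1 << 20):
    """Return (start, end) byte ranges: each header up to the first footer after it."""
    hits = []
    for start in list(find_offsets(stream, header, chunk_size)):
        stream.seek(start)
        window = stream.read(max_size)   # cap how far a single file may extend
        end = window.find(footer, len(header))
        if end != -1:
            hits.append((start, start + end + len(footer)))
    return hits

if __name__ == "__main__":
    if len(sys.argv) == 3:               # usage: carve.py disk.img pdf
        with open(sys.argv[1], "rb") as img:   # read-only: never write to the image copy
            for n, (s, e) in enumerate(carve(img, *SIGNATURES[sys.argv[2]])):
                img.seek(s)
                with open(f"carved_{n:04d}.{sys.argv[2]}", "wb") as out:
                    out.write(img.read(e - s))
                print(f"{sys.argv[2]} at bytes {s}-{e}")
    else:                                # constructed sample image, runs offline
        sample = b"\x00" * 100 + b"%PDF-1.4 hello %%EOF" + b"\x00" * 50
        print(carve(io.BytesIO(sample), *SIGNATURES["pdf"], chunk_size=7))
```

Run it from a directory on a different disk than the one holding the image, so carved output never lands on the storage being searched. A PDF with incremental updates contains several %%EOF markers, so a range ending at the first one may be a truncated file.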

Since the actual qcow files still exist, there’s no recovery needed. Mount the file and rummage around the directory structure to copy what you need.

The directory structure was overwritten by new partitions and a new OS.

I read it as the host was reinstalled after backing up the VM qcow?

No. The directory structure was overwritten by new partitions and a new OS.