Emergency

Jason Shein jason-xgs8i/e9EeWTtA8H5PvdGCwD8/FfD2ys at public.gmane.org
Mon Jan 24 19:07:43 UTC 2005


On January 24, 2005 05:21 pm, Jason Shein wrote:
> I just got in the door, late on this thread.
>
> here's my 2 cents.
>
> I came across this howto a while ago, and it has helped me out of a pinch.
>
> First, if you have a spare hard drive, make a copy of the data on the
> bad disk (or better yet two) in case the hardware will die, and work on
> the copy.
>
> Then do:
>
> # /sbin/mke2fs -n /dev/hda5 -b [blocksize]
> Be sure to use the right block size here!
>
> You will see output including:
>
> Superblock backups stored on blocks:
>         8193, 24577, 40961, 57345, 73729
> These are the locations of the superblocks.
>
> Pass these one by one to:
>
> e2fsck -b [backup superblock location] -y /dev/hda5
>
> [read up on "man e2fsck"]
>
> If one of these superblocks is OK, e2fsck will start recovering all
> possible data (the -y switch means "yes to all"; otherwise you get
> thousands of prompts).
>
> All the possible files will be dumped into the /lost+found directory.
> From there, you should be able to do something like:
>
> find /lost+found/* -name [some directory you are sure of the location of]
>
> i.e.
> find /lost+found/* -name jason
> allowed me to find my home directory.
>
> the /lost+found directory basically contains many hard links to the same
> files.
>
> You should be able to find your /home, /var, /etc, or whatever other
> directories you have on the drive and move them back to their respective
> spot.
>
> Be careful - many files may be corrupt without warning.
>
>
> Using this technique, I was able to recover an ext3 partition after
> deleting it, resizing the partition, reformatting as reiserfs, and using
> it for two days.  About 70% of the files got recovered, but it obviously
> depends on the damage done.
>
> good luck.

I forgot to add, use Helix Linux to do the job (bootable live CD distro).

http://www.e-fense.com/helix/

-snip-

Helix is a customized distribution of the Knoppix Live Linux CD. Helix has 
more than just a bootable live CD. You can still boot into a customized Linux 
environment that includes customized linux kernels (2.4.27 & 2.6.7), 
excellent hardware detection and many applications dedicated to Incident 
Response and Forensics. Helix has been modified very carefully to NOT touch 
the host computer in any way and it is forensically sound. Helix will not auto 
mount swap space, it will also not auto mount any found devices. Helix also 
has a special Windows autorun side for Incident Response and Forensics. Helix 
is used by SANS for training in Track 8: System Forensics, Investigation and 
Response.

-snip-

-- 
" Eventually people tire of repairing broken Windows,
       And decide to replace them with something stronger"
(o_
//\        Linux - The Choice Of A GNU Generation
V_/_                     Jason Shein
        Linux Registered User #281100
   jason-xgs8i/e9EeWTtA8H5PvdGCwD8/FfD2ys at public.gmane.org
--
The Toronto Linux Users Group.      Meetings: http://tlug.ss.org
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml
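
The backup-superblock steps from the quoted how-to, as an added example that is not part of the original message: it parses the `mke2fs -n` listing and probes each location read-only with `e2fsck -n`, so the `-y` repair is only run against a superblock that e2fsck can open. The function names and the `/dev/hdb5` copy are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): locate a usable backup superblock
# without writing to the filesystem. Function names are hypothetical.

# Read `mke2fs -n` output on stdin; print one backup superblock number per line.
# The list follows the "Superblock backups stored on blocks:" header and may wrap.
parse_backup_superblocks() {
    awk '
        /Superblock backups stored on blocks:/ { grab = 1; next }
        grab && /^[ \t]*[0-9]/ { gsub(/[^0-9]+/, " "); printf "%s ", $0; next }
        grab { grab = 0 }
    ' | tr -s ' ' '\n' | sed '/^$/d'
}

# Usage: find_usable_superblock IMAGE BLOCKSIZE   (candidate block numbers on stdin)
# Probes each candidate with `e2fsck -n` (read-only, answers "no" to everything)
# and prints the first one e2fsck could open.
# e2fsck exit status is a bit mask: 4 = errors left uncorrected (expected on a
# damaged filesystem); 8 and above = operational or usage error, meaning the
# superblock at that location was not usable.
find_usable_superblock() {
    img=$1
    bs=$2
    while read -r sb; do
        rc=0
        e2fsck -n -b "$sb" -B "$bs" "$img" </dev/null >/dev/null 2>&1 || rc=$?
        if [ "$rc" -lt 8 ]; then
            printf '%s\n' "$sb"
            return 0
        fi
    done
    return 1
}

# Typical use, always on the copy and never on the failing disk:
#   COPY=/dev/hdb5        # assumed: spare-disk copy of /dev/hda5
#   mke2fs -n -b 1024 "$COPY" | parse_backup_superblocks > sb.list
#   sb=$(find_usable_superblock "$COPY" 1024 < sb.list) &&
#       e2fsck -b "$sb" -B 1024 -y "$COPY"
```

The block size given to `mke2fs -n` and to `-B` must match the one the filesystem was created with, otherwise the listed locations will not line up with the real backups.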




