"Guessing" superblock parameters

Niki Hammler smb94532543 at w-lan.mine.nu
Mon May 1 01:51:54 UTC 2006


Hi again,

I have the following scenario: I've got a partition which has exactly 
14659312 blocks:

$ fdisk -l /dev/hda
Disk /dev/hda: 28.5 GB, 28520497152 bytes
255 heads, 63 sectors/track, 3467 cylinders
Units = Zylinder of 16065 * 512 = 8225280 bytes
     Gerät Boot      Start         End      Blocks   Id  System
(...)
/dev/hda4            1643        3467    14659312+  83  Linux
(...)

Long, long time ago (5,6 years) I formatted this partition using a 
simple "mke2fs /dev/hda4" call. Block size is 4096. On 5th July, 2004, I 
accidentally reformatted the partition with

mke2fs -j /dev/hda4

without having a backup. Silly.
(take a look at the '-j' switch which creates a journal!)
After that, I spent weeks in reconstructing data and had partial 
success. I could reconstruct lots of mails, mysql tables, PHP documents 
and so on using self-written scripts. The most important data. Even a 
50MB gpg compressed file with finding indirect blocks.
After that, I saved the image to disk, reformatted the partition and 
kept on working ;-)

Last week, I searched for a file I've lost on that image. I just won't 
realize that my data is lost. It's still out there ;-)

So I wrote a small program that finds all directory entries and had 
partial success: Most directory entries were found and in small 
directories with small files, the data in it followed the directory 
entry so that I could reconstruct whole directories.


Now, I had the idea of searching for inodes. Maybe not all inodes are 
overwritten? What would you say? Are there chances that some inodes are 
not overwritten? Or are they all lost? Overwritten by zeros?
Maybe not all of them are overwritten because of the '-j' switch?


I modified the program "e2salvage" to find all inodes. I know, I had ~ 
117807 files and directories on the disk. e2salvage found 85064 inodes.
But I have the problem that on the disk there was an image (~1GB) with a 
whole Linux file system. I think block size also 4096.
Do you think the inodes are from that image or could the inodes be from 
my data file system itself?

And now the important question: Even if I would find a few inodes, they 
are useless, unless I know the addresses of the inode tables for each 
block group.
Is there a way to reconstruct/guess the superblock parameters (block 
groups, inode tables, ...) if I have the exact size of the partition 
and the block size (4096)? I also know that I've taken the default 
parameters for mke2fs.

Is the filesystem (offset of inode tables, ...) the same every time I 
format the same partition? If not, why?


Thank you very much in advance!



Niki
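
Added example, not part of the original post: the block-group geometry that follows from the partition size and block size given above, with candidate inode-table start blocks per group. The layout rules are assumptions, not facts from the post: 32-byte group descriptors, sparse_super backups, no reserved GDT blocks, and bitmaps plus inode table packed directly after each superblock/GDT copy.

```python
# Added example: ext2/ext3 block-group geometry from partition size + block size.
# Assumed (not stated in the post): 32-byte group descriptors, sparse_super
# backups, no reserved GDT blocks, classic packed metadata layout per group.

def has_super(group, sparse=True):
    """True if the group holds a superblock/GDT copy (0, 1, powers of 3, 5, 7)."""
    if not sparse or group <= 1:
        return True
    for base in (3, 5, 7):
        n = base
        while n < group:
            n *= base
        if n == group:
            return True
    return False

def layout(total_blocks, block_size=4096, sparse=True):
    """Return one dict per block group with its candidate metadata blocks."""
    per_group = 8 * block_size               # one bitmap block covers 8 bits/byte
    first = 1 if block_size == 1024 else 0   # first data block
    groups = -(-(total_blocks - first) // per_group)   # ceiling division
    gdt_blocks = -(-(groups * 32) // block_size)       # descriptor table size
    out = []
    for g in range(groups):
        start = first + g * per_group
        meta = 1 + gdt_blocks if has_super(g, sparse) else 0
        out.append({
            "group": g,
            "start": start,
            "super": meta > 0,
            "block_bitmap": start + meta,
            "inode_bitmap": start + meta + 1,
            "inode_table": start + meta + 2,
        })
    return out

# Partition from the post: 14659312 blocks of 1 KiB as reported by fdisk.
PARTITION_KIB = 14659312
GROUPS = layout(PARTITION_KIB * 1024 // 4096)

if __name__ == "__main__":
    for g in GROUPS[:4] + GROUPS[-1:]:
        print(g)
```

The candidate inode-table blocks can be compared with the block numbers where an inode scanner's hits cluster; hits that do not line up with any group are more likely to come from a nested image.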



