"Guessing" superblock parameters
smb94532543 at w-lan.mine.nu
Mon May 1 01:51:54 UTC 2006
I have the following scenario: I've got a partition which has exactly
$ fdisk -l /dev/hda
Disk /dev/hda: 28.5 GB, 28520497152 bytes
255 heads, 63 sectors/track, 3467 cylinders
Units = Zylinder of 16065 * 512 = 8225280 bytes
Gerät Boot Start End Blocks Id System
/dev/hda4 1643 3467 14659312+ 83 Linux
Long, long time ago (5,6 years) I formatted this partition using a
simple "mke2fs /dev/hda4" call. Block size is 4096. On 5th July, 2004, I
accidently reformatted the partition with
mke2fs -j /dev/hda4
without having a backup. Silly.
(take a look at the '-j' switch which creates a journal!)
After that, I spent weeks in reconstructing data and had partial
success. I could reconstruct lots of mails, mysql tables, PHP documents
and so on using self written scripts. The most important data. Even a
50MB gpg compressed file with finding indirect blocks.
After that, I saved the image to disk, reformatted the partition and
kept on working ;-)
Last week, I searched for a file I've lost on that image. I just won't
realize that my data is lost. It's still out there ;-)
So I wrote a small program that finds all directory entries and had
partial success: Most directory entries were found and in small
directories with small files, the data in it followed the directory
entry so that I could reconstruct whole directories.
Now, I had the idea of searching for inodes. Maybe not all inodes are
overwritten? What would you say? Are there chances that some inodes are
not overwritten? Or are they all lost? Overwritten by zeros?
Maybe not all of them are overwritten because of the '-j' switch?
I modified the program "e2salvage" to find all inodes. I know, I had ~
117807 files and directories on the disk. e2salvage found 85064 inodes.
But I have the problem that on the disk there was an image (~1GB) with a
whole Linux file system. I think block size also 4096.
Do you think the inodes are from that image or could the inodes be from
my data file system itself?
And now the important question: Even if I would find a few inodes, they
are useless, unless I know the addresses of the inode tables for each
Is there a way to reconstruct/guess the superblock parameters (block
groups, inode tables, ...) if I have the the exact size of the partition
and the block size (4096)? I also know that I've taken the default
parameters for mke2fs.
Is the filesystem (offset of inode tables, ...) the same everytime I
format the same partition? If not, why?
Thank you very much in advance!
More information about the Ext3-users