[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

"Guessing" superblock parameters

Hi again,

I have the following scenario: I've got a partition which has exactly 14659312 blocks:

$ fdisk -l /dev/hda
Disk /dev/hda: 28.5 GB, 28520497152 bytes
255 heads, 63 sectors/track, 3467 cylinders
Units = Zylinder of 16065 * 512 = 8225280 bytes
    Gerät Boot      Start         End      Blocks   Id  System
/dev/hda4            1643        3467    14659312+  83  Linux

Long, long time ago (5,6 years) I formatted this partition using a simple "mke2fs /dev/hda4" call. Block size is 4096. On 5th July, 2004, I accidently reformatted the partition with

mke2fs -j /dev/hda4

without having a backup. Silly.
(take a look at the '-j' switch which creates a journal!)
After that, I spent weeks in reconstructing data and had partial success. I could reconstruct lots of mails, mysql tables, PHP documents and so on using self written scripts. The most important data. Even a 50MB gpg compressed file with finding indirect blocks. After that, I saved the image to disk, reformatted the partition and kept on working ;-)

Last week, I searched for a file I've lost on that image. I just won't realize that my data is lost. It's still out there ;-)

So I wrote a small program that finds all directory entries and had partial success: Most directory entries were found and in small directories with small files, the data in it followed the directory entry so that I could reconstruct whole directories.

Now, I had the idea of searching for inodes. Maybe not all inodes are overwritten? What would you say? Are there chances that some inodes are not overwritten? Or are they all lost? Overwritten by zeros?
Maybe not all of them are overwritten because of the '-j' switch?

I modified the program "e2salvage" to find all inodes. I know, I had ~ 117807 files and directories on the disk. e2salvage found 85064 inodes. But I have the problem that on the disk there was an image (~1GB) with a whole Linux file system. I think block size also 4096. Do you think the inodes are from that image or could the inodes be from my data file system itself?

And now the important question: Even if I would find a few inodes, they are useless, unless I know the addresses of the inode tables for each block group. Is there a way to reconstruct/guess the superblock parameters (block groups, inode tables, ...) if I have the the exact size of the partition and the block size (4096)? I also know that I've taken the default parameters for mke2fs.

Is the filesystem (offset of inode tables, ...) the same everytime I format the same partition? If not, why?

Thank you very much in advance!


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]