A plea for help; or, how to shoot yourself in the foot with ext3

Nathan Anderson nathan at anderson-net.com
Tue Jul 7 16:08:02 UTC 2009 

All,

I need help.  I did something dumb and shot myself in the foot.  What I 
was doing when it happened was something I've done plenty of other times 
before, and I simply acted carelessly during the process.

I tried to install a copy of MikroTik RouterOS (Linux-based routing 
software) onto a USB thumb-drive using my laptop last weekend, but I 
forgot to take the hard drive out of the laptop first like I usually do 
when attempting to do such things.  And the install program found my 
hard drive instead of the USB drive, and...well, you can guess what 
happened next.  HDD was wiped, repartitioned, and those partitions 
formatted.  I lost everything as a result.

MikroTik RouterOS appears to use ext3, which is why I'm here.

I have a bit-for-bit clone backup of my HDD from a few months back that 
I really should have been refreshing more regularly, but lucky for me my 
partition layout on the laptop hadn't changed since the last snapshot, 
so I was able to at least restore my MBR and get the partition 
boundaries back.

And, after doing so, miracle of miracles: I was able to see and access 
the filesystems of all three partitions I had on the drive (1 NTFS, 1 
HFS+, and 1 ext3)!!  It wasn't a great mystery to me that I was able to 
see the contents of the last 2 partitions, but I figured the filesystem 
structure of the NTFS partition at the beginning of the drive had to 
have been completely clobbered (since RouterOS did, in fact, complete 
the installation, and not just get as far as the formatting).  I was 
ecstatic to learn otherwise!

But I was in for a(nother) shock.  Despite the fact that the filesystem 
metadata seemed to be intact, the data itself that was contained therein 
didn't appear to be so lucky.  The corruption, or whatever it was, was 
so bad that I couldn't boot the operating systems contained on the 
latter 2 partitions even though they should have been minimally touched 
during the RouterOS disk format.  Right now, I'm trying to figure out if 
this is the fault of ext3 and the mkfs.ext3 (may its name be forever 
cursed[1]) format process, or what.

I took a large-ish (~200MB) file from one of the partitions, and 
compared it to a known-good copy of the file.  Here is what I found 
after analyzing the differences (which I'm guessing will not be news to 
most of you; also, my math may be a little off since I did this in 
rather a hurry):

* There are 2MiB + 8KiB contiguous "chunks" consisting completely of 0s 
with the exception of the first 64 bytes of the chunk, 63 of which are 
FF/255 and the 64th which is value 3.  Where those "chunks" exist, my 
data is gone/overwritten.

* These chunks of 0'd out data seem to occur in regular intervals of 
roughly 124Mbytes.

* About 12MiB or so (actually exactly 80KiB short of 12MiB) before each 
"hole" is another much smaller blanked-out area, 4KiB in size, that 
roughly consists of all 0s as well but which also contains a few unique 
values at the beginning as well.

Other files that I looked at in all three partitions had similar "holes" 
in them.  I am guessing that all of this lovely handiwork was in fact 
the result of mkfs.ext3 (may its firstborn perish in agony[1]) during 
the portion of the RouterOS install where it said "Partitioning and 
formatting disk," but am not sure because I don't have a deep enough 
knowledge of ext2 or ext3 to know whether this kind of pattern is to be 
expected from a format/mkfs.  Whatever it was that caused this, it took 
a shotgun to my data, and now it looks like swiss cheese.

Based on this info, does this sound like something that mkfs.ext3 (may 
it be exposed to the flames of Hades for all eternity[1]) would do/have 
done?  And does the ext3 formatting process really have to be so 
destructive?

I doubt that, whatever the cause, it can be undone now, unless there is 
something that I'm missing here and there is somebody out there who 
might be able to suggest how I can reconstruct or re-discover the 
seemingly missing data.  After learning of The Great Zero Challenge 
(http://16systems.com/zero/index.html and 
http://hostjury.com/blog/view/195/the-great-zero-challenge-remains-unaccepted), 
though, it doesn't sound as though there is much hope.

Thanks for listening, and if anybody either has any suggestions or can 
at least confirm for me that it is a lost cause so I can stop worrying 
about it and waste no more time on research, I would be grateful.

[1] I realize that the responsibility for the lost data lies solely with 
me and not with the author(s) of mkfs.ext3; this venting and poor 
attempt at comic relief is merely one method I've used to try to deal 
with the loss.

-- 
Nathan Anderson
nathan at anderson-net.com

More information about the Ext3-users mailing list