[CentOS] data recovery

Fri Sep 23 19:34:05 UTC 2011
Lamar Owen <lowen at pari.edu>

On Thursday, September 22, 2011 06:48:07 PM Paras pradhan wrote:
> Suddenly my disk device's geometry has been changed to something that
> does not make any sense. It's a 1.8TB in size and had only one single
> partition. Now I can see 3 partitions sde1, sde2 and sde2 of sizes
> 130M, 140GB and 10GB.
> 
> Is there any way to recover data from these newly created disk devices?

Perhaps.  It depends totally on how much has been written to these devices.  If anything has been written, you have a problem.  If nothing has been written, first back up the partition table, then use fdisk to re-partition with a single partition using exactly the same start and end sectors as you had before.  

You will have to find out what the original first sector of the original partition was; this will depend upon a number of factors, such as which version of CentOS we're talking about.  CentOS 3, 4, and 5 will probably default to a starting sector of 63; CentOS 6 defaults to a starting sector of 2048.  In CentOS 5 and prior you will have to run fdisk with the -u option to set the actual starting sector, as opposed to the starting cylinder; in CentOS 6 fdisk already is set that way, and -u does something different.

There are some recovery tools out there such as testdisk and photorec that don't use the filesystem to do recovery, but look for the raw data instead.  There are some other forensic tools, available on specialized distributions like CAINE, Backtrack, and NST, that can help you grab usable data off the drive.  But it will not be easy, and will take a long time, especially with that large of a drive.  Best thing there is to make an image of the drive and work with it instead of the original drive, though.

Once you have the partition table restored to the way it was, you'll probably have to locate a superblock copy somewhere on the drive.  I say 'somewhere' simply because the exact locations of the backup copies vary with the size of the device and the block size used in making the filesystem (for ext2, 3, and 4 filesystems; if it was a different filesystem you'll have to use that filesystem's tools and techniques).  

But you might get really lucky if absolutely nothing has been written to those three partitions; if you get the start sector correct and absolutely nothing has been written to any area of the disk except the partition table, your filesystem may be in readable shape.  And I mean readable; only attempt read-only mounting of such a filesystem.  

It's usually a good thing to keep a backup of the partition table and bootloader areas (typically the whole first cylinder-equivalent, up to the start of the first partition) for just such an emergency.

As to how this might have happened, a miskeyed 'dd' or 'fdisk' by someone can easily do this.  Making a new filesystem on the raw device instead of the partition can do that, too.  Look in .bash_history (assuming bash) and any audit logs you might have for anything dealing with that device.
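Worked example, added here as an illustration of the steps in the reply above and not part of Lamar's message or any CentOS tool: it decodes a saved first sector (the partition-table backup the reply recommends keeping, as produced by e.g. `dd if=/dev/sde of=sde-mbr.bin bs=512 count=1`) into the start/end sectors you would type back into fdisk -u, and then computes where the ext2/3/4 backup superblock copies sit for a given filesystem size and block size, which is the "somewhere on the drive" the reply mentions. The MBR bytes, the device name sde, the partition size and the 4K block size are all constructed assumptions; the 2048 start sector is the CentOS 6 default quoted in the reply. The layout rules used (primary superblock at byte 1024; with sparse_super a copy in the first block of groups 0, 1 and every power of 3, 5 and 7; mke2fs' default of 8 * block_size blocks per group) are the standard ext2/3/4 ones, so the numbers generalise beyond this one disk.

```python
import struct

SECTOR = 512          # bytes per logical sector (assumes a 512n disk)
ENTRY_OFF = 446       # offset of the four 16-byte partition entries in an MBR
EXT_SB_OFFSET = 1024  # the primary ext superblock always starts at byte 1024 of the filesystem


def build_mbr(entries):
    """Construct a 512-byte MBR for testing. ``entries`` is a list of
    (type, start_lba, num_sectors) tuples. Constructed sample data, not a real
    disk; the CHS fields are filled with the 0xFE 0xFF 0xFF "LBA only" marker
    because nothing here (and no modern fdisk) relies on them."""
    mbr = bytearray(SECTOR)
    for i, (ptype, start, size) in enumerate(entries[:4]):
        struct.pack_into("<B3sB3sII", mbr, ENTRY_OFF + 16 * i,
                         0x00, b"\xfe\xff\xff", ptype, b"\xfe\xff\xff", start, size)
    mbr[510:512] = b"\x55\xaa"  # boot signature
    return bytes(mbr)


def parse_mbr(sector0):
    """Decode the partition table from a saved first sector. Returns one dict
    per used slot with the absolute start/end sectors (the values to give
    fdisk -u when recreating the single original partition)."""
    if len(sector0) < SECTOR or sector0[510:512] != b"\x55\xaa":
        raise ValueError("not an MBR: 0x55AA signature missing")
    parts = []
    for i in range(4):
        boot, ptype, start, size = struct.unpack_from("<B3xB3xII", sector0, ENTRY_OFF + 16 * i)
        if ptype == 0 or size == 0:
            continue  # empty slot
        parts.append({"index": i + 1, "type": ptype, "bootable": boot == 0x80,
                      "start": start, "end": start + size - 1, "sectors": size})
    return parts


def _is_power_of(n, base):
    """True for n in {base, base**2, base**3, ...} (the sparse_super rule)."""
    if n < base:
        return False
    while n % base == 0:
        n //= base
    return n == 1


def ext_superblock_copies(fs_blocks, block_size, blocks_per_group=None):
    """Filesystem block numbers holding backup superblocks in an ext2/3/4
    filesystem made with sparse_super (mke2fs' default): block groups 1 and
    every power of 3, 5 and 7 carry a copy in their first block. mke2fs'
    default group size is 8 * block_size blocks (one bitmap block's worth),
    i.e. 8192 for 1K blocks and 32768 for 4K blocks, which is why the
    locations depend on both the device size and the block size."""
    if blocks_per_group is None:
        blocks_per_group = 8 * block_size
    # Byte 1024 is block 1 only when blocks are 1K; larger blocks put the
    # primary superblock inside block 0, so group 0 starts at block 0.
    first_data_block = 1 if block_size == 1024 else 0
    ngroups = -(-(fs_blocks - first_data_block) // blocks_per_group)  # ceiling division
    return [first_data_block + g * blocks_per_group
            for g in range(1, ngroups)
            if g == 1 or _is_power_of(g, 3) or _is_power_of(g, 5) or _is_power_of(g, 7)]


def disk_byte_offset(part_start_sector, fs_block, block_size):
    """Absolute byte offset on the whole disk of filesystem block ``fs_block``
    inside a partition beginning at ``part_start_sector``. A backup copy
    starts at byte 0 of its block, so reading 1024 bytes here and checking
    for the ext magic 0xEF53 at byte 0x38 confirms the candidate before you
    hand it to e2fsck -n -b <block> -B <block_size>."""
    return part_start_sector * SECTOR + fs_block * block_size


if __name__ == "__main__":
    # Constructed scenario resembling the poster's description: one Linux
    # partition covering a ~1.8 TB disk, CentOS-6 style start sector 2048.
    part_sectors = 3_515_015_168
    saved_mbr = build_mbr([(0x83, 2048, part_sectors)])
    for p in parse_mbr(saved_mbr):
        print(f"sde{p['index']}: start={p['start']} end={p['end']} type={p['type']:#04x}")
    fs_blocks = part_sectors * SECTOR // 4096      # a 4K-block filesystem filling the partition
    copies = ext_superblock_copies(fs_blocks, 4096)
    print("backup superblocks at fs blocks:", copies[:6], "...")
    print("first copy at disk byte offset", disk_byte_offset(2048, copies[0], 4096),
          "-> e2fsck -n -b", copies[0], "-B 4096 /dev/sde1")
```

The parser deliberately refuses a sector without the 0x55AA signature rather than guessing, since a wrong start sector is exactly the mistake that turns a recoverable disk into an unrecoverable one; likewise the e2fsck invocation in the comments uses -n so nothing is written until a copy has been verified against the magic number.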