FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > Debian > Debian User

 
 
LinkBack Thread Tools
 
Old 09-24-2011, 08:48 AM
Keith Roberts
 
Default data recovery

On Fri, 23 Sep 2011, Michel Donais wrote:

> To: CentOS mailing list <centos@centos.org>
> From: Michel Donais <donais@telupton.com>
> Subject: Re: [CentOS] data recovery
>
> Two weeks ago I've been in similar situation on an 80 gig sata drive.
>
> Found it with 8 partition; boot was there but nothing of the operating
> system to load Linux 5.6
>
> My recovery solution was to put the disk on a window system as a secondary
> drive. Just connected to read data
> For reading I found a software called ' nucleus kernel linux' from
> http://www.nucleustechnologies.com/Linux-Data-Recovery-Software.html
>
> On partition 3 I found nearly all my data files and their directories but
> were missiing /etc /bin /dev ....

There's also Parted Magic on the Ultimate Boot CD which is a
Live Linux recovery distribution:

New features in UBCD V5.x include:

* New! The Linux-based distro Parted Magic is now
included with UBCD V5.0. This should be the method of choice
when you need to resize/rescue partitions, access NTFS
filesystems or work with USB storage devices.

http://www.ultimatebootcd.com/download.html

Obviously the choice is yours which one suits your needs the
best.

Kind Regards,

Keith Roberts

-----------------------------------------------------------------
Websites:
http://www.karsites.net
http://www.php-debuggers.net
http://www.raised-from-the-dead.org.uk

All email addresses are challenge-response protected with
TMDA [http://tmda.net]
-----------------------------------------------------------------
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
Old 09-26-2011, 10:53 AM
Lamar Owen
 
Default data recovery

On Friday, September 23, 2011 04:29:39 PM Paras pradhan wrote:
> This is a SAN drive mounted. I have checked with my storage
> administrator if this has been re mapped or any similar events and he
> verified that nothing has happened...(I trust him)

May I ask what sort of SAN? Fibre Channel or iSCSI? Are there any access controls (such as EMC's Access Logix or zoning in the switch) in place to prevent multiple initiators connecting to a particular LUN?

SAN attachment mildly complicates things; I've seen some odd LUN reshuffling before, but it was an older FLARE than what I'm currently running on our Clariions and it was something that was a corner case but was fixed in a later NDU, and it had to do with Access Logix (I don't remember the Primus number right off, as it has been several years now).

If the SAN OS keeps event logs you could try to correlate with the event; beyond that you may just have to do some testing.

As you say, someone somewhere had to do a repartition; the hard part is determining where the error is. Good luck.
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
Old 09-26-2011, 12:14 PM
John Doe
 
Default data recovery

From: Paras pradhan <pradhanparas@gmail.com>

> On Fri, Sep 23, 2011 at 3:17 PM, John R Pierce <pierce@hogranch.com>
> wrote:
>> On 09/23/11 12:33 PM, m.roth@5-cent.us wrote:
>>> Paras pradhan wrote:
>>>> > *Number *Start * End * * Size * File system *Name
>>>> > * * *Flags
>>>> > * *1 * * *17.4kB *134MB * 134MB * * * * * * * Microsoft
> reserved
>>>> > *partition *msftres
>>>> > * *2 * * *135MB * 134GB * 134GB *ntfs * * * * Basic data
> partition
>>>> > * *3 * * *134GB * 1100GB *965GB * * * * * * * Basic data
> partition
>>> <snip>
>>> Looks to me as though someone started to install Windows on top of your
>>> box. This isn't partition data magically changed - best guess is
> someone
>>> started, then stopped, realizing it was the wrong box they were working
>>> on.
>> ay-yup, thats EXACTLY what it looks like. * a NEWER version of Windows
>> at that.
> You mean the newer windows will create the partition schema as we are
> seeing it now? And you think its the automatic partitioning by windows
> if somebody has the access to this?

That looks lvery much ike my Windows laptop oem partitioning scheme...
1. The hidden boot partition for a recovery install
2. The main partition (ntfs)
3. The hidden recovery data partition

JD
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
Old 09-26-2011, 03:18 PM
Paras pradhan
 
Default data recovery

Hi Lamar,

On Mon, Sep 26, 2011 at 5:53 AM, Lamar Owen <lowen@pari.edu> wrote:
> On Friday, September 23, 2011 04:29:39 PM Paras pradhan wrote:
>> This is a SAN drive mounted. I have checked with my storage
>> administrator if this has been re mapped or any similar events and he
>> verified that nothing has happened...(I trust him)
>
> May I ask what sort of SAN? *Fibre Channel or iSCSI? *Are there any access controls (such as EMC's Access Logix or zoning in the switch) in place to prevent multiple initiators connecting to a particular LUN?

Its a Hitachi OpenV fibre channel SAN (4Gbps HBA). My storage admin
checked if this LUN can be accessible by others and he found no other
hosts have access to it.

>
> SAN attachment mildly complicates things; I've seen some odd LUN reshuffling before, but it was an older FLARE than what I'm currently running on our Clariions and it was something that was a corner case but was fixed in a later NDU, and it had to do with Access Logix (I don't remember the Primus number right off, as it has been several years now).

reshuffling here means automatically changing disk's geometry as I am
having an issue? It would be interesting to know if this can happen.

>
> If the SAN OS keeps event logs you could try to correlate with the event; beyond that you may just have to do some testing.
>
> As you say, someone somewhere had to do a repartition; the hard part is determining where the error is. *Good luck.


Here are some new additional info :

My colleague mounted this LUN to a different host and we found the
same partitions over there too which is normal.

I dd a 1st device to a file and opened the image file with bvi and
found some hosts name, VG name etc etc. in there. Then he ran a
recovery tool (R studio) in all three devices and was able to recover
most of this data.
So my question is: if the LUN has been re partitioned for ex: say to
install windows , why am i seeing our data in these newly created
partitions? Is it possible to see data in a reapportioned drive?

Thanks
Paras.


> _______________________________________________
> CentOS mailing list
> CentOS@centos.org
> http://lists.centos.org/mailman/listinfo/centos
>
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
Old 09-26-2011, 03:35 PM
 
Default data recovery

Paras pradhan wrote:
<snip>
> Here are some new additional info :
>
> My colleague mounted this LUN to a different host and we found the
> same partitions over there too which is normal.
>
> I dd a 1st device to a file and opened the image file with bvi and
> found some hosts name, VG name etc etc. in there. Then he ran a
> recovery tool (R studio) in all three devices and was able to recover
> most of this data.
> So my question is: if the LUN has been re partitioned for ex: say to
> install windows , why am i seeing our data in these newly created
> partitions? Is it possible to see data in a reapportioned drive?

Partitioning doesn't overwrite the disk. I'm not familiar with R studio,
so I don't know if you're saying that whole directories reappeared, or
whether it found and relinked the files, and added them to the directory
structure.

mark

_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
Old 09-26-2011, 10:41 PM
Ross Walker
 
Default data recovery

On Sep 26, 2011, at 11:18 AM, Paras pradhan <pradhanparas@gmail.com> wrote:

> Hi Lamar,
>
> On Mon, Sep 26, 2011 at 5:53 AM, Lamar Owen <lowen@pari.edu> wrote:
>> On Friday, September 23, 2011 04:29:39 PM Paras pradhan wrote:
>>> This is a SAN drive mounted. I have checked with my storage
>>> administrator if this has been re mapped or any similar events and he
>>> verified that nothing has happened...(I trust him)
>>
>> May I ask what sort of SAN? Fibre Channel or iSCSI? Are there any access controls (such as EMC's Access Logix or zoning in the switch) in place to prevent multiple initiators connecting to a particular LUN?
>
> Its a Hitachi OpenV fibre channel SAN (4Gbps HBA). My storage admin
> checked if this LUN can be accessible by others and he found no other
> hosts have access to it.
>
>>
>> SAN attachment mildly complicates things; I've seen some odd LUN reshuffling before, but it was an older FLARE than what I'm currently running on our Clariions and it was something that was a corner case but was fixed in a later NDU, and it had to do with Access Logix (I don't remember the Primus number right off, as it has been several years now).
>
> reshuffling here means automatically changing disk's geometry as I am
> having an issue? It would be interesting to know if this can happen.
>
>>
>> If the SAN OS keeps event logs you could try to correlate with the event; beyond that you may just have to do some testing.
>>
>> As you say, someone somewhere had to do a repartition; the hard part is determining where the error is. Good luck.
>
>
> Here are some new additional info :
>
> My colleague mounted this LUN to a different host and we found the
> same partitions over there too which is normal.
>
> I dd a 1st device to a file and opened the image file with bvi and
> found some hosts name, VG name etc etc. in there. Then he ran a
> recovery tool (R studio) in all three devices and was able to recover
> most of this data.
> So my question is: if the LUN has been re partitioned for ex: say to
> install windows , why am i seeing our data in these newly created
> partitions? Is it possible to see data in a reapportioned drive?

Might it be possible you ran KVM on the host and accidentally set the guest disk to /dev/sda?

-Ross

_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
Old 09-27-2011, 03:40 PM
Lamar Owen
 
Default data recovery

On Monday, September 26, 2011 06:41:16 PM Ross Walker wrote:
> Might it be possible you ran KVM on the host and accidentally set the guest disk to /dev/sda?

/dev/sde is the OP's LUN device.
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
Old 09-27-2011, 03:44 PM
Lamar Owen
 
Default data recovery

On Monday, September 26, 2011 11:18:06 AM Paras pradhan wrote:
> On Mon, Sep 26, 2011 at 5:53 AM, Lamar Owen <lowen@pari.edu> wrote:
> > May I ask what sort of SAN?
> Its a Hitachi OpenV fibre channel SAN (4Gbps HBA). My storage admin
> checked if this LUN can be accessible by others and he found no other
> hosts have access to it.

Ok.

> > I've seen some odd LUN reshuffling before,
...
> reshuffling here means automatically changing disk's geometry as I am
> having an issue? It would be interesting to know if this can happen.

No, reshuffling as in a host gained access to LUNs in a 'phantom' manner that it should not have had access to. No longer a problem, and hasn't been for a great while. It was an odd interaction, but I forget the details.

If another host were put onto the FC with the exact same WWN onto the fabric it might be possible to see this sort of thing, too, but the WWN's are all supposed to be unique.

> Here are some new additional info :
...
> So my question is: if the LUN has been re partitioned for ex: say to
> install windows , why am i seeing our data in these newly created
> partitions? Is it possible to see data in a reapportioned drive?

Yes, it is. If the recovery tool can look at the raw device it can grab stuff that isn't in any partition, and you can look at that data. Standard forensics. Repartitioning erases nothing except the partition table.

Now, in the specific case of GPT, it is further possible to have a GPT and an MBR at the same time, and while the 'shadow' MBR is supposed to match the GPT's partitioning it doesn't have to.

If you read through the LVM2 documentation and source code you may be able to find the signature used to mark a partition as being LVM; once you do that you should be able to find the start of the partition, and re-write the partition table(s). I use the plural there since with GPT you can have the GPT and the MBR coexisting; ideally you'd want to wipe the GPT out, but in reality you may not want to.

But, being that you really don't want to write anything to this volume, you really should set up an offset, read-only, loop device; that is, find the starting sector of the partition (preferably an image of the LUN, and not the actual LUN; can the Hitachi array do LUN replication (EMC's SANcopy or Snapview or MirrorView being the rough equivalents)?). Then, once you find the starting position of the LVM physical volume:

START_OFFSET_BYTE='actual starting sector number * sector size, zero origin'
DEVLUN='LUN device, probably /dev/sde in your case'
losetup -o $START_OFFSET_BYTE --read-only /dev/loop0 $DEVLUN

Then see if you can get LVM to see this physical volume (by default loop devices are included in the scan, but you may want to verify they're not filtered in /etc/lvm/lvm.conf):
pvscan
vgscan
lvscan

You may be able to mount (-o ro of course) the LV at that point (I'm going through the LVM business because you mentioned VG names in your post).

Hope that helps.
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
Old 09-29-2011, 10:34 PM
Paras pradhan
 
Default data recovery

Lamar,

Thanks for the info.

Paras.


On Tue, Sep 27, 2011 at 10:44 AM, Lamar Owen <lowen@pari.edu> wrote:
> On Monday, September 26, 2011 11:18:06 AM Paras pradhan wrote:
>> On Mon, Sep 26, 2011 at 5:53 AM, Lamar Owen <lowen@pari.edu> wrote:
>> > May I ask what sort of SAN?
>> Its a Hitachi OpenV fibre channel SAN (4Gbps HBA). My storage admin
>> checked if this LUN can be accessible by others and he found no other
>> hosts have access to it.
>
> Ok.
>
>> > I've seen some odd LUN reshuffling before,
> ...
>> reshuffling here means automatically changing disk's geometry as I am
>> having an issue? It would be interesting to know if this can happen.
>
> No, reshuffling as in a host gained access to LUNs in a 'phantom' manner that it should not have had access to. *No longer a problem, and hasn't been for a great while. *It was an odd interaction, but I forget the details.
>
> If another host were put onto the FC with the exact same WWN onto the fabric it might be possible to see this sort of thing, too, but the WWN's are all supposed to be unique.
>
>> Here are some new additional info :
> ...
>> So my question is: if the LUN has been re partitioned for ex: say to
>> install windows , why am i seeing our data in these newly created
>> partitions? Is it possible to see data in a reapportioned drive?
>
> Yes, it is. *If the recovery tool can look at the raw device it can grab stuff that isn't in any partition, and you can look at that data. *Standard forensics. *Repartitioning erases nothing except the partition table.
>
> Now, in the specific case of GPT, it is further possible to have a GPT and an MBR at the same time, and while the 'shadow' MBR is supposed to match the GPT's partitioning it doesn't have to.
>
> If you read through the LVM2 documentation and source code you may be able to find the signature used to mark a partition as being LVM; once you do that you should be able to find the start of the partition, and re-write the partition table(s). *I use the plural there since with GPT you can have the GPT and the MBR coexisting; ideally you'd want to wipe the GPT out, but in reality you may not want to.
>
> But, being that you really don't want to write anything to this volume, you really should set up an offset, read-only, loop device; that is, find the starting sector of the partition (preferably an image of the LUN, and not the actual LUN; can the Hitachi array do LUN replication (EMC's SANcopy or Snapview or MirrorView being the rough equivalents)?). *Then, once you find the starting position of the LVM physical volume:
>
> START_OFFSET_BYTE='actual starting sector number * sector size, zero origin'
> DEVLUN='LUN device, probably /dev/sde in your case'
> losetup -o $START_OFFSET_BYTE --read-only /dev/loop0 $DEVLUN
>
> Then see if you can get LVM to see this physical volume (by default loop devices are included in the scan, but you may want to verify they're not filtered in /etc/lvm/lvm.conf):
> pvscan
> vgscan
> lvscan
>
> You may be able to mount (-o ro of course) the LV at that point (I'm going through the LVM business because you mentioned VG names in your post).
>
> Hope that helps.
> _______________________________________________
> CentOS mailing list
> CentOS@centos.org
> http://lists.centos.org/mailman/listinfo/centos
>
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 

Thread Tools




All times are GMT. The time now is 10:34 PM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright 2007 - 2008, www.linux-archive.org