Linux – after fs crash and running fsck, some files were recovered but not place in lost+found

data-recoverye2fsckfscklinux

I had a I/O error on an external hard drive partition sdb4 (its usual mountpoint being /run/media/yan/data).

The partition was non responsive, couldn't be accessed and refused to unmount. I did not know what to do but unplug the disk and replug it. After that I had error on its fs, so I ran fsck:

sudo e2fsck /dev/sdb4 -y -v

It was asking for a lot of fixes (thousands) but since data is non-critical on that disk, I ran it with -y.

data contains a file system with errors, check forced.

Pass 1: Checking inodes, blocks, and sizes
Pass 2: Checking directory structure
# Fixed invalid inode numbers, incorrect filetypes, cleared links, deleted/unused inodes
Pass 3: Checking directory connectivity
# Connected unconnected directory inodes to /lost+found
Pass 4: Checking reference counts
#Fix inodes ref count, connected unattached inode to /lost+found
Pass 5: Checking group summary information
# Fix block bitmap differences, blocks count wrong for group
# Fix inode bitmap differences, directories count wrong for group, free inodes count wrong for group

data: ***** FILE SYSTEM WAS MODIFIED *****

       72955 inodes used (0.14%, out of 51200000)
        2390 non-contiguous files (3.3%)
          17 non-contiguous directories (0.0%)
             # of inodes with ind/dind/tind blocks: 0/0/0
             Extent depth histogram: 72264/636/1
   186984621 blocks used (91.30%, out of 204800000)
           0 bad blocks
          34 large files

       70447 regular files
        2453 directories
           0 character device files
           0 block device files
           0 fifos
  4294966642 links
          46 symbolic links (46 fast symbolic links)
           0 sockets
------------
   71063 files

So if I understand correctly, fsck managed to salvage 70k files, so most of the files since I had like 75-80k files on that disk. The problem is that only 20k files appear in '/run/media/yan/data/lost+found', and only 24k on the entire partition.

[yan@machine ~]$ find /run/media/yan/data/lost+found | wc -l
19786
[yan@machine ~]$ find /run/media/yan/data | wc -l
23691

I reran fsck but he tells me that the partition is clear (and has 74k files ?)

[yan@machine ~]$ sudo fsck /dev/sdb4
fsck from util-linux 2.28
e2fsck 1.42.13 (17-May-2015)
data: clean, 74200/51200000 files, 186685980/204800000 blocks[/cpp]

I also have very different disk usage according to df and du (I know there should be a difference, but here it seems too big to be normal):

[yan@machine ~]$ df -h /run/media/yan/data
Filesystem      Size  Used Avail Use% Mounted on
/dev/sdb4       769G  700G   31G  96% /run/media/yan/data

[yan@machine ~]$ du -sh /run/media/yan/data
586G    /run/media/yan/data

I'm guessing there is still recovered data that I can't access.
My questions are :

1) Is it possible for recovered files by fsck to not be place in lost+found ? In that case, where are they ?

2) Is there any way to get back those missing files ?

3) If not, how do I free this space ?

EDIT:

I tried a more recent version of e2fsck on sourcejedi's recommandation:

[yan@machine build]$ sudo ./e2fsck/e2fsck -f /dev/sdb4
e2fsck 1.43.3 (04-Sep-2016)
Pass 1: Checking inodes, blocks, and sizes
Inode 40501578 extent tree (at level 2) could be narrower.  Fix<y>? yes

Pass 1E: Optimizing extent trees
Pass 2: Checking directory structure
Pass 3: Checking directory connectivity
Pass 4: Checking reference counts
Pass 5: Checking group summary information

data: ***** FILE SYSTEM WAS MODIFIED *****
data: 74200/51200000 files (3.2% non-contiguous), 186685964/204800000 blocks

It did not do much, lost+found still has the same file count and size.

Best Answer

i also notice link count is very suspicious (nearly 2^32).

you can try more recent e2fsck, and/or report a bug. this is certainly a bug.

scanning the device/partition with photorec might restore more files, where the format is supported and they are contiguous. since your FS is quite full, many files are not contiguous. photorec does not recover file names or directories. (e.g. if they're mp3's, you can use something like picard to apply filenames from the mp3 metadata aka ID3 tags). note photorec requires free space on another filesystem, to recover all the files to.

Related Solutions

Saving data from a failing drive

You can use ddrescue or dd_rescue or myrescue to clone the failing disk, without aborting on any unreadable sector. (Myrescue is less configurable but has a better default strategy as it tries to skip over unreadable regions.) This will copy everything including blank space and won't let you set priorities. However, such a low-level approach has an advantage over filesystem-level tools: if a directory is unreadable, you might still recover the files it contains by searching the raw image with tools such as foremost, magicrescue, photorec included in testdisk, etc.

Data Recovery – Find if ext4 Block is in Inode Table and Extract from Journal

All right, so for the first question it turns out the debugfs stats command tells what the starting blocks for every section of a group are. In addition, I guessed that inumbers had to be consecutive and increasing, so basic addition of the offset into the inode table and the imap command gave me the first inumbers; it also confirmed my suspicion about the last bad sector, where my block group calculations indicated it was in the wrong group.

byte address  block      group  what                   first inumber
0x8B00020000  145752096  4448   inode table block 0    36438017
0x8B00027000  145752103  4448   inode table block 7    36438129
0x8B0002C000  145752108  4448   inode table block 12   36438209
0x8B00209000  145752585  4448   inode table block 489  36445841
0x8B0029A000  145752730  4449   inode table block 122  36448161

Since a block is 4096 bytes and each inode table entry is 256 bytes, there are 16 inodes per block. So I now have all 80 lost inode table entries by inumber.

Now let's turn to the journal. I wrote a small tool that dumps information in each block of the journal. Since the journal superblock was missing, there were two pieces of information that I needed for this that were lost:

whether the journal held 64-bit block numbers
whether the journal used version 3 checksums

Fortunately, if I forced one (or both) of these switches on, some of the descriptor blocks in the journal overflowed its block, proving that those flags were not set.

One awk script (fulllog.awk) later, I have a log of the form

0x0002A000 - descriptors
        0x0002B000 -> block 159383670
        0x0002C000 -> block 159383671
        0x0002D000 -> block 0
        0x0002E000 -> block 155189280
        0x0002F000 -> block 195559440
        0x00030000 -> block 47
        0x00031000 -> block 195559643
        0x00032000 -> block 195568036
        0x00033000 -> block 159383672
0x0002B000 - invalid/data block
0x0002C000 - invalid/data block
0x0002D000 - invalid/data block
0x0002E000 - invalid/data block
0x0002F000 - invalid/data block
0x00030000 - invalid/data block
0x00031000 - invalid/data block
0x00032000 - invalid/data block
0x00033000 - invalid/data block
0x00034000 - commit record
        commit time: 2014-12-25 16:53:13.703902604 -0500 EST

With this, another awk script (dumpallfor.awk) dumps all the blocks:

byte address  block      number of journaled blocks
0x8B00020000  145752096  6
0x8B00027000  145752103  10
0x8B0002C000  145752108  206
0x8B00209000  145752585  1
0x8B0029A000  145752730  0

So that last block is truly lost :( With any luck I can find out what files were there with debugfs's ncheck command.

So I have a bunch of blocks. And they all appear to differ! Now what?

I could go by the revocation records, but I can't seem to parse that structure meaningfully. I could go by the commit record timestamps, but before I try that, I want to see just how each inode table block differs. So I wrote another quick program (diff.go) to find that out.

For the most part, files that do differ differ only in timestamps, so we can just choose the file with the latest timestamps. We'll do that later. For all other files, we get this:

36438023 - size differs
36438139 - OSD1 (file version high dword) differs
36438209 - OSD1 differs

Hm, that's not good... The file with differing size will be a problem, and I have no idea what to do about the two OSD1 files. I also tried using debugfs's ncheck to see what the files were, but we don't have a match.

I then found out which block dumps have the latest timestamps for now (same repo, latest.go). The important thing to note is that I had the blocks scanned in chronological order by commit time. This is not necessarily the same as numerical order by block number; the journal is not always stored in chronologically increasing order.

As it turns out, however, the newest block (by commit time) is indeed the one with the latest timestamps!

Let's try these latest blocks and see if we can recover anything from them.

sudo dd if=BLOCKFILE of=DDRESCUEIMG bs=1 seek=BYTEOFFSET conv=notrunc

After that my home directory is back!

Now let's find out what those three differing files were...

Inode   Pathname
36438023    /pietro/.cache/gdm/session.log
36438209    /pietro/.config/liferea
36438139    /pietro/.local/share/zeitgeist/fts.index

The only important thing there is Liferea's configuration directory, but I don't think that was corrupted; it was one of the OSD1-differing ones.

And let's find out about those 16 inodes in the final block, the one that we could not recover:

Inode   Pathname
36448176    /pietro/k2
36448175    /pietro/Downloads/sOMe4P7.jpg
36448174    /pietro/Downloads/picture.png
36448164    /pietro/Downloads/tumblr_nfjvg292T21s4pk45o1_1280.png
36448169    /pietro/Downloads/METROID Super Zeromission v.2.3+HARD_v2.4.zip
36448165    /pietro/Downloads/tumblr_mrfex1kuxa1sbx6kgo1_500.jpg
36448173    /pietro/Downloads/1*-vuzP4JAoPf9S6ZdHNR_Jg.jpeg
36448162    /pietro/.cache/upstart/gnome-settings-daemon.log.6.gz
36448163    /pietro/.cache/upstart/dbus.log.7.gz
36448171    /pietro/.cache/upstart/gnome-settings-daemon.log.3.gz
36448161    /pietro/.local/share/applications/Knytt Underground.desktop
36448166    /pietro/Documents/Screenshots/Screenshot from 2014-12-03 15:47:29.png
36448170    /pietro/Documents/Screenshots/Screenshot from 2014-12-03 16:51:26.png
36448172    /pietro/Documents/Screenshots/Screenshot from 2014-12-03 19:08:54.png
36448168    /pietro/Documents/transactions/premiere to operating transaction 4305747926.pdf
36448167    /pietro/Documents/transactions/transaction 4315883542.pdf

In short:

a text file with only one or two things in that I could get back by brute force since I know that it has a date stamp and something that's also in my chat logs
some images downloaded from the internet; if I can't get the URLs back from Firefox's history then I can use photorec
a ROM hack that I can easily get on the Internet again =P
log files; no loss here
the .desktop file for a Steam game
screenshots; I can get these back with photorec assuming gnome-screenshot added the datestamp as metadata
bank account transaction records; if I can't get them from the bank I could probably use them with photorec

So not casualtyless but not a total loss, and I learned more about ext4 in the process. Thanks anyway!

UPDATE

Might as well put this out there:

NOT YET     /pietro/k2
FOUND       /pietro/Downloads/sOMe4P7.jpg
NOT YET     /pietro/Downloads/picture.png
FOUND       /pietro/Downloads/tumblr_nfjvg292T21s4pk45o1_1280.png
GOOGLEIT    /pietro/Downloads/METROID Super Zeromission v.2.3+HARD_v2.4.zip
FOUND       /pietro/Downloads/tumblr_mrfex1kuxa1sbx6kgo1_500.jpg
FOUND       /pietro/Downloads/1*-vuzP4JAoPf9S6ZdHNR_Jg.jpeg
UNNEEDED    /pietro/.cache/upstart/gnome-settings-daemon.log.6.gz
UNNEEDED    /pietro/.cache/upstart/dbus.log.7.gz
UNNEEDED    /pietro/.cache/upstart/gnome-settings-daemon.log.3.gz
UNNEEDED    /pietro/.local/share/applications/Knytt Underground.desktop
NOT YET     /pietro/Documents/Screenshots/Screenshot from 2014-12-03 15:47:29.png
NOT YET     /pietro/Documents/Screenshots/Screenshot from 2014-12-03 16:51:26.png
NOT YET     /pietro/Documents/Screenshots/Screenshot from 2014-12-03 19:08:54.png
NOT YET     /pietro/Documents/transactions/premiere to operating transaction 4305747926.pdf
NOT YET     /pietro/Documents/transactions/transaction 4315883542.pdf

And in case I'm not weird enough, the downloaded pictures were:

sOMe4P7.jpg (a parody of the Law & Order title card with "& KNUCKLES" added to it)
tumblr_nfjvg292T21s4pk45o1_1280.png (screenshot of this tweet from J. K. Rowling)
tumblr_mrfex1kuxa1sbx6kgo1_500.jpg (picture of a "Windows did not shut down successfully." error message on a billboard at what appears to be some sporting event)
1*-vuzP4JAoPf9S6ZdHNR_Jg.jpeg (this comic)

These were all shared by friends in chats.

I guess I'll keep this updated? (Not like it would make a difference...) I know I can recover everything; the only question is when =P

Best Answer

Related Solutions

Saving data from a failing drive

Data Recovery – Find if ext4 Block is in Inode Table and Extract from Journal

Related Question