I accidentally wrote a 512 bytes binary to the wrong USB disk with dd and the device doesn't show any partitions with fdisk anymore.
I thought all the data was gone, but dd if=/dev/sdx | strings shows that the data seems to be still there, since dd fortunately limited itself to the first 512 bytes. Is there any way to recover it?
The disk had two partitions: an ext4 (~4GB) one and the remaining of 16GB were formatted as NTFS.
Best Answer
It depends on what exactly was there before, but it might be easy(-ish) to recover from this.
Use
ddto create a full image of your USB drive on a safe location.Use
ddto create a full image of your USB drive on a safe location.Yes, please do keep a full image. Data recovery operations can often cause more damage than one would expect.
Try to remember what the partition layout on that USB drive was like. Write it down. It might help if you have system logs from when that disk (before being messed-up) is detected by the Linux kernel - quite often it will print-out some data about the detected partitions.
Use fdisk to recreate the MBR with the same partition table. Do not format and/or fsck any partitions.
Try to mount your partitions with the read-only (
-o ro)mountoption.If it succeeds, try to copy all files over to a safe location and watch your terminal and logs for I/O errors - the typical way for partition boundary errors to be expressed is via out-of-bound accesses on the underlying device.
If the copy fails, restore the image and go back to step 4.
Did I mention having a full image of the USB drive before doing anything else?
PS: You might also want to have a look at tools like TestDisk, that attempt to automate the recovery process. But you should still get an full image first.
PS2: If you feel comfortable enough, you could also experiment a bit. If you can make a reasonable assumption for the starting point of the first partition, then you can use
tune2fs -lto get the exact size of the first partition, which would allow you to hunt for the start of the second one.