Recovering ext4 partition after dd’ing over start of HD

data-recoverydiskext4filesystemspartition

I accidentally used dd and wrote over the first 208MB of my external disk. What I wrote over is a partition on its own (Debian nestinstaller) so what I see now is not my old (now damaged) ext4 partition but another smaller partition. This limits the tools and advices I could follow.

My plan was to recreate the partition table with testdisk and then fix everything with the backup superblocks as described here. I'd lose the first 208MB but that's ok compared to the other 300GB of data in there. Something like the following:

mke2fs -n /dev/sdb1   # doesn't work because sdb1 is the 208MB new partition
testdisk ...          # used this to create new correct partition table
mke2fs -n /dev/sdb1   # now works fine, get backup superblock positions
e2fsck -b backup_position -y /dev/sdb1 # returns many errors hence the -y

However, I have been unable to recover anything. I used testdisk to write a new partition table that matched what I had before. When I then run e2fsck I get many different errors. I get a filesystem after that but it's completely empty, no files.

The lost+found directory is full of files (recovered ones I think) but I need to recover the directory tree, not just the files. I need the filename and previous directories to know what the files are (microscope images, mass spec data, etc.. Without the names and the directories where they were, they mean nothing).

I got another HD exactly the same and made a copy of the whole HD with dd so I can experiment recovery without losing anything. Any advice?

Best Answer

I finally managed to fix this. Just for the record here's how I did it. Part of the solution I found here and it involves knowing the settings used to create the filesystem (I was pretty sure I didn't change the defaults).

Basically I first had to fix the partition table to reflect what I actually had there (I used testdisk for this but parted, cfdisk or fdisk should work fine as well). I just removed the wrong partitions and replaced by a single ext4 type partition covering the whole disk with the correct CHS values.

The rest is mostly from the link at start (read it for details) but basically I ran mke2fs -n /dev/xxx to find the positions for the superblocks backup. Then used the last backup closest to the end of the disk (only the ones at the start of the disk had been overwritten with dd) to run fsck. This generated a lot of errors but fsck has a -y option (not the same as -a).

$ sudo e2fsck -a -b backup_block_number /dev/xxx

I thought this had not worked because I couldn't see any files but actually they had all been saved to the lost+found directory.

So in the end I did salvage most of my files while keeping their filenames and directory structure. Hope this may help others in the future.

Best Answer

Related Solutions

Data Recovery – Recovering Ext4 Superblocks

Difference between backup superblocks

Related Question