[SWLUG] RAID Array data recovery

Justin Mitchell justin at discordia.org.uk
Fri Sep 25 09:47:26 UTC 2009


On Thu, 2009-09-24 at 23:12 +0100, Matthew Moore wrote:
> justin wrote:
> > On Thu, 2009-09-24 at 21:55 +0100, Matthew Moore wrote:
> >> justin wrote:
> >>> On Thu, 2009-09-24 at 21:30 +0100, Matthew Moore wrote:
> 
> >>>
> >> root at hugh:/home/matt# fdisk -l /dev/md0
> >>
> >> Disk /dev/md0: 1000.2 GB, 1000215543808 bytes
> >> 255 heads, 63 sectors/track, 121602 cylinders
> >> Units = cylinders of 16065 * 512 = 8225280 bytes
> >>
> >>     Device Boot      Start         End      Blocks   Id  System
> >> /dev/md0p1               1       60801   488384001   fd  Linux raid autodetect
> >>
> >> Which is odd, as it ought to be a ext3 partition.  Is it possible to
> >> recover the ext3 partition that is on there?
> > try fsck and/or mounting the device it says there, see if that's where
> > your ext3 partition has gone.
> > 
> > the partition type label shouldn't affect the commands.
> 
> fsck, e2fsck -b 32768 and mount run on /dev/md0p1 all return the same
> superblock error as before.
> 
> > if all else fails and you can't find a valid filesystem then there are
> > some free forensics tools around that will search a raw block device for
> > the tell-tale signatures of certain file types and try to recover them
> 
> Ok, I'll take a look.
> 
> Do you think the dd approach I outlined would work tho?


> If not on to plan B!  I can afford to buy a new 1tb hdd tomorrow if I
> have to (would rather not, but if it can't be avoided).  I was then
> thinking it would be possible to recover everything using dd.
> 
> My plan is:
> 
> Use dd to copy /dev/md0 to the 1tb hdd
> Mount the img of /dev/md0
> Backup the important data on /dev/md0 to my PC
> Recreate the RAID 5 array from scratch (re-format and re-create)
> Copy the img of /dev/md0 back to the newly created RAID array
> Mount the RAID array and all my data is back where it needs to be?
> 
> Would that work?

no. the filesystem is corrupt, the disks are fine (at least you've yet to show any disk errors)

the dd would just copy the corrupt filesystem to another disk
you still wouldn't be able to mount or fsck it.


it seems that you have managed to corrupt the filesystem, either through
errors in the initial shutdown, or due to mistaken attempts to fix
things.

i suspect your best hope now is some recovery tools on the md0 device,
don't try on the raw devices, the raid5 mechanism means there's no real
usable data there.

a few suggestions to try:

http://www.data-recovery-software.net/Linux_Recovery.shtml
http://www.linux-forensics.com/
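
Added example, not part of the original message and not taken from any of the tools linked above: a read-only signature scan of the kind described in the thread, applied to the ext2/3 superblock itself, to find where on the assembled array (or an image of it) a filesystem actually begins when fsck cannot find a superblock on /dev/md0p1. The function names and the sample image are constructed for illustration; the field offsets are those of the on-disk ext2/3 superblock, and `chunk` is assumed to be a multiple of 512.

```python
import io
import struct
from collections import Counter

MAGIC = 0xEF53  # ext2/3/4 s_magic: little-endian u16 at byte 56 of the superblock

def parse_sb(buf, off):
    """Return fields if buf[off:] passes ext superblock sanity checks, else None."""
    if len(buf) - off < 92 or struct.unpack_from("<H", buf, off + 56)[0] != MAGIC:
        return None
    inodes, blocks = struct.unpack_from("<II", buf, off)          # s_inodes_count, s_blocks_count
    first_blk, log_bs = struct.unpack_from("<II", buf, off + 20)  # s_first_data_block, s_log_block_size
    per_group, = struct.unpack_from("<I", buf, off + 32)          # s_blocks_per_group
    group, = struct.unpack_from("<H", buf, off + 90)              # s_block_group_nr of this copy
    bs = 1024 << min(log_bs, 6)
    # Reject data that merely contains the magic; s_first_data_block is 1 only for 1 KiB blocks.
    ok = log_bs <= 6 and inodes and blocks and 0 < per_group <= 8 * bs
    if not ok or first_blk != (1 if bs == 1024 else 0):
        return None
    # Primary copy: 1024 bytes into the filesystem. Backup: first block of its group.
    rel = 1024 if group == 0 else (group * per_group + first_blk) * bs
    return {"group": group, "block_size": bs, "rel": rel}

def scan(dev, chunk=1 << 20):
    """Read dev (binary, read-only) sequentially, testing every 512-byte boundary."""
    hits, base = [], 0
    while buf := dev.read(chunk):
        for off in range(0, len(buf), 512):
            sb = parse_sb(buf, off)
            if sb and base + off >= sb["rel"]:
                hits.append({**sb, "offset": base + off, "fs_start": base + off - sb["rel"]})
        base += len(buf)
    return hits

def likely_start(hits):
    """Filesystem start offset that the most superblock copies agree on, or None."""
    votes = Counter(h["fs_start"] for h in hits)
    return votes.most_common(1)[0][0] if votes else None

def sample_image(fs_start=63 * 512, per_group=256):
    """Constructed image: 4 KiB-block filesystem at sector 63, copies in groups 0 and 1."""
    img = bytearray(fs_start + 2 * per_group * 4096)
    for group, rel in ((0, 1024), (1, per_group * 4096)):
        p = fs_start + rel
        struct.pack_into("<9I", img, p, 1000, 512, 0, 0, 0, 0, 2, 2, per_group)
        struct.pack_into("<H", img, p + 56, MAGIC)
        struct.pack_into("<H", img, p + 90, group)
    struct.pack_into("<H", img, 4096 + 56, MAGIC)  # decoy: magic bytes with no valid fields
    return io.BytesIO(img)
```

On a real array the input would be `open("/dev/md0", "rb")`; several copies agreeing on one `fs_start` is the signal worth trusting, since a lone hit can be stale data or a coincidence.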




