[Wylug-help] Disaster recovery: dd syntax

Dave Fisher wylug-help at davefisher.co.uk
Sun Feb 25 12:47:39 GMT 2007 

On Sun, Feb 25, 2007 at 11:42:01AM +0000, shaun laughey wrote:
> Perhaps testdisk will be more your cup of tea. I just tested it on a vmware 
> victim and it seemed to see the extended partitions properly following a 
> quick fdisk.
> 
> http://www.cgsecurity.org/wiki/TestDisk
> http://wiki.linuxquestions.org/wiki/MBR_and_partition_recovery
> 
> Use this and the output from /proc/partitions if you haven't rebooted yet to 
> check the partitions it finds because it may find the new ones too.

Thanks, I'll give that a go, but in the meantime I'd like to pose a
question that I was just about to post.

I have finite storage space, spread across several network-accessible
disks.  

So I was thinking that if I could ID the partitions from
/proc/partitions I could dd each of the partitions separately, rather than
one gigantic glob of the entire hard drive.

cat /proc/partitons shows this:

  major minor  #blocks  name
    
      3 0   78125000 hda
      3 5     377496 hda5
      3 6   42339276 hda6
      8 0  195360984 sda
      8 1  195358401 sda1
    254 0      56196 dm-0
    254 1   31664115 dm-1
    254 2    3670852 dm-2
    254 3     377496 dm-3
    254 4   42339276 dm-4
    254 5  195358401 dm-5

Assuming that I've got roughly 1MB blocks, dm-0 to dm-5 seem to match
the attached disk and partition sizes:

    dm-0 = hda1
    dm-1 = hda2
    dm-2 = hda5
    dm-3 = hda6
    dm-4 = hda4
    dm-5 = sda1 (the attached USB drive)

If so, I was thinking that I might be able to dd the requisite number of blocks
from the appropriate offset to get an image of each partition.

Unfortunately, I'm a bit stuck on the dd syntax:

  1. How do I specify dm-4 (for example) as an input file (if=) for dd?
     It's clearly not /dev/dm-4 ... but could it be, if I used mknod?

  2. Do I need to know the actual block sizes, or would simply knowing the
     number of them on each partition be sufficient?

Oh, and to answer your other question: no, I haven't rebooted.  I won't be
doing that (on purpose) until I've got some sort of solution.

Dave

More information about the Wylug-help mailing list