Re: [sleuthkit-users] Which blocks my very partly zeroed out, recoverable luks volume file occupies
From: Atila <ati...@dp...> - 2015-04-02 19:07:37
Please don't use mke2fs!!! That's for creating a new fs!

Since you can mount the luks vol, I guess you are at a point where you have an unencrypted ext4 fs with the first 5% (or other number) overwritten. Is this correct? If so, a 'hexdump -C' of the middle of your unencrypted disk may have readable text.

Did you try that suggestion of using mount with sb=...?

I didn't understand the MD5 part. You have the MD5 of the luks header? How is this helpful?

On 02-04-2015 05:22, mir...@zg... wrote:
> As you can read here:
> Recover partly overwritten luks volume?
> https://forums.gentoo.org/viewtopic-t-1004014.html#7724054
> , and around, I have been trying to get help from
> the Sleuthkit Forum/Users/Other for days.
>
> Never mind that. But what I next need to do and if anybody can suggest
> where to educate myself about it, is, on the lines of what I wrote in
> the last post in that topic of Gentoo Forums.
>
> But, in brief, I'll give a summary of the stage I am at right now. It is
> however too complex for me to sufficiently well explain it in this
> summary, so, pls look it up in the topic linked above, and accept my
> apologies for not having been able to provide clearer and not so
> redundant explanations there (but those explanations are, on the bright
> side, rather complete as to what I managed to understand and do so far).
>
> All the following are pastes from there.
>
> I had had (not a typo: past perfect tense) a luks-volume in a file:
>
> -rw-r--r-- 1 root root 465567744000 2014-09-11 23:07 H_E09.vol
>
> I had backed it up in time:
>
> # cryptsetup luksHeaderBackup H_E09.vol --header-backup-file H_E09.bak
>
> But I overwrote it (past tense, so after the above two events):
>
> uabox c1 # dd if=/dev/zero bs=4k count=1110000000 of=H_E09.vol &
>
> for only seconds though! Probably a matter of maximum a few GB (of the
> 430GB) were zeroed.
>
> I managed to open it:
>
> uabox ~ # cryptsetup --verbose --header /mnt/sdk1/H_E09.bak open /dev/loop0 H_E09
> Enter passphrase for /mnt/sdk1/H_E09.vol:
> Key slot 0 unlocked.
> Command successful.
> uabox ~ #
>
> And it may be best at this point, to find that exact text in this post:
>
> https://forums.gentoo.org/viewtopic-t-1004014.html#7723732
>
> read a little about how the superblock would be written with the
>
> mke2fs -t ext4 -n -b /dev/mapper/H_E09
>
> or
>
> mke2fs -t ext4 -n -b -4096 /dev/mapper/H_E09
>
> command, and, maybe (sic! only maybe, for regular users like me; but
> probably if some of the experts are reading this) even skip a few posts
> up to this one:
>
> https://forums.gentoo.org/viewtopic-t-1004014-start-25.html#7724538
>
> where I summarize (pasting over from there):
>
> [I need to learn]
>> how do you get which exact blocks a particular file is
>> occupying on a device.
>>
>> Why? Because I want to be able to revert to the current status defined
>> by the MD5 sum of the device taken.
>>
>> How? By dumping, with dd dump seek... , just that which some of my
>> command will change in the next steps after this stage, so that if I go
>> wrong, I can recover, with dd dump skip ..., exactly those blocks only,
>> and check the MD5, and know that I am back at this exact stage at which
>> I am right now while I am writing this.
>>
>> ...
>>
>> It occurs to me, a strong suspicion, right now. What if, that command,
>> and I'll post it 3+1st or 4+1st time now...
>> What if this:
>>
>> uabox ~ # mke2fs -t ext4 -n -b /dev/mapper/H_E09
>> mke2fs: invalid block size - /dev/mapper/H_E09
>> uabox ~ #
>>
>> that command wanted to write a new superblock, and not recover the
>> existing one? ..
>
> I'll be thankful to any kind people for their advice on this issue.
>
> Pls. allow time for my actions to follow your advice. I've got the
> entire case archived currently, as I needed the resources, so I first
> need to retrace my steps, and I am generally rather slow in these
> difficult stunts for a 60 yrs old late adopter that I am.
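
Added example (not part of the original thread, and not Sleuth Kit code): a read-only Python scan of the unlocked mapping for ext2/3/4 backup superblocks that survived the zeroing, which gives the number to pass to the `mount -o sb=` suggestion above. The field offsets are those of the ext4 on-disk superblock; the function names and the sample image are constructed for illustration.

```python
import io
import struct

EXT_MAGIC = 0xEF53   # s_magic: little-endian u16 at offset 0x38
SB_SIZE = 1024       # size of one superblock copy; also the scan alignment

def parse_superblock(buf, offset):
    """Return a candidate dict if buf is a plausible superblock at `offset`, else None."""
    if len(buf) < SB_SIZE or struct.unpack_from("<H", buf, 0x38)[0] != EXT_MAGIC:
        return None
    first_data_block, log_bs = struct.unpack_from("<II", buf, 0x14)
    blocks_per_group = struct.unpack_from("<I", buf, 0x20)[0]
    group = struct.unpack_from("<H", buf, 0x5A)[0]        # s_block_group_nr
    if log_bs > 6 or blocks_per_group == 0:
        return None
    block_size = 1024 << log_bs
    # The primary copy sits at byte 1024; a backup starts its group's first block.
    backup_at = (group * blocks_per_group + first_data_block) * block_size
    if offset != (1024 if group == 0 else backup_at):
        return None      # magic inside file data, not a superblock in its place
    return {"offset": offset, "group": group, "block_size": block_size,
            "mount_sb": offset // 1024,         # mount -o sb= counts 1 KiB units
            "fs_block": offset // block_size}   # e2fsck -b counts fs blocks

def find_superblocks(stream, chunk_size=1 << 20):
    """Scan a binary stream at 1 KiB alignment; return every candidate found."""
    found, base = [], 0
    while chunk := stream.read(chunk_size):
        for rel in range(0, len(chunk) - SB_SIZE + 1, SB_SIZE):
            hit = parse_superblock(chunk[rel:rel + SB_SIZE], base + rel)
            if hit:
                found.append(hit)
        base += len(chunk)
    return found

def constructed_image():
    """Constructed sample: 64 KiB volume, 4 KiB blocks, 8 blocks per group, all
    zero (primary superblock gone) except an intact backup copy in group 1."""
    sb = bytearray(SB_SIZE)
    struct.pack_into("<II", sb, 0x14, 0, 2)     # first_data_block=0, log_bs=2
    struct.pack_into("<I", sb, 0x20, 8)         # blocks_per_group
    struct.pack_into("<H", sb, 0x38, EXT_MAGIC)
    struct.pack_into("<H", sb, 0x5A, 1)         # copy belongs to group 1
    img = bytearray(64 * 1024)
    img[32768:32768 + SB_SIZE] = sb
    return io.BytesIO(bytes(img))

if __name__ == "__main__":
    print(find_superblocks(constructed_image()))
```

On the real volume, pass the mapping opened with `open(path, "rb")` so nothing is written; each hit's `mount_sb` is already in the 1 KiB units that `sb=` expects.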