Hello Robi, this is Robert
I'm wondering which switches to try for this kind of scenario:
EXT4 initialized or quick formatted, or gparted with a brand new (empty) EXT4 file system.
With file carving processes I get all the files back perfectly, but I'm wondering if something may be attempted to get back some subdirectories and/or file names.
The number of files is huge while the initialization process takes some seconds, so I'm pretty sure it is impossible that it has erased ALL file name details, as well as the directory names and structures.
I've tried
ext4magic /dev/sda3 -M -d /home/recover
try multi-stage recover of all files after the filesystem is
deleted with a "rm -rf *" . Write the files to "/home/recover".
(on ext4 : in this version skipped the last step.)
but instead of scanning the whole drive, it stops in a few seconds, returning only the current blank structure (it is the disk of a NAS with default "public" and "media" directories). I hope you have a switch to force it to parse or scan the whole drive.
Does it make sense? Could something be got back?
Thank you
Roberto
Also
does ext4magic have a "dry run" switch?
You know, it may happen that the disk is even bigger (3TB or 4TB), and instead of buying a new one "for no results", it would be useful to have a dry run option to evaluate the result and then decide whether to buy a "destination" storage and run a real recovery.
Thank you
Last edit: Robert Corsari 2014-11-24
The last question first: "a dry run switch".
For the recover options "-R" and "-r" there are equivalent dry options "-L" and "-l".
The Magic functions, the last step of the "-M" or "-m" options, presuppose that the implied function "-R" or "-r" has already run.
These functions are dependent on the results of all previous steps. In the best case, this stage processes only data areas which previous stages could not recover. For these options no dry option is provided. That makes no sense. Imagine you would only see the many file names from a dry run File Carving Tool ;-) You are happy with the number of files, and after the recovery, everything is only broken files and data trash.
You can write to a small recovery directory, where you delete finished files or move them while ext4magic is still running.
robi
If you initialize an ext? file system with the same options, the following is set to NULL:
- all inode blocks
- all allocated block tables
- the journal
- some data on superblock
If you use other options for the re-initializing, such as another block size, these data are newly created and possibly elsewhere in the file system, but the new superblock is now pointing to the new empty metadata.
The file names and directory structure are in data blocks. These are not destroyed during re-initialization. However, they are useless, as a connection to the data blocks can be prepared only through inodes, and all these inodes have been destroyed.
A typical file carving tool ignores any directory blocks, all inode blocks and the journal. But under specific options, it uses the allocated block tables.
A good tool can give the recovered files extensions according to the content, and for some files even the correct name can be found in the metadata within the files themselves. But it can never produce original directories or entire directory structures.
There are many file carving tools; for this reason, the Magic function of ext4magic works completely differently. ;-)
The exact function is very complex. ext4magic does not search around the whole file system, and does not look, like other file carving tools, at the non-allocated blocks. It locates in the journal the allocated block tables that were written during erasing. These are compared with the same blocks at earlier time points in the journal and/or the current tables in the file system. The difference is then compared with the blocks which have already been recovered by the preceding ext4magic steps. Only the remaining blocks are searched with carving methods for lost deleted files. The Magic function thus repeats step by step backwards for each file system sync for which journal data have been written while deleting. Therefore, the more data is written to the journal during the deletion of files, the better this function can work.
The Magic function of ext4magic thus requires, among other things, the journal data from the deletion. That is why it cannot do anything in a newly initialized file system.
It is designed for use after a large recursive deletion. And only there, and only when the journal data are not destroyed, can it function properly.
robi
Last edit: Robi 2014-11-25
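Robi's point above, that file names survive in data blocks while the inodes that linked them to file content are gone, can be checked on a disk image. The following is an added example, not part of the thread and not ext4magic code: a Python scan for blocks that parse as ext4 linear directory blocks. It assumes 4 KiB blocks and the `filetype` feature; all function names and the sample image are constructed for illustration.

```python
import struct

def parse_dir_block(block):
    """Return [(inode, file_type, name)] if block parses as an ext4 linear
    directory block (entries chained by rec_len to the block end), else None."""
    entries, off, size = [], 0, len(block)
    while off < size:
        if size - off < 8:
            return None
        inode, rec_len, name_len, ftype = struct.unpack_from("<IHBB", block, off)
        # rec_len is 4-byte aligned, holds header + name, and stays in the block
        if rec_len < 8 or rec_len % 4 or off + rec_len > size or 8 + name_len > rec_len:
            return None
        if inode:  # inode 0 marks an unused slot or the checksum tail: skip it
            name = block[off + 8:off + 8 + name_len]
            if not name or not 1 <= ftype <= 7 or b"/" in name or b"\0" in name:
                return None
            entries.append((inode, ftype, name.decode("utf-8", "replace")))
        off += rec_len
    return entries or None

def scan_for_dir_blocks(image, block_size=4096):
    """Map block number -> entries for every block that looks like a directory."""
    hits = {}
    for blk in range(len(image) // block_size):
        found = parse_dir_block(image[blk * block_size:(blk + 1) * block_size])
        if found:
            hits[blk] = found
    return hits

def _dirent(inode, ftype, name, rec_len=None):
    """Build one directory entry for the constructed sample (hypothetical helper)."""
    raw = name.encode()
    rec_len = rec_len or ((8 + len(raw) + 3) & ~3)
    return struct.pack("<IHBB", inode, rec_len, len(raw), ftype) + raw.ljust(rec_len - 8, b"\0")

def build_sample_image(block_size=4096):
    """Constructed image: zeroed metadata, file content, one surviving directory block."""
    head = _dirent(131073, 2, ".") + _dirent(2, 2, "..") + _dirent(131080, 1, "holiday.jpg")
    dir_block = head + _dirent(131081, 2, "media", block_size - len(head))
    file_data = b"\xff\xd8\xff\xe0" * (block_size // 4)
    return bytes(block_size) + file_data + dir_block + bytes(block_size)

if __name__ == "__main__":
    for blk, entries in scan_for_dir_blocks(build_sample_image()).items():
        for inode, ftype, name in entries:
            # The inode numbers survive, but the inode table they index was zeroed.
            print(f"block {blk}: inode {inode} type {ftype} name {name!r}")
```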