Re: [sleuthkit-users] EXT2 superblock
From: Brian C. <ca...@sl...> - 2004-10-04 00:43:58
Lisa,

You are confusing the disk master boot record (partition table) with the file system superblock. The MBR is located in the first sector of the _disk_. The superblock is located 1,024 bytes from the start of the _partition_. The first partition typically starts in sector 63 of the disk.

So, the below commands changed the partition table of your disk. If you rebooted, then the OS is going to use that partition table for your disk, which may cause the OS to no longer associate a device with an actual file system.

So, at this point a tool like testdisk or gpart will be your best friends, but you said that testdisk did not find it. Can you try 'gpart'?

brian

On Oct 3, 2004, at 7:01 PM, Lisa Muir wrote:

> Brian, LT,
>
> Thank you. fsck and e2fsck don't work with any of the values you
> suggest. They both spit out the "bad superblock" error.
>
> I tried mounting under windows using an ext2 driver with no luck.
>
> Testdisk didn't find the partitions either. I'm thinking this disk
> might have physical damage.
>
> I copied the superblock data using dd
>
> # dd count=1 bs=4k if/dev/hda of=/dev/sda
>
> Now, while this isn't the exact layout of the superblock here's what
> I did:
>
> # od -x -N 64 /dev/sda +0x1000
>
> 0000000 1234 0234 0000 0000 0000 4000 0000 000a
> 0000020 0001 8000 1000 0000 2f6c 7633 0000 6c76
> 0000040 3300 0000 000a 0003 0100 0000 2f28 0383
> 0000060 0000 0001 0000 0200 0000 2000 0000 0000
> 0000100
>
> The very left column is exactly how it looked on my machine.
> Then I ran the next command, to look at the next superblock copy:
>
> # od -x -N 64 /dev/lv02 +0x1f000
>
> 0000000 1234 0234 0000 0000 0000 4000 0000 000a
> 0000020 0001 8000 1000 0000 2f6c 7633 0000 6c76
> 0000040 3300 0000 000a 0003 0100 0000 2f28 0383
> 0000060 0000 0001 0000 0200 0000 2000 0000 0000
> 0000100
>
> In other words, the copy was identical to the original. SO.....no
> point in copying that. SO.....I ran:
>
> # od -x -N 64 /dev/hda 0x1000
>
> 0000000 4efb 3sc6 0000 0000 0000 4000 0000 000a
> 0000020 0001 8000 1000 0000 2f6c 7633 0000 6c76
> 0000040 3300 0000 000a 0003 0100 0000 2f28 0383
> 0000060 0000 0001 0000 0200 0000 2000 0000 0000
> 0000100
>
> Again not exactly what was on my machine, but the point is the top
> row, second column and third column entries were different but
> everything else stayed the same even the columns on the left. Only
> those two entries were different. Soo....
>
> # dd count=1 bs=4k if/dev/hda of=/dev/sda
>
> (my thinking here was, well, hda boots just fine, so its superblock
> must be intact....and it's ext2...)
>
> and then running
>
> # od -x -N 64 /dev/sda +0x1000
>
> 0000000 4efb 3sc6 0000 0000 0000 4000 0000 000a
> 0000020 0001 8000 1000 0000 2f6c 7633 0000 6c76
> 0000040 3300 0000 000a 0003 0100 0000 2f28 0383
> 0000060 0000 0001 0000 0200 0000 2000 0000 0000
> 0000100
>
> So a successful change in the superblock...... Tried mounting
> /dev/sda1 but got no joy
>
> after running fdisk -l it told me the USB drive now contained the
> partitions that my main drive had, which of course it doesn't (but
> Brian, you say this doesn't matter).
>
> Now, I definitely need to read up on this. Most of the above was semi
> blindly following a help file I found via google. The main reason I'm
> sticking with this is that I'm curious if someone deliberately
> corrupted the superblock where one would go from there.
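
The layout described in the reply above, as an added example that is not part of the original thread: it parses the partition table in sector 0 of a disk image, checks for the ext2 magic 1,024 bytes into a partition start, and scans every sector for that magic when the table cannot be trusted. The function names and the in-memory sample disk are constructed for illustration; the scan shows the general signature-search idea, not the code of any particular recovery tool.

```python
import struct

SECTOR = 512
SB_OFFSET = 1024      # superblock sits 1,024 bytes into the *partition*
EXT2_MAGIC = 0xEF53   # s_magic: little-endian u16 at byte 56 of the superblock

def mbr_partitions(image):
    """Parse the partition table in sector 0 of the *disk*: [(slot, type, start_lba, sectors)]."""
    if len(image) < SECTOR or image[510:512] != b"\x55\xaa":
        return []     # no boot signature, so no usable table
    parts = []
    for slot in range(4):
        base = 446 + 16 * slot
        ptype = image[base + 4]
        start, count = struct.unpack_from("<II", image, base + 8)
        if ptype and count:
            parts.append((slot + 1, ptype, start, count))
    return parts

def has_ext2_superblock(image, start_lba):
    """True if a partition starting at start_lba would carry the ext2 magic."""
    off = start_lba * SECTOR + SB_OFFSET + 56
    return off + 2 <= len(image) and struct.unpack_from("<H", image, off)[0] == EXT2_MAGIC

def scan_for_superblocks(image):
    """Ignore the table and test every sector as a possible partition start.
    Backup superblock copies can also match; a real tool checks more fields."""
    return [lba for lba in range(len(image) // SECTOR) if has_ext2_superblock(image, lba)]

def build_image(start_lba, sectors=80):
    """Constructed sample disk: one type-0x83 entry plus the magic where it belongs."""
    img = bytearray(sectors * SECTOR)
    struct.pack_into("<B3xB3xII", img, 446, 0, 0x83, start_lba, sectors - start_lba)
    img[510:512] = b"\x55\xaa"
    struct.pack_into("<H", img, start_lba * SECTOR + SB_OFFSET + 56, EXT2_MAGIC)
    return bytes(img)

if __name__ == "__main__":
    victim, donor = build_image(63), build_image(32)
    damaged = donor[:4096] + victim[4096:]   # first 4 KiB replaced, as dd bs=4k count=1 does
    for slot, ptype, start, count in mbr_partitions(damaged):
        print(f"table says partition {slot} starts at LBA {start}: "
              f"superblock there? {has_ext2_superblock(damaged, start)}")
    print("sectors where a superblock is actually found:", scan_for_superblocks(damaged))
```

Run against a read-only image of the affected disk rather than the device itself, so the evidence is not altered further.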