[sleuthkit-users] Which blocks my very partly zeroed out, recoverable luks volume file occupies?
From: <mir...@zg...> - 2015-04-02 08:23:15
As you can read here: Recover partly overwritten luks volume? https://forums.gentoo.org/viewtopic-t-1004014.html#7724054 , and around, I have been trying to get help from the Sleuthkit Forum/Users/Other for days. Never mind that. But what I next need to do, and if anybody can suggest where to educate myself about it, is along the lines of what I wrote in the last post in that topic of the Gentoo Forums.

But, in brief, I'll give a summary of the stage I am at right now. It is, however, too complex for me to explain sufficiently well in this summary, so please look it up in the topic linked above, and accept my apologies for not having been able to provide clearer and less redundant explanations there (but those explanations are, on the bright side, rather complete as to what I managed to understand and do so far). All the following are pastes from there.

I had had (not a typo: past perfect tense) a luks-volume in a file:

-rw-r--r-- 1 root root 465567744000 2014-09-11 23:07 H_E09.vol

I had backed it up in time:

# cryptsetup luksHeaderBackup H_E09.vol --header-backup-file H_E09.bak

But I overwrote it (past tense, so after the above two events):

uabox c1 # dd if=/dev/zero bs=4k count=1110000000 of=H_E09.vol &

for only seconds though! Probably a matter of maximum a few GB (of the 430GB) were zeroed.

I managed to open it:

uabox ~ # cryptsetup --verbose --header /mnt/sdk1/H_E09.bak open /dev/loop0 H_E09
Enter passphrase for /mnt/sdk1/H_E09.vol:
Key slot 0 unlocked.
Command successful.
uabox ~ #

And it may be best at this point to find that exact text in this post: https://forums.gentoo.org/viewtopic-t-1004014.html#7723732 , read a little about how the superblock would be written with the

mke2fs -t ext4 -n -b /dev/mapper/H_E09

or

mke2fs -t ext4 -n -b -4096 /dev/mapper/H_E09

command, and maybe (sic! only maybe, for regular users like me; but probably if some of the experts are reading this) even skip a few posts up to this one: https://forums.gentoo.org/viewtopic-t-1004014-start-25.html#7724538 where I summarize (pasting over from there):

[I need to learn]
> how do you get which exact blocks a particular file is
> occupying on a device.
>
> Why? Because I want to be able to revert to the current status defined
> by the MD5 sum of the device taken.
>
> How? By dumping, with dd dump seek... , just that which some of my
> command will change in the next steps after this stage, so that if I go
> wrong, I can recover, with dd dump skip ..., exactly those blocks only,
> and check the MD5, and know that I am back at this exact stage at which
> I am right now while I am writing this.
>
> ...
>
> It occurs to me, a strong suspicion, right now. What if, that command,
> and I'll post it 3+1st or 4+1st time now...
> What if this:
>
> uabox ~ # mke2fs -t ext4 -n -b /dev/mapper/H_E09
> mke2fs: invalid block size - /dev/mapper/H_E09
> uabox ~ #
>
> that command wanted to write a new superblock, and not recover the
> existing one?

.. I'll be thankful to any kind people for their advice on this issue. Please allow time for my actions to follow your advice. I've got the entire case archived currently, as I needed the resources, so I first need to retrace my steps, and I am generally rather slow in these difficult stunts for the 60-year-old late adopter that I am.

-- 
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
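Added example, not from Miroslav's post or any Sleuthkit code: the routine he describes (dump exactly the blocks a command is about to change with dd skip=, record their MD5, put them back with dd seek=, and check the MD5 to confirm the image is back at the same stage), rehearsed on a small constructed image instead of H_E09.vol. It also counts how many leading 4k blocks an interrupted dd if=/dev/zero wiped. The temp-file names, the 16-block image size, the 3 zeroed blocks and the region 4-7 are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post). A small constructed image stands in
# for H_E09.vol; block size is the 4k from the post, other values are assumptions.
set -e
BS=4096
NBLOCKS=16
IMG="${TMPDIR:-/tmp}/demo_vol.img"      # constructed stand-in for the volume file
SNAP="${TMPDIR:-/tmp}/demo_vol.blocks"  # where the saved blocks go

# Random-filled image, then zero the first 3 blocks to imitate a
# 'dd if=/dev/zero ... of=H_E09.vol' that was killed after a moment.
make_image() {
    dd if=/dev/urandom of="$IMG" bs="$BS" count="$NBLOCKS" 2>/dev/null
    dd if=/dev/zero of="$IMG" bs="$BS" count=3 conv=notrunc 2>/dev/null
}

# Count leading all-zero blocks: how far did the overwrite get?
zeroed_prefix_blocks() {
    i=0
    while [ "$i" -lt "$NBLOCKS" ]; do
        nz=$(dd if="$IMG" bs="$BS" skip="$i" count=1 2>/dev/null | tr -d '\000' | wc -c | tr -d ' ')
        [ "$nz" -eq 0 ] || break
        i=$((i + 1))
    done
    echo "$i"
}
# MD5 of blocks [$1, $1+$2) read straight from the image; this is the
# "know that I am back at this exact stage" check.
region_md5() {
    dd if="$IMG" bs="$BS" skip="$1" count="$2" 2>/dev/null | md5sum | awk '{print $1}'
}

# dd skip= copies the region out; dd seek= conv=notrunc writes it back in place.
save_blocks()    { dd if="$IMG" of="$SNAP" bs="$BS" skip="$1" count="$2" 2>/dev/null; }
restore_blocks() { dd if="$SNAP" of="$IMG" bs="$BS" seek="$1" count="$2" conv=notrunc 2>/dev/null; }
# Rehearsal on blocks 4-7: record hash, save, make a "mistake", restore, re-check.
rehearse() {
    before=$(region_md5 4 4)
    save_blocks 4 4
    dd if=/dev/zero of="$IMG" bs="$BS" seek=5 count=1 conv=notrunc 2>/dev/null
    [ "$(region_md5 4 4)" != "$before" ] || { echo "mistake had no effect"; return 1; }
    restore_blocks 4 4
    [ "$(region_md5 4 4)" = "$before" ] && echo restored || echo MISMATCH
}

make_image
echo "leading zeroed blocks: $(zeroed_prefix_blocks)"
rehearse
rm -f "$IMG" "$SNAP"
```

On the real volume file the same skip=/seek= arithmetic applies with bs=4k, once the block range a command will touch is known.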