LinuxSmiley n00b
Joined: 13 May 2004 Posts: 36
Posted: Thu Jun 22, 2006 2:13 pm Post subject: ext3 - recovering garbaged directory structure

Hello everybody,
due to some odd hard disk failure and (I suppose) a mistake of e2fsck my server lost some of its directories:
Code:
    server kaputt # debugfs hda3.dd
    debugfs 1.38 (30-Jun-2005)
    debugfs: cd var
    debugfs: cd spool
    debugfs: ls -l
    8244503 40755 (2) 0 0 4096 4-May-2006 12:31 .
    8241153 40755 (2) 0 0 4096 8-Apr-2006 07:01 ..
    8244504 100644 (1) 0 0 0 14-Feb-2006 01:03 .keep
    8323165 40755 (2) 16 0 4096 4-May-2006 12:31 cron
    8324257 40775 (2) 0 12 4096 8-Apr-2006 02:00 mail
    0 0 (2) 0 0 0 imap <------------------------
    0 0 (2) 0 0 0 postfix
    0 0 (2) 0 0 0 at
    debugfs: quit
As you can see the directory entry of /var/spool/imap is pointing to inode 0 which is normally the case if the file had been deleted. But in my case the problem was a corrupted filesystem/harddisk and a run of e2fsck - there are some other directories "deleted", too.
I'm pretty sure that the data is still there - I managed to restore the scripts out of one of the other directories by scanning the image file for "#!/bin/bash" and every time extracting an extra 30k of data. My problem is the emails stored in /var/spool/imap - my backup seems to be useless (yes, I should have tested it before).
So my question: If only /var/spool/imap itself has been "deleted", is there a possibility to scan for the subfolders (a-z) or the .keep file in it and then restore the /var/spool/imap entry? I checked several programs but I didn't find a program capable of doing this.
Thanks in advance,
Helge.

NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54387 Location: 56N 3W
Posted: Thu Jun 22, 2006 3:51 pm

LinuxSmiley,
Provided neither the data nor the partition are encrypted and you can find a search string, there is a chance.
Get hexedit, point it at the partition or better, your image of the partition, switch to string mode and search for a string.
I guess imap means it's your email, so your email address may be a good search string.
Every time you find something copy it to a file. That way you will create a .maildir format mailbox.
_________________
Regards,
NeddySeagoon
Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.

LinuxSmiley n00b
Joined: 13 May 2004 Posts: 36
Posted: Thu Jun 22, 2006 6:09 pm

Thanks, that was my first idea, too, and it works with the scripts I lost ... but:
- there are about 25 different e-mail accounts on the system, not only mine
- the mails sum up to a total of about 10000 single mails
Isn't there a possibility to search for the contents of the directory directly on the filesystem? I definitely know that there are 26 directories named "a" to "z" and a file named ".keep" in /var/spool/imap. If I could find the address of this directory index it should be possible to re-assign the missing inode entry in the /var/spool directory structure.
I'm really, really in need of these mails.
/Edit: Has your signature anything to do with my case?

NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54387 Location: 56N 3W
Posted: Thu Jun 22, 2006 8:55 pm

LinuxSmiley
You can try but they provide very short search strings.
I don't know how you would recover a whole directory because its contents could be fragmented all over the drive.
You would need to reconstruct the pointers to it and maybe update the free space bitmap.
Regards,
NeddySeagoon

LinuxSmiley n00b
Joined: 13 May 2004 Posts: 36
Posted: Fri Jun 23, 2006 8:50 am

Hi NeddySeagoon,
NeddySeagoon wrote: "I don't know how you would recover a whole directory because its contents could be fragmented all over the drive."
I don't want to recover a whole directory, just the pointer to it.
From my understanding the filesystem is organized like this:
a) the entry "imap" in the directory listing of /var/spool/ points to inode 1234
b) inode 1234 contains a list of all directory entries (/var/spool/imap/*) which point to other inodes
As I know the list of directory entries, couldn't I just try to find (with some program I don't know) this list on the disk and then retrieve the inode number holding the list (in the above example: 1234) and then patch the /var/spool/imap-entry with the now-retrieved inode number?
Again: I didn't delete the files with rm -Rf or so, e2fsck did the "job".
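
The search described in the post above, as an added example that is not part of the original thread and not any poster's code: it walks a raw ext2/ext3 image block by block, parses each candidate block as a chain of directory entries, and reports the blocks whose names include ".keep" and "a" to "z", together with the inode numbers stored in their "." and ".." entries. Assumptions: 4 KiB blocks and a directory that fits in one block; the function names and the sample image are constructed for illustration (inode 1234 and parent inode 8244503 are taken from the thread, the other inode numbers are made up).

```python
import struct

BLOCK_SIZE = 4096  # assumption: 4 KiB filesystem blocks

def parse_dir_block(block):
    """Return [(inode, name, file_type)] if block is a valid ext2/ext3 directory block, else None."""
    entries, off = [], 0
    while off < len(block):
        if off + 8 > len(block):
            return None
        # struct ext2_dir_entry_2: le32 inode, le16 rec_len, u8 name_len, u8 file_type, name
        inode, rec_len, name_len, ftype = struct.unpack_from("<IHBB", block, off)
        # rec_len must be 4-byte aligned, cover header + name, and stay inside the block
        if rec_len % 4 or rec_len < 8 + name_len or off + rec_len > len(block):
            return None
        entries.append((inode, bytes(block[off + 8:off + 8 + name_len]), ftype))
        off += rec_len
    return entries

def find_directory(image, wanted, block_size=BLOCK_SIZE):
    """Yield (block_no, own_inode, parent_inode) for directory blocks naming everything in wanted."""
    for blk in range(len(image) // block_size):
        block = image[blk * block_size:(blk + 1) * block_size]
        # A directory's first block starts with "." (rec_len 12, name_len 1); skip the rest fast
        if block[4:7] != b"\x0c\x00\x01" or block[8:9] != b".":
            continue
        entries = parse_dir_block(block)
        if not entries or len(entries) < 2 or entries[1][1] != b"..":
            continue
        # Entries with inode 0 are unused slots, so they do not count as present names
        if wanted <= {name for inode, name, _ in entries if inode}:
            yield blk, entries[0][0], entries[1][0]

def build_dir_block(entries, block_size=BLOCK_SIZE):
    """Constructed-sample helper: pack (inode, name, file_type) tuples into one directory block."""
    out = b""
    for idx, (inode, name, ftype) in enumerate(entries):
        # The last entry's rec_len absorbs the remainder of the block, as on a real filesystem
        rec_len = block_size - len(out) if idx == len(entries) - 1 else (8 + len(name) + 3) & ~3
        out += struct.pack("<IHBB", inode, rec_len, len(name), ftype) + name.ljust(rec_len - 8, b"\0")
    return out

# Constructed sample: an empty block, an unrelated directory, then an imap-like directory
LETTERS = [bytes([c]) for c in b"abcdefghijklmnopqrstuvwxyz"]
IMAP_NAMES = {b".keep", *LETTERS}

def sample_image():
    other = build_dir_block([(500, b".", 2), (2, b"..", 2), (501, b"cron", 2)])
    imap = build_dir_block([(1234, b".", 2), (8244503, b"..", 2), (1235, b".keep", 1)]
                           + [(1300 + i, name, 2) for i, name in enumerate(LETTERS)])
    return bytes(BLOCK_SIZE) + other + imap
```

For the real image, pass an mmap of hda3.dd in place of sample_image(). The inode number read from the "." entry is only a candidate to check, since e2fsck may have cleared that inode; the parsed entries still list the inode numbers of the subdirectories.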

NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54387 Location: 56N 3W
Posted: Fri Jun 23, 2006 9:21 am

LinuxSmiley,
You have the theory of the filesystem.
When e2fsck made your filesystem structure self-consistent, it did so without regard to any data you had on the filesystem.
However, any data that did not belong in the fsck'ed fs is now in lost+found at the top level of the partition affected.
Such data is named by inode number if its name is not known. It's worth looking there.
The drawback with the filesystem theory is that with your imap directory inode being free, e2fsck will have freed all the inodes that belong to it too, or added them to lost+found. That makes recovery difficult.
Look at
Code:
    ls --color lost+found
at the top level of /dev/hda3, then look into the directories in turn.
If you do
Code:
    ls -Ra lost+found > recovered.txt
you can
Code:
    grep <file> recovered.txt
for lost filenames.
You may be lucky. If the filenames are lost, you need to look inside the file to see what's there.
Regards,
NeddySeagoon

LinuxSmiley n00b
Joined: 13 May 2004 Posts: 36
Posted: Fri Jun 23, 2006 10:03 am

That folder was one of the first I checked but there were only two directories and a couple of files. The directories were identical and seemed to be /var/spool/imap/i/user/istroeter ... the files were mails from other accounts but not even near the total number of e-mails.
I wrote a little PHP script parsing through the image of the partition looking for "Received: " and then copying everything until the next null-byte into a new file - it found over 145000 files and almost all seem to be e-mails (although nearly every ever deleted spam mail got restored, too :-/). So if you don't know a tool which could accomplish my idea written in the previous post(s) then I'm fine with feeding all the recovered mails to my Cyrus IMAP server again.
Thanks for your time and effort!