[solved] Recover files from corrupt disk

[malern]

I'm using Amazons cloud services and I've just had a VM die and leave me with a corrupted virtual disk. I've attached the disk to a new VM but fdisk reports "Disk /dev/sdf doesn't contain a valid partition table". I've tried creating a new partition (on a snapshot of the disk), but then it doesn't detect a filesystem.

This disk had a bunch of files that users of my webapp had uploaded. Typically I've now discovered I've been backing up symlinks rather than the actual files, so this disk potentially holds my only copy of those files. I'm not really sure where to start with trying to recover these files.

I believe the filesystem was ext3. All the files had filenames in the format "attach_[a-z0-9]{16}" and could have been any sort of file (e.g. images, videos, random project files). The files arn't any use to me without the filename (as I can't put them back into my webapp), so I don't think file carving programs like app-forensics/foremost or app-forensics/scapel will help.

Do I have any chance of getting these files back? Is there an easy way to check if there is a filesystem still on this disk?

Edit: just found app-admin/testdisk, which seemed liked my best hope, but it didn't find anything, so I'm assuming I'm pretty much boned

[NeddySeagoon]

malern,

Run testdisk on the image. It will scan the entire disk surface and make a list of possible partitions, then optionally, write a partition table for you.
IF you are more cautious, you can make a list of the starts and calculate offset= values to go in the command below.

How was the disk partitioned ?
Can you remember *exacty* ?
What tool did you use to make the partitions ?

[malern]

Thanks for the useful advice. I'm pretty sure the disk was partitioned using fdisk, with a single linux (id 83) partition spanning the entire disk (10GB).

I've tried running testdisk on it and it didn't managed to find any partitions (even after the deep search). Running the mount command returned

[NeddySeagoon]

malern,

You may just have lost the superblock. However, the extX filesystems stashes backup all over the place, to the next thing to try is one of those.

[malern]

I still got the same error as before using the sb=n mount option, so I decided to give sleuthkit a try like you recommended. I ran tsk_recover on the disk image and it managed to extract all my files! I couldn't believe it

It's a fantastic tool, thanks for recommending it. I really appreciate all your help and advice, I owe you one!

[NeddySeagoon]

malern,

That is extracted all your files it good but it says nothing about the file content that was recovered.
What was recovered was whatever was in the space pointed to by the metadata.

There is no other way than checking the files one by one to establish that the file content is correct.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.

[malern]

Ok, that's good to know. Unfortunately there's too many files to be able to check them all. Plus some might have been corrupted to start with as this is a support site and we've had people upload broken files as examples. I've checked a few of the restored files and they've been fine, so I'm happy it's at least partially restored.

I'll be double checking my backups are working correctly in the future