1

I have rescued my 2gb usb stick in nearly two days onto an 100gb blank reiserfs partition with these two commands:

ddrescue -f -n /dev/sda /dev/sdb8 logfile

ddrescue -d -f -r3 /dev/sda /dev/sdb8 logfile

since I did not know what to do next, I tried mounting /dev/sdb8 to look what's inside. But mount: you must specify the filesystem type. Before that I was able to mount the blank reiserfs partition before ddrescue wrote on it. Is there a way to read the rescued data now?

Thanks.

panny
  • 655
  • 9
  • 23

2 Answers2

2

Most USB sticks use the PC partitioning format, and have a single partition. That means the first sector (512 bytes) of the disk contains a partition table (and optionally a bootloader), and the rest of the disk contains the partition.

You could have rescued just the partition with

ddrescue -f -n /dev/sda1 /dev/sdb8 logfile
ddrescue -d -f -r3 /dev/sda1 /dev/sdb8 logfile

But now that you have the whole disk, you can get at its partition.

losetup -o 512 /dev/loop0 /dev/sdb8
mount -r /dev/loop0 /mnt

If /dev/loop0 is already in use, you may have to choose another number. The command losetup -f will return the number of a free loop device.

However, manipulating partitions on a live system is error-prone, so rather than do this, I recommend moving the data from the USB stick to an ordinary file. Either copy the whole disk, then use losetup on the disk image (16M × 130 is calculated to be larger than the size of the USB stick):

dd bs=16M count=130 </dev/sdb8 >/var/tmp/usb-stick.disk

Or copy just the partition, and mount the partition image directly:

tail -c +513 </dev/sdb8 | dd bs=16M count=130 >/var/tmp/usb-stick.partition
mount -o loop,ro /var/tmp/usb-stick.partition /mnt

And for future reference, you might as well have passed an output file, rather than an output partition, to ddrescue in the first place.

Gilles 'SO- stop being evil'
  • 69,786
  • 21
  • 137
  • 178
  • hi! Cannot mount -r /dev/loop0 /mnt mount: you must specify the filesystem type so I gave mount -r -t usbfs /dev/loop0 /mnt a try and it worked, but the content was weired...four folders 001 002 003 004 and a textfile 'devices' ? – panny Nov 13 '10 at 22:21
  • @panny: `usbfs` is a pseudo-filesystem (like `proc` and `sysfs`); it ignores the device. What you have is probably a `vfat` filesystem, but if `mount` didn't figure out the filesystem automatically, there's probably something wrong elsewhere. How exactly did you create the loop device? What does `file - – Gilles 'SO- stop being evil' Nov 13 '10 at 22:29
  • file - – panny Nov 13 '10 at 22:40
  • #parted /dev/sdb8 unit B print Warning: GNU Parted has detected libreiserfs interface version mismatch. Found 1-1, required 0. ReiserFS support will be disabled. Error: /dev/sdb8: unrecognised disk label – panny Nov 13 '10 at 22:42
  • I created the loop filesystem like: losetup -o 512 /dev/loop0 /dev/sdb8 – panny Nov 13 '10 at 22:45
  • @panny: The first explanation that comes to me is that the very beginning of the disk is corrupt, so the filesystem structures are damaged. Does the ddrescue log show errors in the first kilobyte or so? If that's so, you'll have to turn to other repair techniques, such as looking for known patterns to try and recover files. Was this a FAT filesystem? If so, try `dosfsck` (on a **copy** (into a regular file) of what you have now in `/dev/sdb8`). – Gilles 'SO- stop being evil' Nov 13 '10 at 23:21
  • you mean the beginning of /dev/sdb? That sounds impossible since I can mount all partitions (except for /dev/sdb8 now) and read and write. I can't spot any errors in the logfile: – panny Nov 14 '10 at 01:06
  • # current_pos current status 0x7CFF0200 + # pos size status 0x00000000 0x7D000000 + – panny Nov 14 '10 at 01:07
  • dosfsck /dev/sdb8 dosfsck 3.0.10, 12 Sep 2010, FAT32, LFN Logical sector size (65535 bytes) is not a multiple of the physical sector size. returned: 1 – panny Nov 14 '10 at 01:09
  • @panny: I meant that I suspected that the beginning of the USB stick is corrupt (but there may be another explanation). What you have now at the beginning of `/dev/sdb8` (i.e. what you had on the USB stick) doesn't look like a filesystem or like a disk image with PC partition. Try adding the output of `head -c 1024 – Gilles 'SO- stop being evil' Nov 14 '10 at 10:32
1

you copied a disk to a partition - this is why there is a difference
if you wanted to mount the partition by itself to mount normally you should have used /dev/sda1 as the input file

you need to carve the partition out of the disk-file or use offsets for mounting tutorial:
http://www.andremiller.net/content/mounting-hard-disk-image-including-partitions-using-linux

you should also be able to easily see the contents with autopsy/sleuthkit available via apt-get or as rpm from CERT.org

typically i copy a disk or partition to a file...it's just easier to work with that way. then if i copied a disk to a file a carve the partitions into individual files or mount them like in the previously stated tutorial. last i have partition files i can mount and cp -pR to new partitions.

RobotHumans
  • 5,904
  • 1
  • 19
  • 25