1

I accidentally (due to a typo) have overwritten parts of my encrypted ext3 partition with an iso file:

cat 200Mb-sized.iso > /dev/sdb

Is there any chance to recover the files of the partition that were not overwritten? If so how should it be done? If not then please give an explanation why (for example: The directory is overwritten so you cannot find the files).

As a side note: The iso file partition is the only one shown on this volume but it is displayed as encrypted (while it was not).

Some more information:
The volume is not my boot volume and only had one partition on it that was fully encrypted.

4 Answers

2

Did you back up the volume header? If yes, you can restore the volume header and then use recovery utilities on the mounted volume.

If not, you are screwed.

4
  • Well then I am screwed :( Commented Mar 13, 2012 at 11:43
  • It would be nice to have an explanation so it would be easier for me to accept my fate. Commented Mar 13, 2012 at 14:37
  • 2
    The passphrase you enter to unlock an encrypted volume isn't directly the key to decrypt the partition, but rather decrypts a key stored in the volume header. LUKS allows you to store up to 8 keys, but it is all at the beginning of the volume in the "volume header." You overwrite the volume from the beginning, stomping all over that header. So you overwrite the passphrase-protected keys and there is no way to get your data back.
    – LawrenceC
    Commented Mar 13, 2012 at 14:48
  • Ok, thx for clearing that up for me. Then I will have to setup everything again. Luckily these data were not that important. Still I hate this situation. Commented Mar 13, 2012 at 14:57
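
The header layout described in the comment above, worked through as an added example (not code from this thread). It assumes the LUKS1 on-disk format, a constructed sample header with a single passphrase in slot 0, and that the "200Mb" ISO is 200,000,000 bytes; `parse_luks1`, `overwrite_damage` and `sample_header` are names made up for the illustration.

```python
import struct

SECTOR = 512
LUKS_MAGIC = b"LUKS\xba\xbe"
SLOT_ENABLED, SLOT_DISABLED = 0x00AC71F3, 0x0000DEAD
# LUKS1 header, big-endian: magic, version, cipher name, cipher mode, hash,
# payload offset (sectors), key bytes, MK digest, digest salt, digest
# iterations, UUID. Eight 48-byte key-slot descriptors follow at byte 208.
PHDR = struct.Struct(">6sH32s32s32sII20s32sI40s")
SLOT = struct.Struct(">II32sII")  # state, iterations, salt, offset (sectors), stripes

def parse_luks1(buf):
    """Return the layout described by a LUKS1 header, or None if none is found."""
    if len(buf) < PHDR.size + 8 * SLOT.size:
        return None
    magic, version, _c, _m, _h, payload, key_bytes, *_rest = PHDR.unpack_from(buf)
    if magic != LUKS_MAGIC or version != 1:
        return None
    slots = {}
    for i in range(8):
        state, _it, _salt, off, stripes = SLOT.unpack_from(buf, PHDR.size + i * SLOT.size)
        if state == SLOT_ENABLED:
            # Key material is stored anti-forensically split into `stripes` pieces.
            slots[i] = (off * SECTOR, off * SECTOR + key_bytes * stripes)
    return {"payload_start": payload * SECTOR, "slots": slots}

def overwrite_damage(layout, n):
    """What writing n bytes from offset 0 destroys, given the pre-overwrite layout."""
    return {
        "header_destroyed": n > 0,
        "slots_destroyed": sorted(i for i, (start, _e) in layout["slots"].items() if start < n),
        "payload_bytes_lost": max(0, n - layout["payload_start"]),
    }

def sample_header():
    """Constructed header: one passphrase in slot 0, 256-bit key, payload at 2 MiB."""
    buf = PHDR.pack(LUKS_MAGIC, 1, b"aes", b"xts-plain64", b"sha256",
                    4096, 32, bytes(20), bytes(32), 1000, b"constructed-uuid")
    for i in range(8):
        state = SLOT_ENABLED if i == 0 else SLOT_DISABLED
        buf += SLOT.pack(state, 1000, bytes(32), 8 + i * 256, 4000)
    return buf

if __name__ == "__main__":
    layout = parse_luks1(sample_header())
    print(layout)
    print(overwrite_damage(layout, 200 * 1000 * 1000))  # assumed size of the ISO
    print(parse_luks1(bytes(1024)))  # a disk start with no LUKS magic: None
```

Restoring a header backup brings back the header and key slots; the payload bytes reported as lost stay lost either way.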
0

If the overwritten partition were not encrypted, I'd say to try a recovery tool that hunts through the data looking for files (I've not got any specific recommendations, but I've previously used tools that would just search the raw data for anything that might be a jpeg or a word doc and recover them that way. Basically they look for magic numbers and then try to figure out where the rest of the file is).

The problem is that you've got an encrypted partition there. Which means that there's very little for a tool to go on in trying to find anything in the mess.

I'd shoot an e-mail to the encryption developers and see if there's some way to decrypt the remaining data. If you could do that, then you can fall back to normal data recovery tools. If you can't find a way to decrypt the remaining data, then you're never going to recover it, I fear.

1
  • That's pretty much my concern. I would like to let everything be encrypted and just recover the partition table to get my partition back. Probably it is not even encrypted but I do not know if I can simply overwrite it with a new one and for now I just search for tools that will not need to overwrite something (possibly making things worse) Commented Mar 13, 2012 at 11:42
-2

This comes into the realm of data recovery.

I would highly recommend putting the drive in question into a master/slave configuration if possible. Place the drive in question as the slave and boot from another drive. An alternative to this is to run from a live-cd (get the same effect).

Since you're running an ext3 partition, you will have to use a Linux data recovery tool. I am not familiar with many but I'm sure some research on Google will yield satisfactory results. A lot of these tools can still read overwritten sectors and recompile them (with or without help). They take advantage of the fact that a hard drive never really writes over the same exact spot twice (a digital 1 on a hard drive is a length of space on the disk with a magnetic polarity associated as a "1"). So when the head comes over that spot again, it never/rarely overlaps perfectly.

There is hope yet.

3
  • No one's ever demonstrated the ability to read over-written sectors on a hard disk, and you sure as heck can't do it with the drive's heads and firmware, which are explicitly designed to read back what was written, not leftover stray fields that won't exist most of the time anyway. If you actually wanted to pull that trick you'd need an electron microscope at a minimum, and probably a heck of a lab. You'll note that none of the major data recovery firms claim to be able to read data that's over-written. Commented Mar 13, 2012 at 11:37
  • Ah, you are correct. Reading the disk once overwritten is possible only in theory. Practical applications do not yet exist.
    – Kashif
    Commented Mar 13, 2012 at 12:48
  • This is an incorrect answer thus a downvote.
    – Ramhound
    Commented Mar 13, 2012 at 13:20
-2

I would try TestDisk, which is included on SystemRescueCD, though I'm not sure how well it handles partial encrypted partitions.

1
  • 1
    If you are unsure, why are you suggesting it?
    – Ramhound
    Commented Mar 13, 2012 at 13:20
