Need help to recover Shift+Deleted /bin directory on ext4 filesystem.


    I accidentally deleted the /bin directory on an ext4 filesystem during a Live Boot session for 14.04 using a bootable USB drive.

    The following attempts were made in read-only mode to recover the data.

    1. TestDisk showed a deleted /bin directory but no file content.
    2. Photorec recovered too many files with weird names, and I don't know how to identify the exact set of files which belong to the deleted /bin.
    3. extundelete did not recover any data for me.
    4. Autopsy and Sleuthkit did not recover any data (it did say unknown data exists but cannot recover). It seems Sleuthkit in 14.04 uses an older version of libtsk which does not support ext4. Recovery was attempted on a partition image created by ddrescue as mentioned on https://help.ubuntu.com/community/DataRecovery

    I am planning to attempt data recovery with scalpel and foremost from the raw image created using ddrescue, but don't know which file types to look for.
    What file types usually exist in /bin?
    Last edited by rahulprabhakar; Mar 02, 2016, 04:18 AM.

    #2
    Just about everything that is an executable - programs from small to large.


      #3
      Originally posted by rahulprabhakar:
      What file types usually exist in /bin
      There are only 154 files = 9.5Mb total in my 14.04 /bin directory. Here is the exact content:
      Code:
      total 9984
      -rwxr-xr-x 1 root 1021112 Oct  8  2014 bash
      -rwxr-xr-x 1 root   31152 Oct 22  2013 bunzip2
      -rwxr-xr-x 1 root 1918032 Nov 15  2013 busybox
      -rwxr-xr-x 1 root   31152 Oct 22  2013 bzcat
      lrwxrwxrwx 1 root       6 Jan 11  2015 bzcmp -> bzdiff
      -rwxr-xr-x 1 root    2140 Oct 22  2013 bzdiff
      lrwxrwxrwx 1 root       6 Jan 11  2015 bzegrep -> bzgrep
      -rwxr-xr-x 1 root    4877 Oct 22  2013 bzexe
      lrwxrwxrwx 1 root       6 Jan 11  2015 bzfgrep -> bzgrep
      -rwxr-xr-x 1 root    3642 Oct 22  2013 bzgrep
      -rwxr-xr-x 1 root   31152 Oct 22  2013 bzip2
      -rwxr-xr-x 1 root   14480 Oct 22  2013 bzip2recover
      lrwxrwxrwx 1 root       6 Jan 11  2015 bzless -> bzmore
      -rwxr-xr-x 1 root    1297 Oct 22  2013 bzmore
      -rwxr-xr-x 1 root   47904 Dec  4 06:14 cat
      -rwxr-xr-x 1 root   14688 May 23  2013 chacl
      -rwxr-xr-x 1 root   60160 Dec  4 06:14 chgrp
      -rwxr-xr-x 1 root   56032 Dec  4 06:14 chmod
      -rwxr-xr-x 1 root   60160 Dec  4 06:14 chown
      -rwxr-xr-x 1 root   10480 Feb 19  2013 chvt
      -rwxr-xr-x 1 root  130304 Dec  4 06:14 cp
      -rwxr-xr-x 1 root  137304 Feb 19 05:16 cpio
      -rwxr-xr-x 1 root  121272 Feb 20  2014 dash
      -rwxr-xr-x 1 root   60160 Dec  4 06:14 date
      -rwxr-xr-x 1 root   10536 Nov 26  2014 dbus-cleanup-sockets
      -rwxr-xr-x 1 root  434032 Nov 26  2014 dbus-daemon
      -rwxr-xr-x 1 root   10464 Nov 26  2014 dbus-uuidgen
      -rwxr-xr-x 1 root   56136 Dec  4 06:14 dd
      -rwxr-xr-x 1 root   97768 Dec  4 06:14 df
      -rwxr-xr-x 1 root  110080 Dec  4 06:14 dir
      -rwxr-xr-x 1 root   22896 Sep  3 06:35 dmesg
      lrwxrwxrwx 1 root       8 Jan 11  2015 dnsdomainname -> hostname
      lrwxrwxrwx 1 root       8 Jan 11  2015 domainname -> hostname
      -rwxr-xr-x 1 root   82256 Feb 19  2013 dumpkeys
      -rwxr-xr-x 1 root   31296 Dec  4 06:14 echo
      -rwxr-xr-x 1 root   47712 Jul 17  2013 ed
      -rwxr-xr-x 1 root   57952 Jul  1  2015 efibootmgr
      -rwxr-xr-x 1 root  183696 Jan 19  2014 egrep
      -rwxr-xr-x 1 root   27168 Dec  4 06:14 false
      -rwxr-xr-x 1 root   10488 Feb 19  2013 fgconsole
      -rwxr-xr-x 1 root  138352 Jan 19  2014 fgrep
      -rwxr-xr-x 1 root   36144 Sep  3 06:35 findmnt
      -rwxr-xr-x 1 root   31864 Nov 30  2012 fuser
      -rwsr-xr-x 1 root   30800 May 16  2015 fusermount
      -rwxr-xr-x 1 root   23688 May 23  2013 getfacl
      -rwxr-xr-x 1 root  191952 Jan 19  2014 grep
      -rwxr-xr-x 1 root    2303 Jan 10  2014 gunzip
      -rwxr-xr-x 1 root    5937 Jan 10  2014 gzexe
      -rwxr-xr-x 1 root   94048 Jan 10  2014 gzip
      -rwxr-xr-x 1 root   14736 Dec 14  2013 hostname
      -rwxr-xr-x 1 root  307328 Jul 24  2015 ip
      -rwxr-xr-x 1 root   10480 Feb 19  2013 kbd_mode
      -rwxr-xr-x 1 root   30792 Oct 22  2013 keyctl
      -rwxr-xr-x 1 root   23088 Feb 11  2015 kill
      -rwxr-xr-x 1 root  154616 Apr 11  2014 kmod
      -rwxr-xr-x 1 root  153664 Jun 10  2013 less
      -rwxr-xr-x 1 root   10440 Jun 10  2013 lessecho
      lrwxrwxrwx 1 root       8 Jan 11  2015 lessfile -> lesspipe
      -rwxr-xr-x 1 root   15912 Jun 10  2013 lesskey
      -rwxr-xr-x 1 root    7758 Jun 10  2013 lesspipe
      -rwxr-xr-x 1 root   56072 Dec  4 06:14 ln
      -rwxr-xr-x 1 root  111432 Feb 19  2013 loadkeys
      -rwxr-xr-x 1 root   49168 Jan 27 13:50 login
      -rwxr-xr-x 1 root   92328 Jan 26 21:38 loginctl
      -rwxr-xr-x 1 root   63912 Dec 19  2013 lowntfs-3g
      -rwxr-xr-x 1 root  110080 Dec  4 06:14 ls
      -rwxr-xr-x 1 root   44688 Sep  3 06:35 lsblk
      lrwxrwxrwx 1 root       4 Jan 11  2015 lsmod -> kmod
      -rwxr-xr-x 1 root   51936 Dec  4 06:14 mkdir
      -rwxr-xr-x 1 root   35456 Dec  4 06:14 mknod
      -rwxr-xr-x 1 root   39648 Dec  4 06:14 mktemp
      -rwxr-xr-x 1 root   39600 Sep  3 06:35 more
      -rwsr-xr-x 1 root   94792 Sep  3 06:35 mount
      -rwxr-xr-x 1 root   10456 Feb 17 17:59 mountpoint
      lrwxrwxrwx 1 root      20 Jan 11  2015 mt -> /etc/alternatives/mt
      -rwxr-xr-x 1 root   68760 Feb 19 05:16 mt-gnu
      -rwxr-xr-x 1 root  122088 Dec  4 06:14 mv
      -rwxr-xr-x 1 root  192008 Oct  2  2012 nano
      lrwxrwxrwx 1 root      20 Jan 11  2015 nc -> /etc/alternatives/nc
      -rwxr-xr-x 1 root   31248 Dec  4  2012 nc.openbsd
      lrwxrwxrwx 1 root      24 Jan 11  2015 netcat -> /etc/alternatives/netcat
      -rwxr-xr-x 1 root  119624 Aug  6  2014 netstat
      lrwxrwxrwx 1 root       8 Jan 11  2015 nisdomainname -> hostname
      -rwxr-xr-x 1 root   59848 Dec 19  2013 ntfs-3g
      -rwxr-xr-x 1 root   10312 Dec 19  2013 ntfs-3g.probe
      -rwxr-xr-x 1 root   67608 Dec 19  2013 ntfs-3g.secaudit
      -rwxr-xr-x 1 root   18432 Dec 19  2013 ntfs-3g.usermap
      -rwxr-xr-x 1 root   26728 Dec 19  2013 ntfscat
      -rwxr-xr-x 1 root   30752 Dec 19  2013 ntfsck
      -rwxr-xr-x 1 root   30824 Dec 19  2013 ntfscluster
      -rwxr-xr-x 1 root   34920 Dec 19  2013 ntfscmp
      -rwxr-xr-x 1 root   22528 Dec 19  2013 ntfsdump_logfile
      -rwxr-xr-x 1 root   39024 Dec 19  2013 ntfsfix
      -rwxr-xr-x 1 root   55416 Dec 19  2013 ntfsinfo
      -rwxr-xr-x 1 root   31928 Dec 19  2013 ntfsls
      -rwxr-xr-x 1 root   26672 Dec 19  2013 ntfsmftalloc
      -rwxr-xr-x 1 root   30824 Dec 19  2013 ntfsmove
      -rwxr-xr-x 1 root   34856 Dec 19  2013 ntfstruncate
      -rwxr-xr-x 1 root   43632 Dec 19  2013 ntfswipe
      lrwxrwxrwx 1 root       6 Jan 11  2015 open -> openvt
      -rwxr-xr-x 1 root   18912 Feb 19  2013 openvt
      lrwxrwxrwx 1 root      14 Feb 17 17:59 pidof -> /sbin/killall5
      -rwsr-xr-x 1 root   44168 May  8  2014 ping
      -rwsr-xr-x 1 root   44680 May  8  2014 ping6
      -rwxr-xr-x 1 root   35448 Dec  3  2014 plymouth
      -rwxr-xr-x 1 root   31608 Dec  3  2014 plymouth-upstart-bridge
      -rwxr-xr-x 1 root   93232 Feb 11  2015 ps
      -rwxr-xr-x 1 root   31392 Dec  4 06:14 pwd
      lrwxrwxrwx 1 root       4 Oct  8  2014 rbash -> bash
      -rwxr-xr-x 1 root   39528 Dec  4 06:14 readlink
      -rwxr-xr-x 1 root      89 Jul 17  2013 red
      -rwxr-xr-x 1 root   60160 Dec  4 06:14 rm
      -rwxr-xr-x 1 root   43648 Dec  4 06:14 rmdir
      lrwxrwxrwx 1 root       4 Jan 11  2015 rnano -> nano
      -rwxr-xr-x 1 root     254 Jul 18  2014 running-in-container
      -rwxr-xr-x 1 root   19248 Aug 28  2013 run-parts
      -rwxr-xr-x 1 root   73352 Feb 14  2014 sed
      -rwxr-xr-x 1 root   36232 May 23  2013 setfacl
      -rwxr-xr-x 1 root   39896 Feb 19  2013 setfont
      -rwxr-xr-x 1 root   12052 Jan 30  2014 setupcon
      lrwxrwxrwx 1 root       4 Jan 11  2015 sh -> dash
      lrwxrwxrwx 1 root       4 Jan 11  2015 sh.distrib -> dash
      -rwxr-xr-x 1 root   31296 Dec  4 06:14 sleep
      -rwxr-xr-x 1 root   76624 Jul 24  2015 ss
      lrwxrwxrwx 1 root       7 Jan 11  2015 static-sh -> busybox
      -rwxr-xr-x 1 root   68256 Dec  4 06:14 stty
      -rwsr-xr-x 1 root   36936 Jan 27 13:50 su
      -rwxr-xr-x 1 root   27200 Dec  4 06:14 sync
      -rwxr-xr-x 1 root   18816 Sep  3 06:35 tailf
      -rwxr-xr-x 1 root  353840 Feb  5  2014 tar
      -rwxr-xr-x 1 root   10344 Aug 28  2013 tempfile
      -rwxr-xr-x 1 root   60224 Dec  4 06:14 touch
      -rwxr-xr-x 1 root   27168 Dec  4 06:14 true
      -rwxr-xr-x 1 root  248040 Jan 26 21:38 udevadm
      -rwxr-xr-x 1 root   14336 May 16  2015 ulockmgr_server
      -rwsr-xr-x 1 root   69120 Sep  3 06:35 umount
      -rwxr-xr-x 1 root   31360 Dec  4 06:14 uname
      -rwxr-xr-x 1 root    2303 Jan 10  2014 uncompress
      -rwxr-xr-x 1 root    2762 Feb 19  2013 unicode_start
      -rwxr-xr-x 1 root  110080 Dec  4 06:14 vdir
      -rwxr-xr-x 1 root    6248 Feb  5  2014 vmmouse_detect
      -rwxr-xr-x 1 root     946 Aug 28  2013 which
      -rwxr-xr-x 1 root   27368 Mar 24  2014 whiptail
      lrwxrwxrwx 1 root       8 Jan 11  2015 ypdomainname -> hostname
      -rwxr-xr-x 1 root    1939 Jan 10  2014 zcat
      -rwxr-xr-x 1 root    1779 Jan 10  2014 zcmp
      -rwxr-xr-x 1 root    5766 Jan 10  2014 zdiff
      -rwxr-xr-x 1 root     142 Jan 10  2014 zegrep
      -rwxr-xr-x 1 root     142 Jan 10  2014 zfgrep
      -rwxr-xr-x 1 root    2133 Jan 10  2014 zforce
      -rwxr-xr-x 1 root    5940 Jan 10  2014 zgrep
      -rwxr-xr-x 1 root    2039 Jan 10  2014 zless
      -rwxr-xr-x 1 root    1912 Jan 10  2014 zmore
      -rwxr-xr-x 1 root    5049 Jan 10  2014 znew
      Last edited by Rod J; Mar 02, 2016, 05:43 AM.
      Desktop PC: Intel Core-i5-4670 3.40Ghz, 16Gb Crucial ram, Asus H97-Plus MB, 128Gb Crucial SSD + 2Tb Seagate Barracuda 7200.14 HDD running Kubuntu 18.04 LTS and Kubuntu 14.04 LTS (on SSD).
      Laptop: HP EliteBook 8460p Core-i5-2540M, 4Gb ram, Transcend 120Gb SSD, currently running Deepin 15.8 and Manjaro KDE 18.



        #4
        Programs in /bin would not have any extensions, to the best of my knowledge. foremost and scalpel are designed to carve files based on the file header for a given set of file extensions.
        I could not recover the desired files since the executable / binary file type is not supported. Any suggestions for tools that I can try apart from the ones specified at https://help.ubuntu.com/community/DataRecovery?

        I shall try magicrescue as specified in the link above and thereafter, as a last resort, download the latest Kubuntu ISO to live boot and install sleuthkit + autopsy, since 15.10 seems to have the latest version of libtsk in the repos, which should support ext4 (with reference to the info on http://www.sleuthkit.org/autopsy/history.php).
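
Header-based carving as described in post #4, applied to ELF executables, as an added example that is not part of the original thread. It assumes 64-bit little-endian binaries, 4096-byte filesystem blocks and unfragmented files whose section header table ends the file; the function names and the sample image are constructed for illustration.

```python
import struct

ELF64_HDR = struct.Struct("<16sHHIQQQIHHHHHH")  # 64-byte little-endian ELF64 header

def carve_elf64(image: bytes, block_size=4096, max_size=4 * 1024 * 1024):
    """Return [(offset, length)] for plausible ELF64 files in a raw partition image."""
    hits, pos = [], 0
    while (pos := image.find(b"\x7fELF", pos)) != -1:
        start, pos = pos, pos + 4
        if start % block_size:
            continue  # file data starts on a block boundary; skip embedded magics
        if len(image) - start < ELF64_HDR.size:
            break
        (ident, e_type, _machine, version, _entry, _phoff, shoff, _flags,
         ehsize, _phentsize, _phnum, shentsize, shnum, _shstrndx) = ELF64_HDR.unpack_from(image, start)
        # ident[4] = class (2: 64-bit), ident[5] = data (1: little-endian), ident[6] = version
        if ident[4] != 2 or ident[5] != 1 or ident[6] != 1 or version != 1:
            continue
        if e_type not in (2, 3) or ehsize != 64 or shentsize != 64 or shnum == 0:
            continue  # keep ET_EXEC / ET_DYN with a section header table
        length = shoff + shnum * shentsize  # assumption: the section table ends the file
        if ehsize < length <= max_size and start + length <= len(image):
            hits.append((start, length))
    return hits

def make_sample_image():
    """Constructed two-block image: one minimal ELF64 file at block 1, then a stray magic."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    hdr = ELF64_HDR.pack(ident, 2, 62, 1, 0, 64, 200, 0, 64, 56, 1, 64, 3, 2)
    elf = hdr.ljust(200 + 3 * 64, b"\0")  # 392 bytes in total
    return bytes(4096) + elf + b"\x7fELFjunk".ljust(4096 - len(elf), b"\xff")

if __name__ == "__main__":
    for offset, length in carve_elf64(make_sample_image()):
        print(f"ELF candidate at offset {offset}, {length} bytes")
```

The carved lengths can be matched against the sizes in the listing from post #3 to put names back on the files. Shell scripts in that listing, such as gunzip and zcat, are not ELF and will not be found this way.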



          #5
          I could upload to my Dropbox a zip file containing the files in my 14.04 /bin directory then send you a link to download them via PM ... that would surely be a simpler solution. Let me know if that would be any use to you.


            #6
            Originally posted by Rod J:
            I could upload to my Dropbox a zip file containing the files in my 14.04 /bin directory then send you a link to download them via PM ... that would surely be a simpler solution. Let me know if that would be any use to you.
            It would be really helpful, but I have never used Dropbox. I guess I just need to click on the link to download the zip file.


              #7
              Yes, the link is unique ... you don't need Dropbox to use it. I will send the link to you via PM message.


                #8
                If you extract the zip file to your /bin directory check the permissions are correct. I see a few of them have the 'set UID' permission (rws). The file list I gave in post #3 has the exact permissions in my /bin. I think the linked files should be the same on your system.


                  #9
                  Originally posted by Rod J:
                  Yes, the link is unique ... you don't need Dropbox to use it. I will send the link to you via PM message.
                  Thanks Rod, received the zip file with executables.


                    #10
                    Originally posted by Rod J:
                    If you extract the zip file to your /bin directory check the permissions are correct. I see a few of them have the 'set UID' permission (rws). The file list I gave in post #3 has the exact permissions in my /bin. I think the linked files should be the same on your system.
                    What permissions must I set for /bin itself? Would it be rwx-r-x-r-x (owner-group-other) with ownership to root?


                      #11
                      Yes, that's the right permissions for /bin: rwxr-xr-x with root being the owner.
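
The permission check from posts #8 and #11, as an added example that is not part of the original thread. It parses an `ls -l` style listing in the format of post #3 and reports restored entries whose mode, symlink target or ownership differs, plus any set-UID/set-GID file the listing does not mention. `SAMPLE_LISTING` is a constructed four-line excerpt and the function names are assumptions.

```python
import os
import stat

# Constructed excerpt in the same column layout as the listing in post #3.
SAMPLE_LISTING = """\
total 9984
-rwxr-xr-x 1 root 1021112 Oct  8  2014 bash
-rwsr-xr-x 1 root   94792 Sep  3 06:35 mount
lrwxrwxrwx 1 root       4 Jan 11  2015 sh -> dash
-rwxr-xr-x 1 root  121272 Feb 20  2014 dash
"""

def parse_listing(text):
    """Return {name: (mode_string, symlink_target_or_None)} from the listing."""
    expected = {}
    for line in text.splitlines():
        fields = line.split()
        # Columns: mode links owner size month day time-or-year name [-> target]
        if len(fields) < 8 or len(fields[0]) != 10:
            continue  # skips the "total N" line and blanks
        target = fields[9] if len(fields) >= 10 and fields[8] == "->" else None
        expected[fields[7]] = (fields[0], target)
    return expected

def audit(directory, listing, require_root=True):
    """Compare a restored directory with the listing; return sorted findings."""
    expected, findings = parse_listing(listing), []
    d = os.stat(directory)
    if stat.filemode(d.st_mode) != "drwxr-xr-x" or (require_root and d.st_uid != 0):
        findings.append(f"{directory}: expected drwxr-xr-x owned by root")
    for name, (mode, target) in expected.items():
        path = os.path.join(directory, name)
        try:
            st = os.lstat(path)  # lstat: inspect the link itself, not its target
        except FileNotFoundError:
            findings.append(f"{name}: missing")
            continue
        actual = stat.filemode(st.st_mode)
        if actual != mode:
            findings.append(f"{name}: mode {actual}, expected {mode}")
        if require_root and st.st_uid != 0:
            findings.append(f"{name}: not owned by root")
        if target and stat.S_ISLNK(st.st_mode) and os.readlink(path) != target:
            findings.append(f"{name}: links to {os.readlink(path)}, expected {target}")
    for name in os.listdir(directory):
        st = os.lstat(os.path.join(directory, name))
        if name not in expected and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
            findings.append(f"{name}: set-id bit on a file not in the listing")
    return sorted(findings)
```

Run it against the mounted root from the live session, for example `audit("/mnt/bin", listing_text)`, where `/mnt` is an assumed mount point and `listing_text` holds the full listing from post #3.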



                        #12
                        There is a program in the repository called "snapshot". It was written for btrfs but has been expanded to include ext4 and other filesystems. You can snapshot "/" and "/home". As you install or remove things you can add new snapshots and delete old ones. In your case, you could have mounted a LiveCD and then mounted your HD and copied /bin from the snapshot to root, then removed the LiveCD and rebooted.
                        "A nation that is afraid to let its people judge the truth and falsehood in an open market is a nation that is afraid of its people.”
                        – John F. Kennedy, February 26, 1962.



                          #13
                          That's a great tip GreyGeek, thanks.

                          I didn't know it was possible to snapshot that way in ext4. I guess it's all to do with hard links, etc which ext4 certainly has. I'll definitely have to have a look at that program as I've wished I could do just that in the past just before installing some critical updates, etc or when making some blunder such as the topic of this thread!


                            #14
                            There is also BackInTime, which works VERY well on EXT4 and without the complexities of configuration that Snapshot has. In his case he could have booted from a live cd, mounted his root partition and copied /bin over from his most recent backup. It's the one I use. It has a Dolphin like interface and a KDE GUI. Uses rsync and is fast, but not as fast as Snapshot, which is almost instantaneous. Last night I did a backup of my home account and root. Took about 15 minutes. If you put the BackInTime snapshots on externally mounted drives those eggs won't be in the same basket as your system.


                              #15
                              Copying the files received from Rod helped. I am able to boot the system to the KDM GUI login prompt.
                              I also tried copying /bin from a live boot session for 14.04, and it also worked well.
