I am in the middle of a failing drive data recovery process (see How can I find out which files are lost through a ddrescue recovery atempt?). I must say that I have no experience with disk management at this level. Following the accepted answer there, I have done this:
- Made a copy of the failing disk with
ddrescueand processed the mapfile to use withtestbindebugfs. I counted 248 block checks. - Upon running all those
testbcommands I found that 236 were "not in use" and 12 "marked in use". This was the first surprising result, since the disk was almost full. - I did
icheckon those 12 blocks and found, to my greater surprise, that 8 of them gave a "block not found" output. I haven't been able to find out what this means, since people mention reading errors and whatnot, but I am doing all this on the new disk. - Of the remaining 4 blocks, I obtained the inodes and with
ncheckfound the 3 supposedly corrupted files (two files were the same because two bad used blocks had the same inode).
Assuming that my code and calculations are correct (you can find the data and Python code in https://filebin.ca/3KZLnN60uZrl/rescue2.7z if you are curious), is the final result of 3 corrupted files correct? Or at some step things don't mean what I thought and there may be other files that I can only locate with a different procedure?
e2fsck? If yes, and if a block with metadata was corrupted and corrected, something like this may happen. Usehexdumpto make sure you have the right address for the bad blocks (assumingddrescuefills bad blocks with zeros), and read up on the filesystem layout to get an idea which parts were damaged. Also, you can try toddrescuejust the partition, to avoid the partition offset problem. – dirkt Apr 28 '17 at 05:37e2fsckbefore. The output of that (see previous linked question) indicated that something happened to 9 blocks, that I could also try to check. Another idea I had now is to try the wholedebugfsthing on the old disk, I will report on the two things in a couple of days. – David Sevilla Apr 28 '17 at 10:01hexdumpon one of the files. I assumed there would be 512 bytes or 256 times0000in hex; but when I didgrep "0000 0000 0000"to the output ofhexdumpI only found a few lines, far from such a long chain. – David Sevilla Apr 28 '17 at 17:09icheck, so exactly the same three files as before. I doubt they are very wrong; when the disk started acting weird I run a few GParted checks and one of the files that was problematic is in my list of three. – David Sevilla Apr 28 '17 at 17:10hexdumpby default "compresses" identical lines by showing only an excerpt. If yougrep, be careful on what you are filtering. :) – Andrea Lazzarotto Apr 28 '17 at 22:10dd if=image_file_or_device bs=512 count=1 skip=position_in_bytes | hexdump -Cto check for contents of (bad) blocks, position in decimal. It's entirely possible a block with inodes is damaged, possibly resulting in block not found foricheck. One need to read up on the exact layout of the filesystem, and compare with the bad sectors. – dirkt Apr 29 '17 at 06:32hexdump -vto one of the files and indeed there are large chunks of zeros. So those three files are damaged for sure. Next I will try to find out about the damaged inode block thing. – David Sevilla Apr 29 '17 at 09:09