Thank you very much Arno, you've been of great help! Since luks headers are fine, my next step will be to try to modify the partition end information, to make it end where it should and not only 8MB far from the beginning. Luis 2012/1/15 Arno Wagner <arno@xxxxxxxxxxx>: > On Sat, Jan 14, 2012 at 11:46:13PM +0000, Luis P. Mendes wrote: > [...] >> > Good question. Did you do the damage while the LUKS containers >> > were mapped? Otherwise the LUKS headers should have been >> > overwritten. >> The damage was done when I booted the laptop with OpenBSD distro. >> All the partitions of /dev/sda were not mounted, and /dev/sda{1,6,7} >> were also not decrypted. > > Ok. > >> > >> > Lets jdo more tests first. Look at hexdumps of the LUKS-opened >> > devices, e.g. with >> > ?? hd /dev/mapper/<dev> | less >> > or some other hexdump tool. >> > >> > If this all (!) looks random, then decryption did actually not work. >> > If there is some structure in, then this is not a LUKS problem, >> > but normal filesystem damage caused by overwriting. But it depends >> > on the actuall damage. Anything non-random looking means >> > the LUKS mapping is intact. >> >> For /dev/sda6, I found many examples of text, like this: >> # hexdump -C /dev/mapper/encriptado | less >> 0070e030 78 6d 70 70 2d 63 61 70 73 2e 78 6d 6c 00 00 00 |xmpp-caps.xml...| >> 0070e040 1d 40 20 00 14 00 09 01 62 6c 69 73 74 2e 78 6d |.@ .....blist.xm| >> 0070e050 6c 00 00 00 82 89 12 00 14 00 0a 01 73 74 61 74 |l...........stat| >> 0070e060 75 73 2e 78 6d 6c 00 00 c0 83 12 00 14 00 0c 01 |us.xml..???.......| >> 0070e070 61 63 63 6f 75 6e 74 73 2e 78 6d 6c 95 81 12 00 |accounts.xml....| >> 0070e080 10 00 06 01 61 63 63 65 6c 73 00 00 96 81 12 00 |....accels......| >> 0070e090 14 00 0c 02 63 65 72 74 69 66 69 63 61 74 65 73 |....certificates| >> 0070e0a0 b3 83 12 00 14 00 09 01 70 72 65 66 73 2e 78 6d |???.......prefs.xm| >> 0070e0b0 6c 00 00 00 9f 81 12 00 10 00 07 02 73 6d 69 6c |l...........smil| >> 0070e0c0 65 79 73 00 06 a1 12 00 0c 00 04 02 6c 6f 67 73 |eys..???......logs| >> 0070e0d0 5b 40 20 00 0c 00 02 01 69 64 65 65 c9 a1 12 00 |[@ .....idee??..| >> 0070e0e0 14 00 0b 01 70 6f 75 6e 63 65 73 2e 78 6d 6c 00 |....pounces.xml.| >> 0070e0f0 67 40 20 00 10 00 07 01 69 64 2e 70 72 69 76 6d |g@ .....id.privm| >> 0070e100 68 40 20 00 14 00 0a 01 6b 6e 6f 77 6e 5f 6b 65 |h@ .....known_ke| >> 0070e110 79 73 0e 01 40 40 20 00 ec 0e 0e 01 62 6c 69 73 |ys..@@ .???...blis| >> 0070e120 74 2e 78 6d 6c 2e 73 61 76 65 61 76 65 65 12 00 |t.xml.saveavee..| >> 0070e130 d4 0e 0e 01 70 72 65 66 73 2e 78 6d 6c 2e 73 61 |???...prefs.xml.sa| >> 0070e140 76 65 61 76 65 89 12 00 24 89 12 00 b8 0e 0e 01 |veave...$...???...| >> 0070e150 70 72 65 66 73 2e 78 6d 6c 2e 73 61 76 65 00 00 |prefs.xml.save..| >> 0070e160 36 40 20 00 a0 0e 10 01 70 6f 75 6e 63 65 73 2e |6@ .???...pounces.| >> 0070e170 78 6d 6c 2e 73 61 76 65 00 00 00 00 00 00 00 00 |xml.save........| >> 0070e180 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| >> >> For /dev/sda7, I only found recognizable text in some places, like this: >> # hexdump -C /dev/mapper/opt | less >> 00603040 01 40 a3 00 0c 00 02 02 67 61 37 31 01 20 02 00 |.@???.....ga71. ..| >> 00603050 14 00 03 07 62 69 6e 00 0c 00 03 02 62 69 6e 00 |....bin.....bin.| >> 00603060 01 c0 6f 00 20 00 06 02 73 65 64 61 69 74 00 00 |.???o. ...sedait..| >> 00603070 01 60 00 00 10 00 05 07 6c 61 6d 70 70 00 00 00 |.`......lampp...| >> 00603080 02 80 70 00 0c 00 03 02 6e 66 73 00 1e a5 71 00 |..p.....nfs..???q.| >> 00603090 10 00 08 02 6f 70 65 6e 66 69 72 65 29 c0 0b 00 |....openfire)???..| >> 006030a0 30 00 10 02 6d 79 73 71 6c 5f 69 6d 70 6f 72 74 |0...mysql_import| >> 006030b0 61 64 6f 73 01 a0 40 00 18 00 10 02 6d 79 73 71 |ados.???@.....mysq| >> 006030c0 6c 5f 64 61 74 61 62 61 73 65 73 32 05 80 70 00 |l_databases2..p.| >> 006030d0 1c 00 12 02 4f 70 65 6e 50 72 69 6e 74 69 6e 67 |....OpenPrinting| >> 006030e0 2d 53 70 6c 69 58 00 00 01 40 64 00 10 00 07 02 |-SpliX...@d.....| >> >> For /dev/sda1, the one I cannot mount, I cannot find text. But I had >> two virtual machines in this partition and maybe no other files. >> # hexdump -C /dev/mapper/crypt1 | less >> 003a6000 a6 83 00 00 a6 83 01 00 a6 83 02 00 a6 83 03 00 |???...???...???...???...| >> 003a6010 a6 83 04 00 a6 83 0c 00 a6 83 0d 00 a6 83 18 00 |???...???...???...???...| >> 003a6020 a6 83 28 00 a6 83 3e 00 a6 83 79 00 00 00 00 00 |???.(.???.>.???.y.....| >> 003a6030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| >> > > Ok, for all three, this is not a LUKS problem, LUKS header and > at least the keyslots you used are intact. Decrypting anything > but data encrypted with the same key results in random data, i.e. > equally distributed, no patterns. We have clear patterns in all > three, so they get decrypted with the right keys. > > I suspect that OpenBSD wrote stuff somewhere in the encrypted > partitions. > > The further steps are now as you would do on non-encrypted partitions, > but on the /dev/mapper/<somthing> containers. I am sorry, but > I cannot really help here, this never has happened to me so far. > Best guess is to look into what e2fsck and maybe other ext2 recovery > tools can do for you. > > There is also the possibility that the small partitions do create > problems. To check that, use dd to copy the decrypted devices to > files (right size or a bit lather than the original partition), > losetup them and try to mount. Come to think of it, that > would probably also be easiest for anything else from here onwards, > as keeping the decryption layer is not necessary. > > Arno > > > > >> >> Luis >> >> >> >> >> 2012/1/14 Arno Wagner <arno@xxxxxxxxxxx>: >> >> > Hi Luis, >> >> > >> >> > first thing is to check that the LUKS headers are still there: >> >> > >> >> > ??cryptsetup isLuks <device> >> >> > >> >> > If that succeeds, you can still manually map the LUKS containers >> >> > and mount the filesystems inside (best only as "ro", i.e. >> >> > read-only) to get your data off. ??LUKS and the filesystems >> >> > actually do not care about the partitioning (well, the >> >> > filesystems care about it but only on creation). Your >> >> > partitioning is shot to hell though, so after you rescue your >> >> > data, you should at the very least remove sda6/7/8 and recreate >> >> > them (with fsidk or cfsisk). ??This may or may not repair the damage. >> >> > To be on the safe side, I would recommend you to with the whole >> >> > installation and recreate it from backup. >> >> > >> >> > If the isLuks test fails, then there are several options, >> >> > making an image before running testdisk was definitely the >> >> > right thing to do. One option will be to seach the LUKS >> >> > headers and map them with offset (no partitions needed >> >> > for that). >> >> > >> >> > Arno >> >> > >> >> > >> >> > On Sat, Jan 14, 2012 at 08:40:19PM +0000, Luis P. Mendes wrote: >> >> >> Hi, >> >> >> >> >> >> Maybe you can help me on this. >> >> >> >> >> >> My problem started when I booted my laptop with an OpenBSD CD that I >> >> >> was trying to install to a SD card. OpenBSD installer didn't detect my >> >> >> SD card, but went to partition my disk (/dev/sda). >> >> >> I didnt' confirm any change to the partition table of my disk but the >> >> >> installer changed the partition table of /dev/sda and I lost the >> >> >> configuration. >> >> >> As I didn't have a backup for the MBR of /dev/sda, I used testdisk >> >> >> http://www.cgsecurity.org/ and recovered the structure of the disk. >> >> >> >> >> >> Right now, fdisk reports: >> >> >> # fdisk -l /dev/sda >> >> >> >> >> >> Disk /dev/sda: 320.1 GB, 320072933376 bytes >> >> >> 255 heads, 63 sectors/track, 38913 cylinders, total 625142448 sectors >> >> >> Units = sectors of 1 * 512 = 512 bytes >> >> >> Sector size (logical/physical): 512 bytes / 512 bytes >> >> >> I/O size (minimum/optimal): 512 bytes / 512 bytes >> >> >> Disk identifier: 0x4483617d >> >> >> >> >> >> Device Boot Start End Blocks Id System >> >> >> /dev/sda1 63 16064 8001 83 Linux >> >> >> /dev/sda2 * 81915435 112631714 15358140 83 Linux >> >> >> /dev/sda3 112631715 259080254 73224270 f W95 Ext'd (LBA) >> >> >> /dev/sda5 112631778 115700129 1534176 82 Linux swap >> >> >> /dev/sda6 115700193 115716194 8001 83 Linux >> >> >> /dev/sda7 259064253 259080254 8001 83 Linux >> >> >> >> >> >> and cfdisk reports: >> >> >> cfdisk (util-linux 2.19) >> >> >> >> >> >> Disk Drive: /dev/sda >> >> >> Size: 320072933376 bytes, 320.0 GB >> >> >> Heads: 255 Sectors per Track: 63 Cylinders: 38913 >> >> >> >> >> >> Name Flags Part Type FS Type [Label] Size (MB) >> >> >> -------------------------------------------------------------------------- >> >> >> sda1 Primary crypto_LUKS 8.23 >> >> >> Primary Free Space 41932.48 >> >> >> sda2 Boot Primary ext3 15726.74 >> >> >> sda5 Logical Linux swap 1571.03 >> >> >> sda6 Logical crypto_LUKS 8.23 >> >> >> Logical Free Space 73394.18 >> >> >> sda7 Logical crypto_LUKS 8.23 >> >> >> Pri/Log Free Space 187423.85* >> >> >> >> >> >> >> >> >> I can boot the machine (/dev/sda2) but the encrypted partitions are >> >> >> not available: /home (/dev/sda6), /opt (/dev/sda7) and /mnt/cr1 >> >> >> (/dev/sda1). >> >> >> >> >> >> As you can see, for each of the three encrypted partitions, testdisk >> >> >> recovered the partition as having only circa 8MB and left the rest of >> >> >> the original partition as 'Free Space'. >> >> >> >> >> >> What can I do to have each one of these partitions consider all the >> >> >> 'Free Space" next to them as belonging to them? >> >> >> >> >> >> As a note, I did a 'dd' of the whole disk before using testdisk to a file. >> >> >> >> >> >> Luis >> >> >> _______________________________________________ >> >> >> dm-crypt mailing list >> >> >> dm-crypt@xxxxxxxx >> >> >> http://www.saout.de/mailman/listinfo/dm-crypt >> >> >> >> >> > >> >> > -- >> >> > Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno@xxxxxxxxxxx >> >> > GnuPG: ??ID: 1E25338F ??FP: 0C30 5782 9D93 F785 E79C ??0296 797F 6B50 1E25 338F >> >> > ---- >> >> > One of the painful things about our time is that those who feel certainty >> >> > are stupid, and those with any imagination and understanding are filled >> >> > with doubt and indecision. -- Bertrand Russell >> >> > _______________________________________________ >> >> > dm-crypt mailing list >> >> > dm-crypt@xxxxxxxx >> >> > http://www.saout.de/mailman/listinfo/dm-crypt >> >> _______________________________________________ >> >> dm-crypt mailing list >> >> dm-crypt@xxxxxxxx >> >> http://www.saout.de/mailman/listinfo/dm-crypt >> > >> > -- >> > Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno@xxxxxxxxxxx >> > GnuPG: ??ID: 1E25338F ??FP: 0C30 5782 9D93 F785 E79C ??0296 797F 6B50 1E25 338F >> > ---- >> > One of the painful things about our time is that those who feel certainty >> > are stupid, and those with any imagination and understanding are filled >> > with doubt and indecision. -- Bertrand Russell >> > _______________________________________________ >> > dm-crypt mailing list >> > dm-crypt@xxxxxxxx >> > http://www.saout.de/mailman/listinfo/dm-crypt >> _______________________________________________ >> dm-crypt mailing list >> dm-crypt@xxxxxxxx >> http://www.saout.de/mailman/listinfo/dm-crypt > > -- > Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno@xxxxxxxxxxx > GnuPG: ID: 1E25338F FP: 0C30 5782 9D93 F785 E79C 0296 797F 6B50 1E25 338F > ---- > One of the painful things about our time is that those who feel certainty > are stupid, and those with any imagination and understanding are filled > with doubt and indecision. -- Bertrand Russell > _______________________________________________ > dm-crypt mailing list > dm-crypt@xxxxxxxx > http://www.saout.de/mailman/listinfo/dm-crypt _______________________________________________ dm-crypt mailing list dm-crypt@xxxxxxxx http://www.saout.de/mailman/listinfo/dm-crypt