-1

I found some info to help me recover an overwritten file. It was overwritten by using rsync in the wrong direction after making a bunch of changes. Following the info I found, I type this to see a lot of entries containing the text of my script:

root@ip-172-31-18-244:/code/sc# grep -a -b "package sc::object::cron::qbo" /dev/xvda1
<snip>
874419155:package sc::object::cron::qbo;
<snip>

After that, the next step is supposed to be as follows, but I am receiving an error:

root@ip-172-31-18-244:~/recover# dd if=/dev/xvda1 count=1 skip=$(expr 874419155  512)
expr: syntax error
dd: invalid number ââ

Can anyone help me accomplish recovery of the file? The file was changed yesterday, I was backing up using rsync and made the critical mistake this morning before starting more work on the script. This is on an Ubuntu 14.04.1 LTS server.

rwfitzy
  • 233
  • 5
  • 16

1 Answers1

1

You can either calculate the location manually by dividing the byte offset from grep by 512, and then using the sector number for dd skip argument.

Or, you can check how to exactly calculate the sector number with the expr tool.

Remember that the dd command line only copies one sector from the offset you specify in skip argument. It cannot copy the complete file, since it has no knowledge on all file block locations.

You might want to use testdisk or similar tool to recover the files.

Tero Kilkanen
  • 36,796
  • 3
  • 41
  • 63
  • Tried to use testdisk and it is saying 'No harddisk found'. This is an AWS instance. I'm trying to go through testdisk docs and see if it is an option. Thanks for any help. – rwfitzy Aug 09 '17 at 13:54
  • I tried your first solution to manually divide the offset and it ran, but the file looks the same. Does dd replace the existing file name? – rwfitzy Aug 09 '17 at 13:59
  • I got testdisk to work by giving passing the partition as an argument and found only one 'red' instance of the file and copied out to find it is the same. – rwfitzy Aug 09 '17 at 14:08
  • I added of= to the dd command and open the file only to find 'Syntax OK' followed by a bunch of '^@^@^@^@^@^@^@^@'. – rwfitzy Aug 09 '17 at 14:54
  • You can specify an output for the file with `of` argument. However, it also can be that the original file contents have been overwritten by rsync, and then the contents cannot be restored. – Tero Kilkanen Aug 09 '17 at 15:33
  • Well, I did add text to the grep command in my op that is specific to the changes I made and it returns a ton of offset entries. Just can't find a way to restore to file successfully. – rwfitzy Aug 09 '17 at 16:10
  • Never mind, I did the same calculation for the last offset reported by the grep command and passed to dd skip. I got a very valuable snippet of the code changes I did. Hopefully, I will be able to piece it together by searching for specific terms in my memory from yesterdays changes. – rwfitzy Aug 09 '17 at 16:16