Skip site navigation (1)Skip section navigation (2) 
Date:      Sat, 29 Mar 2014 16:13:20 -0700
From:      Paul Beard <paulbeard@gmail.com>
To:        freebsd-questions@freebsd.org
Subject:   hard drive failure: file recovery forensics
Message-ID:  <135FEEC0-894A-466F-B167-580479403E8C@gmail.com>
next in thread | raw e-mail | index | archive | help 
I have a disk I assume is bad, as smartctl tells me it is. The system it =
was the root drive for crashed last night and I don=92t have any =
evidence it was the drive but I=92m working with that assumption.=20

Smartd is logging these:=20
Mar 28 03:04:13 shuttle smartd[2086]: Device: /dev/ad2, 1 Currently =
unreadable (pending) sectors

Smartctl reveals this:=20
  40 51 00 ee 6a d1 e1  Error: UNC at LBA =3D 0x01d16aee =3D 30501614

though no other test (the bad_blocks_scan script, for example) will find =
anything wrong. recoverdisk seems to be able to read that block just =
fine as I used it to clone the drive to a backup to boot from.=20

What I have been looking for is someway to find whatever file is on the =
part of the disk so I can find out what I am going to be missing and to =
verify that smartd knows what it=92s talking about.=20

I have read many HOWTOs on locating that block and from there, getting =
the inode and the file. But none of them get me very far. fsdb doesn=92t =
seem to like what I tell it.=20

bsdlabel gives me this:=20
# /dev/ad2s1:
8 partitions:
#          size     offset    fstype   [fsize bsize bps/cpg]
  a:    1048576          0    4.2BSD        0     0     0
  b:    4126336    1048576      swap                   =20
  c:  976773105          0    unused        0     0     # "raw" part, =
don't edit
  d:   10485760    5174912    4.2BSD        0     0     0
  e:    4194304   15660672    4.2BSD        0     0     0
  f:  956918129   19854976    4.2BSD        0     0     0

=46rom there I take the offset of the slice and the partition to get the =
block relative to the start of the partition:

echo "(30501614 - (19854976 - 63))" | bc=20
10646701

But then I seem to be stuck.=20
fsdb -r /dev/ad2s1f
[=85]
fsdb (inum: 2)> findblk 10646701 [time passes]=20
fsdb (inum: 2)>=20

Is there an extra step I need to take?=20=

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?135FEEC0-894A-466F-B167-580479403E8C>