On 2014-07-01 17:36, linuxrecon wrote:
>
> robin_listas;2651900 Wrote:
>>
>> My guess is simply that you created that sdb at the current 2 MB size,
>> and there never was more.
>>
>
> I can say for 100% that this is not the fact but anyway, I understand
> what you’re trying to say.
Well, you see, several LVM creation tools do just that, on purpose.
> Thanks for your help so far. I think I just go for my last backup now
> … it’s a little bit older but as you said, on encrypted devices it is
> nearly impossible to recover data … I think using the backup is the
> much more simpler way
Absolutely.
You see, a data mining recovery tool, such as photorec, recovers files
by looking for patterns. As the filesystem is encrypted, it is
impossible to search on the raw device and find anything at all, because
it is giberish, on purpose.
It is only possible to search for files on the decrypted filesystem, ie,
on “/dev/mapper/crypt/”, and this one is only 2 MB of size. Maybe it was
bigger before, but now it is 2 MB, and there is no way of going beyond.
You can, arbitrarily, recreate the partition to the entire disk, but
unless you get the exact same sector count and placement, it is useless.
If you can place it there, and the manual call to cryptosetup to open an
existing device in there succeeds, then and only then you can attempt
recovery.
As to finding the partition layout… on a traditional mbr disk, sdb5 is
a logical partition. There is a pointer on the previous partition that
says where #5 starts, and #5 has a pointer to #6 if it exists. I guess
that testdisk may scan the entire sector count trying to find the
pattern that says “this is a logical partition first sector” or “this is
the last sector of a partition”. Maybe it get clues from other patterns
on the data. But the data is giberish… because it was encrypted.
Which explains, more or less, why testdisk can not find any bigger
partition, accepting your claim that it was in there.
On a GPT table, the table entries are fixed, and the old one was erased.
I don’t know if it is possible to scan the disk and find a possible old
partition layout.
I hope I managed to explain it somewhat… :-?
If this is at all possible, try “guespart”. I think the actual name is
gpart.
–
Cheers / Saludos,
Carlos E. R.
(from 13.1 x86_64 “Bottle” at Telcontar)