I accidentally burned an ISO onto the system that was running at the time.

14 replies [Last post]
panties
Offline
Joined: 02/02/2021

As I mentioned in another thread, I burned the Trisquel Live System onto the HDD I was using as the base of my system at the time. And immediately the system became unusable.
Is it possible to rescue/recover the original data from this HDD?
I have experienced a similar situation before and have asked the question here. I can't remember the exact situation now and I can't find the thread now. But Magic Bakana showed me how to rescue data using GParted and I was able to rescue some data, some were broken, some were gone forever. I don't remember if the disk was (full) encrypted or not.
The target of this data rescue is the HDD, which was full disk encrypted.
In the meantime, I am currently trying to rescue the data using GPared. I've just read a few threads of similar users and Testdisk seems to be useful/reliable so I'm going to try that after I run GParted.
My concern is that this HDD is full disk encrypted. Even if I can rescue some files, they should be encrypted, and fortunately I am absolutely sure what the passphrase of the system used on that HDD was, but I don't know if I can decrypt the extracted files individually. Is it possible?
If this is a futile attempt, please tell me so. I should change my mind and get a new system and accounts instead of sticking with the old system or old data or whatever and start over my life from scratch.

Magic Banana

I am a member!

Offline
Joined: 07/24/2010

I may have recommended PhotoRec, provided by the "testdisk" package: https://www.cgsecurity.org/wiki/PhotoRec_Step_By_Step

That said, I do not think it works with encrypted filesystems. After overwroting the partition (rather than only delete it) with an ISO, I fear there is not much you can do but, of course, recovering your latest backup. You regularly backup the user files, don't you?

panties
Offline
Joined: 02/02/2021

> I may have recommended PhotoRec, provided by the "testdisk" package: https://www.cgsecurity.org/wiki/PhotoRec_Step_By_Step

I don't remember... maybe it was GParted. But I may be wrong. This situation first reminded me of the word "fdisk" but it was wrong. Fdisk was useless and while searching the server, I remembered it was GParted. Trisquel repo has no PhotoRec and the terminal suggested to install testdisk instead, so I installed it. Is PhotoRec better than testdisk?

> That said, I do not think it works with encrypted filesystems.

Damn! But I think at least /home partition was encrypted then and I think I must have rescued the files from /home... it wasn't a USB drive, but was a HDD, wasn't it?

Anyway, I will see what happens after running both programs.

> After overwroting the partition (rather than only delete it) with an ISO, I fear there is not much you can do but, of course, recovering your latest backup. You regularly backup the user files, don't you?

I'm not sure what the user files mean but as I told you, yes I did backup, with BackInTime. But the backup file wasn't on the HDD, but only on a USB drive... was it? Anyway the backup file is encrypted and I seem not to be able to remember the passphrase. I should write down passphrases from now on. I got too old to memorize them.

nadebula.1984
Offline
Joined: 05/01/2018

testdisk is used for partition table recovery whereas photorec is used for file scanning. Generally, you'd like to first try testdisk to see whether the partition structure is recoverable. If not, then try photorec.

However, whether you could successfully recover your data depends on more factors such as full disk encryption (FDE) and logical volume management (LVM). If you wiped out an FDE disk and don't have a copy of LUKS header backup, then you needn't to try anything, just bid farewell to all your data and accept it peacefully.

panties
Offline
Joined: 02/02/2021

> If you wiped out an FDE disk and don't have a copy of LUKS header backup, then you needn't to try anything, just bid farewell

I created a start-up disk (Trisquel live system USB) on the FDEed HDD. I am not sure if that is "wiped out" or not. I think "overwritten" is more accurate, but it could indeed be wiped out, since the installer must have been written after the wipeout all my data. I think Trisquel should warn if it is going to overwrite the base system which itself depends.

amenex
Offline
Joined: 01/04/2015

As long as user data is kept out of the operating system files, then rescuing one's system
is just a matter of reinstalling the operating system. That's one reason why I'm not a fan
of leaving the outputs of applications (like icedove) in the /home folder.

panties
Offline
Joined: 02/02/2021

If you view the hidden files in your home folder, you will see several files starting with "." such as .cache, .icedove, .gnupg, etc. There are also several documents beginning with ".".
Are these what you call user files?
As mentioned in the other thread, I've had experiences where backing up a home folder and replacing it with the untouched home folder on a fresh installed system didn't work, which is why I've never been able to back a Trisquel system up.

Magic Banana

I am a member!

Offline
Joined: 07/24/2010

What I call "user files" is essentially everything but system files, which can be reinstalled. For most users, everything under /home.

panties
Offline
Joined: 02/02/2021

I'm not sure what you mean, but does it mean that I should make a separate backup for Icedove (including GPG), but not for other data (including system files)?
I really don't understand. DDG search "linux system file" hits only explains what about the Linux file system.
For example, under / on my current system, I have the following files:

bin
boot
dev
etc
home
lib
lib64
media
mnt
opt
proc
root
run
sbin
srv
sys
tmp
usr
var
initrd.img
initrd.img.old
vmlinuz
vmlinuz.old

Do you mean that everything in this list except home is system files?
If so, replacing old /home with new /home should be work.

Magic Banana

I am a member!

Offline
Joined: 07/24/2010

Regularly backup /home (and, if you change system configuration, /etc). The rest can be reinstalled.

panties
Offline
Joined: 02/02/2021

What do you mean by system configuration? Such as system language or Mate Tweak or brightness of the screen?

Magic Banana

I am a member!

Offline
Joined: 07/24/2010

I mean configuration files in /etc, that affect the whole system, not an individual user. For instance, you may enable GRUB's recovery mode menu entries by editing /etc/default/grub, what requires administration privileges, because it is a system file. On the contrary, whatever you do in MATE Tweak does not require any administration privileges because it only affects your own configuration (not that of the remaining users, if there are any), which is hidden in your home folder (typically in ~/.config).

panties
Offline
Joined: 02/02/2021

I don't understand why you need to hide it in my folder.

Even though I have several backup sources this time, too bad I can't get my data back.

Magic Banana

I am a member!

Offline
Joined: 07/24/2010

It is in your home folder because it is your own configuration: every user can choose a different one. It is hidden so that the files you actually work on are not lost in the crowd: open your home folder with your favorite file manager, display the hidden files (Ctrl+H should do it) and see. Also, ~/.config is typically a folder you do not want to accidentally delete: hiding helps.

panties
Offline
Joined: 02/02/2021

I remembered one of those passwords!
I think I'll hide the password in my home folder as you advised so I don't forget it. Thank you :M
I'm glad that there was data which is quite precious than I thought.