Data Recovery: Access Data from fully encrypted Linux Mint System via USB-casing

[lopevi]

My Notebook is broken due to hot coffe incident. Now i got me a new one and i try to recover at least my data from the old, encrypted Linux Mint 16 KDE System. I had a fully encrypted Harddisk / Installation.

I use a USB-casing for SATA drive. Now i try to mount this Harddisk (sdb) / encrypted Partition which i connected via USB on my new Notebook (Linux Mint KDE 18) but it does not relly work:

Code: Select all

phoenix@phoenixzen ~ $ lsblk
NAME           MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINT
sdb              8:16   0 931.5G  0 disk  
├─sdb2           8:18   0   244M  0 part  /media/phoenix/eb0c1d75-7635-4340-9360-ef
├─sdb3           8:19   0 930.8G  0 part  
└─sdb1           8:17   0   512M  0 part  
sda              8:0    0   477G  0 disk  
├─sda2           8:2    0     1K  0 part  
├─sda5           8:5    0 476.5G  0 part  
│ └─sda5_crypt 253:0    0 476.5G  0 crypt 
│   ├─mint--vg-root
│   │          253:1    0 468.6G  0 lvm   /
│   └─mint--vg-swap_1
│              253:2    0   7.9G  0 lvm   [SWAP]
└─sda1           8:1    0   487M  0 part  /boot
phoenix@phoenixzen ~ $ cryptsetup luksOpen /dev/sdb3 Old_Encrypted_Partition
Device /dev/sdb3 doesn't exist or access denied.
phoenix@phoenixzen ~ $ 

How can identify which partition is the encrypted one? sdb is the old disk and i guess the data is in sdb3 because its the biggest partition.

Can anyone help me please?

[WharfRat]

Your linux partition is sda5_crypt.

You have to open the LUKS container first using your disk encrypted password - not your user password.

From the live media sudo /sbin/cryptsetup luksOpen /dev/sda5 sda5_crypt then sudo mount /dev/mapper/mint--vg-root /mnt

Your files will be available in /mnt.

[lopevi]

Thank you for helping me. But i think sda is the new system. sdb is the old Harddisk containing the old system.

I know it might be confusing...

[WharfRat]

If sdb is the old installation then there's no encrypted partition showing.

Can you paste back sudo blkid

[lopevi]

Thank you very much for your help.. much appreceated!

Code: Select all

phoenix@phoenixzen ~ $ sudo blkid
[sudo] password for phoenix: 
/dev/mapper/sda5_crypt: UUID="wWEugq-xEY1-mrAN-SYe3-y5et-KdQe-6vdWPZ" TYPE="LVM2_member"
/dev/mapper/mint--vg-root: UUID="49f77e4c-829a-4f97-8a4b-60a44f7f6ab3" TYPE="ext4"
/dev/sda1: UUID="c2de1c4d-21f5-40b2-a634-4d0a6786912a" TYPE="ext2" PARTUUID="231cb33f-01"
/dev/sda5: UUID="5638c16b-7473-453c-a1c3-c6e951673f48" TYPE="crypto_LUKS" PARTUUID="231cb33f-05"
/dev/mapper/mint--vg-swap_1: UUID="d4075988-da1e-486f-a8dc-5fa079548e51" TYPE="swap"
/dev/sdb1: UUID="18F8-8ABD" TYPE="vfat" PARTUUID="bfa69327-2972-4484-8cdc-d5d579c5f720"
/dev/sdb2: UUID="eb0c1d75-7635-4340-9360-efa0e23067a0" TYPE="ext2" PARTUUID="0d2cdf34-8e1e-4352-8500-c83793c53052"
/dev/sdb3: PARTUUID="72b05f37-fe76-4a1b-b371-92f438b48241"

and

Code: Select all

phoenix@phoenixzen ~ $ sudo blkid
[sudo] phoenix@phoenixzen ~ $ lsblk
NAME                  MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINT
sdb                     8:16   0 931.5G  0 disk  
├─sdb2                  8:18   0   244M  0 part  
├─sdb3                  8:19   0 930.8G  0 part  
└─sdb1                  8:17   0   512M  0 part  
sda                     8:0    0   477G  0 disk  
├─sda2                  8:2    0     1K  0 part  
├─sda5                  8:5    0 476.5G  0 part  
│ └─sda5_crypt        253:0    0 476.5G  0 crypt 
│   ├─mint--vg-root   253:1    0 468.6G  0 lvm   /
│   └─mint--vg-swap_1 253:2    0   7.9G  0 lvm   [SWAP]
└─sda1                  8:1    0   487M  0 part  /boot

I think sdb is the USB Hard Disk there was the old system i know because i plugged in via USB and it was 1TB size.. so the new notebook only has 0.5 TB space.
Do you think there is any chance to get my data out of the encrypted old system?

[WharfRat]

Well, the only partition that's identified as crypto_LUKS is /dev/sda5 and it's most likely your current Mint installation.

Double-check that with df|grep -w /

Since /dev/sdb2 is ext2 that's usually setup as a boot partition when using an LVM setup.

What happens if you try to mount /dev/sdb3 with sudo mount -v /dev/sdb3 /mnt

Also what is returned with ls -lh /dev/mapper

[lopevi]

Thank you very much. Here i tried like you proposed:

[lopevi]

Yes here, now i copied correctly i hope

Code: Select all

phoenix@phoenixzen ~ $ sudo df|grep -w /
/dev/mapper/mint--vg-root 483514912 35782140 423148580   8% /
phoenix@phoenixzen ~ $ sudo mount -v /dev/sdb3 /mnt
mount: wrong fs type, bad option, bad superblock on /dev/sdb3,
       missing codepage or helper program, or other error

       In some cases useful info is found in syslog - try
       dmesg | tail or so.
phoenix@phoenixzen ~ $ ls -lh /dev/mapper
total 0
crw------- 1 root root 10, 236 Apr 25 22:42 control
lrwxrwxrwx 1 root root       7 Apr 25 22:42 mint--vg-root -> ../dm-1
lrwxrwxrwx 1 root root       7 Apr 25 22:42 mint--vg-swap_1 -> ../dm-2
lrwxrwxrwx 1 root root       7 Apr 25 22:42 sda5_crypt -> ../dm-0

[WharfRat]

You made a a mistake with sudo mount -v /dev/sdb3 /mt - it should be sudo mount -v /dev/sdb3 /mnt

It's best to copy and paste

So yes you are running on sda and /dev/mapper shows sda5_crypt

[WharfRat]

I see you fixed it before I posted

What does sudo tune2fs -l /dev/sdb3 show

[lopevi]

many thanks!

Code: Select all

phoenix@phoenixzen ~ $ sudo mount -v /dev/sdb3 /mnt
mount: wrong fs type, bad option, bad superblock on /dev/sdb3,
       missing codepage or helper program, or other error

       In some cases useful info is found in syslog - try
       dmesg | tail or so.

[lopevi]

Code: Select all

phoenix@phoenixzen ~ $ sudo tune2fs -l /dev/sdb3
tune2fs 1.42.13 (17-May-2015)
tune2fs: Bad magic number in super-block while trying to open /dev/sdb3
Couldn't find valid filesystem superblock.

[WharfRat]

That partition is fried.

Trying to recover anything from that partition would be very complicated and time consuming.

The only thing I can suggest is trying debugfs on that partition if you can even access it - it'a a very cryptic file system debugger.

An an example https://www.cs.montana.edu/courses/309/ ... ample.html

Good luck

[lopevi]

Thank you very much. I will definitely check this option you showed me. Because there are some private keys of a bitocin wallet on that specific partition which have not been backuped yet.. so it is worth investing some time into it. I work on linux for 3 years only but have no understanding of anything because i work using browsers only.. again thank you very much!! The good thing: I'm learning some stuff finally

[WharfRat]

Thank you very much. I will definitely check this option you showed me. Because there are some private keys of a bitocin wallet on that specific partition which have not been backuped yet.. so it is worth investing some time into it. I work on linux for 3 years only but have no understanding of anything because i work using browsers only.. again thank you very much!! The good thing: I'm learning some stuff finally

Here is another thing you can try https://ubuntuforums.org/showthread.php?t=1245536

[lopevi]

.. or can yI ask you is there any possibilit open the partition using ecryptfs-utils? I mean the whole disk is encrypted while installing linux mint few years ago. Maybe its another encryption, not LUKS.

.. and does it makes a difference if i try to reboot somehow from this disk, or reboot using a live cd?

[WharfRat]

If you're running Linux on sda then it's not going to make any difference if you run the live media.

LUKS is a Linux standard for disk encryption; It wouldn't use something else.

Did you try fsck with an alternative superblock

[lopevi]

Ok, I am here again. I try to learn more about the linux file system, encryption and more. But its not easy for me i am not familiar using bash, but i try to learn profoundly.

--> It must be the large sdb3 which is the encrypted partition:
https://imgur.com/a/J1Nh0Xa

So you suggest me to do the following:

1. Try to fix the file szstem using fdisk / debugfs?

Code: Select all

phoenix@phoenixzen ~ $ sudo debugfs /dev/sdb3
[sudo] password for phoenix: 
Sorry, try again.
[sudo] password for phoenix: 
debugfs 1.42.13 (17-May-2015)
/dev/sdb3: Bad magic number in super-block while opening filesystem
debugfs:  ls
ls: Filesystem not open
debugfs:  

.. and I tried 2fsck:

Code: Select all

phoenix@phoenixzen ~ $ sudo e2fsck -f /dev/sdb3
e2fsck 1.42.13 (17-May-2015)
ext2fs_open2: Bad magic number in super-block
e2fsck: Superblock invalid, trying backup blocks...
e2fsck: Bad magic number in super-block while trying to open /dev/sdb3

The superblock could not be read or does not describe a valid ext2/ext3/ext4
filesystem.  If the device is valid and it really contains an ext2/ext3/ext4
filesystem (and not swap or ufs or something else), then the superblock
is corrupt, and you might try running e2fsck with an alternate superblock:
    e2fsck -b 8193 <device>
 or
    e2fsck -b 32768 <device>

and now i try e2fsk:

Code: Select all

phoenix@phoenixzen ~ $ sudo e2fsck -f /dev/sdb3
e2fsck 1.42.13 (17-May-2015)
ext2fs_open2: Bad magic number in super-block
e2fsck: Superblock invalid, trying backup blocks...
e2fsck: Bad magic number in super-block while trying to open /dev/sdb3

The superblock could not be read or does not describe a valid ext2/ext3/ext4
filesystem.  If the device is valid and it really contains an ext2/ext3/ext4
filesystem (and not swap or ufs or something else), then the superblock
is corrupt, and you might try running e2fsck with an alternate superblock:
    e2fsck -b 8193 <device>
 or
    e2fsck -b 32768 <device>

phoenix@phoenixzen ~ $ sudo mke2fs -n /dev/sdb3
mke2fs 1.42.13 (17-May-2015)
Creating filesystem with 243996672 4k blocks and 61005824 inodes
Filesystem UUID: ccd2210a-20d0-4442-a0b7-23f353a670af
Superblock backups stored on blocks: 
        32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208, 
        4096000, 7962624, 11239424, 20480000, 23887872, 71663616, 78675968, 
        102400000, 214990848

--> My Idea is now to fix the file system like this:

Code: Select all

# e2fsck -f -b 32768 /dev/sda3

I tried but:

Code: Select all

phoenix@phoenixzen ~ $ sudo e2fsck -f -b 32768 /dev/sdb3
e2fsck 1.42.13 (17-May-2015)
e2fsck: Bad magic number in super-block while trying to open /dev/sdb3

The superblock could not be read or does not describe a valid ext2/ext3/ext4
filesystem.  If the device is valid and it really contains an ext2/ext3/ext4
filesystem (and not swap or ufs or something else), then the superblock
is corrupt, and you might try running e2fsck with an alternate superblock:
    e2fsck -b 8193 <device>
 or
    e2fsck -b 32768 <device>

--> If you have an input that would be highly appreceatet.. I think i dont do a backup due of lack of storage. I just try, cannot get much worse i guess.


2. Restore the system using another superblock?

--> I try to find out anything about the partition (as you said, the sdb3 is probably the encrypted partition)

Code: Select all

phoenix@phoenixzen ~ $ sudo dumpe2fs /dev/sdb3 | grep superblock
dumpe2fs 1.42.13 (17-May-2015)
dumpe2fs: Bad magic number in super-block while trying to open /dev/sdb3
Couldn't find valid filesystem superblock.

I found here an example.. but its difficult for me due lack of understanding of bash and filesystem
https://www.cyberciti.biz/tips/survivin ... lures.html

Do you have maybe an example?

[WharfRat]

After further review of this I think the problem is the LUKS conatiner and not necessarily the filesystem as you have to open the LUKS container first in order to get to the underlying filesystem.

I suspect that you have a corrupt LUKS header.

Does this give any meaningful results sudo cryptsetup -v luksDump /dev/sdb3

[lopevi]

Thank you.

Result:

Code: Select all

phoenix@phoenixzen ~ $ sudo cryptsetup -v luksDump /dev/sdb3
[sudo] password for phoenix: 
Device /dev/sdb3 is not a valid LUKS device.
Command failed with code 22: Device /dev/sdb3 is not a valid LUKS device.