Быстрое восстановление загрузчика grub в ubuntu
Содержание:
Recover Grub
If you install some other system, or change drives and lose your Grub bootloader. For more information please have a look at the Grub page.
- Boot the Ubuntu Live CD.
-
Press Ctrl-Alt-F1
- Find the partition where your /boot directory is (normally the root partition) check the previous tip for that.
-
sudo mount /dev/sda1 /mnt
-
sudo chroot /mnt
-
grub
-
find /boot/grub/stage1 (will output a partition name like (hd0,3) )
-
root (hd0,3)
-
setup (hd0)
-
quit
- Now restart the system and remove the Live CD
The GUI Way: Reinstalling Grub
- Boot your computer with the Ubuntu CD
- Go through the installation process until you reach » Disk Partition»
- Select Manual Partition
- Mount your appropriate linux partions:
- /boot
- swap
- …
-
DO NOT FORMAT THEM.
- Finish the manual partition
- Say «Yes» when it asks you to save the changes
- It will give you errors saying that «the system couldn’t install …..» after that
- Ignore them, keep select «continue» until you get back to the Ubuntu installation menu
- Jump to «Install Grub ….»
- Once it is finished, just restart your computer
From: http://doc.gwos.org/index.php/Restore_Grub and http://ubuntuforums.org/showthread.php?t=76652
Finding your root partition
If you created a custom partition layout during the Ubuntu installation, your root partition is probably not /dev/sda1 or /dev/sda1. If you do not know which partition corresponds to your root partition you can use the following procedure to find your root partition. We assume you have booted the live cd and are at the terminal.
-
If you are not using a software raid setup or have setup your partitions using LVM/2 or EVMS your IDE/SATA/SCSI devices should be accessible through the files /dev/hd and /dev/sd. /dev/hda corresponds to the primary master device on your IDE bus, while /dev/sda is your first SCSI/SATA device. If you are using software raid, LVM, LVM2 or EVMS, your devices may be listed in the following directories:
/dev/evms/dm if you are using software raid /dev/evms/lvm if you are using LVM /dev/evms/lvm2 if you are using LVM2 /dev/evms if you are using EVMS
with their device (software raid) or partition name. You can learn more about Linux partitions here: http://tldp.org/HOWTO/Partition
-
Now use the fdisk utility to list the partitions on a device. Let’s assume that you installed Ubuntu to the fist IDE disk. Type the following:
sudo fdisk -l /dev/sda
This will produce some output like this:
Password: Disk /dev/sda: 120.0 GB, 120034123776 bytes 16 heads, 63 sectors/track, 232581 cylinders Units = cylinders of 1008 * 512 = 516096 bytes Device Boot Start End Blocks Id System /dev/sda1 * 1 13206 6655792+ 7 HPFS/NTFS /dev/sda2 13207 232581 110565000 5 Extended /dev/sda5 228706 232484 1904616 82 Linux swap / Solaris /dev/sda6 13207 228705 108611464+ 83 Linux /dev/sda7 232485 232581 48856+ 83 Linux Partition table entries are not in disk order
That means you have two standard Linux partitions on your disk: /dev/sda6 and /dev/sda7. You can now try to mount them and see if your Ubuntu installation is there. In this case /dev/sda7 is probably not the root partition, because it is only about 50MiB in size (see the Blocks column). Therefore we mount /dev/sda6:
sudo mount /dev/sda6 /mnt
Now show the files on the partition:
ls /mnt
If this command shows something like:
bin dev home media proc sbin tmp var boot etc lib opt root sys usr
it is a partition holding a Linux distribution. You can check if it really is Ubuntu (if you have multiple linux installations on your disk) using the following command:
cat /mnt/etc/lsb-release
That will give you some information about the distribution (if this file does not exist, it is probably not Ubuntu). If it is the wrong partition, just unmount it: sudo umount /mnt and try another partition on the same disk or choose a different partition on another disk (using fdisk as before).
Lost Password
Here is how you can use the Live CD to change the administrative password on your machine if you have lost/forgot the current password. Please note that you can usually boot into RecoveryMode and run the passwd command directly.
- Boot the Ubuntu Live CD.
-
Press Ctrl-Alt-F1
-
sudo mount /dev/sda1 /mnt
-
If you created a custom partition layout when installing Ubuntu you have to find your root partition using the fdisk utility. See the section Finding your root partition.
-
sudo chroot /mnt
You can now use the passwd command to reset a password.
Note: In the mount command, /dev/sda1 will need to be replaced with the partition where the root of the file system resides.
Update Failure
If there was an update that made your system non-bootable and they have fixed it in the repositories, you can use the Live CD to run apt-get to get the new files to fix your system.
- Boot the Ubuntu Live CD.
-
Press Ctrl-Alt-F1
-
sudo mount /dev/sda1 /mnt
-
sudo mount --bind /dev /mnt/dev
-
sudo mount --bind /proc /mnt/proc
-
sudo mount --bind /sys /mnt/sys
-
sudo chroot /mnt
-
apt update
-
apt upgrade
If you have trouble accessing your network after chroot, you probably use DHCP and can work around this by adding OpenDNS name servers to your /etc/resolv.conf after you use chroot:
nameserver 208.67.222.222 nameserver 208.67.220.220
Imaging a damaged device, filesystem or drive
Software choices
There are two different programs for making an image of a damaged device, in preparation for rescuing files. They are confusingly given the same name:
-
GNU ddrescue (packaged as gddrescue, though once installed the command is «ddrescue»)
This is the one you want. This documentation currently only applies to GNU ddrescue.
-
dd_rescue (packaged as ddrescue)
This is an older, slower shell script that needs to be run in combination with another script to do the same thing as the GNU version.
From /usr/share/doc/gnuddrescue/README
GNU ddrescue is a data recovery tool. It copies data from one file or block device (hard disc, cdrom, etc) to another, trying hard to rescue data in case of read errors.
Ddrescue does not truncate the output file if not asked to. So, every time you run it on the same output file, using a logfile, it tries to fill in the gaps.
The basic operation of ddrescue is fully automatic. That is, you don’t have to wait for an error, stop the program, read the log, run it in reverse mode, etc.
If you use the logfile feature of ddrescue, the data is rescued very efficiently (only the needed blocks are read). Also you can interrupt the rescue at any time and resume it later at the same point.
Automatic merging of backups: If you have two or more damaged copies of a file, cdrom, etc, and run ddrescue on all of them, one at a time, with the same output file, you will probably obtain a complete and error-free file. This is so because the probability of having damaged areas at the same places on different input files is very low. Using the logfile, only the needed blocks are read from the second and successive copies.
If the filesystem you are imaging is greater than 4 gigs in size, you will not be able to use an MSDOS (VFAT) filesystem (usually found on USB drives) to store the image, since there is a 4G limit to the maximum size of a file on such filesystems. Use EXT3 or another filesystem that can handle such file sizes.
Use any method to install the following package:
gddrescue
Run gnuddrescue like this:
ddrescue infile outfile
So, if /dev/sda is unreadable, you will need to acquire another disk (or other media) onto which to save the output image. You will need to have more room on the new media than on the failed disk.
sudo ddrescue -r 3 /dev/sda /media/usbdrive/image /media/usbdrive/logfile
Run successive passes like this:
sudo ddrescue -r 3 -C /dev/sda /media/usbdrive/image /media/usbdrive/logfile
and gnuddrescue will use the log file to only read the gaps with errors. In both cases, the -r option determines the number of times gddrescue will try to read when it encounters an error (-1 = infinity).
From Forensics Wiki:
First you copy as much data as possible, without retrying or splitting sectors:
ddrescue —no-split /dev/hda1 imagefile logfile
Now let it retry previous errors 3 times, using uncached reads:
ddrescue —direct —max-retries=3 /dev/hda1 imagefile logfile
If that fails you can try again but retrimmed, so it tries to reread full sectors:
ddrescue —direct —retrim —max-retries=3 /dev/hda1 imagefile logfile
Other examples:
These two examples are taken directly from the ddrescue info pages.
Example 1: Rescue an ext2 partition in /dev/hda2 to /dev/hdb2
ddrescue -r3 /dev/hda2 /dev/hdb2 logfile e2fsck -v -f /dev/hdb2 mount -t ext2 -o ro /dev/hdb2 /mnt
Example 2: Rescue a CD-ROM in /dev/cdrom
ddrescue -b 2048 /dev/cdrom cdimage logfile
write cdimage to a blank CD-ROM
Ran out of space while imaging the drive?
Using Gnu ddrescue with a log file, you can continue imaging to another drive and then span the images. In this example, you have imaged some of the drive to a file on one drive, and the rest of the drive to a file on another drive. Here is how you put the pieces together:
sudo losetup /dev/loop1 /media/Drive1/image sudo losetup /dev/loop2 /media/Drive2/image sudo mdadm -B /dev/md0 -l linear -n 2 /dev/loop1 /dev/loop2
Your complete image fill be found at /dev/md0.
And then to take the array down:
sudo mdadm -S /dev/md0 sudo losetup -d /dev/loop1 sudo losetup -d /dev/loop2
An separate disk space concern is that /var/log/kern.log and /var/log/syslog can become extremely large due to frequent I/O errors. For a severely problematic drive, it may be necessary replace these logs with links to /dev/null during use of ddrescue to avoid the / filesystem from becoming full.
Lost Partition
If you made a mistake while partitioning and the partition no longer appears in the partition table, so long as you have not written data in that space, all your data is still there.
GNU Parted
Run Parted from the command line to recover your partition.
When changing the partition table on your hard drive, you must ensure that no partition on the disk is mounted. This includes swap space. The easiest way to accomplish this is to run the live cd. Parted is installed on the base Ubuntu system. Once at the desktop, open a terminal and run_:
sudo swapoff -a
Next run parted and tell it to use the device in question. For example, if your /dev/sda drive is the drive from which you want to recover, run:
sudo parted /dev/sda
Then, use the rescue option:
rescue START END
where Start is the area of the disk where you believe the partition began and END is its end. If parted finds a potential partition, it will ask you if you want to add it to the partition table.
Testdisk
Alternatively, the testdisk application may recover your partition. Use any method to install the testdisk package.
Run testdisk and it will scan your computer for media and offer you a menu-driven way to recover your partition.
sudo testdisk
Gpart
Another program that can scan drives and re-create a partition table based on «guesses» is Gpart. Use any method to install the package gpart.
To scan the first hard disk using default settings type
sudo gpart /dev/sda
or
sudo gpart /dev/hda
depending on your Ubuntu version.
You can restore the «guessed» partition table, only after checking it very carefully (you’re strongly advised to write to another device instead), using
sudo gpart -W /dev/sda /dev/sda
Sleuth Kit and Autopsy
(Obtained the following from http://www.sleuthkit.org/autopsy/desc.php)
The Autopsy Forensic Browser is a graphical interface to the command line digital investigation analysis tools in The Sleuth Kit. Together, they can analyze Windows and UNIX disks and file systems (NTFS, FAT, UFS1/2, Ext2/3).
The Sleuth Kit and Autopsy are both Open Source and run on UNIX platforms. As Autopsy is HTML-based, you can connect to the Autopsy server from any platform using an HTML browser. Autopsy provides a «File Manager»-like interface and shows details about deleted data and file system structures.
Autopsy
Autopsy can be run from the «live» CD, but you must specify an address to which you can connect remotely. You must also specify an external disk on which it can save the extracted information.
For example, assuming you have an external disk mounted to /media/disk with an autopsy folder on it and your IP address is 192.168.0.1, you can run:
sudo autopsy -d /media/disk/autopsy 192.168.0.1
Sleuthkit
Extract unallocated (deleted) blocks from a disk or disk image.
Example:
dls inputimage > outputimage
Use any data carving tool to search the output image for files.
List file and directory names in a forensic image. fls lists the files and directory names in the image and can display file names of recently deleted files for the directory using the given inode. This includes deleted files. If you have imaged your filesystem to a file named «loopfile», you can list the contents by running:
fls loopfile -r -f fat -i raw r/r 3: test (Volume Label Entry) r/r * 5: sample.docx r/r * 7: sample.pptx r/r * 9: sample.xlsx
Copy file by inode. icat opens the named image(s) and copies the file with the specified inode number to standard output.
Example:
fls has shown you the inode number of some files on an image. To recover a file by using th einode number run:
icat -r -f fat -i raw loopfile 5 > sample.docx
sorter — Sort files in an image into categories based on file type. Sorter is a Perl script that analyzes a file system to organize the allocated and unallocated files by file type.
Example: This will sort all the files found in /dev/sdc1 and put image files in a directory named «out»:
sudo sorter -h -s -i raw -f fat -d out -C /usr/share/sleuthkit/windows.sort /dev/sdc1
Here is a description of a script that will pull all files from an image using fls and icat:
Another, similar script which attempts to «rebuild» the filesystem directory structure plus file content:
Cleaning up
from:How to recover lost files after you accidentally wipe your hard drive
Sort certain types of files:
sudo mkdir recovery/VID recovery/JPG find recovery/ -name "*.avi" | xargs -i mv {} recovery/VID/ find recovery/ -name "*.mpg" | xargs -i mv {} recovery/VID/ find recovery/ -name "*.jpg" | xargs -i mv {} recovery/JPG/
Eliminate small photos:
sudo mkdir recovery/SMALL find recovery/JPG/ -name "*.jpg" -size -1024k | xargs -i mv {} recovery/SMALL/
Rename jpegs according to exif data:
find JPG/ -name "*.jpg" | xargs -i jhead -nf%Y%m%d-%H%M%S {}
Then, remove duplicates.
find /var/recovery/JPG/ -name "*a.jpg" | xargs -i mv {} /var/recovery/JPG/DUPS/
Copy files with matching strings:
cd recovery mkdir ../copy/ grep -l "enter the string of text here" *.doc | xargs -i cp {} ../copy/
Extract filesystem from recovered image
Now that the drive has been imaged, you can recover the filesystem from the image. If the filesystem is not recoverable, you can try to recover individual files.
Mounting partitions on the image
If you imaged the whole drive, you can mount the individual partitions on the image by using the «offset» option when mounting a loop filesystem. The Sleuth Kit can help.
Use any method to install the following package:
sleuthkit
mmls can show you the partitions found within an image:
$ mmls file -b DOS Partition Table Offset Sector: 0 Units are in 512-byte sectors Slot Start End Length Size Description 00: ----- 0000000000 0000000000 0000000001 0512B Primary Table (#0) 01: ----- 0000000001 0000000031 0000000031 0015K Unallocated 02: 00:01 0000000032 0001646591 0001646560 0803M DOS FAT16 (0x06) 03: 00:00 0001646592 0002013183 0000366592 0179M DOS FAT16 (0x06)
This shows several partitions. In this example, we want to mount the DOS partition starting at block 32. To calculate the number of bytes, multiply by 512:
$ bc bc 1.06 Copyright 1991-1994, 1997, 1998, 2000 Free Software Foundation, Inc. This is free software with ABSOLUTELY NO WARRANTY. For details type `warranty'. 32 * 512 16384 quit
Mount the partition:
sudo mount -o loop,offset=16384 file mnt
(32 multiplied by 512 byte blocks = 16384)
For mounting a typical NTFS partition created by Windows use:
sudo mount -t ntfs -o r,force,loop,offset=32256 file mnt
(63 multiplied by 512 byte blocks = 32256)
Guidelines
The following software will passively try to recover your data from failed or failing hardware. If your data is not replaceable, do not attempt to write to the failed device if the following applications do not work but seek professional advice instead.
If your device is damaged, it is advisable to image the device and work on the image file for data recovery. (See below.) If hardware failure is not the problem, you can recover data directly from the device.
To recover data from a failed device, you will need another device of equal or greater storage onto which to save your data. If you need to make an image of the failed device, you will need yet another quantity of space. You should run these tools from another OS which resides on another disk or a «live» CD.
An Ubuntu Desktop CD will work fine. If you do not have a lot of ram, or do not have an internet connection on the failed computer, you can use SystemRescueCd, a live cd data recovery toolkit. It includes most of the software mentioned in this page.