Quick recovery of the GRUB bootloader in Ubuntu

Recover Grub

Use this procedure if you install some other system, or change drives, and lose your Grub bootloader. For more information please have a look at the Grub page.

  1. Boot the Ubuntu Live CD.
  2. Press Ctrl-Alt-F1

  3. Find the partition where your /boot directory is (normally the root partition); check the previous tip for that.
  4. sudo mount /dev/sda1 /mnt

  5. sudo chroot /mnt

  6. grub

  7. find /boot/grub/stage1 (will output a partition name like (hd0,3) )

  8. root (hd0,3)

  9. setup (hd0)

  10. quit

  11. Now restart the system and remove the Live CD

The GUI Way: Reinstalling Grub

  1. Boot your computer with the Ubuntu CD
  2. Go through the installation process until you reach «Disk Partition»
  3. Select Manual Partition
  4. Mount your appropriate Linux partitions:
    • /boot
    • swap
  5. DO NOT FORMAT THEM.

  6. Finish the manual partition
  7. Say «Yes» when it asks you to save the changes
  8. It will give you errors saying that «the system couldn’t install …..» after that
  9. Ignore them, keep selecting «continue» until you get back to the Ubuntu installation menu
  10. Jump to «Install Grub ….»
  11. Once it is finished, just restart your computer

From: http://doc.gwos.org/index.php/Restore_Grub and http://ubuntuforums.org/showthread.php?t=76652

Finding your root partition

If you created a custom partition layout during the Ubuntu installation, your root partition is probably not /dev/sda1. If you do not know which partition corresponds to your root partition, you can use the following procedure to find it. We assume you have booted the Live CD and are at the terminal.

  1. If you are not using software RAID and have not set up your partitions with LVM, LVM2 or EVMS, your IDE/SATA/SCSI devices should be accessible through the files /dev/hd* and /dev/sd*. /dev/hda corresponds to the primary master device on your IDE bus, while /dev/sda is your first SCSI/SATA device. If you are using software RAID, LVM, LVM2 or EVMS, your devices may be listed in the following directories:

    /dev/evms/dm     if you are using software raid
    /dev/evms/lvm    if you are using LVM
    /dev/evms/lvm2   if you are using LVM2
    /dev/evms        if you are using EVMS

    with their device (software raid) or partition name. You can learn more about Linux partitions here: http://tldp.org/HOWTO/Partition

  2. Now use the fdisk utility to list the partitions on a device. Let’s assume that you installed Ubuntu to the first IDE disk. Type the following:

    sudo fdisk -l /dev/sda

This will produce some output like this:

Password:

Disk /dev/sda: 120.0 GB, 120034123776 bytes
16 heads, 63 sectors/track, 232581 cylinders
Units = cylinders of 1008 * 512 = 516096 bytes

   Device Boot      Start         End      Blocks   Id  System
/dev/sda1   *           1       13206     6655792+   7  HPFS/NTFS
/dev/sda2           13207      232581   110565000    5  Extended
/dev/sda5          228706      232484     1904616   82  Linux swap / Solaris
/dev/sda6           13207      228705   108611464+  83  Linux
/dev/sda7          232485      232581       48856+  83  Linux

Partition table entries are not in disk order

That means you have two standard Linux partitions on your disk: /dev/sda6 and /dev/sda7. You can now try to mount them and see if your Ubuntu installation is there. In this case /dev/sda7 is probably not the root partition, because it is only about 50MiB in size (see the Blocks column). Therefore we mount /dev/sda6:

sudo mount /dev/sda6 /mnt

Now show the files on the partition:

ls /mnt

If this command shows something like:

bin     dev      home      media     proc      sbin     tmp     var
boot    etc      lib       opt       root      sys      usr

it is a partition holding a Linux distribution. You can check if it really is Ubuntu (if you have multiple linux installations on your disk) using the following command:

cat /mnt/etc/lsb-release

That will give you some information about the distribution (if this file does not exist, it is probably not Ubuntu). If it is the wrong partition, just unmount it: sudo umount /mnt and try another partition on the same disk or choose a different partition on another disk (using fdisk as before).

Lost Password

Here is how you can use the Live CD to change the administrative password on your machine if you have lost or forgotten the current password. Please note that you can usually boot into RecoveryMode and run the passwd command directly.

  1. Boot the Ubuntu Live CD.
  2. Press Ctrl-Alt-F1

  3. sudo mount /dev/sda1 /mnt

  4. If you created a custom partition layout when installing Ubuntu you have to find your root partition using the fdisk utility. See the section Finding your root partition.

  5. sudo chroot /mnt

You can now use the passwd command to reset a password.

Note: In the mount command, /dev/sda1 will need to be replaced with the partition where the root of the file system resides.

Update Failure

If there was an update that made your system non-bootable and they have fixed it in the repositories, you can use the Live CD to run apt-get to get the new files to fix your system.

  1. Boot the Ubuntu Live CD.
  2. Press Ctrl-Alt-F1

  3. sudo mount /dev/sda1 /mnt

  4. sudo mount --bind /dev /mnt/dev

  5. sudo mount --bind /proc /mnt/proc

  6. sudo mount --bind /sys /mnt/sys

  7. sudo chroot /mnt

  8. apt update

  9. apt upgrade

If you have trouble accessing your network after chroot, you probably use DHCP and can work around this by adding OpenDNS name servers to your /etc/resolv.conf after you use chroot:

nameserver 208.67.222.222
nameserver 208.67.220.220

Imaging a damaged device, filesystem or drive

Software choices

There are two different programs for making an image of a damaged device, in preparation for rescuing files. They are confusingly given the same name:

  • GNU ddrescue (packaged as gddrescue, though once installed the command is «ddrescue»)

    This is the one you want. This documentation currently only applies to GNU ddrescue.

  • dd_rescue (packaged as ddrescue)

    This is an older, slower shell script that needs to be run in combination with another script to do the same thing as the GNU version.

From /usr/share/doc/gnuddrescue/README

GNU ddrescue is a data recovery tool. It copies data from one file or block device (hard disc, cdrom, etc) to another, trying hard to rescue data in case of read errors.

Ddrescue does not truncate the output file if not asked to. So, every time you run it on the same output file, using a logfile, it tries to fill in the gaps.

The basic operation of ddrescue is fully automatic. That is, you don’t have to wait for an error, stop the program, read the log, run it in reverse mode, etc.

If you use the logfile feature of ddrescue, the data is rescued very efficiently (only the needed blocks are read). Also you can interrupt the rescue at any time and resume it later at the same point.

Automatic merging of backups: If you have two or more damaged copies of a file, cdrom, etc, and run ddrescue on all of them, one at a time, with the same output file, you will probably obtain a complete and error-free file. This is so because the probability of having damaged areas at the same places on different input files is very low. Using the logfile, only the needed blocks are read from the second and successive copies.

If the filesystem you are imaging is greater than 4 gigs in size, you will not be able to use an MSDOS (VFAT) filesystem (usually found on USB drives) to store the image, since there is a 4G limit to the maximum size of a file on such filesystems. Use EXT3 or another filesystem that can handle such file sizes.

Use any method to install the following package:

gddrescue

Run GNU ddrescue like this:

ddrescue  infile outfile 

So, if /dev/sda is unreadable, you will need to acquire another disk (or other media) onto which to save the output image. You will need to have more room on the new media than on the failed disk.

sudo ddrescue -r 3 /dev/sda /media/usbdrive/image /media/usbdrive/logfile

Run successive passes like this:

sudo ddrescue -r 3 -C /dev/sda /media/usbdrive/image /media/usbdrive/logfile

and GNU ddrescue will use the log file to read only the gaps with errors. In both cases, the -r option sets the number of times ddrescue will retry a read when it encounters an error (-1 = infinity).
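The logfile is plain text, so it can be checked between passes to see how much was rescued and which byte ranges of the image still hold no recovered data. The following is an added example, not part of the original documentation; the function names are hypothetical and the sample logfile is constructed.

```shell
#!/bin/sh
# Constructed sample in GNU ddrescue's logfile (mapfile) layout:
# comment lines, one current-position line, then "pos size status" rows.
sample_mapfile() {
cat <<'EOF'
# Rescue Logfile. Created by GNU ddrescue
# current_pos  current_status
0x00120000     ?
#      pos        size  status
0x00000000  0x00117000  +
0x00117000  0x00000200  -
0x00117200  0x00001000  /
0x00118200  0x00007E00  *
0x00120000  0x00EE0000  ?
EOF
}

# Totals in bytes. "+" = rescued, "-" = bad sector (what -r retries),
# "?", "*" and "/" = areas not yet read down to sector level.
mapfile_summary() {
    rescued=0; bad=0; pending=0
    while read -r pos size status; do
        case "$pos"  in 0x*) ;; *) continue ;; esac   # skip comments and blanks
        case "$size" in 0x*) ;; *) continue ;; esac   # skip the current-position line
        case "$status" in
            '+') rescued=$((rescued + $size)) ;;
            '-') bad=$((bad + $size)) ;;
            *)   pending=$((pending + $size)) ;;
        esac
    done
    echo "rescued=$rescued bad=$bad pending=$pending"
}

# Every area that is not finished, as "status start_byte length_bytes".
# These byte ranges hold no recovered data in the image.
unreadable_ranges() {
    while read -r pos size status; do
        case "$pos"  in 0x*) ;; *) continue ;; esac
        case "$size" in 0x*) ;; *) continue ;; esac
        [ "$status" = "+" ] || printf '%s %s %s\n' "$status" "$(($pos))" "$(($size))"
    done
}

# Usage on a real run: mapfile_summary < /media/usbdrive/logfile
sample_mapfile | mapfile_summary
```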

From Forensics Wiki:

First you copy as much data as possible, without retrying or splitting sectors:

ddrescue --no-split /dev/hda1 imagefile logfile

Now let it retry previous errors 3 times, using uncached reads:

ddrescue --direct --max-retries=3 /dev/hda1 imagefile logfile

If that fails you can try again but retrimmed, so it tries to reread full sectors:

ddrescue --direct --retrim --max-retries=3 /dev/hda1 imagefile logfile

Other examples:

These two examples are taken directly from the ddrescue info pages.

Example 1: Rescue an ext2 partition in /dev/hda2 to /dev/hdb2

ddrescue -r3 /dev/hda2 /dev/hdb2 logfile
e2fsck -v -f /dev/hdb2
mount -t ext2 -o ro /dev/hdb2 /mnt

Example 2: Rescue a CD-ROM in /dev/cdrom

ddrescue -b 2048 /dev/cdrom cdimage logfile 

write cdimage to a blank CD-ROM

Ran out of space while imaging the drive?

Using GNU ddrescue with a log file, you can continue imaging to another drive and then span the images. In this example, you have imaged some of the drive to a file on one drive, and the rest of the drive to a file on another drive. Here is how you put the pieces together:

sudo losetup /dev/loop1 /media/Drive1/image
sudo losetup /dev/loop2 /media/Drive2/image
sudo mdadm -B /dev/md0 -l linear -n 2 /dev/loop1 /dev/loop2

Your complete image will be found at /dev/md0.

And then to take the array down:

sudo mdadm -S /dev/md0
sudo losetup -d /dev/loop1
sudo losetup -d /dev/loop2

A separate disk space concern is that /var/log/kern.log and /var/log/syslog can become extremely large due to frequent I/O errors. For a severely problematic drive, it may be necessary to replace these logs with links to /dev/null during use of ddrescue to keep the / filesystem from becoming full.

Lost Partition

If you made a mistake while partitioning and the partition no longer appears in the partition table, so long as you have not written data in that space, all your data is still there.

GNU Parted

Run Parted from the command line to recover your partition.

When changing the partition table on your hard drive, you must ensure that no partition on the disk is mounted. This includes swap space. The easiest way to accomplish this is to run the Live CD. Parted is installed on the base Ubuntu system. Once at the desktop, open a terminal and run:

sudo swapoff -a

Next run parted and tell it to use the device in question. For example, if your /dev/sda drive is the drive from which you want to recover, run:

sudo parted /dev/sda

Then, use the rescue option:

rescue START END

where START is the area of the disk where you believe the partition began and END is its end. If parted finds a potential partition, it will ask you if you want to add it to the partition table.

Testdisk

Alternatively, the testdisk application may recover your partition. Use any method to install the testdisk package.

Run testdisk and it will scan your computer for media and offer you a menu-driven way to recover your partition.

sudo testdisk

Gpart

Another program that can scan drives and re-create a partition table based on «guesses» is Gpart. Use any method to install the package gpart.

To scan the first hard disk using default settings type

sudo gpart /dev/sda

or

sudo gpart /dev/hda

depending on your Ubuntu version.

You can restore the «guessed» partition table, only after checking it very carefully (you’re strongly advised to write to another device instead), using

sudo gpart -W /dev/sda /dev/sda

Sleuth Kit and Autopsy

(Obtained the following from http://www.sleuthkit.org/autopsy/desc.php)

The Autopsy Forensic Browser is a graphical interface to the command line digital investigation analysis tools in The Sleuth Kit. Together, they can analyze Windows and UNIX disks and file systems (NTFS, FAT, UFS1/2, Ext2/3).

The Sleuth Kit and Autopsy are both Open Source and run on UNIX platforms. As Autopsy is HTML-based, you can connect to the Autopsy server from any platform using an HTML browser. Autopsy provides a «File Manager»-like interface and shows details about deleted data and file system structures.

Autopsy

Autopsy can be run from the «live» CD, but you must specify an address to which you can connect remotely. You must also specify an external disk on which it can save the extracted information.

For example, assuming you have an external disk mounted to /media/disk with an autopsy folder on it and your IP address is 192.168.0.1, you can run:

sudo autopsy -d /media/disk/autopsy 192.168.0.1

Sleuthkit

Extract unallocated (deleted) blocks from a disk or disk image.

Example:

dls inputimage > outputimage

Use any data carving tool to search the output image for files.

List file and directory names in a forensic image. fls lists the files and directory names in the image and can display file names of recently deleted files for the directory using the given inode. This includes deleted files. If you have imaged your filesystem to a file named «loopfile», you can list the contents by running:

fls loopfile -r -f fat -i raw
r/r 3: test (Volume Label Entry)
r/r * 5: sample.docx
r/r * 7: sample.pptx
r/r * 9: sample.xlsx

Copy file by inode. icat opens the named image(s) and copies the file with the specified inode number to standard output.

Example:

fls has shown you the inode number of some files on an image. To recover a file by using the inode number, run:

icat -r -f fat -i raw loopfile 5 > sample.docx

sorter — Sort files in an image into categories based on file type. Sorter is a Perl script that analyzes a file system to organize the allocated and unallocated files by file type.

Example: This will sort all the files found in /dev/sdc1 and put image files in a directory named «out»:

sudo sorter -h -s -i raw -f fat -d out -C /usr/share/sleuthkit/windows.sort /dev/sdc1

Here is a description of a script that will pull all files from an image using fls and icat:

Another, similar script which attempts to «rebuild» the filesystem directory structure plus file content:
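One way to write such a loop, as an added example (it is not either of the scripts referred to above). It rebuilds the directory structure from `fls -r -p` paths and copies content with icat; the function names and the sample fls lines are constructed for illustration, and it assumes fls separates the inode from the name with a tab.

```shell
#!/bin/sh
# Constructed lines in the style of `fls -r -p` output: a tab follows the colon.
sample_fls() {
    printf 'r/r 3:\ttest (Volume Label Entry)\n'
    printf 'r/r * 5:\tsample.docx\n'
    printf 'd/d 7:\tdocs\n'
    printf 'r/r 9:\tdocs/report final.txt\n'
    printf 'r/r * 11(realloc):\tdocs/../../escape.txt\n'
    printf 'v/v 52171:\t$MBR\n'
}

# fls output on stdin -> "inode<TAB>path" for each regular file worth extracting.
fls_to_jobs() {
    awk -F'\t' '{
        n = split($1, m, " ")                 # "r/r", optional "*", "5:"
        type = m[1]; inode = m[n]; name = $2
        sub(/:$/, "", inode); sub(/\(realloc\)$/, "", inode)
        if (type !~ /\/r$/) next              # directories, virtual files
        if (name ~ /\(Volume Label Entry\)$/) next
        # File names come from the image and are untrusted: refuse absolute
        # paths and ".." components so nothing is written outside the output dir.
        if (substr(name, 1, 1) == "/" || index("/" name "/", "/../")) next
        printf "%s\t%s\n", inode, name
    }'
}

# Hypothetical wrapper: $1 = image, $2 = fs type (e.g. fat), $3 = output dir.
extract_all() {
    tab=$(printf '\t')
    fls -r -p -f "$2" -i raw "$1" | fls_to_jobs |
    while IFS="$tab" read -r inode path; do
        mkdir -p "$3/$(dirname "$path")"
        icat -r -f "$2" -i raw "$1" "$inode" > "$3/$path"
    done
}

# Runs only when called as: script IMAGE FSTYPE OUTDIR
if [ "$#" -eq 3 ]; then extract_all "$@"; fi
```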

Cleaning up

From: How to recover lost files after you accidentally wipe your hard drive

Sort certain types of files:

sudo mkdir recovery/VID recovery/JPG

find recovery/ -name "*.avi" | xargs -i mv {} recovery/VID/

find recovery/ -name "*.mpg" | xargs -i mv {} recovery/VID/

find recovery/ -name "*.jpg" | xargs -i mv {} recovery/JPG/ 

Eliminate small photos:

sudo mkdir recovery/SMALL

find recovery/JPG/ -name "*.jpg" -size -1024k | xargs -i mv {} recovery/SMALL/ 

Rename jpegs according to exif data:

find JPG/ -name "*.jpg" | xargs -i jhead  -nf%Y%m%d-%H%M%S {}

Then, remove duplicates.

find /var/recovery/JPG/ -name "*a.jpg" | xargs -i mv {} /var/recovery/JPG/DUPS/

Copy files with matching strings:

cd recovery
mkdir ../copy/
grep -l "enter the string of text here" *.doc | xargs -i cp {} ../copy/

Extract filesystem from recovered image

Now that the drive has been imaged, you can recover the filesystem from the image. If the filesystem is not recoverable, you can try to recover individual files.

Mounting partitions on the image

If you imaged the whole drive, you can mount the individual partitions on the image by using the «offset» option when mounting a loop filesystem. The Sleuth Kit can help.

Use any method to install the following package:

sleuthkit

mmls can show you the partitions found within an image:

$ mmls file -b
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

     Slot    Start        End          Length       Size    Description
00:  -----   0000000000   0000000000   0000000001   0512B   Primary Table (#0)
01:  -----   0000000001   0000000031   0000000031   0015K   Unallocated
02:  00:01   0000000032   0001646591   0001646560   0803M   DOS FAT16 (0x06)
03:  00:00   0001646592   0002013183   0000366592   0179M   DOS FAT16 (0x06)

This shows several partitions. In this example, we want to mount the DOS partition starting at block 32. To calculate the number of bytes, multiply by 512:

$ bc
bc 1.06
Copyright 1991-1994, 1997, 1998, 2000 Free Software Foundation, Inc.
This is free software with ABSOLUTELY NO WARRANTY.
For details type `warranty'. 
32 * 512
16384
quit

Mount the partition:

sudo mount -o loop,offset=16384 file mnt

(32 multiplied by 512 byte blocks = 16384)

For mounting a typical NTFS partition created by Windows use:

sudo mount -t ntfs -o ro,force,loop,offset=32256 file mnt

(63 multiplied by 512 byte blocks = 32256)
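The same offset calculation can be done for every partition at once by parsing the mmls listing. This is an added example, not part of the original documentation: the function names are hypothetical, the image and mount point names (file, mnt) follow the commands above, and the mounts are printed read-only with a sizelimit so each loop device covers only its own partition.

```shell
#!/bin/sh
# The mmls listing shown above, embedded so the example runs offline.
sample_mmls() {
cat <<'EOF'
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

     Slot    Start        End          Length       Size    Description
00:  -----   0000000000   0000000000   0000000001   0512B   Primary Table (#0)
01:  -----   0000000001   0000000031   0000000031   0015K   Unallocated
02:  00:01   0000000032   0001646591   0001646560   0803M   DOS FAT16 (0x06)
03:  00:00   0001646592   0002013183   0000366592   0179M   DOS FAT16 (0x06)
EOF
}

# mmls output on stdin -> "slot offset_bytes length_bytes" per real partition.
# The sector size is read from the "Units are in N-byte sectors" line.
mmls_offsets() {
    awk '
        /^Units are in [0-9]+-byte sectors/ { ssize = $4 + 0 }
        /^[0-9]+:/ && $2 ~ /^[0-9]+:[0-9]+$/ {      # skip table and unallocated rows
            if (!ssize) ssize = 512
            printf "%s %.0f %.0f\n", $2, $3 * ssize, $5 * ssize
        }'
}

# Prints (does not run) one read-only loop mount per partition.
# $1 = image file, $2 = mount point; sizelimit stops the loop device at the
# end of the partition so the next one is not exposed through it.
mount_commands() {
    mmls_offsets | while read -r slot off len; do
        printf 'sudo mount -o ro,loop,offset=%s,sizelimit=%s %s %s\n' \
            "$off" "$len" "$1" "$2"
    done
}

sample_mmls | mount_commands file mnt
```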

Guidelines

The following software will passively try to recover your data from failed or failing hardware. If your data is not replaceable, do not attempt to write to the failed device if the following applications do not work but seek professional advice instead.

If your device is damaged, it is advisable to image the device and work on the image file for data recovery. (See below.) If hardware failure is not the problem, you can recover data directly from the device.

To recover data from a failed device, you will need another device of equal or greater storage onto which to save your data. If you need to make an image of the failed device, you will need yet another quantity of space. You should run these tools from another OS which resides on another disk or a «live» CD.

An Ubuntu Desktop CD will work fine. If you do not have a lot of RAM, or do not have an internet connection on the failed computer, you can use SystemRescueCd, a live CD data recovery toolkit. It includes most of the software mentioned on this page.
