TestDisk 7.1, Data Recovery Utility, July 2019
Christophe GRENIER <grenier@cgsecurity.org> https://www.cgsecurity.org
Disk /dev/sdb - 4000 GB / 3726 GiB - CHS 486401 255 63
Partition Start End Size in sectors
>P Linux filesys. data 1046287267 1053821026 7533760 [^K~M27n1ҥ %~JMM-7D]
That's not a good sign. It means that testdisk found nothing but the existing partition with unidentifiable content.
If you have the hexedit command available, then rather than fussing with testdisk it's a lot easier just to run "hexedit -s /dev/sdb" (preferably in a window with at least 36 lines so that a complete sector can be shown) and search for the hex string "4C554B53BABE". That's the ASCII characters "LUKS" followed by the hex bytes 0xBA and 0xBE. It would take quite a while to search the whole disk, but if it doesn't find that string in the first few minutes then there is little chance of finding your LUKS header.
Going through the manual I didn't get smarter. Thank you, I thought I maybe didn't understand something.
I'll try hexedit (does it make sense to pipe it through grep?), but now I really want to know what happened, as I am sure a simply accidentally formatted disk wouldn't be such a head scratcher.
Don't try to pipe hexedit output through anything. It's an interactive editor. Just type the "/" key to enter the search function and then enter the string "4c554b53babe" (without the quotes). You want to find that sequence at the start of a sector, which will be a hex address ending in n00, where n is an even number. If it finds that somewhere else, just type "/" and <enter> to continue the search. If your encrypted partition really was the only partition on the disk, that sequence should be found almost immediately.
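A non-interactive version of the search described in the post above, as an added example that is not part of the original thread: it reads a device or image read-only and reports the "4c554b53babe" sequence only where it sits at the start of a sector. Assumptions: 512-byte sectors, the names `scan_luks_magic` and `constructed_image` are made up for this example, and the two bytes after the magic are read as the big-endian version field of the LUKS on-disk header, a detail the thread does not mention.

```python
import struct
import sys
import tempfile

LUKS_MAGIC = bytes.fromhex("4c554b53babe")  # "LUKS" + 0xBA 0xBE, as given in the post
SECTOR = 512            # assumed sector size
CHUNK = SECTOR * 8192   # 4 MiB reads; a multiple of SECTOR, so aligned hits never straddle reads


def scan_luks_magic(path):
    """Yield (byte_offset, version_field) for each magic found at a sector start."""
    base = 0
    with open(path, "rb") as dev:          # read-only: nothing is written to the disk
        while True:
            chunk = dev.read(CHUNK)
            if not chunk:
                break
            idx = chunk.find(LUKS_MAGIC)
            while idx != -1:
                if (base + idx) % SECTOR == 0:    # skip hits in the middle of a sector
                    raw = chunk[idx + 6:idx + 8]  # big-endian version follows the magic
                    yield base + idx, struct.unpack(">H", raw)[0] if len(raw) == 2 else None
                idx = chunk.find(LUKS_MAGIC, idx + 1)
            base += len(chunk)


def constructed_image():
    """Constructed sample: 2048 zeroed sectors with one stray and one aligned magic."""
    img = bytearray(SECTOR * 2048)
    img[SECTOR * 3 + 100:SECTOR * 3 + 106] = LUKS_MAGIC              # mid-sector: not a header
    img[SECTOR * 1024:SECTOR * 1024 + 8] = LUKS_MAGIC + b"\x00\x02"  # sector start, version 2
    return bytes(img)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        target = sys.argv[1]    # a device node or an image file
    else:
        tmp = tempfile.NamedTemporaryFile(suffix=".img", delete=False)
        tmp.write(constructed_image())
        tmp.close()
        target = tmp.name
    for offset, version in scan_luks_magic(target):
        print(f"sector {offset // SECTOR} (offset 0x{offset:x}): LUKS magic, version field {version}")
```

Hits are printed as they are found, so a scan of a large disk can be interrupted once the first sectors have been covered without result.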
Out of luck, it seems
Last edited by Jackson111; 05-11-2024 at 09:38 AM.