Unix & Linux Stack Exchange
Q&A for users of Linux, FreeBSD and other Unix-like operating systems
Latest Questions
1
votes
1
answers
12221
views
extundelete - How to solve 'Block bitmap checksum does not match bitmap when trying to examine filesystem'?
The OS is Ubuntu 17.10 and I've been trying to recover(undelete) with extundelete. (The File System is ext4.) [![enter image description here][1]][1] [1]: https://i.sstatic.net/sBg5w.png This didn't work. So, I tried with extundelete /dev/mapper/ubuntu--vg-root --restore-file /home/chan/origol/route...
The OS is Ubuntu 17.10 and I've been trying to recover (undelete) with extundelete.
(The file system is ext4.)
This didn't work. So, I tried with
extundelete /dev/mapper/ubuntu--vg-root --restore-file /home/chan/origol/routes/user.js
And it worked.
However, I got another problem.
Loading filesystem metadata ... extundelete: Block bitmap checksum does not match bitmap when trying to examine filesystem
I couldn't find any information about it. How can I solve this problem?

Chanjung Kim
(111 rep)
Jul 10, 2018, 05:25 PM
• Last activity: Aug 2, 2025, 11:00 PM
0
votes
0
answers
17
views
How can I Determine CUDA update version based on installed toolkit files?
I've installed some version of the CUDA toolkit to `/usr/local/cuda`. Suppose I don't have access to any information about the system, like activity logs, package management state and such - I'm only inspecting the contents of files in `/usr/local/cuda`.
I want to determine the CUDA release version of this directory, but - I want the update number as well, e.g. I want to distinguish 12.6 update 2 from 12.6 update 0.
Now, if I could download and install back-versions of CUDA, I could achieve this by examining the `nvcc --version` output, since that usually has both a timestamp of the build and an X.Y.Z version string. Unfortunately, the third element of that string is a number different from the update number, e.g. `V12.6.85` for CUDA 12.6 update 3. How do I know that `85` is the fourth value?
What I tried:
* `version.json` has all sorts of version info, but those values again don't have a trivial correspondence to the update number.
* `lib64/*` are a bunch of library files, some with versions, but again - no clear correspondence to the update number
* `include/` - couldn't find something relevant inside the headers, but maybe I wasn't looking in the right place?
einpoklum
(10753 rep)
Dec 19, 2024, 03:44 PM
76
votes
9
answers
318797
views
History of IP addresses that accessed a server via ssh
It has come to my attention that a server of mine has been hacked and infected with a known Chinese botnet.
It was a prototype/testing virtual machine with its own static IP (US address) so no harm was caused (just took me a while to figure it out).
Now I would like to know what IP/s was used for the intrusion to know if the attack originated from China.
Is there a way to view a history of received connections on ssh on the server?
Edit: The system is Linux Debian 7
Dominique
(5465 rep)
Apr 3, 2014, 09:58 PM
• Last activity: Apr 30, 2023, 07:57 PM
23
votes
3
answers
114414
views
How to dump memory image from linux system?
I know to dump memory images in Windows. (eg-dumpit) But I don't know how to dump memory images in Linux.
I want to get memory images in Linux and from Linux to Linux with ssh connection or something.
How can I get in Linux?
bakie
(363 rep)
Mar 14, 2014, 11:50 PM
• Last activity: Mar 21, 2023, 11:02 AM
1
votes
1
answers
1589
views
Recover overwritten CCTV footage from hard drive
I am trying to recover deleted footage from a DVR. I pulled the hdd (Toshiba DT01ABA100v) from the DVR to look at the data in the drive and run carving tools (foremost and scalpel). My problem is that I am unable to mount the hdd. The following are the outputs of some of the commands I tried:
file -s /dev/sdb
/dev/sdb: DOS/MBR boot sector MS-MBR Windows 7 english at offset 0x163 "Invalid partition table" at offset 0x17b "Error loading operating system" at offset 0x19a "Missing operating system", disk signature 0x26a0a7cf
mount /dev/sdb /mnt/recdrive
mount: wrong fs type, bad option, bad superblock on /dev/sdb, missing codepage or helper program, or other error
Is there something I can use to find the file system and be able to mount the hdd?
banad
(111 rep)
Jul 15, 2016, 09:36 AM
• Last activity: Jul 8, 2022, 06:20 PM
1
votes
1
answers
1009
views
LUKS-LVM partition resize problems
I have a concerning adventure while trying to resize (shrink) my LUKS lvm partition. I wanted to shrink my partition so that I can easily copy my system to a new smaller sized drive. Before I started anything I deleted some files from my old disk to make some space available. Afterwards I booted from USB live ubuntu and I used the KDE partition manager to firstly unlock the LUKS partition. Afterwards I had my LVM root partition available and I used the resize option of the KDE partition manager to shrink it. This unfortunately resulted in the same issue as described here:
https://unix.stackexchange.com/questions/565923/either-the-superblock-or-the-partition-table-is-likely-to-be-corrupt-after-pa
And my problems started from a misunderstanding of one of the answers. So what I ended up doing is that I ran the following command:
e2fsck -f /dev/the_unlocked_lvm_root
With the following selection of options:
e2fsck 1.45.5 (07-Jan-2020)
The filesystem size (according to the superblock) is 239771648 blocks
The physical size of the device is 125080576 blocks
Either the superblock or the partition table is likely to be corrupt!
Abort? no
Pass 1: Checking inodes, blocks, and sizes
Error reading block 126877728 (Input/output error) while getting next inode from scan. Ignore error? yes
Force rewrite? yes
I pressed yes some times until I realized that I was not doing what I should. Right now I didn't restart my computer and I didn't do anything more. My question is basically how much damage I did, is the problem recoverable or did I lose all of my data? I am pretty concerned since when I stopped the e2fsck command it stated "Filesystem modified".
Any feedback is appreciated!
VGe0rge
(579 rep)
Jul 16, 2021, 10:31 PM
• Last activity: Jun 5, 2022, 03:37 PM
1
votes
0
answers
293
views
Calculating the block offset
I need to overwrite certain files in a raw disk image without modifying the disk image too much. Ideally, only certain strings should be overwritten, but this will probably not be possible. That is why I am now trying to overwrite the whole block.
Thanks to Sleuthkit I was able to find the inode and the direct blocks of the file. I also know the offset of the volume that contains the partition system in sectors. Is there a way to overwrite all/one blocks with dd? I think it should be quite easy if I could calculate the block offset?
Thank you very much
unrealwombat
(11 rep)
Apr 7, 2022, 04:20 PM
0
votes
0
answers
1181
views
Searching strings in raw disk image
I am currently writing a tool that should scan a **readonly** raw disk image for a given pattern.
The task is to get the byte offset of the match.
I am able to find simple text documents with `grep -a -o -b -iE PATTERN IMAGE`, but I cannot find a way to search through Excel, PDFs and Word documents.
I know that _grep_ is not suitable for this task. Is there another tool I can use?
unrealwombat
(11 rep)
Feb 25, 2022, 01:03 PM
• Last activity: Mar 18, 2022, 03:58 PM
2
votes
1
answers
677
views
Tracing actions by user on a shared SSH key access
Imagine we have a shared ssh key/(username & password) between two users. We call them Bob and Alice.
Bob has connected to the server and has executed some chain of commands that led to the deletion of some critical data on that host.
Alice also connected to the same host, using the same shared credential just to run some updates.
Although we have the sshd auth logs (/var/log/auth.log) and know that both users were connected during the incident, is there a way to distinguish which user (connection, as they contain the user's IP) was responsible for the chain of actions?
A.R.H
(121 rep)
Sep 15, 2021, 10:06 PM
• Last activity: Sep 16, 2021, 06:18 AM
0
votes
1
answers
143
views
RabbitMQ, SCP in Linux dropping connections
In GNU/Linux I have an issue with an application I have made.
It works in my development environment, most of the components running in dockers or natively, but it randomly (often, but not always) fails in the server environment where it needs to be deployed.
Infrastructure:
[App in Ubuntu Server 20.04 host-1] [router+firewall] [Ubuntu Server 20.04 host-2]
Both servers seem to have enough resources -4 CPUs, 4 GB RAM.
The machine running the app has to connect to a RabbitMQ running in that host2, and both publish (I haven't seen failure here) and subscribe (which tends to fail) in different queues there.
The issue: sometimes it works (there's a router + firewall, but the problem seems not to be there), but many other times, for some reason, both connections randomly fail.
I checked MTU (1500, it works in other deployments), ulimit seems OK, etc. but I am not finding the issue...
Many times Rabbit connections start, but then, eventually, I get Rabbit error messages:
-
AMQPConnector - reporting failure: AMQPConnectorAMQPHandshakeError: ProbableAuthenticationError
[..]("ConnectionClosedByBroker: (403) 'ACCESS_REFUSED - Login was refused using authentication mechanism PLAIN. For details see the broker logfile.'"
Which is not true, as the credentials I am 100% sure are OK, in fact, they work sometimes.
The connection is retried, but no success.
From Rabbit logs:
[info] Closing all channels from connection 'xxx.yyy.zzz.kkk:41426 -> yyy.zzz.kkk.zzz:5672' because it has been closed
[info] accepting AMQP connection (xxx.yyy.zzz.kkk:41430 -> yyy.zzz.kkk.zzz:5672)
[error] Error on AMQP connection (xxx.yyy.zzz.kkk:41430 -> yyy.zzz.kkk.zzz:5672, state: starting): PLAIN login refused: user 'someuser' - invalid credentials
I tried with a heartbeat of 500 and 90, and a blocked connection timeout of 300...
For me, it seems that the heartbeats are not being received sometimes.
I am pretty lost, I imagine it could be a performance or network issue, as in other controlled environments this works, so, what could I check?
xCovelus
(238 rep)
Sep 8, 2021, 09:11 PM
• Last activity: Sep 13, 2021, 09:57 AM
5
votes
1
answers
4867
views
What is the difference between dd_rescue and ddrescue, when to prefer which one?
There are two similar tools for a dd on bad hardware:
* Kurt Garloff's [dd_rescue][1]
* GNU [ddrescue][2]

**What is the difference between dd_rescue and ddrescue, when to prefer which one?**

[1]: http://www.garloff.de/kurt/linux/ddrescue/
[2]: https://www.gnu.org/software/ddrescue/ddrescue.html
Jonas Stein
(4298 rep)
Nov 23, 2017, 11:11 PM
• Last activity: Aug 31, 2021, 01:13 PM
1
votes
1
answers
9578
views
Fix/Repair Can't find a SQUASHFS superblock
I have an old filesystem backup that I made and compressed into a squashfs. It was stored on an ext4 filesystem, and I suspect it suffered from some bitrot. I don't have a backup of the file. Is there any way I might be able to rescue this squashfs archive?
$ unsquashfs olddrive.sfs
Can't find a SQUASHFS superblock on olddrive.sfs
Edit: Adding Info
$ file olddrive.sfs
olddrive.sfs: data
$ sudo mount -t squashfs -o ro olddrive.sfs /tmp/sq
mount: /tmp/sq: wrong fs type, bad option, bad superblock on /dev/loop10, missing codepage or helper program, or other error.
Edit: Interestingly, running hexdump on the file shows that it starts entirely with zeros. Perhaps reading the file from disk had some bad sectors, and they were replaced with zeros?
0000000 0000 0000 0000 0000 0000 0000 0000 0000
*
0000060 8008 0000 0010 0008 0000 37fd 587a 005a
0000070 0100 2269 36de c003 ffa5 8003 4080 0121
0000080 0010 e48c b888 59ef efe8 5dfe 7500 0d80
0000090 8c81 25e2 b847 a0cc 766a b649 c919 3768
Conclusion:
I tried copying (overwriting) several bytes from the head of another good squashfs to the corrupted one, but with no luck. It appears I had 96 zeroed bytes at the head of my corrupted squashfs. There seems to be no redundant data for the superblock, and therefore if it is destroyed, then the archive is lost. If there were only a couple bytes damaged, then the solution by user K-att- may have fixed the problem.
For anyone wishing to prevent such damage/loss, I recommend using `par2` (Parchive). I did not know about `par2` previously, but it can create a small file that is capable of recovering from minimally damaged files (when drive sectors go bad)
Rucent88
(1910 rep)
Aug 2, 2021, 04:56 PM
• Last activity: Aug 13, 2021, 11:27 AM
0
votes
1
answers
120
views
Why does drive image show different start partition free size?
I made an image of /dev/sdc. The free space before the first partition isn't reporting the same byte sizes, but why?
The start position is reported as `1024B` on the drive and `16384B` on the image?
# parted /dev/sdc u b p free
Model: ASMT 2105 (scsi)
Disk /dev/sdc: 500107862016B
Sector size (logical/physical): 512B/512B
Partition Table: msdos
Disk Flags:
Number Start End Size Type File system Flags
1024B 1048575B 1047552B Free Space
1 1048576B 500107862015B 500106813440B primary btrfs
# parted d1/drive1.sdc.img u b p free
Model: (file)
Disk /mnt/4/d1/drive1.sdc.img: 500107862016B
Sector size (logical/physical): 512B/512B
Partition Table: msdos
Disk Flags:
Number Start End Size Type File system Flags
16384B 1048575B 1032192B Free Space
1 1048576B 500107862015B 500106813440B primary btrfs
Edit: I created the image like so
# pv /dev/sdc > d1/drive1.sdc.img
Edit2: After running md5sum on both, they show same hash
# dd if=/dev/sdc | md5sum; pv d1/drive1.sdc.img | md5sum
Rucent88
(1910 rep)
Jul 31, 2021, 07:46 AM
• Last activity: Jul 31, 2021, 07:31 PM
-1
votes
1
answers
2012
views
How to recover accidentally deleted files from RedHat file server
One of my friends accidentally deleted all files (jpg and pdf) from the file server by using the `rm -rf` command. Is there a way to recover those files with actual file names?
Key points -
1. there are no backups to restore
2. partition format is ext4

We tried the following solutions.
1. `testdisk` - recovered few files only (with actual file name)
2. `photorec` - recovered lots of files with useless .txt files (without actual file names)
3. foremost - recovered pdfs and jpgs without file names
KMS
(1 rep)
Jul 14, 2021, 02:17 PM
• Last activity: Jul 15, 2021, 02:44 PM
1
votes
1
answers
705
views
full read-only mount setting for BTRFS
I need to mount a BTRFS partition in 100% read-only mode, i.e. no hidden writes onto the disk whatsoever. The "ro" setting is not enough.
I tried some settings. The settings "ro,nologreplay" don't stop the writes.
Yacov
(21 rep)
Jun 17, 2021, 08:50 AM
• Last activity: Jun 17, 2021, 09:26 AM
0
votes
0
answers
592
views
Recover files from accidentally formatted NTFS dd image by Magic Bytes?
I have a dd image of a partition that once had a Windows 10 NTFS filesystem and then got accidentally formatted (or so I assume) and now has a pretty empty NTFS with only an empty Windows directory on it.
Is it possible to recover at least some files by scanning the binary dump for Magic Bytes?
I tried testdisk, foremost and some other tools without finding *any* file so I'm wondering if NTFS somehow works that differently from FAT or ext where the contents can be found even if the filesystem is not readable any more.
lathspell
(755 rep)
Jun 16, 2021, 10:02 PM
0
votes
2
answers
483
views
If files are copied from a first volume to a second volume, will the files stay the same?
When I connect the external hard drives to my computer (with FreeBSD or other Unix systems) and copy files from the first external hard drive to the second hard drive, are the files on the second hard drive the same as the files from the source (first external hard drive)?
I know there is a hash (checksum). I read somewhere that copying from different volumes will result in different files (since they are 2 different volumes).
Only when I copy a file to the same volume, I can guarantee it is the same file.
**What is the recommendation for copying, and will my files stay the same?**
johnf
(1 rep)
May 21, 2021, 01:07 PM
• Last activity: May 22, 2021, 09:09 AM
3
votes
4
answers
1059
views
Find pattern on multiple lines within BIG log files
To investigate within logs, I am trying to find the very first time a vulnerability in a workflow has been exploited.
The pattern is on multiple lines.
The pattern would be
AAAAAAAAA
BBBBBBBBB
CCCCCCCCC
The problem is that `AAAAAAAAA` or `BBBBBBBBB` or `CCCCCCCCC` can be found anywhere individually in the log without showing the vulnerability; it is the exact pattern in this exact order that will help me.
For example `grep -Ei "AAAAAAAAA|BBBBBBBBB|CCCCCCCCC" logfile` does not help me since all the lines with individual occurrence of `AAAAAAAAA` `BBBBBBBBB` `CCCCCCCCC` will be there.
How can I solve this?
Foopz
(31 rep)
Apr 3, 2021, 08:06 PM
• Last activity: Apr 10, 2021, 06:15 AM
2
votes
1
answers
3583
views
How to undelete a file on a btrfs filesystem
Which software and commands are required, to undelete a file on a btrfs filesystem?
Jonas Stein
(4298 rep)
Jan 4, 2018, 03:56 AM
• Last activity: Apr 9, 2021, 04:30 PM
2
votes
2
answers
261
views
Forensic - How to get a docker image without "export" command
For the purpose of a forensic mission, we must get a docker image without using the famous `export` from a docker command.
Does copy and paste of the folder ***/var/lib/docker/containers*** in **another server** allow us to retrieve information **without any corrupted data**?
Thanks.
Duke Nukem
(263 rep)
Mar 28, 2017, 04:25 PM
• Last activity: Feb 24, 2021, 02:26 PM
Showing page 1 of 20 total questions