schnippy asked:
I’ve got an unresponsive Rackspace slice that has defied all attempts at accessing. I created an emergency image from this and deleted it, downloading the files that compromise the image to a local source. There are a number of files / assets I would still like to recover from this server if possible but not sure exactly what I can do with the image files, if anything.
Here’s the files I have, for what its worth:
emergency_########_######_cloudserver########.tar.gz.0 (5gb)
emergency_########_######_cloudserver########.tar.gz.1 (5gb)
emergency_########_######_cloudserver########.tar.gz.2 (5gb)
emergency_########_######_cloudserver########.tar.gz.3 (50mb)
emergency_########_######_cloudserver########.yml (25kb)
Is it possible to mount this image as a drive? Are there other forensic recovery options?
My answer:
If what you get after putting the .tar.gz back together and unpacking it results in a disk image, then you should be able to recover files from it.
To begin with, for best results you should be working from a Linux system, with plenty of drive space available (50GB or more). I’m not sure if this is even possible with Windows.
First put the file back together:
cat emergency*.tar.gz.* > image.tar.gz
Now unpack it:
tar -zxvf image.tar.gz
What comes next depends on what was in the tarball. Hopefully it’s a single file containing a disk image. In that case, inspect it with:
kpartx -l *imagefile*
(Where imagefile is the name of the disk image file that came out of the tarball.)
You should see what looks like a partition table. If all looks well with the partition table, run:
kpartx -v -a *imagefile*
This will map the partitions in the image to /dev/mapper/loop0p*.
You should then be able to mount these partitions and look at their contents. Remember to mount the filesystems read-only (-o ro) to prevent further damage.
View the full question and any other answers on Server Fault.
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.