Yesterday I discovered a 400G hard drive in a swappable drive bay I was giving away. This kind of occurrence is more common than I like to admit - I have spare hardware sitting around the place, and sometimes people give me their old hardware to tinker with. The question of the day is, how do I find out what's on that drive? The obvious answer is "mount the drive and look at the files," but when it was hooked up to a computer, the computer never offered to mount any partitions. So what's going on?
First test:
# blkid
/dev/sda1: LABEL="System" UUID="5CE8A02BEAA9146C" TYPE="ntfs" PARTUUID="62f3aa9d-01"
/dev/sda2: LABEL="S3A9943D112" UUID="B41CC0A31DDF5EDD" TYPE="ntfs" PARTUUID="62f3aa9d-02"
/dev/sda3: LABEL="HDDRECOVERY" UUID="50BCF591BCF5A2D0" TYPE="ntfs" PARTUUID="62f3aa9d-03"
/dev/sda6: UUID="101d4c7b-9f9b-4f78-85f6-3be3b2afe6ef" TYPE="ext4" PARTUUID="62f3aa9d-06"
/dev/sda7: UUID="e254a40f-4cec-43d5-0d7d-9d937960af4f" TYPE="ext4" PARTUUID="62f3aa9d-07"
/dev/sda9: UUID="bcb65d9b-a28f-43c8-a827-6e496aa673b3" TYPE="crypto_LUKS" PARTUUID="62f3aa9d-09"
/dev/sda10: UUID="b94bf75b-152d-4b57-cf6f-d4d0fecc1e35" SEC_TYPE="ext2" TYPE="ext3" PARTUUID="62f3aa9d-0a"
/dev/mapper/home_crypt: UUID="7cd9cefc-5e07-50a8-8e02-1c3ccca9eceb" TYPE="ext3"
/dev/block/8:8: LABEL="fedorakde" UUID="6ffdc98d-5fc7-367b-ac20-8121600c0921" TYPE="ext4" PARTUUID="62f3aa9d-08"
/dev/block/8:5: LABEL="swap" UUID="12069a91-95ac-452f-820f-14007af0048f" TYPE="swap" PARTUUID="62f3aa9d-05"
/dev/sda8: LABEL="fedorakde" UUID="6ffdc98d-5fc7-367b-ac20-8121600c0921" TYPE="ext4" PARTUUID="62f3aa9d-08"
/dev/sda5: LABEL="swap" UUID="12069a91-95ac-452f-820f-14007af0048f" TYPE="swap" PARTUUID="62f3aa9d-05"
/dev/sdb1: LABEL="Verbatim32SLOW" UUID="9F44-F43A" TYPE="exfat" PARTUUID="c2073e18-01"
This shows one hard drive (/dev/sda) and one USB stick (/dev/sdb1 aka Verbatim32SLOW). And we have file types for all partitions - note that Verbatim32SLOW is formatted as exfat. (The mystery drive wasn't hooked up to this computer at the time.)
Let's look at the output of dmesg on the computer the mystery drive was attached to:
# dmesg
...
[21950.032332] usb 8-6: new high-speed USB device number 3 using ehci-pci
[21950.168119] usb 8-6: New USB device found, idVendor=152d, idProduct=2338
[21950.168131] usb 8-6: New USB device strings: Mfr=1, Product=2, SerialNumber=5
[21950.168138] usb 8-6: Product: USB to ATA/ATAPI Bridge
[21950.168143] usb 8-6: Manufacturer: JMicron
[21950.168148] usb 8-6: SerialNumber: 152D203380B6
[21950.169842] usb-storage 8-6:1.0: USB Mass Storage device detected
[21950.169999] scsi5 : usb-storage 8-6:1.0
[21951.170179] scsi 5:0:0:0: Direct-Access PQ: 0 ANSI: 2 CCS
[21951.172529] sd 5:0:0:0: Attached scsi generic sg2 type 0
[21951.175969] sd 5:0:0:0: [sdb] Test WP failed, assume Write Enabled
[21951.177015] sd 5:0:0:0: [sdb] Asking for cache data failed
[21951.177021] sd 5:0:0:0: [sdb] Assuming drive cache: write through
[21951.181498] sd 5:0:0:0: [sdb] Attached SCSI disk
...
So the computer detected the drive ... but didn't see any partitions. Another test:
# file -s /dev/sdb
... empty ...
I've lost the output to history, but it definitely involved the word "empty." Presumably this is what a never-formatted drive would look like? I can't test that: I don't have an unformatted drive available. Happily, I doubted this message and attached the mystery drive to another computer (in this case, Fedora 25 - the previous one was Debian jessie), which yielded alarmingly different results, immediately telling me there were two partitions on the drive and offering to mount the one that wasn't swap.
# dmesg
...
[773887.006827] usb 3-4.4: new high-speed USB device number 55 using xhci_hcd
[773887.097714] usb 3-4.4: New USB device found, idVendor=152d, idProduct=2338
[773887.097718] usb 3-4.4: New USB device strings: Mfr=1, Product=2, SerialNumber=5
[773887.097721] usb 3-4.4: Product: USB to ATA/ATAPI Bridge
[773887.097723] usb 3-4.4: Manufacturer: JMicron
[773887.097725] usb 3-4.4: SerialNumber: 222231202103
[773887.099117] usb-storage 3-4.4:1.0: USB Mass Storage device detected
[773887.099425] scsi host7: usb-storage 3-4.4:1.0
[773888.115114] scsi 7:0:0:0: Direct-Access ST340062 0AS C PQ: 0 ANSI: 2 CCS
[773888.116165] sd 7:0:0:0: Attached scsi generic sg3 type 0
[773888.116399] sd 7:0:0:0: [sdc] 781422768 512-byte logical blocks: (400 GB/373 GiB)
[773888.116912] sd 7:0:0:0: [sdc] Write Protect is off
[773888.116917] sd 7:0:0:0: [sdc] Mode Sense: 00 38 00 00
[773888.117398] sd 7:0:0:0: [sdc] Asking for cache data failed
[773888.117405] sd 7:0:0:0: [sdc] Assuming drive cache: write through
[773888.154946] sdc: sdc1 sdc2
[773888.157398] sd 7:0:0:0: [sdc] Attached SCSI disk
...
Note that second last line: "sdc: sdc1 sdc2" showing that it detected two partitions.
# blkid
...
/dev/sdc1: LABEL="ADO1" UUID="1c3a3361-729c-4014-9b93-55a746c05e04" TYPE="ext3" PARTUUID="9754fe87-01"
/dev/sdc2: UUID="38367df9-0a24-4afa-8a0c-4881d7bb162e" TYPE="swap" PARTUUID="9754fe87-02"
# lsblk
...
sdc 8:32 0 372.6G 0 disk
├─sdc2 8:34 0 35.6G 0 part
└─sdc1 8:33 0 337.1G 0 part /run/media/giles/ADO1
On this machine, file yields very different results:
# file -s /dev/sdc
/dev/sdc: DOS/MBR boot sector MS-MBR XP english at offset 0x12c "Invalid
partition table" at offset 0x144 "Error loading operating system" at offset
0x163 "Missing operating system", disk signature 0x9754fe87; partition 1 :
ID=0x83, start-CHS (0x0,1,1), end-CHS (0x3ff,254,63), startsector 63,
706843872 sectors; partition 2 : ID=0x82, start-CHS (0x3ff,254,63), end-CHS
(0x3ff,254,63), startsector 706843935, 74573730 sectors
# file -s /dev/sdc1
/dev/sdc1: Linux rev 1.0 ext3 filesystem data,
UUID=1c3a3361-729c-4014-9b93-55a746c05e04, volume name "ADO1" (needs
journal recovery) (large files)
# file -s /dev/sdc2
/dev/sdc2: Linux/i386 swap file (new style), version 1 (4K pages), size
9321715 pages, no label, UUID=38367df9-0a24-4afa-8a0c-4881d7bb162e
Now when I attach the formerly-mystery drive to the Debian computer, it detects the two partitions and is prepared to mount them - not sure what happened there.
file output for the exfat USB stick:
# file -s /dev/sdb
/dev/sdb: DOS/MBR boot sector MS-MBR XP english at offset 0x12c "Invalid
partition table" at offset 0x144 "Error loading operating system" at offset
0x163 "Missing operating system", disk signature 0xc3072e18; partition 1 :
ID=0x7, start-CHS (0x1,0,1), end-CHS (0x26b,89,26), startsector 8064,
62800000 sectors
# file -s /dev/sdb1
/dev/sdb1: DOS/MBR boot sector
Notice we can't identify the partition type, although it gets us in the neighbourhood.
And here's a weird beast - a PNY USB stick that has the raw device as a partition:
# lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
sdb 8:16 1 119.2G 0 disk
...
# blkid
...
/dev/sdb: LABEL="USB30FD" UUID="13F9-3D5D" TYPE="vfat"
# file -s /dev/sdb
/dev/sdb: DOS/MBR boot sector, code offset 0x5a+2, OEM-ID "MSDOS5.0",
sectors/cluster 64, Media descriptor 0xf8, sectors/track 63, heads 255,
sectors 249999360 (volumes > 32 MB) , FAT (32 bit), sectors/FAT 30511,
serial number 0x13f93d5d, unlabeled
...
[776193.346753] usb 4-1: new SuperSpeed USB device number 19 using xhci_hcd
[776193.359151] usb 4-1: New USB device found, idVendor=154b, idProduct=fa64
[776193.359156] usb 4-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[776193.359158] usb 4-1: Product: USB 3.0 FD
[776193.359160] usb 4-1: Manufacturer: PNY Technologies
[776193.359162] usb 4-1: SerialNumber: IN1311120000000000000001
[776193.360045] usb-storage 4-1:1.0: USB Mass Storage device detected
[776193.360387] scsi host6: usb-storage 4-1:1.0
[776194.390778] scsi 6:0:0:0: Direct-Access PNY USB 3.0 FD 1.00 PQ: 0 ANSI: 6
[776194.391490] sd 6:0:0:0: Attached scsi generic sg2 type 0
[776194.391720] sd 6:0:0:0: [sdb] 249999360 512-byte logical blocks: (128 GB/119 GiB)
[776194.391926] sd 6:0:0:0: [sdb] Write Protect is off
[776194.391930] sd 6:0:0:0: [sdb] Mode Sense: 23 00 00 00
[776194.392097] sd 6:0:0:0: [sdb] Write cache: disabled, read cache: disabled, doesn't support DPO or FUA
[776194.394205] sdb:
[776194.395015] sd 6:0:0:0: [sdb] Attached SCSI removable disk
...
Note an important and unfortunately subtle distinction here: when partitions are detected, we get a line like [773888.154946] sdc: sdc1 sdc2, but this drive has the whole device formatted and we get the line [776194.394205] sdb:, whereas a drive where NOTHING is detected has no such line at all. Not an easy thing to notice.
The more I mess with this, the more it seems advisable to A) look at mystery drives with several tools, and B) if in doubt, attach it to another computer.