ghell Posted February 20, 2009 Share Posted February 20, 2009 I accidentally deleted an NTFS partition with gparted then, stupidly, tried to recreate it (with gparted) hoping that the files there would reappear, which of course they didn't. I didn't make a backup image with dd but I have been able to scan the drive with various commercial Windows tools and it can still find all of the files, even the system file \$MFT. The problem is that even if I manually copy all of the files out of these tools to a blank hard drive, I can't boot Windows off it as I could before, its just a drive with a bunch of files on it. DiskInternals, for example, scans the drive (taking about 2 hours) and when it is done, shows a list of partitions, with some numbers in the names. I think these numbers may be where the partition starts and I know exactly which one I want to recover (it was supposed to be the only partition on the drive but it also shows some 3mb "Boot" partitions that I have never seen before). However, all it lets me do is recover files to another hard drive rather than restoring the file system that it has found. Is it possible to restore an old partition that has been deleted with dd (or anything else)? I think that all I want to recover is the MBR (if that's all that contains the partition table) and any NTFS data at the start of the disk and all of the files should just reappear after that. Quote Link to comment Share on other sites More sharing options...
beakmyn Posted February 20, 2009 Share Posted February 20, 2009 I accidentally deleted an NTFS partition with gparted then, stupidly, tried to recreate it (with gparted) hoping that the files there would reappear, which of course they didn't. I didn't make a backup image with dd but I have been able to scan the drive with various commercial Windows tools and it can still find all of the files, even the system file \$MFT. The problem is that even if I manually copy all of the files out of these tools to a blank hard drive, I can't boot Windows off it as I could before, its just a drive with a bunch of files on it. DiskInternals, for example, scans the drive (taking about 2 hours) and when it is done, shows a list of partitions, with some numbers in the names. I think these numbers may be where the partition starts and I know exactly which one I want to recover (it was supposed to be the only partition on the drive but it also shows some 3mb "Boot" partitions that I have never seen before). However, all it lets me do is recover files to another hard drive rather than restoring the file system that it has found. Is it possible to restore an old partition that has been deleted with dd (or anything else)? I think that all I want to recover is the MBR (if that's all that contains the partition table) and any NTFS data at the start of the disk and all of the files should just reappear after that. I've had really good luck with using Getdataback NTFS from runtime.org. It's ressurected a few drives. Free to try, pay to recover, it's well worth the license though. Quote Link to comment Share on other sites More sharing options...
Emeryth Posted February 20, 2009 Share Posted February 20, 2009 You should also try Testdisk, which is open source. Also, if you succesfully copied all of the files to another drive, it should be easy to make it bootable by using some windows repair tools. Quote Link to comment Share on other sites More sharing options...
ghell Posted February 20, 2009 Author Share Posted February 20, 2009 Will Getdataback NTFS and Testdisk be able to restore the deleted partition or just recover individual files? (because I can already just recover individual files) I am currently running a deep scan with Testdisk from the latest gparted live CD. Before I started running the deep scan, it only found the new empty partition but now its 31% through the deep scan and nothing new has appeared yet. Also, if you succesfully copied all of the files to another drive, it should be easy to make it bootable by using some windows repair tools. I tried the Vista install DVD's "repair" feature but it wouldn't even detect it as a windows installation, so it wouldn't repair it. I have tried installing a new copy of Vista to a new drive (so that the original is still as untouched as possible) that is the same size and then overwriting that entire installation with the recovered directories (I just used \Users, \Program Files, \Program Files (x86), \ProgramData and \Windows). When I boot off that disk it tells me that the boot loader is damaged, so I repair it with the installation CD and after a reboot, I get up to a login prompt. I type my password and the screen goes black, just showing a cursor. It is fine up to there but then goes back to the login screen. If I type my password again, it says "Logging out", goes black and then back to the login screen again. I don't know if this approach will work in the end but it is the furthest I have got so far. Does anyone know what would be causing it to stop where it is stopping (e.g. if my user does not have permissions to read its own user directory) or how to fix that to get it to at least log in? Quote Link to comment Share on other sites More sharing options...
VaKo Posted February 20, 2009 Share Posted February 20, 2009 FUBAR - Learn what this means and how it applies to your situation. Then reinstall Windows and start again as you have fucked up all the SIDs. Quote Link to comment Share on other sites More sharing options...
ghell Posted February 20, 2009 Author Share Posted February 20, 2009 There's no need for that. I'm only asking for help. If you don't have anything nice (or useful) to say, don't say anything at all. Testdisk did not find the partition correctly in the deep scan. It seemed to find it at first on a backup sector but when I tried to list the files, it only showed one small file. Strangely, even fdisk seems to think that the gparted created NTFS partition is ext (83) at first and when I put a USB pen drive in to get the log file, it thought it was FAT16. Here's the log (it wouldn't let me attach the file itself as a .log, .txt, .log.gz, .zip, etc so sorry about posting it in the big code block): Fri Feb 20 14:58:14 2009 Command line: TestDisk TestDisk 6.9, Data Recovery Utility, February 2008 Christophe GRENIER <grenier@cgsecurity.org> http://www.cgsecurity.org Linux version (ext2fs lib: 1.41.3, ntfs lib: 10:0:0, reiserfs lib: none, ewf lib: none) Hard disk list Disk /dev/sda - 250 GB / 232 GiB - CHS 30401 255 63, sector size=512 - ATA ST3250620AS Disk /dev/sda - 250 GB / 232 GiB - ATA ST3250620AS Partition table type: Intel Analyse Disk /dev/sda - 250 GB / 232 GiB - CHS 30401 255 63 Geometry from i386 MBR: head=255 sector=63 check_part_i386 failed for partition type 83 get_geometry_from_list_part_aux head=255 nbr=2 get_geometry_from_list_part_aux head=8 nbr=1 get_geometry_from_list_part_aux head=16 nbr=1 get_geometry_from_list_part_aux head=32 nbr=1 get_geometry_from_list_part_aux head=64 nbr=1 get_geometry_from_list_part_aux head=128 nbr=1 get_geometry_from_list_part_aux head=240 nbr=1 get_geometry_from_list_part_aux head=255 nbr=2 Current partition structure: No EXT2, JFS, Reiser, cramfs or XFS marker 1 * Linux                    0  1  1 30400 254 63  488392002 1 * Linux                    0  1  1 30400 254 63  488392002 Ask the user for vista mode Computes LBA from CHS for Disk /dev/sda - 250 GB / 232 GiB - CHS 30402 255 63 Allow partial last cylinder : Yes search_vista_part: 1 search_part() Disk /dev/sda - 250 GB / 232 GiB - CHS 30402 255 63 NTFS at 0/1/1 filesystem size          488392002 sectors_per_cluster      8 mft_lcn                  4 mftmirr_lcn              30524500 clusters_per_mft_record  -10 clusters_per_index_record 1   D HPFS - NTFS              0  1  1 30400 254 63  488392002     NTFS, 250 GB / 232 GiB get_geometry_from_list_part_aux head=255 nbr=2 get_geometry_from_list_part_aux head=8 nbr=1 get_geometry_from_list_part_aux head=16 nbr=1 get_geometry_from_list_part_aux head=32 nbr=1 get_geometry_from_list_part_aux head=64 nbr=1 get_geometry_from_list_part_aux head=128 nbr=1 get_geometry_from_list_part_aux head=240 nbr=1 get_geometry_from_list_part_aux head=255 nbr=2 Results   * HPFS - NTFS              0  1  1 30400 254 63  488392002     NTFS, 250 GB / 232 GiB ntfs_device_testdisk_io_ioctl() unimplemented ntfs_ucstoutf8: iconv_open failed dir_partition inode=5   * HPFS - NTFS              0  1  1 30400 254 63  488392002     NTFS, 250 GB / 232 GiB Directory /       5 dr-xr-xr-x    0      0        0 18-Feb-2009 21:00 .       5 dr-xr-xr-x    0      0        0 18-Feb-2009 21:00 .. interface_write() 1 * HPFS - NTFS              0  1  1 30400 254 63  488392002 search_part() Disk /dev/sda - 250 GB / 232 GiB - CHS 30402 255 63 NTFS at 0/1/1 filesystem size          488392002 sectors_per_cluster      8 mft_lcn                  4 mftmirr_lcn              30524500 clusters_per_mft_record  -10 clusters_per_index_record 1   D HPFS - NTFS              0  1  1 30400 254 63  488392002     NTFS, 250 GB / 232 GiB NTFS at 30400/254/63 filesystem size          488392002 sectors_per_cluster      8 mft_lcn                  4 mftmirr_lcn              30524500 clusters_per_mft_record  -10 clusters_per_index_record 1   D HPFS - NTFS              0  1  1 30400 254 63  488392002     NTFS found using backup sector!, 250 GB / 232 GiB NTFS at 30401/42/41 filesystem size          488392704 sectors_per_cluster      8 mft_lcn                  786432 mftmirr_lcn              30524543 clusters_per_mft_record  -10 clusters_per_index_record 1   D HPFS - NTFS              0  32 33 30401  42 41  488392704     NTFS found using backup sector!, 250 GB / 232 GiB get_geometry_from_list_part_aux head=255 nbr=2 get_geometry_from_list_part_aux head=8 nbr=1 get_geometry_from_list_part_aux head=16 nbr=1 get_geometry_from_list_part_aux head=32 nbr=1 get_geometry_from_list_part_aux head=64 nbr=1 get_geometry_from_list_part_aux head=128 nbr=1 get_geometry_from_list_part_aux head=240 nbr=1 get_geometry_from_list_part_aux head=255 nbr=2 Results   D HPFS - NTFS              0  1  1 30400 254 63  488392002     NTFS, 250 GB / 232 GiB   D HPFS - NTFS              0  32 33 30401  42 41  488392704     NTFS found using backup sector!, 250 GB / 232 GiB ntfs_device_testdisk_io_ioctl() unimplemented ntfs_device_testdisk_io_ioctl() unimplemented NTFS filesystem need to be repaired. ntfs_ucstoutf8: iconv_open failed dir_partition inode=5 ntfs_readdir failed   D HPFS - NTFS              0  32 33 30401  42 41  488392704     NTFS found using backup sector!, 250 GB / 232 GiB Directory /       5 dr-xr-xr-x    0      0        0 23-Oct-2007 04:31 .       5 dr-xr-xr-x    0      0        0 23-Oct-2007 04:31 .. 141989 -r--r--r--    0      0      1934  8-Feb-2008 19:31 MPUsbSIn.log ntfs_device_testdisk_io_ioctl() unimplemented ntfs_ucstoutf8: iconv_open failed dir_partition inode=5   D HPFS - NTFS              0  1  1 30400 254 63  488392002     NTFS, 250 GB / 232 GiB Directory /       5 dr-xr-xr-x    0      0        0 18-Feb-2009 21:00 .       5 dr-xr-xr-x    0      0        0 18-Feb-2009 21:00 .. Change partition type:   D HPFS - NTFS              0  32 33 30401  42 41  488392704     NTFS found using backup sector!, 250 GB / 232 GiB Change partition type:   D HPFS - NTFS              0  32 33 30401  42 41  488392704     NTFS found using backup sector!, 250 GB / 232 GiB interface_write() No partition found or selected for recovery simulate write! write_mbr_i386: starting... write_all_log_i386: starting... No extended partition Interface Advanced Geometry from i386 MBR: head=255 sector=63 check_part_i386 failed for partition type 83 get_geometry_from_list_part_aux head=255 nbr=2 get_geometry_from_list_part_aux head=8 nbr=1 get_geometry_from_list_part_aux head=16 nbr=1 get_geometry_from_list_part_aux head=32 nbr=1 get_geometry_from_list_part_aux head=64 nbr=1 get_geometry_from_list_part_aux head=128 nbr=1 get_geometry_from_list_part_aux head=240 nbr=1 get_geometry_from_list_part_aux head=255 nbr=2 1 * Linux                    0  1  1 30400 254 63  488392002 Change partition type: 1 * HPFS - NTFS              0  1  1 30400 254 63  488392002 New options : Dump : No Cylinder boundary : Yes Allow partial last cylinder : Yes Expert mode : No TestDisk exited normally. Quote Link to comment Share on other sites More sharing options...
VaKo Posted February 20, 2009 Share Posted February 20, 2009 What I am saying is that you have managed to foul up the system beyond all hope of repair. You can't just copy over files from another install of windows because of the way windows managed permissions with things called SID's and pretty much every step you have done has made it worse. The correct thing to do would have been recover the partition on the drive and mark it as active again. but this is no longer possible. What you need to do is get your data back, and reinstall the system again, then mark this one up to experience. The disk is probally fine, as is the partition, but the windows install is FUBAR hence this is the correct term. Quote Link to comment Share on other sites More sharing options...
SomethingToChatWith Posted February 20, 2009 Share Posted February 20, 2009 Is this Vista or XP? Recover all of your files onto the partition and set the partition as active. If XP, boot from your XP disk and do a repair install. If Vista, boot from your Vista disk and do startup repair. Quote Link to comment Share on other sites More sharing options...
psydT0ne Posted February 20, 2009 Share Posted February 20, 2009 can this help at all? u may need to put ur hdd into another working pc first...altho there might be a bootable cd version http://www.ptdd.com/rpt.htm Quote Link to comment Share on other sites More sharing options...
VaKo Posted February 20, 2009 Share Posted February 20, 2009 can this help at all? u may need to put ur hdd into another working pc first...altho there might be a bootable cd version http://www.ptdd.com/rpt.htm That should have been the first thing to try. Quote Link to comment Share on other sites More sharing options...
digip Posted February 21, 2009 Share Posted February 21, 2009 Backup the files, reinstall, then restore the files. Quote Link to comment Share on other sites More sharing options...
ghell Posted February 21, 2009 Author Share Posted February 21, 2009 Thanks for the suggestions but I have tried copying all of the recovered files to a new hard drive, setting it as active and running windows repair from the Vista disk (it is Vista). It doesn't show up in the list for the Vista repair DVD so unless there is a command I can run from the repair command prompt, I don't think I can get that to work. I will have a look at the ptdd.com link. What I am saying is that you have managed to foul up the system beyond all hope of repair. You can't just copy over files from another install of windows because of the way windows managed permissions with things called SID's and pretty much every step you have done has made it worse. The correct thing to do would have been recover the partition on the drive and mark it as active again. but this is no longer possible. What you need to do is get your data back, and reinstall the system again, then mark this one up to experience. The disk is probally fine, as is the partition, but the windows install is FUBAR hence this is the correct term. Every step I have done has not made it worse, as I said I am not actually writing anything new to the problematic hard drive. Everything I have done has been using recovered files onto a different hard drive. Permissions would not be an issue if I could just fix the partition table at the start of the disk. I am assuming that when you delete a partition in gparted, all it does is overwrite the partition table so if I can recover that (probably only a few hundred bytes at the start of the disk), all the data should still be there, similar to having a pointer in C. If you delete the pointer, the data is still there even though you can't access it but if you recreate the pointer, you can use it again easily. Quote Link to comment Share on other sites More sharing options...
Sparda Posted February 21, 2009 Share Posted February 21, 2009 Every step I have done has not made it worse, as I said I am not actually writing anything new to the problematic hard drive. Everything I have done has been using recovered files onto a different hard drive. Permissions would not be an issue if I could just fix the partition table at the start of the disk. I am assuming that when you delete a partition in gparted, all it does is overwrite the partition table so if I can recover that (probably only a few hundred bytes at the start of the disk), all the data should still be there, similar to having a pointer in C. If you delete the pointer, the data is still there even though you can't access it but if you recreate the pointer, you can use it again easily. The first thing you did (use gparted to 'recreate' the partition) was the big mistake. The only chance it had of working was if the partition start and end points are the same as they where before, but even then depending on how you deleted the partition, it may be not. What you should have done instead is run testdisk. I'v fouled up in this way before and testdisk has saved me. Still, testdisk left the system unbooable, but that is only a minor problem compared to not having access to the data on the partition. The file permissions would have been an issue. A new install of XP/Vista would have generated new UID's which wouldn't match those on your existing files. Quote Link to comment Share on other sites More sharing options...
VaKo Posted February 21, 2009 Share Posted February 21, 2009 It really is odd to see how much effort people go to recovering their broken OS install when all that really matters is the actual data. A fully setup install of Windows takes but a few hours to setup. Learn from this, and the next time it happens you will know to try and recover the partition, and if that fails just recover your data and reinstall/reimage. A good thing to do would be to setup your new machine the way you want it, then sys-prep and capture an image using DD, Ghost or Imagex (I prefer imagex, but thats because I use it on a daily basis at work). Then, setting up your new computer the next time it breaks will be a simple matter of dumping an image on the disk and re-creating your user account settings. You can automate this step with microsofts user state migration tool which captures your account settings for a wipe-and-load or side-by-side migration. You may well be able to fix this if you spend a week or so playing with the system, but from my point of view I'd rather be doing a million other things than attempting to nail your franken-windows back together. Quote Link to comment Share on other sites More sharing options...
ghell Posted February 22, 2009 Author Share Posted February 22, 2009 The first thing you did (use gparted to 'recreate' the partition) was the big mistake. The only chance it had of working was if the partition start and end points are the same as they where before, but even then depending on how you deleted the partition, it may be not. What you should have done instead is run testdisk. I'v fouled up in this way before and testdisk has saved me. Still, testdisk left the system unbooable, but that is only a minor problem compared to not having access to the data on the partition. It was stupid by my own admission (see first post) but before this thread, I was completely oblivious to testdisk's existence, let alone knowing what it did (the name doesn't really imply anything to do with recovery, I had assumed it was something closer to fsck) so I panicked and set up the partition again with gparted, with exactly the same geometry (as you said) but it didn't work. I expect gparted overwrote part of the filesystem data when I did this, even though I left it on no filesystem when I made the partition. The file permissions would have been an issue. A new install of XP/Vista would have generated new UID's which wouldn't match those on your existing files. They would have been an issue with copying the files over an existing installation but not if I could have just recovered the partition table and any filesystem metadata that probably lives right at the start of the partition. However, I could get up to the login prompt fine by copying recovered files over an existing installation (even getting my screen resolution correct, so it must have loaded my graphics drivers properly from the recovered data). It seems to start logging in but then goes back to the login screen rather than showing a desktop (but it must still be logged in because I can hear it loading away on my hard drive and if I try to log in again, it logs out as if it is switching users). The reason I was (I've all but given up now) trying so hard to get it back to a working partition rather than copying files over was that I had spent 2 years without formatting that Windows installation and I had everything exactly as I wanted. Even though the disk has not been written to since I messed it up, there were a couple of files here and there (roughly 1 in every 1000 files) that had holes in or were missing when I recovered them too. Annoyingly, one of these was also a directory so I couldn't recover anything in that directory (which seems odd to me, as that recovery software will recover deleted files and directories fine so I would have thought that it would be able to see at least the files inside there even if the directory itself had a problem. I also assume that $MFT (which recovered fully) contains the information for the whole file system on that partition, so if the recovery software looked in there, wouldn't it be able to recover everything quickly without having to deep scan for anything else? Quote Link to comment Share on other sites More sharing options...
VaKo Posted February 22, 2009 Share Posted February 22, 2009 Try these tools: http://www.forensicswiki.org/index.php?tit...s:Data_Recovery Your in file carving territory here to get the missing data back but it is possible. You should take an raw image of the drive to work from though. Windows isn't that robust so the odd things your seeing are to be expected, you should see if you can access the event logs to throw some light on the issues but I would skip this test and go straight to a forensic recovery of the data. Quote Link to comment Share on other sites More sharing options...
ghell Posted February 22, 2009 Author Share Posted February 22, 2009 Try these tools: http://www.forensicswiki.org/index.php?tit...s:Data_Recovery Your in file carving territory here to get the missing data back but it is possible. You should take an raw image of the drive to work from though. Windows isn't that robust so the odd things your seeing are to be expected, you should see if you can access the event logs to throw some light on the issues but I would skip this test and go straight to a forensic recovery of the data. Thanks, I'll take a look. Quote Link to comment Share on other sites More sharing options...
SomethingToChatWith Posted February 22, 2009 Share Posted February 22, 2009 A re-installs probably best (and probably what you'll need to do than), but if you still want to try to recover it look manually recovering the Vista bootloader code and adding a new entry for Vista here. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.