partition recovery


ghell

I accidentally deleted an NTFS partition with gparted then, stupidly, tried to recreate it (with gparted) hoping that the files there would reappear, which of course they didn't.

I didn't make a backup image with dd but I have been able to scan the drive with various commercial Windows tools and it can still find all of the files, even the system file \$MFT. The problem is that even if I manually copy all of the files out of these tools to a blank hard drive, I can't boot Windows off it as I could before, it's just a drive with a bunch of files on it.

DiskInternals, for example, scans the drive (taking about 2 hours) and when it is done, shows a list of partitions, with some numbers in the names. I think these numbers may be where the partition starts and I know exactly which one I want to recover (it was supposed to be the only partition on the drive but it also shows some 3mb "Boot" partitions that I have never seen before). However, all it lets me do is recover files to another hard drive rather than restoring the file system that it has found.

Is it possible to restore an old partition that has been deleted with dd (or anything else)? I think that all I want to recover is the MBR (if that's all that contains the partition table) and any NTFS data at the start of the disk and all of the files should just reappear after that.

Link to comment
Share on other sites

I've had really good luck with using Getdataback NTFS from runtime.org. It's resurrected a few drives. Free to try, pay to recover, it's well worth the license though.

Link to comment
Share on other sites

Will Getdataback NTFS and Testdisk be able to restore the deleted partition or just recover individual files? (because I can already just recover individual files)

I am currently running a deep scan with Testdisk from the latest gparted live CD. Before I started running the deep scan, it only found the new empty partition but now it's 31% through the deep scan and nothing new has appeared yet.

> Also, if you successfully copied all of the files to another drive, it should be easy to make it bootable by using some windows repair tools.

I tried the Vista install DVD's "repair" feature but it wouldn't even detect it as a windows installation, so it wouldn't repair it.

I have tried installing a new copy of Vista to a new drive (so that the original is still as untouched as possible) that is the same size and then overwriting that entire installation with the recovered directories (I just used \Users, \Program Files, \Program Files (x86), \ProgramData and \Windows). When I boot off that disk it tells me that the boot loader is damaged, so I repair it with the installation CD and after a reboot, I get up to a login prompt. I type my password and the screen goes black, just showing a cursor. It is fine up to there but then goes back to the login screen. If I type my password again, it says "Logging out", goes black and then back to the login screen again. I don't know if this approach will work in the end but it is the furthest I have got so far. Does anyone know what would be causing it to stop where it is stopping (e.g. if my user does not have permissions to read its own user directory) or how to fix that to get it to at least log in?

Link to comment
Share on other sites

There's no need for that. I'm only asking for help. If you don't have anything nice (or useful) to say, don't say anything at all.

Testdisk did not find the partition correctly in the deep scan. It seemed to find it at first on a backup sector but when I tried to list the files, it only showed one small file.

Strangely, even fdisk seems to think that the gparted created NTFS partition is ext (83) at first and when I put a USB pen drive in to get the log file, it thought it was FAT16.

Here's the log (it wouldn't let me attach the file itself as a .log, .txt, .log.gz, .zip, etc so sorry about posting it in the big code block):

Fri Feb 20 14:58:14 2009
Command line: TestDisk

TestDisk 6.9, Data Recovery Utility, February 2008
Christophe GRENIER <grenier@cgsecurity.org>
http://www.cgsecurity.org
Linux version (ext2fs lib: 1.41.3, ntfs lib: 10:0:0, reiserfs lib: none, ewf lib: none)
Hard disk list
Disk /dev/sda - 250 GB / 232 GiB - CHS 30401 255 63, sector size=512 - ATA ST3250620AS

Disk /dev/sda - 250 GB / 232 GiB - ATA ST3250620AS
Partition table type: Intel

Analyse Disk /dev/sda - 250 GB / 232 GiB - CHS 30401 255 63
Geometry from i386 MBR: head=255 sector=63
check_part_i386 failed for partition type 83
get_geometry_from_list_part_aux head=255 nbr=2
get_geometry_from_list_part_aux head=8 nbr=1
get_geometry_from_list_part_aux head=16 nbr=1
get_geometry_from_list_part_aux head=32 nbr=1
get_geometry_from_list_part_aux head=64 nbr=1
get_geometry_from_list_part_aux head=128 nbr=1
get_geometry_from_list_part_aux head=240 nbr=1
get_geometry_from_list_part_aux head=255 nbr=2
Current partition structure:
No EXT2, JFS, Reiser, cramfs or XFS marker
 1 * Linux                    0   1  1 30400 254 63  488392002
 1 * Linux                    0   1  1 30400 254 63  488392002
Ask the user for vista mode
Computes LBA from CHS for Disk /dev/sda - 250 GB / 232 GiB - CHS 30402 255 63
Allow partial last cylinder : Yes
search_vista_part: 1

search_part()
Disk /dev/sda - 250 GB / 232 GiB - CHS 30402 255 63
NTFS at 0/1/1
filesystem size           488392002
sectors_per_cluster       8
mft_lcn                   4
mftmirr_lcn               30524500
clusters_per_mft_record   -10
clusters_per_index_record 1
   D HPFS - NTFS              0   1  1 30400 254 63  488392002
     NTFS, 250 GB / 232 GiB
get_geometry_from_list_part_aux head=255 nbr=2
get_geometry_from_list_part_aux head=8 nbr=1
get_geometry_from_list_part_aux head=16 nbr=1
get_geometry_from_list_part_aux head=32 nbr=1
get_geometry_from_list_part_aux head=64 nbr=1
get_geometry_from_list_part_aux head=128 nbr=1
get_geometry_from_list_part_aux head=240 nbr=1
get_geometry_from_list_part_aux head=255 nbr=2

Results
   * HPFS - NTFS              0   1  1 30400 254 63  488392002
     NTFS, 250 GB / 232 GiB
ntfs_device_testdisk_io_ioctl() unimplemented
ntfs_ucstoutf8: iconv_open failed


dir_partition inode=5
   * HPFS - NTFS              0   1  1 30400 254 63  488392002
     NTFS, 250 GB / 232 GiB
Directory /
      5 dr-xr-xr-x     0      0         0 18-Feb-2009 21:00 .
      5 dr-xr-xr-x     0      0         0 18-Feb-2009 21:00 ..

interface_write()
 1 * HPFS - NTFS              0   1  1 30400 254 63  488392002

search_part()
Disk /dev/sda - 250 GB / 232 GiB - CHS 30402 255 63
NTFS at 0/1/1
filesystem size           488392002
sectors_per_cluster       8
mft_lcn                   4
mftmirr_lcn               30524500
clusters_per_mft_record   -10
clusters_per_index_record 1
   D HPFS - NTFS              0   1  1 30400 254 63  488392002
     NTFS, 250 GB / 232 GiB
NTFS at 30400/254/63
filesystem size           488392002
sectors_per_cluster       8
mft_lcn                   4
mftmirr_lcn               30524500
clusters_per_mft_record   -10
clusters_per_index_record 1
   D HPFS - NTFS              0   1  1 30400 254 63  488392002
     NTFS found using backup sector!, 250 GB / 232 GiB
NTFS at 30401/42/41
filesystem size           488392704
sectors_per_cluster       8
mft_lcn                   786432
mftmirr_lcn               30524543
clusters_per_mft_record   -10
clusters_per_index_record 1
   D HPFS - NTFS              0  32 33 30401  42 41  488392704
     NTFS found using backup sector!, 250 GB / 232 GiB
get_geometry_from_list_part_aux head=255 nbr=2
get_geometry_from_list_part_aux head=8 nbr=1
get_geometry_from_list_part_aux head=16 nbr=1
get_geometry_from_list_part_aux head=32 nbr=1
get_geometry_from_list_part_aux head=64 nbr=1
get_geometry_from_list_part_aux head=128 nbr=1
get_geometry_from_list_part_aux head=240 nbr=1
get_geometry_from_list_part_aux head=255 nbr=2

Results
   D HPFS - NTFS              0   1  1 30400 254 63  488392002
     NTFS, 250 GB / 232 GiB
   D HPFS - NTFS              0  32 33 30401  42 41  488392704
     NTFS found using backup sector!, 250 GB / 232 GiB
ntfs_device_testdisk_io_ioctl() unimplemented
ntfs_device_testdisk_io_ioctl() unimplemented
NTFS filesystem need to be repaired.
ntfs_ucstoutf8: iconv_open failed


dir_partition inode=5
ntfs_readdir failed
   D HPFS - NTFS              0  32 33 30401  42 41  488392704
     NTFS found using backup sector!, 250 GB / 232 GiB
Directory /
      5 dr-xr-xr-x     0      0         0 23-Oct-2007 04:31 .
      5 dr-xr-xr-x     0      0         0 23-Oct-2007 04:31 ..
 141989 -r--r--r--     0      0      1934  8-Feb-2008 19:31 MPUsbSIn.log
ntfs_device_testdisk_io_ioctl() unimplemented
ntfs_ucstoutf8: iconv_open failed


dir_partition inode=5
   D HPFS - NTFS              0   1  1 30400 254 63  488392002
     NTFS, 250 GB / 232 GiB
Directory /
      5 dr-xr-xr-x     0      0         0 18-Feb-2009 21:00 .
      5 dr-xr-xr-x     0      0         0 18-Feb-2009 21:00 ..
Change partition type:
   D HPFS - NTFS              0  32 33 30401  42 41  488392704
     NTFS found using backup sector!, 250 GB / 232 GiB
Change partition type:
   D HPFS - NTFS              0  32 33 30401  42 41  488392704
     NTFS found using backup sector!, 250 GB / 232 GiB

interface_write()

No partition found or selected for recovery
simulate write!

write_mbr_i386: starting...
write_all_log_i386: starting...
No extended partition

Interface Advanced
Geometry from i386 MBR: head=255 sector=63
check_part_i386 failed for partition type 83
get_geometry_from_list_part_aux head=255 nbr=2
get_geometry_from_list_part_aux head=8 nbr=1
get_geometry_from_list_part_aux head=16 nbr=1
get_geometry_from_list_part_aux head=32 nbr=1
get_geometry_from_list_part_aux head=64 nbr=1
get_geometry_from_list_part_aux head=128 nbr=1
get_geometry_from_list_part_aux head=240 nbr=1
get_geometry_from_list_part_aux head=255 nbr=2
 1 * Linux                    0   1  1 30400 254 63  488392002
Change partition type:
 1 * HPFS - NTFS              0   1  1 30400 254 63  488392002
New options :
 Dump : No
 Cylinder boundary : Yes
 Allow partial last cylinder : Yes
 Expert mode : No

TestDisk exited normally.

Link to comment
Share on other sites

What I am saying is that you have managed to foul up the system beyond all hope of repair. You can't just copy over files from another install of windows because of the way windows managed permissions with things called SID's and pretty much every step you have done has made it worse. The correct thing to do would have been recover the partition on the drive and mark it as active again, but this is no longer possible. What you need to do is get your data back, and reinstall the system again, then mark this one up to experience. The disk is probably fine, as is the partition, but the windows install is FUBAR hence this is the correct term.

Link to comment
Share on other sites

Thanks for the suggestions but I have tried copying all of the recovered files to a new hard drive, setting it as active and running windows repair from the Vista disk (it is Vista). It doesn't show up in the list for the Vista repair DVD so unless there is a command I can run from the repair command prompt, I don't think I can get that to work.

I will have a look at the ptdd.com link.

> What I am saying is that you have managed to foul up the system beyond all hope of repair. You can't just copy over files from another install of windows because of the way windows managed permissions with things called SID's and pretty much every step you have done has made it worse. The correct thing to do would have been recover the partition on the drive and mark it as active again, but this is no longer possible. What you need to do is get your data back, and reinstall the system again, then mark this one up to experience. The disk is probably fine, as is the partition, but the windows install is FUBAR hence this is the correct term.

Every step I have done has not made it worse, as I said I am not actually writing anything new to the problematic hard drive. Everything I have done has been using recovered files onto a different hard drive.

Permissions would not be an issue if I could just fix the partition table at the start of the disk. I am assuming that when you delete a partition in gparted, all it does is overwrite the partition table so if I can recover that (probably only a few hundred bytes at the start of the disk), all the data should still be there, similar to having a pointer in C. If you delete the pointer, the data is still there even though you can't access it but if you recreate the pointer, you can use it again easily.

Link to comment
Share on other sites

The first thing you did (use gparted to 'recreate' the partition) was the big mistake. The only chance it had of working was if the partition start and end points are the same as they were before, but even then depending on how you deleted the partition, it may be not.

What you should have done instead is run testdisk. I've fouled up in this way before and testdisk has saved me. Still, testdisk left the system unbootable, but that is only a minor problem compared to not having access to the data on the partition.

The file permissions would have been an issue. A new install of XP/Vista would have generated new UID's which wouldn't match those on your existing files.

Link to comment
Share on other sites
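
The numbers in the TestDisk log, and the remark above that recreating the partition only works if its start and end points match the old ones, can be checked by hand. The following is an added example (not written by any poster and not TestDisk's code): function names are hypothetical, the sample sectors are constructed from values in the log, and the NTFS total-sectors field is assumed to be the logged filesystem size minus one.

```python
import struct

def chs_to_lba(c, h, s, heads=255, spt=63):
    """Cylinder/head/sector (sector is 1-based) to LBA, using the log's geometry."""
    return (c * heads + h) * spt + (s - 1)

def make_entry(start, sectors, ptype, active=True):
    """Build a 16-byte MBR entry; CHS fields get the FE FF FF 'use LBA' filler."""
    return struct.pack("<B3sB3sII", 0x80 if active else 0, b"\xfe\xff\xff",
                       ptype, b"\xfe\xff\xff", start, sectors)

def parse_mbr(sector0):
    """Return the non-empty primary partition entries of a 512-byte MBR."""
    if len(sector0) != 512 or sector0[510:] != b"\x55\xaa":
        raise ValueError("not an MBR: wrong length or missing 55 AA signature")
    entries = []
    for off in range(446, 510, 16):
        status, ptype = sector0[off], sector0[off + 4]
        start, sectors = struct.unpack_from("<II", sector0, off + 8)
        if ptype:
            entries.append({"active": status == 0x80, "type": ptype,
                            "start": start, "sectors": sectors})
    return entries

def parse_ntfs_boot(sec):
    """Decode the boot-sector fields TestDisk prints; None if it is not NTFS."""
    if len(sec) < 512 or sec[3:11] != b"NTFS    " or sec[510:512] != b"\x55\xaa":
        return None
    bps, spc = struct.unpack_from("<HB", sec, 0x0B)
    total, mft_lcn, mirr_lcn = struct.unpack_from("<QQQ", sec, 0x28)
    (rec,) = struct.unpack_from("<b", sec, 0x40)  # -10 means 2**10-byte records
    return {"sectors_per_cluster": spc, "total_sectors": total,
            "mft_lcn": mft_lcn, "mftmirr_lcn": mirr_lcn,
            "mft_record_bytes": 2 ** -rec if rec < 0 else rec * spc * bps}

def partition_from_backup(backup_lba, boot):
    """Backup boot sector is the partition's last sector: start = backup - total."""
    return backup_lba - boot["total_sectors"], boot["total_sectors"] + 1

def sample_mbr():
    """Constructed: the table after gparted recreated the partition (type 83)."""
    mbr = bytearray(512)
    mbr[446:462] = make_entry(chs_to_lba(0, 1, 1), 488392002, ptype=0x83)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)

def sample_backup_boot():
    """Constructed: backup boot sector with the values logged at 30401/42/41."""
    sec = bytearray(512)
    sec[3:11] = b"NTFS    "
    struct.pack_into("<HB", sec, 0x0B, 512, 8)
    # total_sectors is an assumption: logged filesystem size (488392704) minus 1
    struct.pack_into("<QQQ", sec, 0x28, 488392703, 786432, 30524543)
    struct.pack_into("<b", sec, 0x40, -10)
    sec[510:512] = b"\x55\xaa"
    return bytes(sec)

def analyse():
    """Compare the current table entry with what the backup boot sector implies."""
    current = parse_mbr(sample_mbr())[0]
    boot = parse_ntfs_boot(sample_backup_boot())
    start, sectors = partition_from_backup(chs_to_lba(30401, 42, 41), boot)
    return current, boot, make_entry(start, sectors, ptype=0x07)

if __name__ == "__main__":
    print(analyse())
```

With these inputs the recreated entry starts at sector 63 (CHS 0/1/1), while the backup boot sector implies an NTFS partition starting at sector 2048 (CHS 0/32/33) and 488392704 sectors long, which is the second candidate in the log.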

It really is odd to see how much effort people go to recovering their broken OS install when all that really matters is the actual data. A fully setup install of Windows takes but a few hours to set up. Learn from this, and the next time it happens you will know to try and recover the partition, and if that fails just recover your data and reinstall/reimage.

A good thing to do would be to set up your new machine the way you want it, then sys-prep and capture an image using DD, Ghost or Imagex (I prefer imagex, but that's because I use it on a daily basis at work). Then, setting up your new computer the next time it breaks will be a simple matter of dumping an image on the disk and re-creating your user account settings. You can automate this step with Microsoft's user state migration tool which captures your account settings for a wipe-and-load or side-by-side migration.

You may well be able to fix this if you spend a week or so playing with the system, but from my point of view I'd rather be doing a million other things than attempting to nail your franken-windows back together.

Link to comment
Share on other sites

> The first thing you did (use gparted to 'recreate' the partition) was the big mistake. The only chance it had of working was if the partition start and end points are the same as they were before, but even then depending on how you deleted the partition, it may be not.
>
> What you should have done instead is run testdisk. I've fouled up in this way before and testdisk has saved me. Still, testdisk left the system unbootable, but that is only a minor problem compared to not having access to the data on the partition.

It was stupid by my own admission (see first post) but before this thread, I was completely oblivious to testdisk's existence, let alone knowing what it did (the name doesn't really imply anything to do with recovery, I had assumed it was something closer to fsck) so I panicked and set up the partition again with gparted, with exactly the same geometry (as you said) but it didn't work. I expect gparted overwrote part of the filesystem data when I did this, even though I left it on no filesystem when I made the partition.

> The file permissions would have been an issue. A new install of XP/Vista would have generated new UID's which wouldn't match those on your existing files.

They would have been an issue with copying the files over an existing installation but not if I could have just recovered the partition table and any filesystem metadata that probably lives right at the start of the partition. However, I could get up to the login prompt fine by copying recovered files over an existing installation (even getting my screen resolution correct, so it must have loaded my graphics drivers properly from the recovered data). It seems to start logging in but then goes back to the login screen rather than showing a desktop (but it must still be logged in because I can hear it loading away on my hard drive and if I try to log in again, it logs out as if it is switching users).

The reason I was (I've all but given up now) trying so hard to get it back to a working partition rather than copying files over was that I had spent 2 years without formatting that Windows installation and I had everything exactly as I wanted. Even though the disk has not been written to since I messed it up, there were a couple of files here and there (roughly 1 in every 1000 files) that had holes in or were missing when I recovered them too. Annoyingly, one of these was also a directory so I couldn't recover anything in that directory (which seems odd to me, as that recovery software will recover deleted files and directories fine so I would have thought that it would be able to see at least the files inside there even if the directory itself had a problem).

I also assume that $MFT (which recovered fully) contains the information for the whole file system on that partition, so if the recovery software looked in there, wouldn't it be able to recover everything quickly without having to deep scan for anything else?

Link to comment
Share on other sites

Try these tools:

http://www.forensicswiki.org/index.php?tit...s:Data_Recovery

You're in file carving territory here to get the missing data back but it is possible. You should take a raw image of the drive to work from though.

Windows isn't that robust so the odd things you're seeing are to be expected, you should see if you can access the event logs to throw some light on the issues but I would skip this test and go straight to a forensic recovery of the data.

Link to comment
Share on other sites

Thanks, I'll take a look.
