Wednesday, 2 May 2018

ntfs - Data recovery on a corrupted 3TB disk


Short version



  • I probably need software to run a deep-scan recovery (ideally on Linux) to find files on NTFS filesystem.

  • The file data is intact, but the references are no longer present.

  • Analogous to recovering data from a "quick-formatted" partition.

  • Hopefully there is a smarter way available than deep-scan, one which would recover filenames and possibly paths.

  • Just under 2TB of data went missing on a 3TB disk. I will be using a second disk to dump the recovered files obviously, and will be mounting the source filesystem read-only if the best solution can run on Linux (or if someone can tell me how to make Windows mount a filesystem read-only).



Long version


I have a 3TB disk containing a load of backups. Windows 7 SP1 refused to detect the disk when plugged in directly via SATA, so I put it on a USB/SATA adaptor which seemed to work at first.


The SATA/USB adaptor probably does not support disks over 2.2TB though. Windows first asked me if I wanted to 'format' the disk, then later showed me most of the contents but some folder were inaccessible. I stupidly decided to run a CHKDSK on my backup disk, which made the folders accessible but also left them empty.


I connected this disk via SATA to my main PC (Arch Linux). I tried:



  • testdisk

  • ntfsundelete

  • ntfsfix --no-action (to look for diagnostically relevant faults, disk was "OK" though)


to no avail as the files references in the tables had presumably been zeroed out by CHKDSK, rather than using a typical journal'd deletion).


If it is useful at all, a majority of the files that I want to recover are JPEG, Photoshop PSD, and MPEG-3/MPEG-4/AVI/MKV files. If worst comes to worst, I'll just design my own sector scanner and use some simple heuristic-driven analysis to recover raw binary blocks of data from the disk which appears to match the structures of the above file types.


I am unfamiliar with the exact workings of NTFS but used to be proficient at recovering FAT32 systems with just a hex-editor, so I can provide any useful diagnostic information if you let me know how to find it!



My priorities in ascending order of importance for choosing the accepted answer:



  • Restores directory structure

  • Recovers many filenames in addition to the file data

  • Is free / very cheap

  • Runs on Linux

  • Recovers a majority of file data


The last point is the most important, but the more of the higher points you match the more rep you'll probably get :)



UPDATE X-Ways and Auslogics are running on images of the disk, the former doing some fancy forensic stuff and the latter probably doing the MFT-scanning and bit-tweaking that we could once do by hand when recovering FAT filesystems...



Answer



I've used photorec to recover files from a drive that windows saw as unformatted.
Unfortunately it doesn't satisfy your top 2 priorities, but it satisfies the rest of the priorities.


It will require a 2nd disk to store all of your recovered data on as well as it doesn't modify the original disk.


-

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)

Where does Skype save my contact's avatars in Linux?

I'm using Skype on Linux. Where can I find images cached by skype of my contact's avatars? Answer I wanted to get those Skype avat...