LinuxQuestions.org
Share your knowledge at the LQ Wiki.
Go Back   LinuxQuestions.org > Forums > Non-*NIX Forums > General
User Name
Password
General This forum is for non-technical general discussion which can include both Linux and non-Linux topics. Have fun!

Notices

Reply
 
Search this Thread
Old 11-24-2006, 12:20 AM   #1
davcefai
Member
 
Registered: Dec 2004
Location: Malta
Distribution: Debian Sid
Posts: 764

Rep: Reputation: 32
Advice on recovering an NTFS filesystem please


My daughter was copying files over the network from her old computer (Win2K) to her new one (WinXP). Unfortunately she elected to use Cut and Paste rather than Copy and Paste. All her music files vanished from the old disc and did not appear on the new one.

I put the old disc (40GB ATA partitioned into 4 partitions, all NTFS formatted) into a Debian machine thinking to use ntfsundelete to recover the files. However the disc cannot be mounted and fdisk comes up with the partition table blank. Examining /dev shows that /dev/hda exists but there are no entries for hda1-4.

When I put the disc back into the Windows machine it refused to boot. Partition magic reports the first partition to be unformatted but can see the other three.

The lost files are (were) on the second partition and apparently only the d:\music directory was lost.

My question: How best can I get to mount the drive? If I recreate the lost partition will I lose data? Can I create /dev/hda2 manually?

Advice gratefully received. Teenager is devastated by her loss.
 
Old 11-24-2006, 12:28 AM   #2
nadroj
Senior Member
 
Registered: Jan 2005
Location: Canada
Distribution: ubuntu
Posts: 2,539

Rep: Reputation: 58
can you use partition magic's undelete feature?
i dont know but i wouldnt think creating a new partition would remove the old stuff, but i dont know if that would find it either.
if you _need_ the data that was on it i would take it to a professional and see what they can do. now a days with high speed internet if she just had music (not important documents, etc) then i would say just format it and download them again.
 
Old 11-24-2006, 01:00 AM   #3
davcefai
Member
 
Registered: Dec 2004
Location: Malta
Distribution: Debian Sid
Posts: 764

Original Poster
Rep: Reputation: 32
Partition Magic is not offering undelete on this disc. I assume that the corruption extends to not indicating that there was data on partition 0.

Yes, one could reformat etc but not until I've tried everything else. Next time I meet this problem it could involve vital data - and how many Windows users perform backups?
 
Old 11-24-2006, 02:37 AM   #4
asquante
Member
 
Registered: Nov 2006
Location: horten, norway
Distribution: gentoo / slackware / suse / red hat
Posts: 30

Rep: Reputation: 15
Try Acronis Recovery Expert, it has a powerful undelete feature.
You can try to recreate the partition, but then it needs to be identical with the one that was there - otherwise you risk overwriting the info about the files on the harddrive.

mARGO
 
Old 11-24-2006, 09:05 AM   #5
archtoad6
Senior Member
 
Registered: Oct 2004
Location: Houston, TX (usa)
Distribution: MEPIS, Debian, Knoppix,
Posts: 4,727
Blog Entries: 15

Rep: Reputation: 230Reputation: 230Reputation: 230
You say "ATA", I am assuming "IDE", but unfortunately "ATA" is becoming ambiguous. Unwillingly, I am beginning to think we must always say either "SATA" or "PATA" to avoid confusion.

Can you confirm the part. table is indeed blank (w/ the prob. drive in a GNU/Linux box):
Code:
dd if=hdx bs=512 count=1 |hd |less
If so, gpart may help if Acronis can't. BTW, their Partition Editor, now Disk Director has worked very well for me for several years.
 
Old 11-24-2006, 10:28 AM   #6
davcefai
Member
 
Registered: Dec 2004
Location: Malta
Distribution: Debian Sid
Posts: 764

Original Poster
Rep: Reputation: 32
You're quite right, the drive is PATA. Unfortunately(?) I have got into the habit of using IDE and SATA. Reply to the question will be later this evening, when I get home.

Last edited by davcefai; 11-24-2006 at 11:14 AM.
 
Old 11-24-2006, 12:39 PM   #7
davcefai
Member
 
Registered: Dec 2004
Location: Malta
Distribution: Debian Sid
Posts: 764

Original Poster
Rep: Reputation: 32
This is the hex dump of my problem disc's boot sector. I don't know enough to interpret the partition table though.
Code:
00000000  33 c0 8e d0 bc 00 7c fb  50 07 50 1f fc be 1b 7c  |3.....|.P.P....||
00000010  bf 1b 06 50 57 b9 e5 01  f3 a4 cb bd be 07 b1 04  |...PW...........|
00000020  38 6e 00 7c 09 75 13 83  c5 10 e2 f4 cd 18 8b f5  |8n.|.u..........|
00000030  83 c6 10 49 74 19 38 2c  74 f6 a0 b5 07 b4 07 8b  |...It.8,t.......|
00000040  f0 ac 3c 00 74 fc bb 07  00 b4 0e cd 10 eb f2 88  |..<.t...........|
00000050  4e 10 e8 46 00 73 2a fe  46 10 80 7e 04 0b 74 0b  |N..F.s*.F..~..t.|
00000060  80 7e 04 0c 74 05 a0 b6  07 75 d2 80 46 02 06 83  |.~..t....u..F...|
00000070  46 08 06 83 56 0a 00 e8  21 00 73 05 a0 b6 07 eb  |F...V...!.s.....|
00000080  bc 81 3e fe 7d 55 aa 74  0b 80 7e 10 00 74 c8 a0  |..>.}U.t..~..t..|
00000090  b7 07 eb a9 8b fc 1e 57  8b f5 cb bf 05 00 8a 56  |.......W.......V|
000000a0  00 b4 08 cd 13 72 23 8a  c1 24 3f 98 8a de 8a fc  |.....r#..$?.....|
000000b0  43 f7 e3 8b d1 86 d6 b1  06 d2 ee 42 f7 e2 39 56  |C..........B..9V|
000000c0  0a 77 23 72 05 39 46 08  73 1c b8 01 02 bb 00 7c  |.w#r.9F.s......||
000000d0  8b 4e 02 8b 56 00 cd 13  73 51 4f 74 4e 32 e4 8a  |.N..V...sQOtN2..|
000000e0  56 00 cd 13 eb e4 8a 56  00 60 bb aa 55 b4 41 cd  |V......V.`..U.A.|
000000f0  13 72 36 81 fb 55 aa 75  30 f6 c1 01 74 2b 61 60  |.r6..U.u0...t+a`|
00000100  6a 00 6a 00 ff 76 0a ff  76 08 6a 00 68 00 7c 6a  |j.j..v..v.j.h.|j|
00000110  01 6a 10 b4 42 8b f4 cd  13 61 61 73 0e 4f 74 0b  |.j..B....aas.Ot.|
00000120  32 e4 8a 56 00 cd 13 eb  d6 61 f9 c3 49 6e 76 61  |2..V.....a..Inva|
00000130  6c 69 64 20 70 61 72 74  69 74 69 6f 6e 20 74 61  |lid partition ta|
00000140  62 6c 65 00 45 72 72 6f  72 20 6c 6f 61 64 69 6e  |ble.Error loadin|
00000150  67 20 6f 70 65 72 61 74  69 6e 67 20 73 79 73 74  |g operating syst|
00000160  65 6d 00 4d 69 73 73 69  6e 67 20 6f 70 65 72 61  |em.Missing opera|
00000170  74 69 6e 67 20 73 79 73  74 65 6d 00 00 00 00 00  |ting system.....|
00000180  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
000001b0  00 00 00 00 00 2c 44 63  eb 23 1f aa cf c9 80 01  |.....,Dc.#......|
000001c0  01 00 07 fe ff ff 3f 00  00 00 3d 69 19 01 00 00  |......?...=i....|
000001d0  c1 ff 07 fe ff ff 7c 69  19 01 3b 8b 38 01 00 00  |......|i..;.8...|
000001e0  c1 ff 07 fe ff ff b7 f4  51 02 3b 8b 38 01 00 00  |........Q.;.8...|
000001f0  c1 ff 07 fe ff ff f2 7f  8a 03 04 c0 3a 01 55 aa  |............:.U.|
00000200
This was produced by:
Code:
dd if=/dev/hda bs=512 count=1 |hd > mbrdump
UPDATE: Weird happenings! I put the drive into a Debian Linux box. Same box as yesterday. The PC tried to boot from the drive (CMOS setup had IDE0 as first boot drive) Got a message "Error loading Operation System". However Linux can see and mount the partitions.
ntfsundelete found the missing MP3s
So without further ado I'm going to ntfsundelete the drive. Still would like to know if the Partition table is corrupt though.
 
Old 11-24-2006, 01:15 PM   #8
J.W.
LQ Veteran
 
Registered: Mar 2003
Location: Milwaukee, WI
Distribution: Mint
Posts: 6,642

Rep: Reputation: 69
Moved: This thread is more suitable in General and has been moved accordingly to help your thread/question get the exposure it deserves.

Mod note: Windows questions are better suited for the General forum.
 
Old 11-24-2006, 03:19 PM   #9
davcefai
Member
 
Registered: Dec 2004
Location: Malta
Distribution: Debian Sid
Posts: 764

Original Poster
Rep: Reputation: 32
I posted this as a Linux question. Windows trashed the disc. I don't trust Windows utilities to to fix it. Hence my posting here.

In fact, Linux fixed the problem in that I have recovered the files with ntfsundelete. However I would still appreciate input on the interpretation of the dump of the MBR and how to recover the first partition. The next time I encounter this problem it might be on more valuable data.
 
Old 11-25-2006, 02:28 AM   #10
primo
Member
 
Registered: Jun 2005
Posts: 542

Rep: Reputation: 34
You may use testdisk at http://www.cgsecurity.org/wiki/TestDisk to recreate the partition table. I bet there are other GPL tools. Gpart at http://www.stud.uni-hannover.de/user/76201/gpart/ saved my life once. Why not backup the disk with dd as it is so you can try different approachs ?
 
Old 11-25-2006, 02:33 AM   #11
vharishankar
Senior Member
 
Registered: Dec 2003
Posts: 3,142
Blog Entries: 4

Rep: Reputation: 121Reputation: 121
If I might make a suggestion, rather than fiddling about it yourself and risking wiping out or overwriting the raw data on the disk, I would suggest taking it to a professional data recovery expert.

It might cost a bit, but the end result might be well worth it...
 
Old 11-25-2006, 07:48 AM   #12
archtoad6
Senior Member
 
Registered: Oct 2004
Location: Houston, TX (usa)
Distribution: MEPIS, Debian, Knoppix,
Posts: 4,727
Blog Entries: 15

Rep: Reputation: 230Reputation: 230Reputation: 230
This may be the explanation you're looking for:
http://www.win.tue.nl/~aeb/partition..._tables-2.html

"Unwrapping" your posted MBR, your part. table is:
Code:
*
00 00 00 00 00 2c 44 63  eb 23 1f aa cf c9 

Bt|beg  CHS|Tp|end  CHS|Part.  start|Part.  size
80 01 01 00 07 fe ff ff 3f 00  00 00 3d 69 19 01 
00 00 c1 ff 07 fe ff ff 7c 69  19 01 3b 8b 38 01 
00 00 c1 ff 07 fe ff ff b7 f4  51 02 3b 8b 38 01 
00 00 c1 ff 07 fe ff ff f2 7f  8a 03 04 c0 3a 01 

55 aa
As for "how to recover the first partition", all the recent suggestions have merit. I have played w/ both gpart & TestDisk, and certainly the idea of making a copy of the target is very sound. (We might tongue-in-cheek ascribe "Second, do no more harm." to Hippocrates, Jr.)

If you can at least mount that 1st part., you can dd it into a file & then mount the result via the loopback interface.

Last edited by archtoad6; 11-25-2006 at 07:54 AM. Reason: typo
 
Old 11-25-2006, 04:24 PM   #13
davcefai
Member
 
Registered: Dec 2004
Location: Malta
Distribution: Debian Sid
Posts: 764

Original Poster
Rep: Reputation: 32
Testdisk recovered the partition in the sense that it now shows up in fdisk.
Code:
Disk /dev/hda: 40.9 GB, 40982151168 bytes
255 heads, 63 sectors/track, 4982 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

   Device Boot      Start         End      Blocks   Id  System
/dev/hda1   *           1        1148     9221278+   7  HPFS/NTFS
/dev/hda2            1149        2423    10241437+   7  HPFS/NTFS
/dev/hda3            2424        3698    10241437+   7  HPFS/NTFS
/dev/hda4            3699        4982    10313730    7  HPFS/NTFS
However the partition cannot be mounted
Code:
davcefai:/home/david# mount /dev/hda1 /mnt/taradisc -t ntfs
mount: wrong fs type, bad option, bad superblock on /dev/hda1,
       missing codepage or other error
       In some cases useful info is found in syslog - try
       dmesg | tail  or so
Code:
davcefai:/home/david# dmesg|tail
NTFS-fs error (device hda1): ntfs_fill_super(): Not an NTFS volume.
NTFS volume version 3.0.
NTFS-fs warning (device hda1): is_boot_sector_ntfs(): Invalid boot sector checksum.
NTFS-fs error (device hda1): read_ntfs_boot_sector(): Primary boot sector is invalid.
NTFS-fs error (device hda1): read_ntfs_boot_sector(): Mount option errors=recover not used. Aborting without trying to recover.
NTFS-fs error (device hda1): ntfs_fill_super(): Not an NTFS volume.
NTFS-fs warning (device hda1): is_boot_sector_ntfs(): Invalid boot sector checksum.
NTFS-fs error (device hda1): read_ntfs_boot_sector(): Primary boot sector is invalid.
NTFS-fs error (device hda1): read_ntfs_boot_sector(): Mount option errors=recover not used. Aborting without trying to recover.
NTFS-fs error (device hda1): ntfs_fill_super(): Not an NTFS volume.
Well, since this has become a little bit of an academic exercise as I did manage to copy the lost files I shall run powermax on the disc in case it has been physically damaged.

Luckily the disc failed at the least critical time. Lecture notes etc were copied over OK. I'll post again with any test results in case anybody will find them useful in future.

Thanks to all who contributed.
 
  


Reply

Tags
file, ntfs, ntfsundelete, recovery, undelete


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Advice for recovering from a Synaptic crash blaroe Fedora 8 11-30-2007 03:41 AM
Recovering Files From Another Filesystem eklitzke Linux - General 3 03-14-2005 11:39 AM
Recovering file on Ext3 filesystem. the_rydster Slackware 1 07-17-2004 01:04 PM
Recovering Filesystem aig Linux - General 3 06-21-2004 11:41 PM
recovering bad xfs filesystem? ss59 Linux - Newbie 0 05-04-2004 01:38 PM


All times are GMT -5. The time now is 01:10 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration