LinuxQuestions.org


SlowCoder 09-08-2007 10:43 AM

Need to recover corrupt NTFS partition
 
I was working on my wife's normally operating XP box, preparing to back up her data (which I currently only have on that machine; you know nothing important, just family pictures, source code, financial information :cry:) ...

"Drive C: is corrupt". Uh, oh!

I restarted the computer and now it doesn't boot. I attempted to use the XP CD recovery tools, but chkdsk says there are unrecoverable errors.

fdisk (Knoppix) says the following:
Code:

Disk sda: 160.0 GB, 160041885696 bytes
255 heads, 63 sectors/track, 19457 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

Device Boot      Start        End      Blocks  Id  System
  sda1  *          1      19454  156264223+  7  HPFS/NTFS

But using gpart:
Code:

root@Knoppix:~# gpart /dev/sda

Begin scan...
End scan.

Checking partitions...
Ok.

Guessed primary partition table:
Primary partition(1)
  type: 000(0x00)(unused)
  size: 0mb #s(0) s(0-0)
  chs:  (0/0/0)-(0/0/0)d (0/0/0)-(0/0/0)r

Primary partition(2)
  type: 000(0x00)(unused)
  size: 0mb #s(0) s(0-0)
  chs:  (0/0/0)-(0/0/0)d (0/0/0)-(0/0/0)r

Primary partition(3)
  type: 000(0x00)(unused)
  size: 0mb #s(0) s(0-0)
  chs:  (0/0/0)-(0/0/0)d (0/0/0)-(0/0/0)r

Primary partition(4)
  type: 000(0x00)(unused)
  size: 0mb #s(0) s(0-0)
  chs:  (0/0/0)-(0/0/0)d (0/0/0)-(0/0/0)r

So, fdisk recognizes it, but gpart does not. What does this mean? What are my options?
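
Added example (not part of the original thread): fdisk only prints the partition-table entry stored in sector 0, while gpart ignores that table and guesses partitions from filesystem structures it finds on the disk, so the two can disagree when the table is intact but the filesystem's boot sector is damaged. The Python sketch below checks both on a small constructed image; the image layout, function names and the `corrupt_primary` switch are assumptions for illustration, and nothing here establishes what actually happened to the poster's disk.

```python
import struct

SECTOR = 512

def parse_mbr(image):
    """Return (type, start_lba, sector_count) for each used primary entry."""
    if image[510:512] != b"\x55\xaa":
        raise ValueError("sector 0 has no MBR signature")
    entries = []
    for i in range(4):
        raw = image[446 + 16 * i:446 + 16 * (i + 1)]
        start, count = struct.unpack_from("<II", raw, 8)
        if raw[4]:  # type byte 0x00 means an unused slot
            entries.append((raw[4], start, count))
    return entries

def is_ntfs_boot_sector(sector):
    # NTFS boot sectors carry the OEM ID "NTFS    " at offset 3
    # and the 0x55AA marker in the last two bytes.
    return (len(sector) == SECTOR and sector[3:11] == b"NTFS    "
            and sector[510:512] == b"\x55\xaa")

def check_entry(image, entry):
    """Compare what the table claims with what is actually on disk."""
    ptype, start, count = entry
    def sector(lba):
        return image[lba * SECTOR:(lba + 1) * SECTOR]
    return {
        "table_type": ptype,
        "primary_ok": is_ntfs_boot_sector(sector(start)),
        # NTFS keeps a backup boot sector in the last sector of the partition.
        "backup_ok": is_ntfs_boot_sector(sector(start + count - 1)),
    }

def build_sample_image(corrupt_primary):
    """Constructed 95-sector image: MBR plus one 32-sector type-0x07 partition at LBA 63."""
    image = bytearray(95 * SECTOR)
    image[446:462] = struct.pack("<B3sB3sII", 0x80, b"\0" * 3, 0x07, b"\0" * 3, 63, 32)
    image[510:512] = b"\x55\xaa"
    boot = bytearray(SECTOR)
    boot[0:11] = b"\xeb\x52\x90NTFS    "
    boot[510:512] = b"\x55\xaa"
    for lba in (63, 94):  # primary and backup boot sectors
        image[lba * SECTOR:(lba + 1) * SECTOR] = boot
    if corrupt_primary:
        image[63 * SECTOR:64 * SECTOR] = bytes(SECTOR)
    return bytes(image)

if __name__ == "__main__":
    img = build_sample_image(corrupt_primary=True)
    for e in parse_mbr(img):
        print(check_entry(img, e))
```

Run it against a dd image of the disk rather than the disk itself; a result with `primary_ok` false and `backup_ok` true means the table entry is fine and the backup boot sector is still available to repair tools.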

Lenard 09-08-2007 11:39 AM

Google for Bart PE and/or ntfs-3g

Brian1 09-08-2007 12:21 PM

This is quite like what happened to me the other day. I was mounting a Vista NTFS partition with ntfs-3g. Upon mount it said it was not shut down cleanly and I could force it to mount. I did a force mount and copied the needed files to it and unmounted. Upon booting Vista it started to boot and then stopped. I used Vista recovery to chkdsk the partition. It said issues with it and would try to fix. But after waiting 2 hours and no drive activity light I had to forget it. Tried chkdsk from a bootdisk and it starts but hangs immediately. Final result was wipe and load. Had to format the NTFS partition before Vista would even reinstall on it. First Vista install and was more for a learning experience. At least got rid of a lot of preinstalled stuff on the notebook.

So in future never force mount a dirty ntfs partition with ntfs-3g or at any point mount read-only. Never write to it. Maybe Windows could fix itself if not trashed.

Brian

jiml8 09-08-2007 06:08 PM

Before attempting anything else, you need to take an image of that partition. I suggest using dd and copying it someplace safe.

chkdsk said "unrecoverable errors????"

There ARE no unrecoverable errors, unless you have a bad hard drive. AFTER making the image, try running chkdsk in surface scan mode and see if it finds any bad blocks.

IF you do find bad blocks on the drive, then the drive has failed or is in the process of failing. In this case, try mounting the image you took with dd and see if you can read it from linux (maybe...). If not, and if the data is important to you, I would suggest you obtain SpinRite from grc.com and give it a try. I will vouch for it; if the drive will spin and the heads move, there is a simply excellent chance that SpinRite will bring it back to life at least long enough to recover everything from it.

Junior Hacker 09-08-2007 06:21 PM

You should have taken the hard drive out of the machine and hooked it up to another Windows XP Pro or Vista Business computer as slave and copied all your data to your back up medium. Even when Windows can't boot up, you can still cruise the file system from another operating system and get your data before re-building. You need either of the two operating systems as above if the documents you want are in the user with administrator privileges account, where you need to take ownership of the files as administrator of the other operating system to be able to access these files not accessible by a normal user.
EDIT: Here's how to take ownership of protected files.

SlowCoder 09-08-2007 07:16 PM

Quote:

Originally Posted by Junior Hacker (Post 2885966)
You should have taken the hard drive out of the machine and hooked it up to another Windows XP Pro or Vista Business computer as slave and copied all your data to your back up medium. Even when Windows can't boot up, you can still cruise the file system from another operating system and get your data before re-building. You need either of the two operating systems as above if the documents you want are in the user with administrator privileges account, where you need to take ownership of the files as administrator of the other operating system to be able to access these files not accessible by a normal user.
EDIT: Here's how to take ownership of protected files.

At my IT job, I do that sort of thing all the time. The issue is not that the machine simply doesn't boot. The issue is that while fdisk recognizes the NTFS partition, the data on the partition is unreadable. Hooking it up to another XP machine yielded that the partition is not formatted.

I'm trying to determine if there is a way to access the data on the partition, that I haven't thought of yet. (I really need the data!)

Junior Hacker 09-08-2007 07:57 PM

I do data recovery for a living, the first rule in data recovery when you have file system issues is to do what was mentioned earlier: Get an image ASAP of the drive or partition. Then chase the data off a copy of the original image if you can't get the OS up and running.

Depending on what kind of data you're after, running the command: photorec on a drive or image from a live CD or after installing testdisk in a running Linux will get all kinds of data. Make sure to run the command from within a directory with a lot of free space as photorec will pull out lots of data. It does all Microsoft Office files, some may need you to change the extension as they all have the same header and photorec may name most of them with .doc extension. If Word can't open the file and you know you have PowerPoint files, change the name so it has the .pps extension and try to open it, and so on. Photorec recovers most mp3s, jpeg, bitmap etc. You can stop it part way by hitting Ctrl + C, to get rid of a bunch of useless findings if you are running out of disk space and resume searching where you left off.
Photorec is a data carver that looks for the headers of files regardless of the file system inconsistencies or if partitions are lost or have been replaced by a new partitioning and format job.
File formats recovered by photorec.
I usually exclude .txt format as that will increase the amount of useless text files you probably don't need.
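
Added example (not part of the original post, and not PhotoRec's own algorithm): a simplified header-based carver in Python showing how file starts can be found in a raw image without any filesystem metadata, and why Office documents that share one header cannot be told apart by that header alone. The sample image, function names and the sector-aligned scan are assumptions made for the illustration.

```python
SECTOR = 512
JPEG_EOI = b"\xff\xd9"  # JPEG end-of-image marker
SIGNATURES = {
    "jpg": b"\xff\xd8\xff",
    # OLE2 compound file: the same magic for .doc, .xls and .ppt/.pps,
    # so the header alone cannot pick the right extension.
    "ole2": bytes.fromhex("d0cf11e0a1b11ae1"),
}

def carve(data):
    """Return (offset, kind, end) hits; end is None when no footer was found."""
    hits = []
    # Files start on sector boundaries, so only those offsets are tested.
    for off in range(0, len(data), SECTOR):
        for kind, magic in SIGNATURES.items():
            if not data.startswith(magic, off):
                continue
            end = None
            if kind == "jpg":
                # The first footer after the header is taken as the end.
                # A fragmented or overwritten file gives a wrong or missing
                # end here, which is how corrupt recoveries arise.
                eoi = data.find(JPEG_EOI, off + len(magic))
                end = eoi + len(JPEG_EOI) if eoi != -1 else None
            hits.append((off, kind, end))
    return hits

def build_sample():
    """Constructed raw image: empty sector, whole JPEG, truncated JPEG, OLE2 file."""
    def pad(blob):
        return blob + b"\x00" * (-len(blob) % SECTOR)
    jpeg_ok = b"\xff\xd8\xff\xe0" + b"A" * 600 + JPEG_EOI
    jpeg_cut = b"\xff\xd8\xff\xe0" + b"B" * 100  # footer lost
    ole2 = SIGNATURES["ole2"] + b"C" * 100
    return b"\x00" * SECTOR + pad(jpeg_ok) + pad(jpeg_cut) + pad(ole2)

if __name__ == "__main__":
    image = build_sample()
    for off, kind, end in carve(image):
        print(f"offset {off:5d}  {kind:4s}  end={end}")
```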

jiml8 09-08-2007 08:45 PM

Quote:

Originally Posted by SlowCoder (Post 2886009)
At my IT job, I do that sort of thing all the time. The issue is not that the machine simply doesn't boot. The issue is that while fdisk recognizes the NTFS partition, the data on the partition is unreadable. Hooking it up to another XP machine yielded that the partition is not formatted.

I'm trying to determine if there is a way to access the data on the partition, that I haven't thought of yet. (I really need the data!)

Again, establish whether the HD is failing (sounds like it). If so, try SpinRite. It'll cost $$$, but it works.

SlowCoder 09-09-2007 06:04 PM

My task today was to dd the hard drive to a twin computer that I'm not currently using. Now I have *2* broken computers! :D

I doubt, though cannot rule out, there is hardware failure. Since fdisk sees the NTFS partition, I'm leaning toward MFT corruption.

So, I've got a couple questions:
- If I use Linux fdisk to rewrite the partition table of that drive, what would that do to the data in the partition? Effectively, I just want to open fdisk for that drive, then "w" it. No partition deletes/changes, just a rewrite.
- Rewriting the MBR wouldn't make any difference, would it?

Junior Hacker 09-09-2007 06:30 PM

Quote:

Originally Posted by SlowCoder (Post 2886921)
I doubt, though cannot rule out, there is hardware failure. Since fdisk sees the NTFS partition, I'm leaning toward MFT corruption.

I doubt it is the MFT as there is a spare in the middle of the drive which will be used if the first one is corrupt, plus the MFT has nothing to do with file system errors, its only job is to keep track of what sectors/clusters belong to which files, and file attributes, directory structures. It is possible for both MFTs to be corrupt also, but important system files are in a protected area of the MFT.
Quote:

Originally Posted by SlowCoder (Post 2886921)
Rewriting the MBR wouldn't make any difference, would it?

You did not mention you tried fixmbr or fixboot when you were in recovery console, doing so should not harm anything.
As Lenard suggested earlier, you should do some reading here also and try some of the tools.

SlowCoder 09-09-2007 06:54 PM

Doesn't the MFT relate to the FAT? Same idea, different file system?

Junior Hacker 09-09-2007 07:05 PM

Quote:

Originally Posted by SlowCoder (Post 2886957)
Doesn't the MFT relate to the FAT? Same idea, different file system?

Yes, except the NTFS MFT is not as vulnerable as FAT, the two FATs are adjacent to each other near the beginning of the partition slightly after the partition boot sector, usually at offset 63 for the first FAT in FAT32. And the FAT does not contain as much information as the MFT, like file attributes, all clusters belonging to a file. The FAT only keeps a record of the first sector of a file, the other sector positions are recorded within the prior sector, sort of like chain loading logical partitions, making it harder to recover fragmented files.
FAT = File Allocation Table
MFT = Master File Table

SlowCoder 09-09-2007 07:45 PM

So in my situation, assuming it's not hardware failure, what would you say is my problem? My partition table obviously exists. But it's like the data within is unreadable. Basically, both MFTs have somehow been destroyed?

(I'm currently compiling the UBCD4Win disk now ...)

Junior Hacker 09-09-2007 08:25 PM

It's most likely something written to the NTFS journal that prevents access by any OS, at least this is where I would point the finger. Because the journal is sort of the starting point in an NTFS file system where OSs look to see if everything's cool and able to mount it. There's a good chance there is nothing wrong with most of the partition or file system, just the contents of the journal may be reporting something distasteful. Try looking there if any tools on that disk have the ability.
I remember vaguely something about some software that can interpret the entries in the journal, specifically the latter ones and possibly making recommendations as to what course of action one could take. As mentioned, "vague".

jiml8 09-10-2007 04:57 PM

Well, carry on and best of luck to you.

But your symptoms are most consistent with either a HD or a controller failure. Might also be incorrect jumpers if these are IDE drives (not SATA).

SlowCoder 10-11-2007 09:18 AM

Well ... an update!
I feel so lucky! I used Photorec (Knoppix LiveCD) and was able to recover the vast majority of my photos (around 4000), many of my documents, and a number of zips containing my source code.

Of the data recovered, there was about a 1/100 ratio of corrupted/overwritten files. It wasn't perfect, but I ain't complaining!

I've since then used UBCD4Win and PhotoRec to recover data from corrupted drives at work.

Thank you all for your input! I learned more new stuff!


All times are GMT -5.