LinuxQuestions.org
Visit the LQ Articles and Editorials section
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - General
User Name
Password
Linux - General This Linux forum is for general Linux questions and discussion.
If it is Linux Related and doesn't seem to fit in any other forum then this is the place.

Notices

Reply
 
Search this Thread
Old 09-08-2007, 11:43 AM   #1
SlowCoder
Member
 
Registered: Oct 2004
Location: Southeast, U.S.A.
Distribution: Fedora (Desktop), CentOS (Server), Knoppix (Diags)
Posts: 934

Rep: Reputation: 38
Need to recover corrupt NTFS partition


I was working on my wife's normally operating XP box, preparing to back up her data (which I currently only have on that machine; you know nothing important, just family pictures, source code, financial information ) ...

"Drive C: is corrupt". Uh, oh!

I restarted the computer and now it doesn't boot. I attempted to use the XP CD recovery tools, but it chkdsk says there are unrecoverable errors.

fdisk (Knoppix) says the following:
Code:
Disk sda: 160.0 GB, 160041885696 bytes
255 heads, 63 sectors/track, 19457 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

Device Boot      Start         End      Blocks   Id  System
  sda1   *           1       19454   156264223+   7  HPFS/NTFS
But using gpart:
Code:
root@Knoppix:~# gpart /dev/sda

Begin scan...
End scan.

Checking partitions...
Ok.

Guessed primary partition table:
Primary partition(1)
   type: 000(0x00)(unused)
   size: 0mb #s(0) s(0-0)
   chs:  (0/0/0)-(0/0/0)d (0/0/0)-(0/0/0)r

Primary partition(2)
   type: 000(0x00)(unused)
   size: 0mb #s(0) s(0-0)
   chs:  (0/0/0)-(0/0/0)d (0/0/0)-(0/0/0)r

Primary partition(3)
   type: 000(0x00)(unused)
   size: 0mb #s(0) s(0-0)
   chs:  (0/0/0)-(0/0/0)d (0/0/0)-(0/0/0)r

Primary partition(4)
   type: 000(0x00)(unused)
   size: 0mb #s(0) s(0-0)
   chs:  (0/0/0)-(0/0/0)d (0/0/0)-(0/0/0)r
So, fdisk recognizes it, but gpart does not. What does this mean? What are my options?
 
Old 09-08-2007, 12:39 PM   #2
Lenard
Senior Member
 
Registered: Dec 2005
Location: Indiana
Distribution: RHEL/CentOS/SL 5 i386 and x86_64 pata for IDE in use
Posts: 4,790

Rep: Reputation: 56
Google for Bart PE and/or ntfs-3g
 
Old 09-08-2007, 01:21 PM   #3
Brian1
Guru
 
Registered: Jan 2003
Location: Seymour, Indiana
Distribution: Distribution: RHEL 5 with Pieces of this and that. Kernel 2.6.23.1, KDE 3.5.8 and KDE 4.0 beta, Plu
Posts: 5,700

Rep: Reputation: 61
This is quite like what happened to me the other day. I was mounting a Vista ntfs partition with ntfs-3g. Upon mount it said it was not shutdown cleanly and I could force it to mount. I did a force mount and copied the needed files to it and unmounted. Upon booting Vista it started to boot and then stopped. I used vista recovery to chkdsk the partition . It said issues with it and would try to fix. But after waiting 2 hours and no drive activity light I had to forget it. Tried chkdsk from a bootdisk and it starts but hangs immediately. Finally result was wipe and load. Had to format the ntfs partition before vista would even reinstall on it. First Vista install and was more for a learning experience. At least got rid of a lot of preinstalled stuff on the notebook.

So in future never force mount a dirty ntfs partition with ntfs-3g or at any point mount read-only. Never write to it. Maybe Windows could fix itself if not trashed.

Brian
 
Old 09-08-2007, 07:08 PM   #4
jiml8
Senior Member
 
Registered: Sep 2003
Posts: 3,171

Rep: Reputation: 115Reputation: 115
Before attempting anything else, you need to take an image of that partition. I suggest using dd and copying it someplace safe.

chkdsk said "unrecoverable errors????"

There ARE no unrecoverable errors, unless you have a bad hard drive. AFTER making the image, try running chkdsk in surface scan mode and see if it finds any bad blocks.

IF you do find bad blocks on the drive, then the drive has failed or is in the process of failing. In this case, try mounting the image you took with dd and see if you can read it from linux (maybe...). If not, and if the data is important to you, I would suggest you obtain SpinRite from grc.com and give it a try. I will vouch for it; if the drive will spin and the heads move, there is a simply excellent chance that SpinRite will bring it back to life at least long enough to recover everything from it.
 
Old 09-08-2007, 07:21 PM   #5
Junior Hacker
Senior Member
 
Registered: Jan 2005
Location: North America
Distribution: Debian testing Mandriva Ubuntu
Posts: 2,687

Rep: Reputation: 59
You should have taken the hard drive out of the machine and hook it up to another Windows XP Pro or Vista Business computer as slave and copied all your data to your back up medium. Even when Windows can't boot up, you can still cruise the file system from another operating system and get your data before re-building. You need either of the two operating systems as above if the documents you want are in the user with administrator privileges account, where you need to take ownership of the files as administrator of the other operating system to be able to access these files not accessible by a normal user.
EDIT: Here's how to take ownership of protected files.

Last edited by Junior Hacker; 09-08-2007 at 07:27 PM.
 
Old 09-08-2007, 08:16 PM   #6
SlowCoder
Member
 
Registered: Oct 2004
Location: Southeast, U.S.A.
Distribution: Fedora (Desktop), CentOS (Server), Knoppix (Diags)
Posts: 934

Original Poster
Rep: Reputation: 38
Quote:
Originally Posted by Junior Hacker View Post
You should have taken the hard drive out of the machine and hook it up to another Windows XP Pro or Vista Business computer as slave and copied all your data to your back up medium. Even when Windows can't boot up, you can still cruise the file system from another operating system and get your data before re-building. You need either of the two operating systems as above if the documents you want are in the user with administrator privileges account, where you need to take ownership of the files as administrator of the other operating system to be able to access these files not accessible by a normal user.
EDIT: Here's how to take ownership of protected files.
At my IT job, I do that sort of thing all the time. The issue is not that the machine simply doesn't boot. The issue is that while fdisk recognizes the NTFS partition, the data on the partition is unreadable. Hooking it up to another XP machine yielded that the partition is not formatted.

I'm trying to determine if there is a way to access the data on the partition, that I haven't thought of yet. (I really need the data!)
 
Old 09-08-2007, 08:57 PM   #7
Junior Hacker
Senior Member
 
Registered: Jan 2005
Location: North America
Distribution: Debian testing Mandriva Ubuntu
Posts: 2,687

Rep: Reputation: 59
I do data recovery for a living, the first rule in data recovery when you have file system issues is to do what was mentioned earlier: Get an image ASAP of the drive or partition. Then chase the data off a copy of the original image if you can't get the OS up and running.

Depending on what kind of data you're after, running the command: photorec on a drive or image from a live CD or after installing testdisk in a running Linux will get all kinds of data. Make sure to run the command from within a directory with allot of free space as photorec will pull out lots of data. It does all Microsoft Office files, some may need you to change the extension as they all have the same header and photorec may name most of them with .doc extension. If word can't open the file and you know you have power point files, change the name so it has the .pps extension and try to open it, and so on. Photorec recovers most mp3s, jpeg, bitmap etc. You can stop it part way by hitting Ctrl + C, to get rid of a bunch of useless findings if you are running out of disk space and resume searching where you left off.
Photorec is a data carver that looks for the headers of files regardless of the file system inconsistencies or if partitions are lost or have been replaced by a new partitioning and format job.
File formats recovered by photorec.
I usually exclude .txt format as that will increase the amount of useless text files you probably don't need.
 
Old 09-08-2007, 09:45 PM   #8
jiml8
Senior Member
 
Registered: Sep 2003
Posts: 3,171

Rep: Reputation: 115Reputation: 115
Quote:
Originally Posted by SlowCoder View Post
At my IT job, I do that sort of thing all the time. The issue is not that the machine simply doesn't boot. The issue is that while fdisk recognizes the NTFS partition, the data on the partition is unreadable. Hooking it up to another XP machine yielded that the partition is not formatted.

I'm trying to determine if there is a way to access the data on the partition, that I haven't thought of yet. (I really need the data!)
Again, establish whether the HD is failing (sounds like it). If so, try SpinRite. It'll cost $$$, but it works.
 
Old 09-09-2007, 07:04 PM   #9
SlowCoder
Member
 
Registered: Oct 2004
Location: Southeast, U.S.A.
Distribution: Fedora (Desktop), CentOS (Server), Knoppix (Diags)
Posts: 934

Original Poster
Rep: Reputation: 38
My task today was to dd the hard drive to a twin computer that I'm not currently using. Now I have *2* broken computers!

I doubt, though cannot rule out, there is hardware failure. Since fdisk sees the NTFS partition, I'm leaning toward MFT corruption.

So, I've got a couple questions:
- If I use Linux fdisk to rewrite the partition table of that drive, what would that do to the data in the partition? Effectively, I just want to open fdisk for that drive, then "w" it. No partition deletes/changes, just a rewrite.
- Rewriting the MBR wouldn't make any difference, would it?

Last edited by SlowCoder; 09-09-2007 at 07:19 PM.
 
Old 09-09-2007, 07:30 PM   #10
Junior Hacker
Senior Member
 
Registered: Jan 2005
Location: North America
Distribution: Debian testing Mandriva Ubuntu
Posts: 2,687

Rep: Reputation: 59
Quote:
Originally Posted by SlowCoder View Post
I doubt, though cannot rule out, there is hardware failure. Since fdisk sees the NTFS partition, I'm leaning toward MFT corruption.
I doubt it is the MFT as there is a spare in the middle of the drive which will be used if the first one is corrupt, plus the MFT has nothing to do with file system errors, it's only job is to keep track of what sectors/clusters belong to which files, and file attributes, directory structures. It is possible for both MFTs to be corrupt also, but important system files are in a protected area of the MFT.
Quote:
Originally Posted by SlowCoder View Post
Rewriting the MBR wouldn't make any difference, would it?
You did not mention you tried fixmbr or fixboot when you were in recovery console, doing so should not harm anything.
As Leonard suggested earlier, you should do some reading here also and try some of the tools.
 
Old 09-09-2007, 07:54 PM   #11
SlowCoder
Member
 
Registered: Oct 2004
Location: Southeast, U.S.A.
Distribution: Fedora (Desktop), CentOS (Server), Knoppix (Diags)
Posts: 934

Original Poster
Rep: Reputation: 38
Doesn't the MFT relate to the FAT? Same idea, different file system?
 
Old 09-09-2007, 08:05 PM   #12
Junior Hacker
Senior Member
 
Registered: Jan 2005
Location: North America
Distribution: Debian testing Mandriva Ubuntu
Posts: 2,687

Rep: Reputation: 59
Quote:
Originally Posted by SlowCoder View Post
Doesn't the MFT relate to the FAT? Same idea, different file system?
Yes, except the NTFS MFT is not as vulnerable as FAT, the two FATs are adjacent to each other near the beginning of the partition slightly after the partition boot sector, usually at offset 63 for the first FAT in FAT32. And the Fat does not contain as much information as the MFT, like file attributes, all clusters belonging to a file. The FAT only keeps a record of the first sector of a file, the other sector positions are recorded within the prior sector, sort of like chain loading logical partitions, making it harder to recover fragmented files.
FAT = File Allocation Table
MFT = Master File Table

Last edited by Junior Hacker; 09-09-2007 at 08:07 PM.
 
Old 09-09-2007, 08:45 PM   #13
SlowCoder
Member
 
Registered: Oct 2004
Location: Southeast, U.S.A.
Distribution: Fedora (Desktop), CentOS (Server), Knoppix (Diags)
Posts: 934

Original Poster
Rep: Reputation: 38
So in my situation, assuming it's not hardware failure, what would you say is my problem? My partition table obviously exists. But it's like the data within is unreadable. Basically, both MFTs have somehow been destroyed?

(I'm currently compiling the UBCD4Win disk now ...)
 
Old 09-09-2007, 09:25 PM   #14
Junior Hacker
Senior Member
 
Registered: Jan 2005
Location: North America
Distribution: Debian testing Mandriva Ubuntu
Posts: 2,687

Rep: Reputation: 59
It's most likely something written to the NTFS journal that prevents access by any OS, at least this is where I would point the finger. Because the journal is sort of the starting point in an NTFS file system where OSs look to see if everything's cool and able to mount it. There's a good chance there is nothing wrong with most of the partition or file system, just the contents of the journal may be reporting something distasteful. Try looking there if any tools on that disk have the ability.
I remember vaguely something about some software that can interpret the entries in the journal, specifically the latter ones and possibly making recommendations as to what course of action one could take. As mentioned, "vague".
 
Old 09-10-2007, 05:57 PM   #15
jiml8
Senior Member
 
Registered: Sep 2003
Posts: 3,171

Rep: Reputation: 115Reputation: 115
Well, carry on and best of luck to you.

But your symptoms are most consistent with either a HD or a controller failure. Might also be incorrect jumpers if these are IDE drives (not SATA).
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
corrupt ext3 partition - need to recover whysyn Linux - Hardware 8 07-02-2010 09:30 AM
need help for recover NTFS partition! taiwf Linux - Hardware 20 11-25-2006 07:22 PM
Recover NTFS partition jshellman Linux - Desktop 2 11-15-2006 08:44 AM
corrupt NTFS partition kermitthefrog91 Linux - Software 3 08-14-2005 09:59 PM
Deleted ntfs partition - added linux partition in its place - corrupt! eklhad Linux From Scratch 2 06-28-2005 02:31 AM


All times are GMT -5. The time now is 10:05 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration