|
Accidentally deleted NTFS partition with GParted
I meant to delete the partition on a USB stick using GParted, instead I made the big mistake of deleting the NTFS partition on my 500gb external drive. I desperately need to fix this; the external is my central storage and contains a massive amount of files I would really hate to lose. I know I could data carve if worst comes to worst; but, restoring the partition table data would save me hours and hours of work. I have heard a lot of mention about testdisk; however, it does not seem to find any partitions when I run the search. Does anyone have any other suggestions?
|
You can also try using gpart (not to be confused with GParted).
|
Did you also format a new partition on it?
If you only repartitioned, you could use "losetup" to try to mount the ntfs partition. If it was the first partition on the disk, try: sudo /sbin/losetup -fs </dev/sd#> -o $((63*512)) Use the device node for the disk, such as /dev/sdb. This command will respond with which loop device was used. For Windows XP and Linux, the first partition nearly always starts on block 63. Let's assume that it replies "loop0". sudo file -s /dev/loop0 This will indicate the filesystem of the partition. If it says bootable partition or NTFS, you can try mounting the loop device. sudo mkdir /mnt/recover sudo mount -t ntfs /dev/loop0 /mnt/recover If there is more than one partition on the disk, you can use: df /mnt/recover or df /dev/loop0 to get the size of the first partition. The next one will be above it, but may start rounded up at the next cylinder. One tip is to use a block size of 512 for both fdisk and df. This is especially important for the first partition, because it doesn't start on a cylinder boundary. Write down the offsets used for losetup for each partition. They can be used with "fdisk -u" to repair the partition table. |
I did this before, only I was working with ipodlinux... Blech, I'd say get some raw data readers and try to recover files.... Normally you don't get everything, but if you do it before using the drive again you can get quite a bit. I've recovered hdds that even had a quick format done, believe me when you delete the data isn't usually gone. Though if you use a zeroing program...
|
Thanks so much for your response! I grabbed GPart, it gives me a seek failure error when trying to run it with the -f option though.
|
jschiwal, thanks so much for your comments. When I ran testdisk it said it found a backup NTFS partition, I choose to restore it. In addition, it asked to rebuild the boot table, I think. Unfortunately, this didn't work. I am afraid this might have even done more damage, I am not sure. I got GPart to work correctly and it is scanning right now. I know the data is still there, what I don't know is what was deleted when I misused GPartition and/or what was overwritten when I tried to repair using testdisk. This drive contains years worth of files, organized on top of that. Restoring this partition would be so much better for me than data carving it. In addition, I would really like to do it for the learning experience. Any comments that could point me in the somewhat right direction would be so greatly appreciated!
|
Well depending on your resources, you might have wanted to do a HDD dump, I know 500G is a large dump, but with the size of HDDs these days it can be done, that way you could have ran other programs to "fix it" and if things went bad just use a program to do a re-write... Though I know in all honesty this may not be helpful in your case. Just if you ever have something like this happen on a smaller HDD you might be able to do it. I remember when back when I used to do dumps of Xbox HDDs so I could insert files, you always made a 10G dump of the HDD, incase the file insertion to fatx didn't work. =S But yeah, that's only a method you can do if you have the resources.
|
I actually do have the resources. I should NOT have used the testdisk program last night. I got ansy thinking it would work after hearing so many people talk about it recovering their partitions. Right now I am in our school's computer forensics lab imaging the hdd onto a 1 TB hdd (using FTK imager). I will definitely wait for it to image before I try anything else. I do need some insight on where to go from here though. I am beginning to think data carving is going to be my only option. If that is the case I could really use some suggestions on software.
|
I've typically used foremost and photorec to recover files. The major downside is that you get a bunch of files named with random strings of numbers and an extention like "124234321.doc". Sometimes you can run scripts to search through the file metadata and restore filenames that way. So it works really well for photos since most cameras just name them gibberish anyway. But for documents it's more painful to go through each document to figure out what it is.
|
Quote:
Quote:
|
unSpawn, My mistake. I was definitely not trying to disrespect the program. I was just stating I should not have used it before first imaging the hard drive. Testdisk did not find a partition with quick search; however, it found a backup ntfs partition with deep search. I then hit enter on the ntfs partition. It wrote it and asked me to restart. Unfortunately it did not fix the problem which leaves me wondering if I may have done something wrong, in which case I probably did more damage. If I load the hdd in FTK Imager I see a file tree consisting of a Partition 5, which has an unrecognized file system that contains 488,384,001 KB of unallocated space. The hex shows that this space definitely contains data. Also I see an Unpartitioned Space which contains a 0KB unallocated space folder and a 1KB MBR. I am not sure if this is the MBR for my file system before I deleted it, or if it is something testdisk wrote.
|
Quote:
Quote:
|
Isn't so that when you delete a partition, the partition table is changed and nothing else? I am not sure about more sophisticated programs like GParted, but I remember simpler programs like cfdisk. When I deleted a partition and recreated it, all my data was still there. A partition table is nothing more than a set of pointer to the first sector of a partition. Is is possible just to recreate that NTFS partition? Of course you should NOT format it. As a matter of fact only the start sector is relevant, so even if you can't remember the exact size it wouldn't do much damage.
jlinkels |
Yeah, you're right, it should work that way provided nothing else was overwritten. Somehow I got Partition Table trouble during testing at which point ntfs-3g didn't want to mount it, ntfsinfo didn't see no NTFS and wndws decided to show the partition as the dreaded "RAW". Retesting it by letting Gparted delete the partition and restoring the PT from within testdisk did show a healthy and mountable NTFS partition. Beats me...
|
Has happened to me before. When it did, I used testdisk to determine the start and end of the deleted partition, then I restored those manually using fdisk.
Deleting a partition only removes it from the partition table, nothing bad has happened until you overwrite it with a new filesystem. |
| All times are GMT -5. The time now is 09:32 AM. |