|
If I know the sector position and file size, is this sufficient to recover a file?
Hello...
I am in the process of recovering my brother's 200GB harddrive which is formatted as NTFS. The need for recovery has developed as a result of a corrupted MFT.
Initially I backed up the drive using a a RAW read under linux. Now though, using Windows XP, I have nearly identified all of the MFT entries that are recoverable on the drive via a sector level scan of the drive which produces a report detailing all the recoverable files and sector position they start at, their size, name, etc...
On looking at the report it has raised my interest as to whether I could take the report and use the comma de-limited information contained within to recover the files using linux, more out of academic interest than anything else!
So for example imagine I had a hard drive and it contained 2 files. Assume also that I know the starting sector position on the drive that each file begins, say sector 246,519 and sector 2,952,055. Also assume that I know the size of each file, say 157,775 bytes and 203,488 bytes respectively. Could I use, for example, the dd command to successfully retrieve the missing files that I have start sector and file size details for? If I could, how would I structure the command using a starting sector and file size? Or are there alternative methods?
I am unsure whether this would work in practice as I am unsure whether a file that starts in a given sector will necessarily be stored sequentially based on the file size or whether in reality it is much more likely that the file will be fragmented across non-sequential sectors with the only know sector being the starting sector!
Any comments would be very welcome.
Thanks
Jamie.
|
