Linux - SoftwareThis forum is for Software issues.
Having a problem installing a new program? Want to know which application is best for the job? Post your question in this forum.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
I meant to delete the partition on a USB stick using GParted, instead I made the big mistake of deleting the NTFS partition on my 500gb external drive. I desperately need to fix this; the external is my central storage and contains a massive amount of files I would really hate to lose. I know I could data carve if worst comes to worst; but, restoring the partition table data would save me hours and hours of work. I have heard a lot of mention about testdisk; however, it does not seem to find any partitions when I run the search. Does anyone have any other suggestions?
If you only repartitioned, you could use "losetup" to try to mount the ntfs partition. If it was the first partition on the disk, try:
sudo /sbin/losetup -fs </dev/sd#> -o $((63*512))
Use the device node for the disk, such as /dev/sdb. This command will respond with which loop device was used. For Windows XP and Linux, the first partition nearly always starts on block 63. Let's assume that it replies "loop0".
sudo file -s /dev/loop0
This will indicate the filesystem of the partition. If it says bootable partition or NTFS, you can try mounting the loop device.
sudo mkdir /mnt/recover
sudo mount -t ntfs /dev/loop0 /mnt/recover
If there is more than one partition on the disk, you can use:
df /mnt/recover
or
df /dev/loop0
to get the size of the first partition. The next one will be above it, but may start rounded up at the next cylinder.
One tip is to use a block size of 512 for both fdisk and df. This is especially important for the first partition, because it doesn't start on a cylinder boundary. Write down the offsets used for losetup for each partition. They can be used with "fdisk -u" to repair the partition table.
I did this before, only I was working with ipodlinux... Blech, I'd say get some raw data readers and try to recover files.... Normally you don't get everything, but if you do it before using the drive again you can get quite a bit. I've recovered hdds that even had a quick format done, believe me when you delete the data isn't usually gone. Though if you use a zeroing program...
Last edited by mushroomboy; 08-05-2009 at 09:45 PM.
jschiwal, thanks so much for your comments. When I ran testdisk it said it found a backup NTFS partition, I choose to restore it. In addition, it asked to rebuild the boot table, I think. Unfortunately, this didn't work. I am afraid this might have even done more damage, I am not sure. I got GPart to work correctly and it is scanning right now. I know the data is still there, what I don't know is what was deleted when I misused GPartition and/or what was overwritten when I tried to repair using testdisk. This drive contains years worth of files, organized on top of that. Restoring this partition would be so much better for me than data carving it. In addition, I would really like to do it for the learning experience. Any comments that could point me in the somewhat right direction would be so greatly appreciated!
Well depending on your resources, you might have wanted to do a HDD dump, I know 500G is a large dump, but with the size of HDDs these days it can be done, that way you could have ran other programs to "fix it" and if things went bad just use a program to do a re-write... Though I know in all honesty this may not be helpful in your case. Just if you ever have something like this happen on a smaller HDD you might be able to do it. I remember when back when I used to do dumps of Xbox HDDs so I could insert files, you always made a 10G dump of the HDD, incase the file insertion to fatx didn't work. =S But yeah, that's only a method you can do if you have the resources.
I actually do have the resources. I should NOT have used the testdisk program last night. I got ansy thinking it would work after hearing so many people talk about it recovering their partitions. Right now I am in our school's computer forensics lab imaging the hdd onto a 1 TB hdd (using FTK imager). I will definitely wait for it to image before I try anything else. I do need some insight on where to go from here though. I am beginning to think data carving is going to be my only option. If that is the case I could really use some suggestions on software.
I've typically used foremost and photorec to recover files. The major downside is that you get a bunch of files named with random strings of numbers and an extention like "124234321.doc". Sometimes you can run scripts to search through the file metadata and restore filenames that way. So it works really well for photos since most cameras just name them gibberish anyway. But for documents it's more painful to go through each document to figure out what it is.
I should NOT have used the testdisk program last night. I got ansy thinking it would work after hearing so many people talk about it recovering their partitions.
Best not disrespect an application because it didn't work once and in your case. Especially not since sofar you haven't posted an exact account of what you've done.
Quote:
Originally Posted by theblang
Right now I am in our school's computer forensics lab imaging the hdd onto a 1 TB hdd (using FTK imager). I will definitely wait for it to image before I try anything else. I do need some insight on where to go from here though. I am beginning to think data carving is going to be my only option. If that is the case I could really use some suggestions on software.
Kinda odd. If you know FTK Imager then you also know you that when you open a disk or image you can peruse the file tree in wndws explorer stylee. With that you would have a first assessment of the disks partitioning and the partitions "health". And you would like to have one because carving really is a last ditch effort.
unSpawn, My mistake. I was definitely not trying to disrespect the program. I was just stating I should not have used it before first imaging the hard drive. Testdisk did not find a partition with quick search; however, it found a backup ntfs partition with deep search. I then hit enter on the ntfs partition. It wrote it and asked me to restart. Unfortunately it did not fix the problem which leaves me wondering if I may have done something wrong, in which case I probably did more damage. If I load the hdd in FTK Imager I see a file tree consisting of a Partition 5, which has an unrecognized file system that contains 488,384,001 KB of unallocated space. The hex shows that this space definitely contains data. Also I see an Unpartitioned Space which contains a 0KB unallocated space folder and a 1KB MBR. I am not sure if this is the MBR for my file system before I deleted it, or if it is something testdisk wrote.
I was just stating I should not have used it before first imaging the hard drive.
True but depending on the disk layout and what you did all may not be lost...
Quote:
Originally Posted by theblang
Testdisk did not find a partition with quick search
BTW, you having access to your schools computer forensics lab, does that imply you get trained in forensics? Anyway. Once you successfully made your backup load testdisk again, select Intel Partitioning, Analyse but don't hit enter yet. At the bottom of the screen select "Backup", say no to Vista, and let testdisk run. Depending on how many partitions the disk contained testdisk will seek for the backup MFT (located at the end of the partition). If it found the copy then at the bottom of the result screen select "Write" and quit testdisk. If all went well then running 'ntfsinfo -v -mft /dev/devicenamepartition' should now return the MFT's contents and ntfs-3g will mount the partition without problems.
Distribution: Debian /Jessie/Stretch/Sid, Linux Mint DE
Posts: 5,195
Rep:
Isn't so that when you delete a partition, the partition table is changed and nothing else? I am not sure about more sophisticated programs like GParted, but I remember simpler programs like cfdisk. When I deleted a partition and recreated it, all my data was still there. A partition table is nothing more than a set of pointer to the first sector of a partition. Is is possible just to recreate that NTFS partition? Of course you should NOT format it. As a matter of fact only the start sector is relevant, so even if you can't remember the exact size it wouldn't do much damage.
Yeah, you're right, it should work that way provided nothing else was overwritten. Somehow I got Partition Table trouble during testing at which point ntfs-3g didn't want to mount it, ntfsinfo didn't see no NTFS and wndws decided to show the partition as the dreaded "RAW". Retesting it by letting Gparted delete the partition and restoring the PT from within testdisk did show a healthy and mountable NTFS partition. Beats me...
Has happened to me before. When it did, I used testdisk to determine the start and end of the deleted partition, then I restored those manually using fdisk.
Deleting a partition only removes it from the partition table, nothing bad has happened until you overwrite it with a new filesystem.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.