Hi, sorry in advance if this is a little bit long, but I think I could need a little help and/or some pointers here.
About a year ago I made an image of a Windows XP-PC using Clonezilla. ntfsclone was used to dump the contents of the hard drive and then it was compressed with bzip2. Now I tried to recover some files from the image and apparently in the meantime the bzip2ed image got corrupted (I guess by a failing hard drive from which I falsely thought I rescued all data in time, but I can't know that for sure). After some trial and error with bzip2recover, 17 blocks of the bzip2ed data turned out to be corrupted. I managed to extract the rest and now I have 48GB of ntfsclone-encoded data in 17 files with gaps of more or less unknown size inbetween. Five of those files are larger than 500MB. The ntfsclone-header is intact as are the first ~9GB of the data. I already tried to restore data from just the first part but that fails (understandably) because at about 19% there's no more data to read. Also, before reading and starting to understand your ntfsclone code, I tried to just concatenate all the files together and decode that, but that, of course, failed too, because now I know that my file gaps don't line up with the control commands and clusters. Decoding any other of the files except the first fails too, because there's no ntfsclone-image header at the beginning and they very likely all start in the middle of a cluster. When I tried to mount the file I got from extracting just the first part with ntfs-3g, I got | ntfs_mst_post_read_fixup_warn: magic: 0x00000000 size: 1024 usa_ofs: 0 usa_count: 65535: Invalid argument | ntfs_mst_post_read_fixup_warn: magic: 0x00000000 size: 1024 usa_ofs: 0 usa_count: 65535: Invalid argument | ntfs_mst_post_read_fixup_warn: magic: 0x00000000 size: 1024 usa_ofs: 0 usa_count: 65535: Invalid argument | ntfs_mst_post_read_fixup_warn: magic: 0x00000000 size: 1024 usa_ofs: 0 usa_count: 65535: Invalid argument | $MFTMirr does not match $MFT (record 0). | Failed to mount 'image.img': Input/output error | NTFS is either inconsistent, or there is a hardware fault, or it's a | SoftRAID/FakeRAID hardware. In the first case run chkdsk /f on Windows | then reboot into Windows twice. The usage of the /f parameter is very | important! If the device is a SoftRAID/FakeRAID then first activate | it and mount a different device under the /dev/mapper/ directory, (e.g. | /dev/mapper/nvidia_eahaabcc1). Please see the 'dmraid' documentation | for more details. The way I see it (and please correct me if I'm wrong), it should be possible to ntfsclone-decode the vast majority of the other bigger chunks and then I could try some other tools to try to recover data from them or maybe (well, probably not) even stitch some of them together so I get a partially coherent NTFS image that hopefully contains the files I'm looking for. To do this I should find the first control command (CMD_GAP 0x00 or CMD_NEXT 0x01) in each file that leads to a chain of valid control commands: Either CMD_GAP followed by 8 bytes or CMD_NEXT followed by 4096 bytes, followed by another control command and so on. If I find a chain of, say, 10, I should be reasonably certain I have indeed found valid clusters and can start to extract from the first control command. Now, before I start to dive deeper and code something along those thoughts, please tell me: Do I suffer from "Not invented here" - maybe someone already solved a similar problem and I just haven't been able to find it? Is my planned approach somewhat reasonable? And - as I'm pretty new in dealing with the inner workings of NTFS, are there some things I should keep in mind that could help or hinder me? TIA, Sebastian ------------------------------------------------------------------------------ Go from Idea to Many App Stores Faster with Intel(R) XDK Give your users amazing mobile app experiences with Intel(R) XDK. Use one codebase in this all-in-one HTML5 development environment. Design, debug & build mobile apps & 2D/3D high-impact games for multiple OSs. http://pubads.g.doubleclick.net/gampad/clk?id=254741551&iu=/4140 _______________________________________________ ntfs-3g-devel mailing list ntfs-3g-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/ntfs-3g-devel
