Attachments prohibited, so resending with no attachment.... -------- Forwarded Message -------- From: 16 2015 <> X-Mozilla-Status: 0001 X-Mozilla-Status2: 00800000 X-Mozilla-Keys: Message-ID: <56544b36.3050...@wanadoo.fr> Date: Tue, 24 Nov 2015 12:34:14 +0100 From: Jean-Pierre André <jean-pierre.an...@wanadoo.fr> User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:33.0) Gecko/20100101 Firefox/33.0 SeaMonkey/2.30 MIME-Version: 1.0 To: Sebastian Sproesser <sebast...@sproesser.name>, ntfs-3g-de...@lists.sf.net Subject: Re: [ntfs-3g-devel] Problem with corrupt image References: <caoo9ygytdajwv5z7sy_of_drs-oju99ldsxm--1gsnoagz0...@mail.gmail.com> In-Reply-To: <caoo9ygytdajwv5z7sy_of_drs-oju99ldsxm--1gsnoagz0...@mail.gmail.com> Content-Type: multipart/mixed; boundary="------------050800030508030006080201"
Sebastian Sproesser wrote: > Hi, > > sorry in advance if this is a little bit long, but I think I could > need a little help and/or some pointers here. > > About a year ago I made an image of a Windows XP-PC using Clonezilla. > ntfsclone was used to dump the contents of the hard drive and then it > was compressed with bzip2. > > Now I tried to recover some files from the image and apparently in the > meantime the bzip2ed image got corrupted (I guess by a failing hard > drive from which I falsely thought I rescued all data in time, but I > can't know that for sure). > > After some trial and error with bzip2recover, 17 blocks of the bzip2ed > data turned out to be corrupted. I managed to extract the rest and now > I have 48GB of ntfsclone-encoded data in 17 files with gaps of more or > less unknown size inbetween. Five of those files are larger than > 500MB. The ntfsclone-header is intact as are the first ~9GB of the > data. > > I already tried to restore data from just the first part but that > fails (understandably) because at about 19% there's no more data to > read. Also, before reading and starting to understand your ntfsclone > code, I tried to just concatenate all the files together and decode > that, but that, of course, failed too, because now I know that my file > gaps don't line up with the control commands and clusters. Decoding > any other of the files except the first fails too, because there's no > ntfsclone-image header at the beginning and they very likely all start > in the middle of a cluster. > > When I tried to mount the file I got from extracting just the first > part with ntfs-3g, I got > > | ntfs_mst_post_read_fixup_warn: magic: 0x00000000 size: 1024 > usa_ofs: 0 usa_count: 65535: Invalid argument > | ntfs_mst_post_read_fixup_warn: magic: 0x00000000 size: 1024 > usa_ofs: 0 usa_count: 65535: Invalid argument > | ntfs_mst_post_read_fixup_warn: magic: 0x00000000 size: 1024 > usa_ofs: 0 usa_count: 65535: Invalid argument > | ntfs_mst_post_read_fixup_warn: magic: 0x00000000 size: 1024 > usa_ofs: 0 usa_count: 65535: Invalid argument Basically these errors mean some needed records were not initialized because they were not restored (or they were restored to a wrong location). > | $MFTMirr does not match $MFT (record 0). > | Failed to mount 'image.img': Input/output error > | NTFS is either inconsistent, or there is a hardware fault, or it's a > | SoftRAID/FakeRAID hardware. In the first case run chkdsk /f on Windows > | then reboot into Windows twice. The usage of the /f parameter is very > | important! If the device is a SoftRAID/FakeRAID then first activate > | it and mount a different device under the /dev/mapper/ directory, (e.g. > | /dev/mapper/nvidia_eahaabcc1). Please see the 'dmraid' documentation > | for more details. > > The way I see it (and please correct me if I'm wrong), it should be > possible to ntfsclone-decode the vast majority of the other bigger > chunks and then I could try some other tools to try to recover data > from them or maybe (well, probably not) even stitch some of them > together so I get a partially coherent NTFS image that hopefully > contains the files I'm looking for. Yes, theorically, you should be able to restore most of your data and have chkdsk fix what it can, to get usable files. The tricky part here is to fill the gaps. The ntfsclone images suffer from a bad design in storing the identification of clusters : cluster offsets are used instead of cluster numbers, so an image part is unusable if not correctly positioned in the sequence. > > To do this I should find the first control command (CMD_GAP 0x00 or > CMD_NEXT 0x01) in each file that leads to a chain of valid control > commands: Either CMD_GAP followed by 8 bytes or CMD_NEXT followed by > 4096 bytes, followed by another control command and so on. If I find a > chain of, say, 10, I should be reasonably certain I have indeed found > valid clusters and can start to extract from the first control > command. That is what I did for someone who had a similar problem. Luckily in this case, the relative positions of the image parts were known and there were no cluster gaps in between. > Now, before I start to dive deeper and code something along those > thoughts, please tell me: Do I suffer from "Not invented here" - maybe > someone already solved a similar problem and I just haven't been able > to find it? Is my planned approach somewhat reasonable? And - as I'm > pretty new in dealing with the inner workings of NTFS, are there some > things I should keep in mind that could help or hinder me? I am attaching the two "quick and dirty" programs I used : chkimg.c locates the first sequencing error, and fiximg.c helps to stuff the gap (but this is not automated : you have to enter the stuffing data). You have to first concatenate the parts, and you may have to fill some space between them, so that an integer count of clusters fits in the invalid region. From experience this is too difficult to do remotely without having the full image in hands. I attach what I have (too bad if your email is wrong and the list removes attachments). HTH Jean-Pierre ------------------------------------------------------------------------------ Go from Idea to Many App Stores Faster with Intel(R) XDK Give your users amazing mobile app experiences with Intel(R) XDK. Use one codebase in this all-in-one HTML5 development environment. Design, debug & build mobile apps & 2D/3D high-impact games for multiple OSs. http://pubads.g.doubleclick.net/gampad/clk?id=254741551&iu=/4140 _______________________________________________ ntfs-3g-devel mailing list ntfs-3g-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/ntfs-3g-devel
