NTFS data recovery
Hi All, I have been given a laptop to look at for a friend, the hard disk is close to death with a SMART error on POST. My initial thought was to just mount it on an Windows 7 machine and grab what I can from the drive. No joy Windows insists that the partition is RAW and I need to format it. I can however mount it under FreeBSD without any problems, the directory structure appears to be intact but there are no files in the places I would expect to find them under the Users directory, I am guessing that these have somehow been deleted or perhaps the victim of a partial OEM recovery process. Is there a way to scan the drive for deleted files from the command line or something from the ports tree that anyone can recommend to fulfil this requirement. Regards Graeme ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: NTFS data recovery
On Mon, 9 Jul 2012 16:01:56 +, Graeme Dargie wrote: Hi All, I have been given a laptop to look at for a friend, the hard disk is close to death with a SMART error on POST. My initial thought was to just mount it on an Windows 7 machine and grab what I can from the drive. Bad idea. You cannot fully make sure that the disk's content isn't altered. There's no mount -o ro in Windows. Even worse, it might lead to more corruption during attempts to repair it. No joy Windows insists that the partition is RAW and I need to format it. Don't format it, it will massively decrease your chances for data recovery. Work with what you have, touch it as few as possible, use the proper tools. You won't find them on Windows. I can however mount it under FreeBSD without any problems, the directory structure appears to be intact but there are no files in the places I would expect to find them under the Users directory, I am guessing that these have somehow been deleted or perhaps the victim of a partial OEM recovery process. That's quite possible. Check df vs. du output and see if it magically fits, e. g. that the data is somewhere. Is there a way to scan the drive for deleted files from the command line or something from the ports tree that anyone can recommend to fulfil this requirement. Because it's about NTFS recovery, things are a bit complicated, but not impossible. I'd suggest to first make a copy of the disk using dd, then work with that copy. Do _NOT_ fiddle with the original disks! If dd doesn't work, try ddrescue and dd_rescue. There are programs in the sysutils/ntfsprogs port will be surely useful to dealing with the NTFS content. Then of course you'll find The Sleuth Kit very helpful. It's programs fls, dls and ils might be what you're searching for. Sadly the documentation has been moved into a web page. :-( Additionally, you may try magicrescue, recoverjpeg and foremost, maybe fatback (but I doubt it). Those are acting outside of the FS. For missing files, maybe you can find a differing MFT to check? I know there was something related in the documentation of the older versions of TSK, but as I said, that situation has disimproved. :-( Note that data recovery is a dirty job, it takes time and is therefore quite expensive if delegated to a company. In your case it means you'll have to invest MUCH TIME into getting the data back. I hope the files are worth it. The absence of a backup seems to imply the opposite. :-) Anyway, good luck! -- Polytropon Magdeburg, Germany Happy FreeBSD user since 4.0 Andra moi ennepe, Mousa, ... ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: NTFS data recovery
On Mon, 9 Jul 2012 18:54:37 +0200 Polytropon articulated: On Mon, 9 Jul 2012 16:01:56 +, Graeme Dargie wrote: Hi All, I have been given a laptop to look at for a friend, the hard disk is close to death with a SMART error on POST. My initial thought was to just mount it on an Windows 7 machine and grab what I can from the drive. Bad idea. You cannot fully make sure that the disk's content isn't altered. There's no mount -o ro in Windows. Even worse, it might lead to more corruption during attempts to repair it. I have seen this work, but not on Windows 7. (based on Windows 2003 SP2) 1) switch off automount using the mountvol.exe command 2) present disk to Windows 2003 SP2 3) do not mount the disk 4) launch diskpart 5) do a list disk and list volume 6) note down the correct volume number 7) in diskpart do a select volume X (where X is the correct volume number) 8) then in diskpart doa att vol set readonly 9) then in diskpart do a detail vol and ensure the readonly bit is set 10) then you can mount the volume, the volume will be readonly Interestingly enough, only a few months ago, I used SpinRite 6 to recover an 80 Gb disk that was supposedly fried. If the HD can be seen by the system hardware, SpinRite has a fighting chance of recovering it. It took a week but it got all of the data back. I did take the HD out of the original PC and put it into a backup unit since I could not tie that PC up for an extended time. SpinRite does not need a super high speed machine to work off of. Good luck, you'll need it. -- Jerry ♔ Disclaimer: off-list followups get on-list replies or get ignored. Please do not ignore the Reply-To header. __ This is supposed to be a happy occasion. Let's not BICKER and ARGUE over who killed who! ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: NTFS data recovery
Graeme Dargie arab at tangerine-army.co.uk writes: ... Is there a way to scan the drive for deleted files from the command line or something from the ports tree that anyone can recommend to fulfil this requirement. testdisk http://www.freebsd.org/cgi/url.cgi?ports/sysutils/testdisk/pkg-descr I would suggest you compile it before use (otherwise grab a package). jb ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: NTFS data recovery
jb jb.1234abcd at gmail.com writes: ... ntfs utilities http://www.freebsd.org/cgi/url.cgi?ports/sysutils/ntfsprogs/pkg-descr I would suggest you compile it before use (otherwise grab a package). jb ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: NTFS data recovery
I have been given a laptop to look at for a friend, the hard disk is close to death with a SMART error on POST. My initial thought was to just mount it on an Windows 7 machine and grab what I can from the drive. No joy Windows insists that the partition is RAW and I need to format it. I can however mount it under FreeBSD without any problems, the directory structure appears to be intact but there are no files in the places I would expect to find them under the Users directory, I am guessing that these have somehow been deleted or perhaps the victim of a partial OEM recovery process. Is there a way to scan the drive for deleted files from the command line or something from the ports tree that anyone can recommend to fulfil this requirement. get other disk or just use free space on large filesystem and do dd if=/dev/baddisk of=file bs=64k conv=noerror,sync then - after having backup, try to salvage things ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
