Recovering data from NTFS disk

2010-01-07 Thread KS 
Hi all,

A friend of mine gave me his hard disk to try to rescue data from it. It
is a 500GB SATA drive which was in an USB enclosure. His machine
(Windows XP) is unable to detect it when the enclosure is connected.

I connected it in my machine (internal SATA) and just did a ddrescue of
the disk to a 1.5TB hard disk using a Sysrescue CD. The process tells me
that there were 37 errors totalling 151kB.

The ISO image generated is about 466GB. However, when I mount the image
using
mount -o loop -t iso9660 /path/to/image.iso /path/to/mntpt

it shows that the mntpt is just 121MB.
When I do a listing of the mntpt directory I get:

r...@sysresccd /root % ddrescue -v /dev/sdb1 /mnt/windows/rescueData.iso
/mnt/windows/rescueLog.txt


About to copy 500107 MBytes from /dev/sdb1 to /mnt/windows/rescueData.iso
Starting positions: infile = 0 B,  outfile = 0 B
Copy block size: 128 hard blocks
Hard block size: 512  bytes
Max_retries: 0
Direct: noSparse: noSplit: yesTruncate: no

Press Ctrl-C to interrupt
Initial status (read from logfile)
rescued:   471251 MB,  errsize:   3098 kB,  errors:  35
Current status
rescued:   500107 MB,  errsize:151 kB,  current rate:0 B/s
   ipos:   210521 MB,   errors:  37,average rate: 679 kB/s
   opos:   210521 MB, time from last successful read: 6.7 m
Finished
r...@sysresccd /root % man mount
r...@sysresccd /root % mkdir /mnt/windows/rescueDataDump
r...@sysresccd /root % ls /mnt
backup  cdrom  custom  floppy  gentoo  livecd  memory  windows
r...@sysresccd /root % mount -o loop -t iso9660
/mnt/windows/rescueData.iso /mnt/cdrom
r...@sysresccd /root % ls /mnt/cdrom
〰〹  䝎䑒噌慮?湩㬱
r...@sysresccd /root % du -sch /mnt/cdrom
13K /mnt/cdrom
13K total
r...@sysresccd /root % df -h
FilesystemSize  Used Avail Use% Mounted on
tmpfs 491M   25M  467M   6% /
/dev/sr0  121M  121M 0 100% /mnt/cdrom
/dev/loop0194M  194M 0 100% /mnt/livecd
tmpfs 491M   25M  467M   6% /mnt/memory
udev   10M  164K  9.9M   2% /dev
tmpfs 491M   13M  478M   3% /lib/firmware
/dev/sda1 1.4T  466G  932G  34% /mnt/windows
/mnt/windows/rescueData.iso
  121M  121M 0 100% /mnt/cdrom

Any advice on how to proceed from here? Or can someone suggest a better
method?

Thanks
.KS.


-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Re: Recovering data from NTFS disk

2010-01-07 Thread Jochen Schulz 
KS:
> 
> r...@sysresccd /root % mount -o loop -t iso9660

Why do you mount the dump file from ddrescue as ISO image? Doesn't the
subject say it should actually contain an NTFS filesystem? I am
surprised that this actually works.

> /mnt/windows/rescueData.iso /mnt/cdrom
> r...@sysresccd /root % ls /mnt/cdrom
> 〰〹  䝎䑒噌慮?湩㬱

Do you expect this kind of characters or is it just "garbage" (from your
point if view)?

> Any advice on how to proceed from here? Or can someone suggest a better
> method?

It depends on what you want to achieve. If all you want is to rescue
personal documents, images and the like, I suggest you to try photorec
from the testdisk package. It can recover many files of different types
from otherwise unusable filesystems.

J.
-- 
I count my partner's eyelashes.
[Agree]   [Disagree]
 


signature.asc
Description: Digital signature

Re: Recovering data from NTFS disk

2010-01-07 Thread John Hasler 
KS writes:
> I connected it in my machine (internal SATA) and just did a ddrescue
> of the disk to a 1.5TB hard disk using a Sysrescue CD. The process
> tells me that there were 37 errors totalling 151kB.

Ok...

> The ISO image generated is about 466GB.

"ISO"?  I thought you made an image of a NTFS drive.  Where did the ISO
come from?

> However, when I mount the image using mount -o loop -t iso9660
> /path/to/image.iso /path/to/mntpt

Why is that not "-t ntfs"?
-- 
John Hasler


-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Re: Recovering data from NTFS disk

2010-01-07 Thread KS 
John Hasler wrote:
> KS writes:
>> I connected it in my machine (internal SATA) and just did a ddrescue
>> of the disk to a 1.5TB hard disk using a Sysrescue CD. The process
>> tells me that there were 37 errors totalling 151kB.
> 
> Ok...
> 
>> The ISO image generated is about 466GB.
> 
> "ISO"?  I thought you made an image of a NTFS drive.  Where did the ISO
> come from?
> 
>> However, when I mount the image using mount -o loop -t iso9660
>> /path/to/image.iso /path/to/mntpt
> 
> Why is that not "-t ntfs"?

I tried -t ntfs (with and without errors=recover) and I also tried to
mount the bad HDD but the system couldn't find ntfs boot sector on either.

**without errors=recover ***
NTFS-fs error (device loop1): ntfs_fill_super(): Not an NTFS volume.
NTFS-fs warning (device loop1): is_boot_sector_ntfs(): Invalid boot
sector checksum.
NTFS-fs error (device loop1): read_ntfs_boot_sector(): Primary boot
sector is invalid.
NTFS-fs error (device loop1): read_ntfs_boot_sector(): Mount option
errors=recover not used. Aborting without trying to recover.

*** with errors=recover***
NTFS-fs error (device loop1): ntfs_fill_super(): Not an NTFS volume.
NTFS-fs warning (device loop1): is_boot_sector_ntfs(): Invalid boot
sector checksum.
NTFS-fs error (device loop1): read_ntfs_boot_sector(): Primary boot
sector is invalid.
NTFS-fs warning (device loop1): is_boot_sector_ntfs(): Invalid boot
sector checksum.
NTFS-fs error (device loop1): read_ntfs_boot_sector(): Could not find a
valid backup boot sector.
NTFS-fs error (device loop1): ntfs_fill_super(): Not an NTFS volume.

***bad hdd***
NTFS-fs warning (device sdb): is_boot_sector_ntfs(): Invalid boot sector
checksum.
NTFS-fs error (device sdb): read_ntfs_boot_sector(): Primary boot sector
is invalid.
NTFS-fs warning (device sdb): is_boot_sector_ntfs(): Invalid boot sector
checksum.
NTFS-fs error (device sdb): read_ntfs_boot_sector(): Could not find a
valid backup boot sector.
NTFS-fs error (device sdb): ntfs_fill_super(): Not an NTFS volume.

*badd hdd partition 1***
NTFS-fs warning (device sdb1): is_boot_sector_ntfs(): Invalid boot
sector checksum.
NTFS-fs error (device sdb1): read_ntfs_boot_sector(): Primary boot
sector is invalid.
NTFS-fs warning (device sdb1): is_boot_sector_ntfs(): Invalid boot
sector checksum.
NTFS-fs error (device sdb1): read_ntfs_boot_sector(): Could not find a
valid backup boot sector.
NTFS-fs error (device sdb1): ntfs_fill_super(): Not an NTFS volume.

I also tried scrounge-ntfs and it tells that the whole disk is a
partition. I think the disk had at least two partitions.

.KS.


-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Re: Recovering data from NTFS disk

2010-01-07 Thread KS 
Jochen Schulz wrote:
> KS:
>> r...@sysresccd /root % mount -o loop -t iso9660
> 
> Why do you mount the dump file from ddrescue as ISO image? Doesn't the
> subject say it should actually contain an NTFS filesystem? I am
> surprised that this actually works.

I tried with ntfs flag too and it doesn't mount anything. Rather gives
errors. See my other reply in the thread.

>> /mnt/windows/rescueData.iso /mnt/cdrom
>> r...@sysresccd /root % ls /mnt/cdrom
>> 〰〹  䝎䑒噌慮?湩㬱
> 
> Do you expect this kind of characters or is it just "garbage" (from your
> point if view)?

Yes, it is garbage.

>> Any advice on how to proceed from here? Or can someone suggest a better
>> method?
> 
> It depends on what you want to achieve. If all you want is to rescue
> personal documents, images and the like, I suggest you to try photorec
> from the testdisk package. It can recover many files of different types
> from otherwise unusable filesystems.
> 
> J.

The person has lots of photos, movies, and software backups on the drive.

/KS


-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Re: Recovering data from NTFS disk

2010-01-07 Thread John Hasler 
The filesystem on the disk is clearly toast.  Mounting it as the wrong
type won't help.  Start looking at forensics packages:

magicrescue - recovers files by looking for magic bytes
myrescue - rescue data from damaged harddisks
scrounge-ntfs - Data recovery program for NTFS filesystems
autopsy - graphical interface to SleuthKit
dcfldd - enhanced version of dd for forensics and security
foremost - Forensics application to recover data
guymager - Forensic imaging tool based on Qt
sleuthkit - collection of tools for forensics analysis on volume and
file system data
tct - collection of forensics related utilities

There are, no doubt, others.
-- 
John Hasler


-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Re: Recovering data from NTFS disk

2010-01-07 Thread Rob Owens 
On Thu, Jan 07, 2010 at 08:12:27PM -0500, KS wrote:
> Jochen Schulz wrote:
> > KS:
> >> r...@sysresccd /root % mount -o loop -t iso9660
> > 
> > Why do you mount the dump file from ddrescue as ISO image? Doesn't the
> > subject say it should actually contain an NTFS filesystem? I am
> > surprised that this actually works.
> 
> I tried with ntfs flag too and it doesn't mount anything. Rather gives
> errors. See my other reply in the thread.
> 
> >> /mnt/windows/rescueData.iso /mnt/cdrom
> >> r...@sysresccd /root % ls /mnt/cdrom
> >> 〰〹  䝎䑒噌慮?湩㬱
> > 
> > Do you expect this kind of characters or is it just "garbage" (from your
> > point if view)?
> 
> Yes, it is garbage.
> 
> >> Any advice on how to proceed from here? Or can someone suggest a better
> >> method?
> > 
> > It depends on what you want to achieve. If all you want is to rescue
> > personal documents, images and the like, I suggest you to try photorec
> > from the testdisk package. It can recover many files of different types
> > from otherwise unusable filesystems.
> > 
> > J.
> 
> The person has lots of photos, movies, and software backups on the drive.
> 
I think photorec is the right tool for you.  It's part of the testdisk
package, which somebody mentioned already.  I've used photorec several
times to recover files (all kinds, not just photos) from drives that
were unreadable by other means.

-Rob


-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Re: Recovering data from NTFS disk

2010-01-07 Thread KS 
Rob Owens wrote:
>
> I think photorec is the right tool for you.  It's part of the testdisk
> package, which somebody mentioned already.  I've used photorec several
> times to recover files (all kinds, not just photos) from drives that
> were unreadable by other means.
> 
> -Rob
> 
> 

I have already started testdisk and it is analysing the disk since the
last hour or so. Should be finished soon. It might give me an hint as to
what is the status of the disk.

Thanks,
KS.


-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Re: Recovering data from NTFS disk

2010-01-07 Thread Jochen Schulz 
KS:
> 
> 
> I have already started testdisk and it is analysing the disk since the
> last hour or so. Should be finished soon.

Good luck!

> It might give me an hint as to what is the status of the disk.

Install smartmontools and try to run smartctl -a /dev/sdb on it. Then
post the output. It might be that smartctl doesn't work over USB. In
that case you would have to connect the disk directly via SATA/IDE.

J.
-- 
I often play sports / do exercise.
[Agree]   [Disagree]
 


signature.asc
Description: Digital signature

Re: Recovering data from NTFS disk

2010-01-08 Thread KS 
Jochen Schulz wrote:
> KS:
>>
>> I have already started testdisk and it is analysing the disk since the
>> last hour or so. Should be finished soon.
> 
> Good luck!
> 
>> It might give me an hint as to what is the status of the disk.

No, it coudn't find any partition table after 2 passes.

I started photorec and it has found hundred's of files. It says it will
take around 20 more hours to finish.

> 
> Install smartmontools and try to run smartctl -a /dev/sdb on it. Then
> post the output. It might be that smartctl doesn't work over USB. In
> that case you would have to connect the disk directly via SATA/IDE.
> 

The HDD is connected to internal SATA connector. Sadly, the external USB
drives sold these days don't have the capability of reading SMART data.
I have an old WD external disk which does, but a newer Lacie does not
and it doesn't spin down the HDD either!

Waiting for photorec to finish.

/ks


-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Re: Recovering data from NTFS disk

2010-01-09 Thread Osamu Aoki 
Hi,

I made a list of forensics packages:
 
http://www.debian.org/doc/manuals/debian-reference/ch10.en.html#listofpackagesfoforensicanalysis

On Thu, Jan 07, 2010 at 07:30:37PM -0600, John Hasler wrote:
> The filesystem on the disk is clearly toast.  Mounting it as the wrong
> type won't help.  Start looking at forensics packages:

Although you missed most popular 

 testdisk

this list was a good one.

> myrescue - rescue data from damaged harddisks
> guymager - Forensic imaging tool based on Qt

I will add these :-)

Osamu


-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org