
help recovering data from a partially formatted disk

(@rampage)
Reputable Member
Joined: 17 years ago
Posts: 354
Topic starter  

Hi all :)
no, this is not another spambot thread, i just need some suggestions because i'm having trouble,
i've made countless data recovery and undelete processes on NTFS filesystems but what's happening today is pretty weird.

the "customer" (actually a friend of mine) gave me this HD saying that he accidentally "started formatting it".

he said he wanted to format the USB thumb drive but chose the wrong device and started formatting the HDD, and when he noticed he immediately stopped the process.

the problem is that i've tried the following software

- ftk imager
- testdisk
- The Sleuthkit + autopsy

and the result is the following
testdisk says that "no partition is found", the bootloader is damaged.
FTK and TSK find the partition but they are both unable to read it.

strange that running fstat returns the NTFS partition, but then it just says it's raw, so no file analysis.

using testdisk i also tried to recover the bootloader, and accessing the $MFT mirror but with no luck.

The problem is that running a data carving on this drive wouldn't produce any suitable result, because it's fit with large files that are mostly fragmented so… if data is unusable it's not worth extracting partial content.

considering this is not for forensics purposes, are you aware of other ways i can try to recover data from that drive?


   
(@robinsage)
Eminent Member
Joined: 17 years ago
Posts: 28
 

Hi,

These have all worked for us but YMMV. They are free to download "try before you buy" versions so write/save disabled.

DiskInternals, http://www.diskinternals.com/partition-recovery
Active Data Recovery, http://www.partition-recovery.com/download.htm
Stellar, http://www.stellarinfo.com/partition-recovery.htm
R-Tools Technology, http://www.r-studio.com/#rstudio

Good luck


   
(@rampage)
Reputable Member
Joined: 17 years ago
Posts: 354
Topic starter  

many ppl gave me good feedback about stellar, but the point is that i dunno what these software do more than free ones?


   
(@c-colina)
New Member
Joined: 16 years ago
Posts: 4
 

If I happen to recall correctly, a copy of the partition superblock and other initial data are backed up at the _end_ of an ntfs partition.

Didn't verify that, but possibly you could nail down the partition boundaries with that.

On the other hand, image the drive (with FTK-Imager-Lite for example), verify and then insert the drive into the computer it was partitioned with initially, use e.g. Ubuntu or Trinity FDISK to recreate the partition table.

Good luck.

C. Colina


   
(@rampage)
Reputable Member
Joined: 17 years ago
Posts: 354
Topic starter  

i'm already working on the image, so that i don't screw up things on the original drive


   
JSkier
(@jskier)
Eminent Member
Joined: 17 years ago
Posts: 24
 

If the files are large and mostly fragmented, you won't get much back at all period, especially without MFT or FAT. Testdisk will carve without a partition table (just use the whole disk method).

I don't know what the pay tools do differently, but your situation with any type of software based recovery seems very dire and unlikely.

Good luck,


   
(@rampage)
Reputable Member
Joined: 17 years ago
Posts: 354
Topic starter  

the $MFT mirror should be available…. but testdisk says it's damaged -.-'


   
(@rampage)
Reputable Member
Joined: 17 years ago
Posts: 354
Topic starter  

what a weird thing :)
this is the first time that something like this happens to me.
i managed to find the $MFT mirror and make a recovery of it, now i can access information about deleted files, but i can't access information about files actually stored on the device.

result, i can only see (and restore) files that are flagged as deleted :D


   
(@mscotgrove)
Prominent Member
Joined: 17 years ago
Posts: 940
 

I would start by scanning the disk to see if there are any MFTs left. On many disks, the MFT starts at sector 0x60003f, i.e. about 3GB into the disk. This is rather close to the start, and would need a fairly quick 'abort' not to erase it.

Your luck may be that the MFT has been fragmented, and there are still areas of it left on the disk.

If it was a FAT disk, then the FAT will have been erased, but you may still be able to scan for directory entries. Fragmented files would not be recovered straight off.

You need to determine how much has been formatted, and then work out if the above two methods will help. Final solution is just data carving.


   
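The two scanning ideas raised in this thread (a surviving NTFS boot sector copy to pin down the partition boundaries, and leftover MFT records) can be checked directly against the image. The script below is an added example, not code from any poster or from the tools named above. It assumes 512-byte sectors and that the backup boot sector sits in the partition's last sector, right after the volume's total-sectors count; `build_sample` writes a small constructed image for trying it out.

```python
import struct

SECTOR = 512  # assumed sector size of the image

def parse_boot(sec):
    """Return key BPB fields if this sector is an NTFS boot sector, else None."""
    if sec[3:11] != b"NTFS    " or sec[510:512] != b"\x55\xaa":
        return None
    spc = sec[0x0D]                                       # sectors per cluster
    total, mft_lcn = struct.unpack_from("<QQ", sec, 0x28)  # volume size, $MFT cluster
    return {"spc": spc, "total_sectors": total, "mft_lcn": mft_lcn}

def scan(path):
    """Return (sector, bpb) boot-sector hits and (sector, in_use) MFT record hits."""
    boots, records = [], []
    with open(path, "rb") as f:
        n = 0
        while len(sec := f.read(SECTOR)) == SECTOR:
            bpb = parse_boot(sec)
            if bpb:
                boots.append((n, bpb))
            elif sec[:4] == b"FILE":                      # MFT record signature
                records.append((n, bool(sec[0x16] & 1)))  # flags bit 0 = in use
            n += 1
    return boots, records

def locate(boots, records):
    """Try each hit as primary and as backup (start = hit - total_sectors).
    Returns (role, partition_start, expected_mft_sector, record_found_there)."""
    seen = {s for s, _ in records}
    out = []
    for n, b in boots:
        for role, start in (("primary", n), ("backup", n - b["total_sectors"])):
            mft = start + b["mft_lcn"] * b["spc"]
            if start >= 0:
                out.append((role, start, mft, mft in seen))
    return out

def build_sample(path):
    """Constructed image: primary boot sector wiped, backup and two records left."""
    img = bytearray(72 * SECTOR)
    boot = 71 * SECTOR                                    # backup = start 8 + 63
    img[boot + 3:boot + 11] = b"NTFS    "
    img[boot + 0x0D] = 2
    struct.pack_into("<QQ", img, boot + 0x28, 63, 16)
    img[boot + 510:boot + 512] = b"\x55\xaa"
    for sec, flags in ((40, 1), (42, 0)):                 # $MFT at 8 + 16*2 = 40
        img[sec * SECTOR:sec * SECTOR + 4] = b"FILE"
        img[sec * SECTOR + 0x16] = flags
    with open(path, "wb") as f:
        f.write(img)
```

Run `scan` on the working copy of the image, never the original drive. A candidate from `locate` whose last field is true is a partition start whose expected $MFT sector still holds a record header.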