Notifications

Clear all

help recovering data from a partially formatted disk

Rampage · 2010-06-14T14:27:12Z

Hi all )no, this is not another spambot thread, i just need some suggestions couse i'm having trouble,i've made countless data recovery and undelete process on NTFS filesystems but what's happening today is pretty weird.the "customer" (actually a friend of mine ) gave me this HD saying that he accidentally "started formatting it".he said he wanted to format the USB thumb drive but chose the wrong device and started formatting the HDD, and when he noticed he immediatelly stopped the process.the problem is that i've tried the following softwares- ftk imager- testdisk- The Sleuthkit + autopsyand the result is the followingtestdisk says that "no partition is found", the bootloader is damaged.FTK and TSK finds the partition but they are both unable to read it.strange that running fstat returns the NTFS partition, but then it just says it's raw, so no file analysis.using testdisk i also tried to recover the bootloader, and accessing the $MFT mirror but with no luck.The problem is that running a datacarving on this drive wouldn't produce any suitable result, becouse it's fit with large files that are mostly fragmented so… if data is unisable it's not worth extracting partial content.considering this is not for forensics purposes, are you aware of other way i can try to recover data from that drive?

Page 2 / 2 Prev

General (Technical, Procedural, Software, Hardware etc.)

Last Post by Rampage 15 years ago

16 Posts

7 Users

0 Reactions

1,239 Views

RSS

Rampage

(@rampage)

Reputable Member

Joined: 17 years ago

Posts: 354

Topic starter 15/06/2010 4:01 pm

I would start by scanning the disk to see if there are any MFTs left. On many disks, the MFT starts at sector 0x60003f, ie about 3GB into the disk. This is rather close to the start, and would need a fairly quick 'abort' not to erase it.

Your luck may be in the MFT has been fragmented, and there are still areas of it left on the disk.

If it was a FAT disk, then the FAT will have been erased, but you may still beable to scan for directory entries. Fragmented files would not be recovered straight off.

You need to determine how much has been formatted, and then work out if the above two methods will help. Final solution is just data carving

i thought that the MFT mirror would help… but…

ReplyQuote

binarybod

(@binarybod)

Reputable Member

Joined: 17 years ago

Posts: 272

15/06/2010 5:50 pm

i thought that the MFT mirror would help… but…

My understanding is that the $MFTMirr is just a copy of the first 4096 bytes of the $MFT (4 records). If you have lost more than 4 records then it's pretty useless.

Paul

ReplyQuote

Rampage

(@rampage)

Reputable Member

Joined: 17 years ago

Posts: 354

Topic starter 15/06/2010 6:24 pm

ok thanks.. then i'm pretty errr… f.. D

ReplyQuote

mscotgrove

(@mscotgrove)

Prominent Member

Joined: 17 years ago

Posts: 940

15/06/2010 11:44 pm

With the $MFTMirr you will be able to tell where the $MFT has been stored. Determine which area of the disk has been formatted, and you will see if any $MFT is still available

ReplyQuote

jaclaz

(@jaclaz)

Illustrious Member

Joined: 18 years ago

Posts: 5133

18/06/2010 7:49 pm

@Rampage

Testdisk is a good tool to recover a drive that has been accidentally re-partitioned, can't do much about re-formatted.

But something can be done nonetheless.
http//www.cgsecurity.org/wiki/Advanced_NTFS_Boot_and_MFT_Repair

$MFT and $MFT mirror location is connected to the size (and cluster size) of the actual partition, so, by recreating an image with the same size you should get the right location of both the $MFT and $MFTmirror.

The $MFTmirror is actually 4 sectors long
http//www.ntfs.com/ntfs-system-files.htm
but it is enough to access the actual $MFT (if it is still existing and/or the single MFT entries, whch most probably are still largely there).

However, what you may want to try is FILE-based recovery, besides PHOTOREC, that probably won't be useful in your case, you can try
http//memberwebs.com/stef/software/scrounge/

or, among the Commercial software, I can recommend you FileScavenger
http//www.quetek.com/prod02.htm

Check this wink
http//www.forensicfocus.com/index.php?name=Forums&file=viewtopic&t=5353

jaclaz

ReplyQuote

Rampage

(@rampage)

Reputable Member

Joined: 17 years ago

Posts: 354

Topic starter 19/06/2010 8:52 pm

thanks jaclaz, it looks like getdataback is working fine.

ReplyQuote

Page 2 / 2 Prev

8 Forums
15.7 K Topics
92.3 K Posts
243 Online
41.1 K Members

Forum Icons: Forum contains no unread posts Forum contains unread posts

Topic Icons: Not Replied Replied Active Hot Sticky Unapproved Solved Private Closed