I've been providing free computer recovery services in exchange for a testimonial and recommendation.
I have a client with a 500 GB hard drive that originally had an NTFS partition for about the first 370 GB and a Linux partition for the rest. He tried to install Ubuntu on the Linux partition. But for some reason, the installer reformatted the entire drive as ext4. He then reformatted the first 370 GB or so as NTFS to get the original formatting back so he could recover the Windows files from the original partition. However, the original Windows files did not appear, and Iolo Search and Recover couldn't find the files either.
What do you suggest for recovering the files? PhotoRec will take 100 hours and does NOT recover filenames or the directory structure. I'll end up with numerous files with random names, and many of these files will be system files rather than personal files. What alternatives to PhotoRec do you suggest? I need something that's both faster AND that saves filenames and the directory structure.
This is so much more difficult than recovering files from a bad Windows installation, which merely requires booting up a Linux live CD and copying the files to an external drive.
This is so much more difficult than recovering files from a bad hard drive. I've found that if PhotoRec can read the hard drive (which it always has as long as the drive spins), Puppy Linux can do so as well. Thus, Puppy Linux is my favorite tool for copying files from a bad hard drive to a good drive. It takes a long time, but it works well and even preserves filenames and directories.
Im no expert on nixy style file systems, but has this process overwritten both the MFTs? If so, nothing short of wandering down to the shire, finding gandalf the grey and asking him to get the filenames back will do it.
First, you are going to have to see if there are remnants of the Master File Table present. If not, you aren't going to be able to do much to recreate file paths.
Also, the Ubuntu install includes an option to "erase entire disk" which does exactly what it says. Are you sure that he didn't select this instead of the partition that he had reserved for Linux?
Anyway, you can also look for file signatures or, as you suggested, use PhotoRec or The Sleuthkit. If the MFT is gone you don't have many other options.
Do not expect a quick fix. With 500GB of data, the process will take many hours.
You need to scan the drive for all remaining MFTs, and this has to be the whole disk as the new install will have created a smaller $MFT file and will not be aware of older existing entries. You will need to determine where the original partition started, most likely at 0x3f or 0x800. A program that does this should beable to receover many file names, and directory structure. The level of recovery will depend on how much data was written with the ext4 install.
If all else fails, the data carving will at least find photos.
NB, try and find out if the user used NTFS compression, if used you must allow for this when carving the disk
How do I find the Master File Tables or at least remnants of them?
Easiest way is to do a search for "FILE0" without the quotes.
Thanks so much for your explanations and suggestions.
How do I scan the drive for those MFTs? And how do I search for "FILE0"?
I've never done this before.
You can also check out TestDisk http//
Good reference to it
http//
Well, Photorec can scan for filetypes (I don't think that your client personal data is stored inside .dll's and .exe's wink ).
TESTDISK won't be able to do much if the $MFT has been (as it should) been overwritten.
Sometimes I wonder why people don't ask for help when the problem happens (and not after senselessly trying to resolve it themselves). roll
You do not specify the actual OS used to re-format the disk.
If the OS was Vista or 7, since I doubt your client used the /q switch, you (actually he) can kiss the data goodbye.
Better suitable tools are (as I see it) DMDE (free version available - but you will need the Commercial version for actually recovering files - if any - "en masse")
http//softdm.com/
NTFSWalker
http//
or it's Commercial version diskdigger
http//
or FileScavenger (Commercial)
http//
jaclaz
If this is not a test case, or where your client has already given up, and you are simply offering a minuscule hope . . . (that is they are relying on you to restore the data in your professional capacity)
. . . why are you doing something that you are not qualified to do?
Would it not be more prudent and ethical to experiment with various test scenarios, instead of on a client's system?
Your failed attempts may destroy the chance to recover the data by someone with the knowledge . . .
I know this may sound a wee bit harsh, but our work must always be viewed from an ethical point first in my opinion, specially that it sounds like you are attempting to a start new business.
