Recovery procedures of NTFS filesystem
D. Hugh Redelmeier
hugh-pmF8o41NoarQT0dZR+AlfA at public.gmane.org
Mon Jun 30 21:34:14 UTC 2008
| From: William Muriithi <william.muriithi-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org>
Robert's point deserves repetition:
If you hope to recover this, DON'T write to it at all.
Buy a new disk drive and use dd to copy the whole volume. Then play
only with the copy. (If the partition in question fits in another
disk you already have, then buying a new one isn't necessary.)
If you don't care very much, give up now. There is a lot of work
needed to do a good recovery at this point I would guess.
| Thanks for encouragement. I am progressing very carefully from here. A
| question, what exactly does mkfsext3 do? Does it go over all the
| sectors putting down marking or does it just mess up with partition
| table? What the main difference between mkfs and formatting?
Onward to your question.
The simplest positive step might be using the fdisk t command to set
the partition type to an appropriate one for NTFS. Maybe 0x07.
This does not change the contents at all.
mkfsext3 writes only a small percentage of the partition. It puts
superblocks a few places. It probably zeros-out inodes. I don't
remember how freelists are represented (probably bitmasks) but those
datastructures will be initialized. Space allocated for data blocks
is probably untouched.
So: the NTFS file system will have a bunch of holes punched in it.
Most of the data will remain. Accessing it through the normal metadata
will probably not work well.
Recovery may depend on your ability to distinguish your data from
junk. For some folks, something like "strings /dev/sda3" might do the
job.
--
The Toronto Linux Users Group. Meetings: http://gtalug.org/
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists
More information about the Legacy
mailing list