[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: NTFS recovery

On Wed, 2005-10-19 at 09:12 -0500, Gary Smithe wrote:
> Hello all,
> I have a HDD from WinXP that has a messed up partition table.

Is it the partition table, filesystem or both?

I understand if it's the partition table, you might not be able to tell
if the filesystem is dorked up too.

> It causes Windows to lock up, and won't mount, even read-only, under
> Linux.

If the start of the filesystem cannot be determined due to the partition
table being messed up, then the filesystem might still be intact.  As
long as Linux knows the start of a filesystem (on a partition boundary),
it will access the exact filesystem (regardless of where the partition
boundary ends).

This is why I keep copies of my partition tables.  In fact, I purposely
use exacting off-sets (4000M, 8000M, 16000M, 32000M, 64000M) with fdisk
to guarantee I can "guess" the partition table with trial'n error.  I
just start creating partitions with 4000M, 8000M, etc... until one
mounts, then I look at its size, then I figure where the next one is.
The only issue is when I have an extended, LDM or LVM -- the extended I
can do something about (it's just a 512B sector off-set), but LDM or LVM
I can do little.

> Anything I do in windows gives me problems with this drive, so
> I'm hoping to find a Linux tool.

The best bet is to create a single partition starting with cylinder 1 to
the last.  Then try to mount it.  The first filesystem should start on
cylinder 1, and Linux will mount it if it does, regardless of where it
ends.  Once you mount it, you can find out its size and interpolate what
cylinder/head/sector the next partition starts, etc...

[ BTW, be sure to use the "-o ro" option to mount read-only. ]

> I decided to use dd_rhelp to make an image file.  The problem is, when
> I try to mount it, it complains about the FS.

You need to find where those partitions start so you know where the
filesystem starts.  Otherwise you're getting arbitrary disk sectors.

> I've seen where people making a DD from an ext2 FS have been able to
> do a fsck on the image file,

Again, you need to dd from the start of a partition, and therefore, a
filesystem before you even get to that point.

> but I don't think I can do that with NTFS.

*NEVER*, *EVER* CHKDSK a NTFS filesystem *EXCEPT* with the _exact_ NTFS
installation that created it.  There are links from the filesystem to
the Security/System Accounts Manager (SAM) which is part of the
registry, and that is NT installation _specific_.  Even on a dynamic
disk (LDM disk label, BIOS type 42h), which stores some SID info in
hidden parts of the disk, it does _not_ have enough to do a CHKDSK.

I'm not sure if the "Captive" user-space driver for Linux can safely
read the registry/SAM and recover.  But since it's a user-space driver,
it would be dog slow anyway.  It's best to try to define the NTFS
filesystem's boundaries, and then get a dd image of that.  Then put it
on another disk and attempt to see it boot and run CHKDSK.

If you get your data, then you can go back to the original disk and do a
sector-by-sector test with CHKDSK to see if it's failing.

> Does anyone have a thought of how I can get my files off this drive? 
> The drive isn't making any death noises, it just seems to have bad
> clusters, that have messed up the partition table and/or formatting
> information.

If you can find out where the filesystem begins and ends, you can let

Bryan J. Smith     b.j.smith@ieee.org     http://thebs413.blogspot.com
The best things in life are NOT free - which is why life is easiest if
you save all the bills until you can share them with the perfect woman

To unsubscribe, send email to majordomo@silug.org with
"unsubscribe silug-discuss" in the body.