0

I went away from the Linux world for a decade or so. Now that I'm trying my way back, that nice little warning that told me that I would lost all my files when replacing Windows XP failed to be clear in that it would not only replace the partition where my old windows was (10 GB), but also any and all other partitions of the same hard disk (my 200 and some GB collection made from pure MP3 and JPG files). This is so not cool for a migration that had to run smooth.

So I tooked the 250 GB HD and placed on a PC with Ubuntu 14, installed TestDisk, went to all the Deep Search process, and got into a NTFS file system with only like 1% of the files in it (well, all of the files of that sole folder). There was none of my other 99 folders on it (number aproximated).

I really need a hand with this. It's not like anything has overwritten those files, and I would understand that some 10GB of data is lost. But 90% of it, from one simple formatting and repartitioning process? Really?

Hermes Villafuerte
  • 1

2 Answers2

0

I had a damaged hard drive that was not readable via a file system some time ago and was able to recover that data that was not already corrupted by using ddrescue utility. I used an external hard drive that was empty and had a larger capacity than the hard drive that I wanted to copy. I then installed ddrescue to my ix system and ran a script that copied the entire contents of one drive to the external. it took a VERY long time, but it accomplished what i intended and was able to recover what i could from the corrupted drive.

Please be advised that ddrescue may irreversibly wipe the contents of your drive so be very careful and FOLLOW instructions carefully. I created a bootable usb with ubuntu rescue mix and made sre that ddrescue was installed on it... if not install it from the repos then I followed the instructions on the main ddrescue gnu page...

http://www.gnu.org/software/ddrescue/

---hope this helps

gingamann
  • 393
  • side notes:

    1. the corrupted drive was ntfs - i was able to have the output of the ddrescue format to ntfs/fat

    2. the original corrupted drive is still in the same condition it was before i ran ddrescue

     – gingamann Nov 05 '14 at 23:26
  • Thank you gingamann, I'll try that. Just to be sure, ¿Did it recover your files with names, timestamp and filestructure? Sinces there are a lot of songs I use for a Jukebox, it's pointless to use something that cannot recover the names of the files since I would have to open every song and rename it, and that will take a longer time than just recover them with such utility. – Hermes Villafuerte Nov 06 '14 at 12:18
  • So I have done a backup of 'hdb1'. But I think this is not the entire drive (which I beleive would be 'hdb'), since I have hdb2 and hdb3 of the new Ubuntu file table. Now I'm using Sleuthkit, but when mounting the image with

    $ mmls file -b

    I get the 'unknown argument error' followed by a message that I require tu use the -b argument XD. Well, I guess it is because the sintaxis is now 'mmls -b file', bu then I get an error of sector size (must be positive). I suppose I should tell it the sector size XD like 512 or something

     – Hermes Villafuerte Nov 07 '14 at 20:12
  • I'm just guessing that this command was wrong sudo ddrescue --no-split /dev/sdb1 /media/user1/3C9FD1452BA6CC99/rescatepol logfile and that I have to restart everthing with something like sudo ddrescue -n --force /dev/sdb /dev/sdh rescue.log

    in order to get the entire drive imaged.

    I only hope.

     – Hermes Villafuerte Nov 07 '14 at 21:05
  • I'll just keep describing in case someone with a similar problem make it here. It tunrs out that I was right about being wrong. The previous commands only created a backup of one current partition of the formatted drive, so I followed the instructions here http://derflounder.wordpress.com/2012/01/31/using-ddrescue-on-a-failing-hard-drive/ to backup the entire disk. Syntaxis is important you know. Now I can't mount that image so I'll get my hands on that issue, since it is apparent that I have to restore the old partition table to recover my files, or use backup to scan file by file (dont know) – Hermes Villafuerte Nov 08 '14 at 18:23
  • Currently checking this http://askubuntu.com/questions/296109/need-to-recover-data-from-a-data-hard-disk-that-i-used-testdisk-on-in-my-attempt – Hermes Villafuerte Nov 08 '14 at 18:30
  • Got to mount the drive with testdisk. Nothing different so far. The list of partitions detected is the same after the quick scan Linux Linuxswap I had already deepsearched Linux on the drive itself, now I'll try with Linuxswap. Maybe my Windows partion was not 10GB like I remembered, maybe it was 5GB and the 8GB required for Ubuntu installation erased more of the previos partition table than I supposed in the first place. (It's an old PC, maybe it was 5GB, maybe 10GB, with 220GB of extended partition where the files were stored). – Hermes Villafuerte Nov 08 '14 at 18:47
  • Found nothing. Restarting deep search with first partition (again). Remember I already recovered about 1% of the data with this option but directly fron de hard drive, not the image like I'm doing now. – Hermes Villafuerte Nov 08 '14 at 19:17
  • All came out empty. I'll continue with some other alternative to testdisk and the image file obtained with ddrescue (GNU). This is BS. I think I'll go back to Redhat or something. ¿Does that still exists? XD – Hermes Villafuerte Nov 08 '14 at 19:49
  • Using disktest with the drive resulted in a partial recovery, but using the image made with ddrescue resulted in nothing. I decided to run Sleuthkit with Autopsy, but it recommends making the image file with dd, and says nothing about ddrescue. For what I understand until now, it should be exactly the same, so running dd instead of ddrescue could prove another waist of time. Or maybe not? Anyway, I'm copying the ddrescue image to a third drive, so maybe I can use the second to get the individual files. My current ubuntu drive is 40GB so I don't know if Seluthkit will work (redirecting output) – Hermes Villafuerte Nov 08 '14 at 20:48
  • dd and ddrescue are pretty much the same, ddrescue has recovery attributes and fault tolerance that dd does not have, they are both a "copy and convert" type program... I recommended it because the filesystem has been overwritten. When I ran it i based my syntax off the first example in the manual (http://www.gnu.org/software/ddrescue/manual/ddrescue_manual.html#Examples) When I ran it I added (-R or --reverse) as a tag- I stopped it about a day into it and saw that some things were recovered - logfile-lets you restart where u stopped -the thing is that it literally ran for about 3 days – gingamann Nov 09 '14 at 00:26
  • not too familiar with sleuthkit or testdisk - though both seem to be recommended for data carving - your doing good... this is what I would be doing too... if one tool didnt find all that i lost i would have saved those results and moved on to other tools – gingamann Nov 09 '14 at 01:08
  • something I found poking around is ntfsprogs - and a utility within called ntfsundelete... dont know much about it other than it was replaced with a package called ntfs-3g for 13.04 and on... – gingamann Nov 09 '14 at 01:10
  • redhat is still around but you would have probably encountered same issue when installing - its a good idea to keep the os directory structure on a smaller and separate partition from your data - similar to what you had setup with windows - to avoid dataloss... – gingamann Nov 09 '14 at 02:21
  • Using Sleuthkit now. I really don't know how to make it use my 320GB drive to save any recovered data, since my Linux hardrive is only 40GB and the documentation recommends that this should be larger than the original. XD – Hermes Villafuerte Nov 10 '14 at 18:54
  • I'll give a look to the ntfs-3g, but still running Sleuth. Thanks alot man you have been very helpful with your advices. – Hermes Villafuerte Nov 10 '14 at 21:21
0

you can try this - anytime i work with datarecovery I prefer to work with it externally - though this will increase the processing time spent working with it - i find it a more logical approach - use a usb thumb with bootable image for say.. ubuntu rescue mix as an example.. regardless how you want to approach it..

execute: sudo apt-get install ntfs-3g

though, this is probably already installed.

1) unmount said partition to carve

Execute: sudo umount /dev/sdwhatever

2) I'd create a list of all deleted files that this tool can find that are recoverable (the -p 100 tag defines 100% recoverable - leave it out of you want)

Execute: sudo ntfsundelete /dev/sdwhatever -m '*.mp3' -p 100 > deletedmusicwhatever.txt

3) review the list - the directory you are in when the command is executed is where the text file will be created ~/home/deletedmusicwhatever.txt - I dont know off the top of my head if something like: '*.wav''*.mp4''*.mp3' to search for multiple files types at once will work. May be a better idea to work with one at a time...

4) provided there are recoverable files that meet expectations then copy the files to an external drive

Execute: sudo ntfsundelete /dev/sdwhatever -u -m '*.mp3' -p 100 -d /media/nameofexternaldrive/recoveredmusicfolder

gingamann
  • 393
  • I'm afraid ntfsundelete wants the file system to be already NTFS, but it is obviously formatted with Ubuntu. I imagine TestDisk could somehow restore it, even if the image has no info, or the hard disk has only one folder. Maybe that way it would work? – Hermes Villafuerte Nov 11 '14 at 19:01
  • Yea.. testdisk is going to be your best bet.. I found this article illustrating the process in more detail. (http://askubuntu.com/questions/286181/how-do-i-recover-my-accidentally-lost-windows-partitions-after-installing-ubuntu) - if this helps the poster: Takkat for the excellent detailed walk through – gingamann Nov 13 '14 at 01:07
  • Thanks gingamann, still trying to figure out if writing the ntfs partition table using only the image would result equally good than if writing it directly to the formatted drive. – Hermes Villafuerte Dec 01 '14 at 15:35