[vox-tech] data recovery via linux

Mark K. Kim vox-tech@lists.lugod.org
Thu, 20 May 2004 21:24:21 -0700 (PDT)


If you know what the partition should look like (i.e., One primary
partition that takes up the entire hard drive), you can recreate it using
a non-destructive partitioning utility and get the data back.  That's
assuming the actual partition itself is intact.  I've done this using
`fdisk` under Linux to recover a partition, but each partitioning utility
is a little different, so using a partitioning utility to recover a
partition that wasn't originally used to create it could be a problem.
In my situation, the original partition *was* created using `fdisk` so
recreating it using `fdisk` didn't cause any problem.

Another option is to figure out where NTFS partition starts, then mount it
under Linux. Linux can do this without the partition table, as long as you
can tell it where the NTFS starts.  This is a little dirty process but
it's doable.  What's more, this is a good option because it's
non-destructive -- even if it turns out the method doesn't work, it
doesn't require writing to the hard drive so it won't damage the hard
drive as long as you don't accidentally write to it.  Here are the steps:

   1. Make sure you're using a Linux that has a NTFS reading capability.

   2. Figure out what the NTFS's partition header looks like.

   3. Find out where the NTFS partition begins on the damaged
      hard drive.

   4. Mount it using `mount /dev/hdX /mnt -o offset=<offset>`, where
      <offset> is where the NTFS partition begins.

   5. Copy over any data you need.

I'll let you figure out #1.  #2 is the most complex part, and if you can't
find the information on the Internet, you can find it out yourself like
this:

   A. Get a hard drive with an accessible NTFS partition.

   B. Check its partition table to see where the NTFS partition starts.

   C. Grab the first few bytes from the beginning of the partition.
      That's the NTFS partition header (probably).

Then in #3, you need to figure out where the NTFS header begins.  You'll
probably need to write a small program that walks through /dev/hdX and
finds out where the header is.

#4 and #5 are self-explanatory.

I hope that makes sense.

If all else fails, you can run `strings /dev/hdX | less` to get some text
data.  Though much of it won't be contiguous, it's an option nonetheless.
Good luck!

-Mark


On Thu, 20 May 2004, dylan wrote:

> Hi!
>
>
> recently we had a mysterious problem at work:
>
> yesterday afternoon i used one of our win2k machines to do some regular
> stuff. in the morning the machine was off. when powered up it acted like
> there was no operating system installed. the dept. IT people took the hard
> drive to their office and ran some diagnostics on it... they said that the
> hard drives appears to be 'empty' to their tools.
>
> the disk is a 20Gb NTFS formatted drive, that has been at about 95% capacity
> for the last 5 months. i wonder if running at 95% capacity could have lead
> to fragmentation of the partition mac... i picked up this crazy idea reading
> a recent slashdot article:
> http://apple.slashdot.org/article.pl?sid=04/05/19/1531236&mode=thread&tid=179&tid=182&tid=185&tid=190
>
>
> so- i am wondering what the best plan of attack at recovering some of the
> files from the drive via unix/linux tools.
> 1. is there any way to get data off of a drive that has a hosed partition
> table?
> 2. if so, would it be possible to get non-text type files off?
>
> any ideas/comments/etc would be greatly appreciated!
>
> thanks!
>
> Dylan
>
> _______________________________________________
> vox-tech mailing list
> vox-tech@lists.lugod.org
> http://lists.lugod.org/mailman/listinfo/vox-tech
>

-- 
Mark K. Kim
AIM: markus kimius
Homepage: http://www.cbreak.org/
Xanga: http://www.xanga.com/vindaci
Friendster: http://www.friendster.com/user.jsp?id=13046
PGP key fingerprint: 7324 BACA 53AD E504 A76E  5167 6822 94F0 F298 5DCE
PGP key available on the homepage
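A worked version of steps #2 through #4 above, added here as an example and
not part of Mark's post.  It relies on the standard NTFS boot-sector layout
(the OEM ID "NTFS    " at byte 3, the 0x55AA signature at byte 510, and the
BIOS parameter block fields in between) instead of capturing a header from a
known-good drive, walks the device read-only in 512-byte steps, and prints
the mount command.  The disk image it builds for itself is constructed for
the demonstration, and /dev/hdX and /mnt are placeholders.  One caveat the
scan handles: NTFS keeps a copy of the boot sector in the last sector of the
volume, so a raw search normally turns up two hits; the primary one is the
hit whose "hidden sectors" field matches its own position on the disk.

```python
"""Scan a raw disk (or disk image) for NTFS boot sectors and print the mount
offset.  Added example for the vox-tech thread; not the original poster's code.
Assumes the standard NTFS boot-sector layout and a 512-byte sector scan step."""
import struct
import sys
import tempfile

SECTOR = 512
CHUNK = 1 << 20                 # read 1 MiB at a time; a multiple of SECTOR
NTFS_OEM_ID = b"NTFS    "       # 8 bytes at offset 3 of the boot sector


def parse_ntfs_boot_sector(sector: bytes):
    """Return the BPB fields if `sector` looks like an NTFS boot sector, else None."""
    if len(sector) < SECTOR:
        return None
    if sector[3:11] != NTFS_OEM_ID or sector[510:512] != b"\x55\xaa":
        return None
    bytes_per_sector, sectors_per_cluster = struct.unpack_from("<HB", sector, 0x0B)
    (hidden_sectors,) = struct.unpack_from("<I", sector, 0x1C)
    total_sectors, mft_cluster = struct.unpack_from("<QQ", sector, 0x28)
    # Sanity checks so that stray text containing "NTFS    " is not reported.
    # (Cluster sizes above 64 KiB use a different encoding; not handled here.)
    if bytes_per_sector not in (512, 1024, 2048, 4096):
        return None
    if sectors_per_cluster == 0 or sectors_per_cluster & (sectors_per_cluster - 1):
        return None
    if total_sectors == 0 or mft_cluster == 0:
        return None
    return {
        "bytes_per_sector": bytes_per_sector,
        "sectors_per_cluster": sectors_per_cluster,
        "hidden_sectors": hidden_sectors,
        "total_sectors": total_sectors,
        "mft_cluster": mft_cluster,
    }


def find_ntfs_volumes(path: str, step: int = SECTOR):
    """Walk the device/image in `step`-byte increments and collect every NTFS
    boot sector found.  The file is opened read-only: nothing here writes."""
    hits = []
    base = 0
    with open(path, "rb") as f:
        while True:
            chunk = f.read(CHUNK)
            if not chunk:
                break
            for i in range(0, len(chunk) - SECTOR + 1, step):
                fields = parse_ntfs_boot_sector(chunk[i:i + SECTOR])
                if fields:
                    fields["offset"] = base + i
                    # The backup boot sector at the end of the volume is a byte-for-byte
                    # copy, so it matches too; the primary is the one whose hidden_sectors
                    # field (partition start LBA) agrees with where it was found.
                    fields["is_primary"] = (
                        fields["hidden_sectors"] * fields["bytes_per_sector"] == base + i
                    )
                    hits.append(fields)
            base += len(chunk)
    return hits


def mount_command(hit, device="/dev/hdX", mountpoint="/mnt"):
    """Step #4 from the post, read-only so a failed attempt cannot damage the disk."""
    return f"mount -t ntfs -o ro,loop,offset={hit['offset']} {device} {mountpoint}"


def build_boot_sector(hidden_sectors, total_sectors, bps=512, spc=8, mft_cluster=4):
    """Construct a minimal NTFS boot sector (test data, not a real volume)."""
    bs = bytearray(SECTOR)
    bs[0:3] = b"\xeb\x52\x90"                       # jump instruction
    bs[3:11] = NTFS_OEM_ID
    struct.pack_into("<HB", bs, 0x0B, bps, spc)     # bytes/sector, sectors/cluster
    bs[0x15] = 0xF8                                 # media descriptor
    struct.pack_into("<I", bs, 0x1C, hidden_sectors)
    struct.pack_into("<QQ", bs, 0x28, total_sectors, mft_cluster)
    bs[510:512] = b"\x55\xaa"
    return bytes(bs)


def build_test_image(start_lba=63, total_sectors=2048):
    """Constructed image: an empty (wiped) MBR area, an NTFS volume starting at
    `start_lba`, and the backup boot sector in the volume's final sector."""
    boot = build_boot_sector(hidden_sectors=start_lba, total_sectors=total_sectors)
    image = bytearray(SECTOR * (start_lba + total_sectors + 1))
    image[start_lba * SECTOR:(start_lba + 1) * SECTOR] = boot
    end = (start_lba + total_sectors) * SECTOR
    image[end:end + SECTOR] = boot
    with tempfile.NamedTemporaryFile(delete=False, suffix=".img") as f:
        f.write(image)
        return f.name


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else build_test_image()
    for hit in find_ntfs_volumes(target):
        tag = "primary" if hit["is_primary"] else "backup copy"
        print(f"NTFS boot sector at byte {hit['offset']} ({tag}), "
              f"{hit['total_sectors']} sectors; {mount_command(hit)}")
```

Run it as `python3 ntfs_scan.py /dev/hdX` (as root, or against a `dd` image of
the drive) and feed the primary hit's offset to the mount command it prints.
Mounting read-only also sidesteps the limited NTFS write support of the
kernel driver of that era.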