[vox-tech] data recovery via linux

Mark K. Kim vox-tech@lists.lugod.org
Thu, 20 May 2004 21:26:04 -0700 (PDT)


BTW, all standard disclaimers apply...  But that goes without saying for
every advice we give on this list, right? =P

-Mark


On Thu, 20 May 2004, Mark K. Kim wrote:

> If you know what the partition should look like (i.e., One primary
> partition that takes up the entire hard drive), you can recreate it using
> a non-destructive partitioning utility and get the data back.  That's
> assuming the actual partition itself is intact.  I've done this using
> `fdisk` under Linux to recover a partition, but each partitioning utility
> is a little different, so using a partitioning utility to recover a
> partition that wasn't originally used to create it could be a problem.
> In my situation, the original partition *was* created using `fdisk` so
> recreating it using `fdisk` didn't cause any problem.
>
> Another option is to figure out where the NTFS partition starts, then mount it
> under Linux. Linux can do this without the partition table, as long as you
> can tell it where the NTFS starts.  This is a little dirty process but
> it's doable.  What's more, this is a good option because it's
> non-destructive -- even if it turns out the method doesn't work, it
> doesn't require writing to the hard drive so it won't damage the hard
> drive as long as you don't accidentally write to it.  Here are the steps:
>
>    1. Make sure you're using a Linux that has an NTFS reading capability.
>
>    2. Figure out what the NTFS's partition header looks like.
>
>    3. Find out where the NTFS partition begins on the damaged
>       hard drive.
>
>    4. Mount it using `mount /dev/hdX /mnt -o offset=<offset>`, where
>       <offset> is where the NTFS partition begins.
>
>    5. Copy over any data you need.
>
> I'll let you figure out #1.  #2 is the most complex part, and if you can't
> find the information on the Internet, you can find it out yourself like
> this:
>
>    A. Get a hard drive with an accessible NTFS partition.
>
>    B. Check its partition table to see where the NTFS partition starts.
>
>    C. Grab the first few bytes from the beginning of the partition.
>       That's the NTFS partition header (probably.)
>
> Then in #3, you need to figure out where the NTFS header begins.  You'll
> probably need to write a small program that walks through /dev/hdX and
> finds out where the header is.
>
> #4 and #5 are self-explanatory.
>
> I hope that makes sense.
>
> If all else fails, you can run `strings /dev/hdX | less` to get some text
> data.  Though much of it won't be contiguous, it's an option nonetheless.
> Good luck!
>
> -Mark
>
>
> On Thu, 20 May 2004, dylan wrote:
>
> > Hi!
> >
> >
> > recently we had a mysterious problem at work:
> >
> > yesterday afternoon i used one of our win2k machines to do some regular
> > stuff. in the morning the machine was off. when powered up it acted like
> > there was no operating system installed. the dept. IT people took the hard
> > drive to their office and ran some diagnostics on it... they said that the
> > hard drive appears to be 'empty' to their tools.
> >
> > the disk is a 20Gb NTFS formatted drive, that has been at about 95% capacity
> > for the last 5 months. i wonder if running at 95% capacity could have led
> > to fragmentation of the partition mac... i picked up this crazy idea reading
> > a recent slashdot article:
> > http://apple.slashdot.org/article.pl?sid=04/05/19/1531236&mode=thread&tid=179&tid=182&tid=185&tid=190
> >
> >
> > so- i am wondering what the best plan of attack at recovering some of the
> > files from the drive via unix/linux tools.
> > 1. is there any way to get data off of a drive that has a hosed partition
> > table?
> > 2. if so, would it be possible to get non-text type files off?
> >
> > any ideas/comments/etc would be greatly appreciated!
> >
> > thanks!
> >
> > Dylan
> >
> > _______________________________________________
> > vox-tech mailing list
> > vox-tech@lists.lugod.org
> > http://lists.lugod.org/mailman/listinfo/vox-tech
> >
>
> --
> Mark K. Kim
> AIM: markus kimius
> Homepage: http://www.cbreak.org/
> Xanga: http://www.xanga.com/vindaci
> Friendster: http://www.friendster.com/user.jsp?id=13046
> PGP key fingerprint: 7324 BACA 53AD E504 A76E  5167 6822 94F0 F298 5DCE
> PGP key available on the homepage

-- 
Mark K. Kim
AIM: markus kimius
Homepage: http://www.cbreak.org/
Xanga: http://www.xanga.com/vindaci
Friendster: http://www.friendster.com/user.jsp?id=13046
PGP key fingerprint: 7324 BACA 53AD E504 A76E  5167 6822 94F0 F298 5DCE
PGP key available on the homepage
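
Added example (not part of the original message): one way to write the "small program" from step #3 of the quoted reply, reading the disk read-only and reporting the byte offset to use with `mount -o offset=`. It assumes the standard NTFS boot sector layout (OEM ID "NTFS    " at byte 3, 0x55AA at byte 510, BPB fields at 0x0B and 0x28) and a partition start on a 512-byte boundary; the function names and the sample image are constructed for illustration.

```python
import io
import struct

SECTOR = 512  # assumption: the lost partition starts on a 512-byte boundary

def parse_ntfs_boot_sector(sec):
    """Return BPB fields if `sec` looks like an NTFS boot sector, else None."""
    if len(sec) < SECTOR or sec[3:11] != b"NTFS    " or sec[510:512] != b"\x55\xaa":
        return None
    bytes_per_sector, sectors_per_cluster = struct.unpack_from("<HB", sec, 0x0B)
    total_sectors, mft_cluster = struct.unpack_from("<QQ", sec, 0x28)
    # Sanity checks reject file data that merely contains the string "NTFS".
    if bytes_per_sector not in (512, 1024, 2048, 4096) or total_sectors == 0:
        return None
    return {"bytes_per_sector": bytes_per_sector,
            "sectors_per_cluster": sectors_per_cluster,
            "total_sectors": total_sectors, "mft_cluster": mft_cluster}

def find_ntfs_candidates(dev, chunk_sectors=2048):
    """Read `dev` (opened read-only, binary) in chunks; return [(byte_offset, fields)]."""
    hits, base = [], 0
    while True:
        chunk = dev.read(chunk_sectors * SECTOR)
        if len(chunk) < SECTOR:
            return hits
        for i in range(0, len(chunk) - SECTOR + 1, SECTOR):
            fields = parse_ntfs_boot_sector(chunk[i:i + SECTOR])
            if fields:
                hits.append((base + i, fields))
        base += len(chunk)

def make_sample_image():
    """Constructed test image: decoy text, then a boot sector at sector 63."""
    boot = bytearray(SECTOR)
    boot[0:3], boot[3:11], boot[510:512] = b"\xeb\x52\x90", b"NTFS    ", b"\x55\xaa"
    struct.pack_into("<HB", boot, 0x0B, 512, 8)
    struct.pack_into("<QQ", boot, 0x28, 1000, 4)
    decoy = (b"\0" * 3 + b"NTFS    ").ljust(SECTOR, b"\0")  # no 0x55AA, no BPB
    return b"\0" * SECTOR + decoy + b"\0" * (61 * SECTOR) + bytes(boot) + b"\0" * (4 * SECTOR)

if __name__ == "__main__":
    # On a real disk: open("/dev/hdX", "rb") instead of the constructed image.
    for offset, f in find_ntfs_candidates(io.BytesIO(make_sample_image())):
        print(f"sector {offset // SECTOR}: {f}")
        print(f"mount /dev/hdX /mnt -o ro,offset={offset}")
```

NTFS keeps a backup copy of its boot sector at the end of the volume, so a scan of the whole disk can report a second hit; the lowest offset whose total_sectors fits the disk is the one to try first.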