[vox-tech] data recovery via linux

Daniel Hurt vox-tech@lists.lugod.org
Fri, 21 May 2004 00:30:35 -0700


If you are looking to recreate the partition and are not averse to working 
in a windows environment: I know that I personally erased a windows NTFS 
partition by accident that had data that I needed and was able to 
recreate the partition information with some difficulty following the M$ 
article. I know this process worked for getting the partition back up and 
running.

http://support.microsoft.com/default.aspx?scid=kb;EN-US;153973
http://www.sometips.com/tips/microsoft/226.htm

Dan

PS - I know that this is a linux list, but I have not done this with 
linux tools, just M$ sorry ;-(


Mark K. Kim wrote:
> BTW, all standard disclaimers apply...  But that goes without saying for
> every advice we give on this list, right? =P
> 
> -Mark
> 
> 
> On Thu, 20 May 2004, Mark K. Kim wrote:
> 
> 
>>If you know what the partition should look like (i.e., One primary
>>partition that takes up the entire hard drive), you can recreate it using
>>a non-destructive partitioning utility and get the data back.  That's
>>assuming the actual partition itself is intact.  I've done this using
>>`fdisk` under Linux to recover a partition, but each partitioning utility
>>is a little different, so using a partitioning utility to recover a
>>partition that wasn't originally used to create it could be a problem.
>>In my situation, the original partition *was* created using `fdisk` so
>>recreating it using `fdisk` didn't cause any problem.
>>
>>Another option is to figure out where NTFS partition starts, then mount it
>>under Linux. Linux can do this without the partition table, as long as you
>>can tell it where the NTFS starts.  This is a little dirty process but
>>it's doable.  What's more, this is a good option because it's
>>non-destructive -- even if it turns out the method doesn't work, it
>>doesn't require writing to the hard drive so it won't damage the hard
>>drive as long as you don't accidentally write to it.  Here are the steps:
>>
>>   1. Make sure you're using a Linux that has a NTFS reading capability.
>>
>>   2. Figure out what the NTFS's partition header looks like.
>>
>>   3. Find out where the NTFS partition begins on the damaged
>>      hard drive.
>>
>>   4. Mount it using `mount /dev/hdX /mnt -o offset=<offset>`, where
>>      <offset> is where the NTFS partition begins.
>>
>>   5. Copy over any data you need.
>>
>>I'll let you figure out #1.  #2 is the most complex part, and if you can't
>>find the information on the Internet, you can find it out yourself like
>>this:
>>
>>   A. Get a hard drive with an accessible NTFS partition.
>>
>>   B. Check its partition table to see where the NTFS partition starts.
>>
>>   C. Grab the first few bytes from the beginning of the partition.
>>      That's the NTFS partition header (probably.)
>>
>>Then in #3, you need to figure out where the NTFS header begins.  You'll
>>probably need to write a small program that walks through /dev/hdX and
>>finds out where the header is.
>>
>>#4 and #5 are self-explanatory.
>>
>>I hope that makes sense.
>>
>>If all else fails, you can run `strings /dev/hdX | less` to get some text
>>data.  Though much of it won't be contiguous, it's an option nonetheless.
>>Good luck!
>>
>>-Mark
>>
>>
>>On Thu, 20 May 2004, dylan wrote:
>>
>>
>>>Hi!
>>>
>>>
>>>recently we had a mysterious problem at work:
>>>
>>>yesterday afternoon i used one of our win2k machines to do some regular
>>>stuff. in the morning the machine was off. when powered up it acted like
>>>there was no operating system installed. the dept. IT people took the hard
>>>drive to their office and ran some diagnostics on it... they said that the
>>>hard drive appears to be 'empty' to their tools.
>>>
>>>the disk is a 20Gb NTFS formatted drive, that has been at about 95% capacity
>>>for the last 5 months. i wonder if running at 95% capacity could have led
>>>to fragmentation of the partition mac... i picked up this crazy idea reading
>>>a recent slashdot article:
>>>http://apple.slashdot.org/article.pl?sid=04/05/19/1531236&mode=thread&tid=179&tid=182&tid=185&tid=190
>>>
>>>
>>>so- i am wondering what the best plan of attack at recovering some of the
>>>files from the drive via unix/linux tools.
>>>1. is there any way to get data off of a drive that has a hosed partition
>>>table?
>>>2. if so, would it be possible to get non-text type files off?
>>>
>>>any ideas/comments/etc would be greatly appreciated!
>>>
>>>thanks!
>>>
>>>Dylan
>>>
>>>_______________________________________________
>>>vox-tech mailing list
>>>vox-tech@lists.lugod.org
>>>http://lists.lugod.org/mailman/listinfo/vox-tech
>>>
>>
>>--
>>Mark K. Kim
>>AIM: markus kimius
>>Homepage: http://www.cbreak.org/
>>Xanga: http://www.xanga.com/vindaci
>>Friendster: http://www.friendster.com/user.jsp?id=13046
>>PGP key fingerprint: 7324 BACA 53AD E504 A76E  5167 6822 94F0 F298 5DCE
>>PGP key available on the homepage
>>
> 
>
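
Steps #2 and #3 of the quoted procedure (learn what the NTFS header looks like, then walk the disk to find it), as an added example that is not part of the original thread. It assumes 512-byte sectors and uses the published NTFS boot sector layout (OEM ID `NTFS    ` at byte 3, `55 AA` at byte 510); the function names and the sample image are constructed for illustration.

```python
import io
import struct
import sys

SECTOR = 512  # assumption: 512-byte sectors, partitions start on a sector boundary

def looks_like_ntfs_boot(sec):
    """True if a sector has the NTFS OEM ID, the 0x55AA end marker and sane geometry."""
    if len(sec) < SECTOR or sec[3:11] != b"NTFS    " or sec[510:512] != b"\x55\xaa":
        return False
    bytes_per_sector, sectors_per_cluster = struct.unpack_from("<HB", sec, 0x0B)
    total_sectors = struct.unpack_from("<Q", sec, 0x28)[0]
    return (bytes_per_sector in (512, 1024, 2048, 4096)
            and sectors_per_cluster != 0 and total_sectors > 0)

def find_ntfs_offsets(dev, chunk_sectors=2048):
    """Read a binary stream front to back; return byte offsets of candidate headers."""
    hits, pos = [], 0
    while True:
        chunk = dev.read(SECTOR * chunk_sectors)
        if not chunk:
            return hits
        for i in range(0, len(chunk) - SECTOR + 1, SECTOR):
            if looks_like_ntfs_boot(chunk[i:i + SECTOR]):
                hits.append(pos + i)
        pos += len(chunk)

def make_sample_image():
    """Constructed test data: NTFS-style boot sector at sector 63, plus a decoy."""
    boot = bytearray(SECTOR)
    boot[0:3] = b"\xeb\x52\x90"                  # jump instruction
    boot[3:11] = b"NTFS    "                     # OEM ID
    struct.pack_into("<HB", boot, 0x0B, 512, 8)  # bytes/sector, sectors/cluster
    struct.pack_into("<Q", boot, 0x28, 4096)     # total sectors (made up)
    boot[510:512] = b"\x55\xaa"                  # end-of-sector marker
    decoy = bytearray(SECTOR)
    decoy[3:11] = b"NTFS    "                    # right string, nothing else valid
    image = bytes(SECTOR) * 63 + bytes(boot) + bytes(SECTOR) * 10 + bytes(decoy)
    return io.BytesIO(image)

if __name__ == "__main__":
    # With a path (e.g. /dev/hdX or an image file) scan it read-only; else the sample.
    dev = open(sys.argv[1], "rb") if len(sys.argv) > 1 else make_sample_image()
    for off in find_ntfs_offsets(dev):
        print(f"candidate NTFS header at byte {off} (sector {off // SECTOR})")
        print(f"  mount -o ro,loop,offset={off} /dev/hdX /mnt")
```

The first hit is the candidate for step #4; a later hit can be NTFS's backup copy of the boot sector rather than a partition start. The `ro,loop` options in the printed command are an addition to the `mount` line given in the thread.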