NTFS data recovery

Polytropon freebsd at edvax.de
Mon Jul 9 16:54:46 UTC 2012

On Mon, 9 Jul 2012 16:01:56 +0000, Graeme Dargie wrote:
> Hi All,
> I have been given a laptop to look at for a friend, the hard disk
> is close to death with a SMART error on POST. My initial thought
> was to just mount it on a Windows 7 machine and grab what I can
> from the drive.

Bad idea. You cannot fully make sure that the disk's content
isn't altered. There's no "mount -o ro" in "Windows". Even
worse, it might lead to more corruption during attempts to
"repair" it.

> No joy, Windows insists that the partition is RAW and I need to
> format it.

Don't format it, it will massively decrease your chances for
data recovery. Work with what you have, touch it as little as
possible, use the proper tools. You won't find them on "Windows".

> I can however mount it under FreeBSD without any problems, the
> directory structure appears to be intact but there are no files
> in the places I would expect to find them under the Users directory,
> I am guessing that these have somehow been deleted or perhaps
> the victim of a partial OEM recovery process.

That's quite possible. Check df vs. du output and see if it
"magically fits", e. g. that the data "is somewhere".

> Is there a way to scan the drive for deleted files from the
> command line or something from the ports tree that anyone can
> recommend to fulfil this requirement.

Because it's about NTFS recovery, things are a bit complicated,
but not impossible. I'd suggest to first make a copy of the
disk using dd, then work with that copy. Do _NOT_ fiddle with
the original disks!

If dd doesn't work, try ddrescue and dd_rescue.

The programs in the sysutils/ntfsprogs port will surely be
useful for dealing with the NTFS content.

Then of course you'll find The Sleuth Kit very helpful. Its
programs fls, dls and ils might be what you're searching for.
Sadly the documentation has been moved into a web page. :-(

Additionally, you may try magicrescue, recoverjpeg and foremost,
maybe fatback (but I doubt it). Those are acting "outside of
the FS".

For missing files, maybe you can find a differing MFT to
check? I know there was something related in the documentation
of the older versions of TSK, but as I said, that situation
has disimproved. :-(

Note that data recovery is a dirty job, it takes time and
is therefore quite expensive if delegated to a company. In
your case it means you'll have to invest MUCH TIME into
getting the data back. I hope the files are worth it.
The absence of a backup seems to imply the opposite. :-)

Anyway, good luck!

Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
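
The copy-first workflow recommended in the reply above (image the disk with dd, then work only on a copy), as an added example that is not part of the original message. The function names, file names and the device in the usage comment are hypothetical; the dd options are the standard ones.

```shell
#!/bin/sh
# Added example. image_disk, work_copy, size_of and the file names are
# hypothetical; dd, chmod, cp, cmp and wc are the standard utilities.

BS=65536  # dd block size; one unreadable sector costs a whole block, so
          # a smaller value loses less data at the price of a slower copy

# image_disk SRC MASTER: copy SRC to MASTER, continuing past read errors.
image_disk() {
    src=$1; master=$2
    if [ -e "$master" ]; then
        echo "refusing to overwrite $master" >&2
        return 1
    fi
    # noerror: keep going after a failed read.
    # sync: pad short or failed blocks with NULs so that everything after
    #       them stays at its original offset (the final partial block is
    #       padded too, so the image can be up to BS-1 bytes longer).
    # dd's messages, including any read errors, are kept next to the image.
    dd if="$src" of="$master" bs="$BS" conv=noerror,sync 2>"$master.log"
    [ -s "$master" ] || return 1
    chmod 0444 "$master"    # the master image is never written again
}

# work_copy MASTER WORK: writable scratch copy, verified byte for byte.
work_copy() {
    master=$1; work=$2
    cp "$master" "$work" && chmod 0644 "$work" && cmp -s "$master" "$work"
}

# size_of FILE: size in bytes.
size_of() { wc -c < "$1" | tr -d ' '; }

# Usage: sh image.sh /dev/ada1 /recovery   (device and directory are examples)
if [ "$#" -eq 2 ]; then
    image_disk "$1" "$2/master.img" &&
        work_copy "$2/master.img" "$2/work.img" &&
        echo "work on $2/work.img ($(size_of "$2/work.img") bytes)"
fi
```

Recovery tools are then pointed at work.img only; if a tool damages it, a fresh copy is taken from master.img instead of reading the failing disk again.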
