Partially formatted NTFS file recovery from Linux

Partition table and Windows partition (NTFS) partially written over by other data. It has a lot of critically important information. Gigabytes of family photos for decades, taxes, currrent litigation for an attorney, documents for someone's current job, etc. I believe it was only one single 1.3 TB NTFS partition. I have it as a slave in a Linux machine now. I don't have a way to boot it as a slave under Windows although I might try to find a way if I can't find anything to use in Linux.

KDE Partiton Utility sees nothing.
TestDisk doesn't seem useful.

I'm currently downloading SystemRescueCD and Parted Magic in hopes that they'll be able to scan as effectively as Windows tools.

What other options are there? I'm good with Windows, ok with Linux, but I've never had to recover such a huge amount of data before, at least not without an MFT that could be recovered...

 

Here's a link to 5 or 6 windows live cd choices. Along with your SysRec and parted magic possibly another tool to try.

http://en.wikipedia.org/wiki/List_of_live_CDs#Microsoft_Windows-based

 

Aw man...been there & done that. It's been many years, but reading your post was a fresh reminder of what a PITA that moment was. There's no way to sugarcoat it...you're in for some tough sledding, and you're probably going to lose SOME data; and while you can recover MOST of it, it will look "different" when you recover it, so there will be a lot of file checking and renaming. For instance, that file called "Text.doc" will not be recovered with that name. You'll likely recover it, fully intact with content, formatting, etc..., but it will be identified by its "metadata" embedded in the file and will be named something to the effect of "file0000001.txt".

It's been over 5 years, and I did this ONCE, but to the best of my memory I used the tool PhotoRec in the TestDisk package. Don't let the name fool you; it was originally designed to recover deleted photos, but it actually recovers MANY data types and file extensions; a more accurate name would be "DataRec". If I recall correctly, Scalpel & Foremost are other tools, but the volume/quantity of your lost files makes PhotoRec a better candidate. Here's an explanation of the best tools available:

http://www.opensourceforu.com/2011/09/recover-deleted-files-in-linux/

My experience was with PhotoRec, and here's a more detailed article on how to use that for file recovery:

http://www.linux.org/threads/undelete-files-on-linux-systems.4316/

The PhotoRec webpage also has a step-by-step tutorial and useful links for file sorting, etc...
http://www.cgsecurity.org/wiki/PhotoRec_Step_By_Step

I think I read an article about this in Linux Format Magazine within the past few months. I'll see if I can find that in my bookshelf. (EDIT: Yep, last month, issue 190; page 68; data recovery with PhotoRec). As a matter of best practice, you should NOT use that disk/partition until you get this resolved. The files are still there (as long as you haven't written anything to that disk). When a file is deleted, the file is still there, while the "index entry" is removed in order to inform the file manager that the file space is now available for use and can be overwritten with new data, thereby creating a new and reserved "index entry" in the file manager. Once the file space is overwritten, it is GONE...never to be recovered again! If you write to the disk, you may overwrite the whole file, or just part of the file, allowing the rcovery of a corrupted file.

I would disconnect that slave disk/partition if possible. Also as a matter of best practice, it is typically recommended that you clone the disk/partition and work with the cloned data.

I feel for you. It won't be easy, but based on what you've lost, it's necessary. You just gotta do it. Sorry brotha, but good luck!

 

Did a quick google search to see if I could find that Linux Format article online in a PDF format for you. No luck, but I did find THIS:

http://www.howtogeek.com/howto/15761/recover-data-like-a-forensics-expert-using-an-ubuntu-live-cd/

This is an old tutorial (circa 2009 based on the version of Ubuntu used to demonstrate), but the process remains substantially the same. Note the use of TestDisk for recovery of entire partitions! There is a chance you might get lucky and recover your entire partition in one fell swoop!!!

And since you already have the TestDisk tool, you simply MUST try this first!!!! If it doesn't allow full recovery, you can still move on to PhotoRec or other tools. But if it provides a full recovery, or even a reasonably full recovery, you will have saved yourself hours, or tens of hours of laborious recovery efforts.

START WITH THE HOW TO GEEK ARTICLE!!!

 

I've also experienced that heart stopping moment when whole NTFS partitions disappear - more than once in fact. On both occasions the situation was recovered using the Partition Wizard Bootable CD. As Hedon says, if you can recover a partition then all its files are recovered at the same time.

It is critical not to attempt to write anything to the disk until recovery is completed.

 

Thanks for the quick responses. I really appreciate it at a time like this. I've helped other people out of the same situation many times, so it's time for some karma?

Also, the partition table and MFT were overwritten by a partially completed dd command, so no chance of recovery with Testdisk, etc., but I manually recreated a partition table as NTFS and photorec is able to locate a ton of files. That's good news.

How do I get photorec to scan for ALL files? I see a list of filetypes with check boxes, but none of them are wildcards or any other option for ALL files.

I might have a look at those Windows live CDs, but unless they can recover the files TO an ext3 or ext4 partition, I won't be able to save what I can find. Before I waste time trying them all, does anyone know already whether one of them can read/write Linux partitions?

 

Doesn't matter that the partition table was overwritten. Stop writing to the disk and allow Partition Wizard to scan the entire disk. There is still a chance that it will find partition markers and offer them to you to reinstate. Some may overlap so care is required in deciding how to treat the results.

 

You do know that step 1 is don't recover to that drive! You'll need a second drive to recover the data.
Use ddrescue (its in some rescue disks), then mount the img with osfmount and try to extract your files.
http://www.osforensics.com/tools/mount-disk-images.html

If you need that data bad, buy this http://www.prosofteng.com/products/data_rescue_pc.php

 

Yes, I'm aware to avoid writing anything to the drive. I've been down this road several times for others' computers. Also, there should only be one enormous partition on it, so rebuilding a partition table isn't an issue.

My problem now is that I don't believe that there's ANY way to recover directory structure since the MFT was delete. I think it was also overwritten but I'm not sure how to check.

So I guess I'll pick a recovery disc from many options, and then throw about 1 TB of files onto another drive and spend days sorting them, lol :cry

 

Recovery complete. Thread can be closed/archived/deleted. Thanks.

 

People having similar problems often use old threads for help, but this one won't help anyone unless you post how you finally managed to resolve your problem. It's also proper forum etiquette.

 

I have used Partition Wizard several times, and probably got very lucky, as, I, once managed to get back to the original Toshiba factory Setup as delivered new, on a laptop I was repairing. I had to choose which partition to 'lose' each time, but WOW - it is a brilliant tool. I use it to copy partitions, and whole hard drives, when I need it