Date: Mon, 9 Jul 2012 18:54:37 +0200
From: Polytropon <freebsd@edvax.de>
To: Graeme Dargie <arab@tangerine-army.co.uk>
Cc: "'freebsd-questions@freebsd.org'" <freebsd-questions@freebsd.org>
Subject: Re: NTFS data recovery
Message-ID: <20120709185437.3e747d46.freebsd@edvax.de>
In-Reply-To: <4C0F7421AA759346AF17299922AD57EB06286449@Mercury.universe.galaxy.lcl>
References: <4C0F7421AA759346AF17299922AD57EB06286449@Mercury.universe.galaxy.lcl>
On Mon, 9 Jul 2012 16:01:56 +0000, Graeme Dargie wrote:
> Hi All,
>
> I have been given a laptop to look at for a friend, the hard disk
> is close to death with a SMART error on POST. My initial thought
> was to just mount it on a Windows 7 machine and grab what I can
> from the drive.

Bad idea. You cannot fully make sure that the disk's content
isn't altered. There's no "mount -o ro" in "Windows". Even worse,
it might lead to more corruption during attempts to "repair" it.

> No joy Windows insists that the partition is RAW and I need to
> format it.

Don't format it, it will massively decrease your chances for
data recovery. Work with what you have, touch it as little as
possible, use the proper tools. You won't find them on "Windows".

> I can however mount it under FreeBSD without any problems, the
> directory structure appears to be intact but there are no files
> in the places I would expect to find them under the Users directory,
> I am guessing that these have somehow been deleted or perhaps
> the victim of a partial OEM recovery process.

That's quite possible. Check df vs. du output and see if it
"magically fits", e. g. that the data "is somewhere".

> Is there a way to scan the drive for deleted files from the
> command line or something from the ports tree that anyone can
> recommend to fulfil this requirement.

Because it's about NTFS recovery, things are a bit complicated,
but not impossible. I'd suggest to first make a copy of the disk
using dd, then work with that copy. Do _NOT_ fiddle with the
original disks! If dd doesn't work, try ddrescue and dd_rescue.

There are programs in the sysutils/ntfsprogs port that will
surely be useful for dealing with the NTFS content.

Then of course you'll find The Sleuth Kit very helpful. Its
programs fls, dls and ils might be what you're searching for.
Sadly the documentation has been moved into a web page. :-(

Additionally, you may try magicrescue, recoverjpeg and foremost,
maybe fatback (but I doubt it). Those are acting "outside of the FS".

For missing files, maybe you can find a differing MFT to check?
I know there was something related in the documentation of the
older versions of TSK, but as I said, that situation has
disimproved. :-(

Note that data recovery is a dirty job, it takes time and is
therefore quite expensive if delegated to a company. In your
case it means you'll have to invest MUCH TIME into getting the
data back. I hope the files are worth it. The absence of a
backup seems to imply the opposite. :-)

Anyway, good luck!

-- 
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
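
The imaging step advised in the message above (copy the disk with dd, then work only on the copy), as an added example that is not part of the original e-mail. The function names image_disk, verify_image and hash_file, the file names and the 64k block size are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: image a failing disk once, then work only on the copy.
# image_disk SRC DST
#   SRC  source device or file (hypothetical, e.g. the laptop disk's raw device)
#   DST  image file to create; an existing file is never overwritten

# Portable SHA-256: FreeBSD ships sha256(1), Linux ships sha256sum(1).
hash_file() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        sha256sum "$1" | cut -d' ' -f1
    fi
}

image_disk() {
    src=$1 dst=$2
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 1; }
    [ -e "$dst" ] && { echo "$dst exists, not overwriting" >&2; return 1; }

    # conv=noerror continues past unreadable blocks; conv=sync pads each
    # short or failed read with zeros so later offsets stay aligned.
    # A smaller bs loses less data around each bad sector, at lower speed.
    # dd's own messages (including read errors) are kept in DST.ddlog.
    dd if="$src" of="$dst" bs=64k conv=noerror,sync 2>"$dst.ddlog" || return 1

    # Record a checksum and drop write permission on the image, so a later
    # accidental modification of the working copy is detectable.
    hash_file "$dst" >"$dst.sha256" || return 1
    chmod a-w "$dst" "$dst.sha256"
}

# verify_image DST: succeeds only if the image still matches its checksum.
verify_image() {
    [ "$(hash_file "$1")" = "$(cat "$1.sha256")" ]
}
```

Run verify_image before and after each recovery tool pass over the image; a mismatch means the tool wrote to the copy and a fresh working copy should be taken from the image, not from the disk.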