From owner-freebsd-questions@FreeBSD.ORG Mon Jul 9 16:54:46 2012 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 230F9106566B for ; Mon, 9 Jul 2012 16:54:46 +0000 (UTC) (envelope-from freebsd@edvax.de) Received: from mx01.qsc.de (mx01.qsc.de [213.148.129.14]) by mx1.freebsd.org (Postfix) with ESMTP id D5DB18FC15 for ; Mon, 9 Jul 2012 16:54:45 +0000 (UTC) Received: from r56.edvax.de (port-92-195-60-31.dynamic.qsc.de [92.195.60.31]) by mx01.qsc.de (Postfix) with ESMTP id B92613CE61; Mon, 9 Jul 2012 18:54:37 +0200 (CEST) Received: from r56.edvax.de (localhost [127.0.0.1]) by r56.edvax.de (8.14.5/8.14.5) with SMTP id q69GsbPi004223; Mon, 9 Jul 2012 18:54:37 +0200 (CEST) (envelope-from freebsd@edvax.de) Date: Mon, 9 Jul 2012 18:54:37 +0200 From: Polytropon To: Graeme Dargie Message-Id: <20120709185437.3e747d46.freebsd@edvax.de> In-Reply-To: <4C0F7421AA759346AF17299922AD57EB06286449@Mercury.universe.galaxy.lcl> References: <4C0F7421AA759346AF17299922AD57EB06286449@Mercury.universe.galaxy.lcl> Organization: EDVAX X-Mailer: Sylpheed 3.1.1 (GTK+ 2.24.5; i386-portbld-freebsd8.2) Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Cc: "'freebsd-questions@freebsd.org'" Subject: Re: NTFS data recovery X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: Polytropon List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 09 Jul 2012 16:54:46 -0000 On Mon, 9 Jul 2012 16:01:56 +0000, Graeme Dargie wrote: > Hi All, > > I have been given a laptop to look at for a friend, the hard disk > is close to death with a SMART error on POST. My initial thought > was to just mount it on an Windows 7 machine and grab what I can > from the drive. Bad idea. You cannot fully make sure that the disk's content isn't altered. There's no "mount -o ro" in "Windows". Even worse, it might lead to more corruption during attempts to "repair" it. > No joy Windows insists that the partition is RAW and I need to > format it. Don't format it, it will massively decrease your chances for data recovery. Work with what you have, touch it as few as possible, use the proper tools. You won't find them on "Windows". > I can however mount it under FreeBSD without any problems, the > directory structure appears to be intact but there are no files > in the places I would expect to find them under the Users directory, > I am guessing that these have somehow been deleted or perhaps > the victim of a partial OEM recovery process. That's quite possible. Check df vs. du output and see if it "magically fits", e. g. that the data "is somewhere". > Is there a way to scan the drive for deleted files from the > command line or something from the ports tree that anyone can > recommend to fulfil this requirement. Because it's about NTFS recovery, things are a bit complicated, but not impossible. I'd suggest to first make a copy of the disk using dd, then work with that copy. Do _NOT_ fiddle with the original disks! If dd doesn't work, try ddrescue and dd_rescue. There are programs in the sysutils/ntfsprogs port will be surely useful to dealing with the NTFS content. Then of course you'll find The Sleuth Kit very helpful. It's programs fls, dls and ils might be what you're searching for. Sadly the documentation has been moved into a web page. :-( Additionally, you may try magicrescue, recoverjpeg and foremost, maybe fatback (but I doubt it). Those are acting "outside of the FS". For missing files, maybe you can find a differing MFT to check? I know there was something related in the documentation of the older versions of TSK, but as I said, that situation has disimproved. :-( Note that data recovery is a dirty job, it takes time and is therefore quite expensive if delegated to a company. In your case it means you'll have to invest MUCH TIME into getting the data back. I hope the files are worth it. The absence of a backup seems to imply the opposite. :-) Anyway, good luck! -- Polytropon Magdeburg, Germany Happy FreeBSD user since 4.0 Andra moi ennepe, Mousa, ...