trying to recover windows ntfs disk from xen hba / lvm vol

How to use TestDisk to recover lost partition
Forum rules
When asking for technical support:
- Search for posts on the same topic before posting a new question.
- Give clear, specific information in the title of your post.
- Include as many details as you can, MOST POSTS WILL GET ONLY ONE OR TWO ANSWERS.
- Post a follow up with a "Thank you" or "This worked!"
- When you learn something, use that knowledge to HELP ANOTHER USER LATER.
Before posting, please read https://www.cgsecurity.org/testdisk.pdf
Message
Author
User avatar
Fiona
Posts: 2835
Joined: 18 Feb 2012, 17:19
Location: Ludwigsburg/Stuttgart - Germany

Re: trying to recover windows ntfs disk from xen hba / lvm v

#11 Post by Fiona »

TestDisk can repair a boot sector using the backup of the boot sector and even rebuild a boot sector.
Also it's possible to create an image using TestDisk / Advanced / ImageCreation.
But a diagnose first mitght be most important.
Would it be possible to repeat your diagnose and copy and paste the content of the testdisk.log?
You can open your log file using a word processor like notepad.
I'd like to watch your disk selection menu, and the menu Analyse with your current partition table (partition structure).
If it's possible you can start a boot sector diagnose using the menu Advanced / Boot.
Info will follow.

Fiona.

bbmitch
Posts: 14
Joined: 17 Apr 2013, 01:14

Re: trying to recover windows ntfs disk from xen hba / lvm v

#12 Post by bbmitch »

Hi Fiona - I'm not sure I understand but here is what I did - I will attach the log. The file I opened is a working vhd.
The vhd contains a xen 10GB partition with about 1.5GB of data. The file which photorec recovered is 1686109696 bytes.
I can mount it as a vhd in a xen vm and I can open it with winimage. But I can't read it with testdisk.
I think if I can read this with testdisk then I can use testdisk to try to recover from a broken vhd.

First, I took the default Intel partition - I could write an image, but I couldn't navigate the NTFS partition.
Then I selected none, and the quick search found the partition, but I couldn't explore it because the type was none? The quick search showed me this:

Code: Select all

 The harddisk (1686 MB / 1607 MiB) seems too small! (< 929 GB / 865 GiB)
Check the harddisk size: HD jumpers settings, BIOS detection...

The following partitions can't be recovered:
PartitionStartEnd    Size in sectors
>  ext3                     0 134 15  1305 240 31   20971520 [root]
NTFS0 166 47  1305 175 30   20965376
ext30 202 35  1306  53 51   20971520 [root]
NTFS1   9 24  1306  18  7   20965376
HFS204 126 45 112949 170 49 1811251202 [D]
Then I corrected the number of cylinders and tried again...

Here's a copy of the vhd-util status:

Code: Select all

[root@ec-xen1 recup_dir.4403]# vhd-util check -n f771616896.vhd
primary footer invalid: invalid cookie
f771616896.vhd appears invalid; dumping metadata
VHD Footer Summary:
-------------------
Cookie              : conectix
Features            : (0x00000002) <RESV>
File format version : Major: 1, Minor: 0
Data offset         : 512
Timestamp           : Thu Dec 27 16:14:44 2012
Creator Application : 'tap'
Creator version     : Major: 1, Minor: 3
Creator OS          : Unknown!
Original disk size  : 10240 MB (10737418240 Bytes)
Current disk size   : 10240 MB (10737418240 Bytes)
Geometry            : Cyl: 20805, Hds: 16, Sctrs: 63
                    : = 10239 MB (10737377280 Bytes)
Disk type           : Dynamic hard disk
Checksum            : 0xfffff12c|0xfffff12c (Good!)
UUID                : 24ed5513-3345-42cf-aec4-516311617bfb
Saved state         : No
Hidden              : 1

VHD Header Summary:
-------------------
Cookie              : cxsparse
Data offset (unusd) : 18446744073709
Table offset        : 1536
Header version      : 0x00010000
Max BAT size        : 1048576
Block size          : 2097152 (2 MB)
Parent name         :
Parent UUID         : 00000000-0000-0000-0000-000000000000
Parent timestamp    : Sat Jan  1 00:00:00 2000
Checksum            : 0xfffff467|0xfffff467 (Good!)

VHD Batmap Summary:
-------------------
Batmap offset       : 4196352
Batmap size (secs)  : 256
Batmap version      : 0x00010002
Checksum            : 0xffff9f59|0xffff9f59 (Good!)
If you think it would help I could create sample vhd's from within xen to be tested / uploaded? Just tell me how you would want them prepared (i.e. empty or with some files / directories etc.)

If I haven't provided enough or the proper information please let me know?

Thank you again,

Mitch.
Attachments
testdisk.log.txt.zip
log attempting to access working xen vhd
(2.12 KiB) Downloaded 402 times

bbmitch
Posts: 14
Joined: 17 Apr 2013, 01:14

Re: trying to recover windows ntfs disk from xen hba / lvm v

#13 Post by bbmitch »

PS I am in UTC-7 (pacific daylight) but can stay up late / get up early if it will help resolve this :-) Thanks!

User avatar
Fiona
Posts: 2835
Joined: 18 Feb 2012, 17:19
Location: Ludwigsburg/Stuttgart - Germany

Re: trying to recover windows ntfs disk from xen hba / lvm v

#14 Post by Fiona »

Especially abou the time, I assume might be 9 hours different?
In Stuttgart, it's 10:00 am! :)
The vhd contains a xen 10GB partition with about 1.5GB of data. The file which photorec recovered is 1686109696 bytes.
I think a file recovered using photorec doesn't help as much.
I still have some questions?
You wrote that your virtually disk size might be 10 GB?
The current size of your disk is about 1.7 GB.
Can you confirm that the size of your disk found by testdisk is correct?
In case you can try to make a boot sector diagnose using the menu Advanced.
If your partition appears as unknown in the menu advanced, you can mark the menu "Type" end press enter.
Press anter at confirm again.
Now at the right side your cursor will be blinking.
Type 07 for NTFS.
Press Enter to leave the menu "Type".
Check the menu Boot and press enter.
Please upload a screen!
If both, your boot sector and backup boot sector are bad, you don't see a menu List.
Then, have a try to run Rebuild BS to have a try to rebuild your boot sector.
If it finishes successful you see the menu List.
Please check it and press enter to have a try to list your data.
Until yet, you didn't change anything and all has been for diagnosis purposes.
Don't use the menu Write or Repair NTFS.
As long as you don't use it, you're not going to change anything to your vhd disk!
Only if it would be successful, you should use testdisk to copy/backup your data and then consider to have a try to repair/write any boot sector.

Fiona

bbmitch
Posts: 14
Joined: 17 Apr 2013, 01:14

Re: trying to recover windows ntfs disk from xen hba / lvm v

#15 Post by bbmitch »

I am pretty sure. I did all that last night / thought it would have been included in the log.

I can try again. I'll also post a link to a working vhd file which I have trouble reading through testdisk too. Thanks!

M

User avatar
Fiona
Posts: 2835
Joined: 18 Feb 2012, 17:19
Location: Ludwigsburg/Stuttgart - Germany

Re: trying to recover windows ntfs disk from xen hba / lvm v

#16 Post by Fiona »

I didn't see that you used the menu Advanced and Type.
Your partition appeared as Unknown.
Using the menu Type, you can change your "Unknown" partition to NTFS, like in your description, it has been a NTFS partition.
Then it might be possible to use the menu Boot to make a boot sector diagnose.
On an Unknown partition you cannot use the menu Boot to check or have a try to rebuild your boot sector.
Are you sure, that you did it?

This is all I got from you using the menu Advanced;
Interface Advanced
P Unknown 0 0 1 204 252 47 3293183
Image created successfully.
Looks like that you only created an image?
If you'd like to use an image, here are some instructions;
http://www.cgsecurity.org/wiki/Media_Image

Fiona

bbmitch
Posts: 14
Joined: 17 Apr 2013, 01:14

Re: trying to recover windows ntfs disk from xen hba / lvm v

#17 Post by bbmitch »

I think I tried it again after I changed the CHS information.
I have to change the CHS information because testdisk somehow doesn't see the real size - possibly because it doesn't see the partition table - but it has to be there as it works - doesn't it?
I think I have tried all the combinations. I will prepare a small test vhd people can try. I don't have direct control of the CHS - but I will keep it small and only put a few files in it as a test. That way you can see what I mean directly. And if I'm misunderstanding something it might be easier for you to tell me what I'm missing?

Thanks!

bbmitch
Posts: 14
Joined: 17 Apr 2013, 01:14

Re: trying to recover windows ntfs disk from xen hba / lvm v

#18 Post by bbmitch »

So I'm starting this process by creating a new xen VHD.
Size: 1GB
I will format this with NTFS and place some files on it once I have done so.

At creation time:

Code: Select all

-rw-r--r--    1 admin    administ     5120 Apr 23 19:56 /share/XenSRtest/9e8a12e6-9fe4-9e56-7209-fe8d82f1d2ca/277b1393-b896-407d-adee-6c0e2495262b.vhd _before_format
When I boot windows, it sees this disk and asked me to initialize it with MBR of GPT. I chose MBR.

Code: Select all

-rw-r--r--    1 admin    administ    12288 Apr 23 20:00 /share/XenSRtest/9e8a12e6-9fe4-9e56-7209-fe8d82f1d2ca/277b1393-b896-407d-adee-6c0e2495262b.vhd
Then I made a new simple volume in Windows 2008R2 – the maximum size was 1021MB
I set the volume label to NewFiona and formatted with NTFS (quick format).

Code: Select all

-rw-r--r--    1 admin    administ 35979264 Apr 23 20:04 /share/XenSRtest/9e8a12e6-9fe4-9e56-7209-fe8d82f1d2ca/277b1393-b896-407d-adee-6c0e2495262b.vhd
Then I made a folder called Fiona’sFiles – no change in the file size noted.

Code: Select all

-rw-r--r--    1 admin    administ 35979264 Apr 23 20:04 /share/XenSRtest/9e8a12e6-9fe4-9e56-7209-fe8d82f1d2ca/277b1393-b896-407d-adee-6c0e2495262b.vhd
Then I created a txt file called Fiona.txt and put 150 bytes of txt content in the file – still no change in file size:

Code: Select all

-rw-r--r--    1 admin    administ 35979264 Apr 23 20:04 /share/XenSRtest/9e8a12e6-9fe4-9e56-7209-fe8d82f1d2ca/277b1393-b896-407d-adee-6c0e2495262b.vhd
Then I copied a few zip files to the folder to force the vhd to grow.
The folder now contains:
  • 7z920-x64 (2).exe
    7x920-x64.exe
    portable-pn2342350 (2).zip
    portable-pn2342350 (2).zip
    testdisk-6.14-WIP.win (2).zip
    testdisk-6.14-WIP.win.zip
    Fiona.txt

Code: Select all

-rw-r--r--    1 admin    administ 51032064 Apr 23 20:11 /share/XenSRtest/9e8a12e6-9fe4-9e56-7209-fe8d82f1d2ca/277b1393-b896-407d-adee-6c0e2495262b.vhd
Then I shut down the vm:

Code: Select all

-rw-r--r--    1 admin    administ 52535808 Apr 23 20:15 /share/XenSRtest/9e8a12e6-9fe4-9e56-7209-fe8d82f1d2ca/277b1393-b896-407d-adee-6c0e2495262b.vhd
Then I ran testdisk :
/root/testdisk-6.14-WIP/testdisk_static /log 277b1393-b896-407d-adee-6c0e2495262b_with_data.vhd

Testdisk incorrectly reports the “size” of the media:
Select a media (use Arrow keys, then press Enter):
>Disk 277b1393-b896-407d-adee-6c0e2495262b_with_data.vhd - 52 MB / 50 MiB

I select Intel – it shows:

Code: Select all

Disk 277b1393-b896-407d-adee-6c0e2495262b_with_data.vhd - 52 MB / 50 MiB
     CHS 7 255 63 - sector size=512
Analyze tells me:

Code: Select all

Partition sector doesn't have the endmark 0xAA55
I did a quick search. If found nothing.

I did a deeper search. It found nothing.

So I quit. Then I went to Geometry.

I changed the cylinders. I guessed at what to set. If 50Mb = 7 cylinders, and my drive should be around 1024, then the cylinders should be around 140. From previous experience I know testdisk thinks the drive is invalid if the partition table exceeds set geometry so I’ll set it to 150 cylinders.

Code: Select all

Disk 277b1393-b896-407d-adee-6c0e2495262b_with_data.vhd - 1233 MB / 1176 MiB - CHS 150 255 63, sector size=512
Back to analyze – quick search showed nothing.

Deep seach showed nothing.

So I quit, and then changed the partition type to none.

Initially it displays:

Code: Select all

   P Unknown                  0   0  1   149 254 63    2409750
A quick search updates this to:

Code: Select all

>P NTFS                     0   2 19   130  42 56    2091008
However pressing P returns:

Code: Select all

   P NTFS                     0   2 19   130  42 56    2091008

Can't open filesystem. Filesystem seems damaged.
A deeper search returns:

Code: Select all

>P NTFS                     0   2 19   130  42 56    2091008
 P NTFS                     2  45 59   132  86 33    2091008

Can't open filesystem. Filesystem seems damaged.
For both of these as well.

Now here’s my problem. I should NOT have to FIX this image. It’s a new image. It works.

I don’t think testdisk understands xen.

Then I went to file system.

Code: Select all

>   P Unknown                  0   0  1   149 254 63    2409750
I tried setting type to NTFS.

Still can’t open the file system – but this makes sense – the file system will not start here.

I put both the “empty” and “used” vhd files into an archive called fiona_test.tar.gz

I’ll try to attach or failing that will send you a PM with a download link.

Hopefully this helps as I’m sure I won’t be the only one trying to open xen VHD’s

Thanks!

Mitch.
Attachments
testdisk.zip
the log file
(1.29 KiB) Downloaded 310 times

User avatar
Fiona
Posts: 2835
Joined: 18 Feb 2012, 17:19
Location: Ludwigsburg/Stuttgart - Germany

Re: trying to recover windows ntfs disk from xen hba / lvm v

#19 Post by Fiona »

Would it be possible to test partition table type None and Advanced (using Type to add the file system) / Boot and Rebuild BS?
It's a try to rebuild a boot sector.
Rebuilding a boot sector examines your file system and will search for your MFT and data.
Otherwise I'll recreate your situation to check, does it support VMWare or not.
I'll do it as early as possible and should be finished friday or saturday.

Fiona

bbmitch
Posts: 14
Joined: 17 Apr 2013, 01:14

Re: trying to recover windows ntfs disk from xen hba / lvm v

#20 Post by bbmitch »

Thanks Fiona - I've never tried to use a xen vhd under vmware - I've heard it's similar to VirtualPC and can be accessed (when it works) using WinImage which is a downloadable tool under windows which can open various disk images. The test I sent the link to works in Xen as well as WinImage - so far any combination I've tried including rebuilding bootsectors etc seems to render the image unusable and does not allow me to access the data.

If testdisk can read this format (either by knowing the steps or by adding the feature) it might help a lot of people less persistent than I am - I've seen a number of posts of people trying to recover / access xen vhd images who are told to try testdisk and then told to give up - I haven't given up yet though...

Thank you for your help. Did you receive the image ok? Mitch.

Locked