Page 1 of 1

recover files from NTFS partition after CHKDSK

Posted: 29 Sep 2015, 04:36
by dspear99ca
First off, I apologize if this particular question has been asked and answered on this forum... I spent several hours reading and still am finding no joy, so here goes:

I've got a 1.5TB external USB drive which I use for a variety of tasks, including storage of a lot of family archival photos... like scanned images from the past 100 years, some of the originals no longer exist. There is one partition on the disk formatted NTFS. I've used it on both PC's and Macs using NTFS-3G... it worked flawlessly. For the record, the drive has realistically been hooked up and used less than 50 times although it's several years old.

At any rate, a few weeks ago I had it at a customer site, plugged it in (to a Windows machine) and got an error message that the drive was not readable. I brought it home and hooked it up to my Mac and it would not mount in my finder. Disk Utility could see it, read the volume label and knew the size, but I could not mount it.

So, after doing some reading on the internet, I figured that somehow the partition had somehow gotten corrupted, maybe by an unclean unmount while using NTFS-3G which seems to be known to cause such problems. I plugged the drive into a PC today and ran CHKDSK /F and a few screens of "deleting index entry..." flew by. The drive now mounts cleanly but there are no files, no directories. Nothing, in short.

I tried running Testdisk, it sees an NTFS partition, it sees that the MFT and MFT mirror are identical and OK, when I choose Undelete, however, it only shows one file: /System Volume Information/14{long string of HEX} of size 8176kb. I've done a Deep Search for other partitions, but none have been found by Testdisk.

Can anyone shed some light on what's going on, and any suggestions for me to recover what's on this disk? I have a testdrive log if that would be helpful.

Thanks so much for any replies.

Re: recover files from NTFS partition after CHKDSK

Posted: 29 Sep 2015, 06:16
by cgrenier
To recover the original filename, you can try
Otherwise use PhotoRec

Re: recover files from NTFS partition after CHKDSK

Posted: 29 Sep 2015, 16:27
by dspear99ca
Thanks for your quick reply. So, I ran PhotoRec last night... it ran for ~15 hours. It was able to recover 174 files, about half of which were single-page PDF's of various language copies of a legal disclaimer for some software package. It did get a few video clips and pictures as well.

In the interest of expediency, I also started running Recuva software last night about 2 hours into to the PhotoRec run. It is still going, estimating 7 more hours, but says it's identified 470,000+ files. I'd say there were upwards of 10,000 files on the drive but half a million seems, um, a bit high. I am hoping it is able to recover some of the directory structure as it could fill up a pretty good chunk of time going through that many files "by hand".

Would you know of any tutorial I could read about how hard drive storage works? I am a former UNIX sysadmin so my level of knowledge is pretty good with hardware, just never got into the level of detail required to understand or execute data recovery strategies (drive failure or corruption --> restore from backup, EASY). I read through the recovery examples and there are some "jumps of logic" from one step to the next on some of them (particularly the partition recover) that illustrate the gaps in my knowledge.

Thanks again for your help.


Re: recover files from NTFS partition after CHKDSK

Posted: 02 Oct 2015, 16:11
by cgrenier
scrounge-ntfs contains the logic to recover the filename.

Can you rerun latest PhotoRec 7.1-WIP (updated yesterday), choose [Whole], not [Free] after selecting the partition. Do you recover more files ?

Re: recover files from NTFS partition after CHKDSK

Posted: 05 Feb 2016, 02:22
by DigitalCoke
What is the difference in running Free VS Whole. I usually run one of each. am i wasting my time?

Re: recover files from NTFS partition after CHKDSK

Posted: 05 Feb 2016, 09:22
by cgrenier
[Free] should only be used for non-corrupted filesystem.