Using TestDisk to undelete files
mesajflaviu
Posts: 37 Joined: 12 Sep 2019, 19:54
#1
by mesajflaviu » 20 Jan 2020, 14:09
I am running the source code under a debugger on Win10 64-bit, wanting to read a deleted file from an NTFS USB stick. The debugging stopped here:
Code:
    // bootsect.c (from NTFS library)
    BOOL ntfs_boot_sector_is_ntfs(NTFS_BOOT_SECTOR *b)
    {
        u32 i;
        BOOL ret = FALSE;
        ntfs_log_debug("Beginning bootsector check.\n");
        ntfs_log_debug("Checking OEMid, NTFS signature.\n");
        if (b->oem_id != const_cpu_to_le64(0x202020205346544eULL)) // "NTFS    "
        {
            ntfs_log_error("NTFS signature is missing.\n"); // <-- here is entered my code
            goto not_ntfs;
        }
        ....
How to "translate" this error message?
NTFS signature is missing
recuperation
Posts: 2729 Joined: 04 Jan 2019, 09:48
Location: Hannover, Deutschland (Germany, Allemagne)
#2
by recuperation » 20 Jan 2020, 14:28
Dear mesajflaviu,
this string is an identifier for an NTFS boot sector.
As I told you at least once before, you can't learn the internals of file systems just by looking at the code of TestDisk.
You have to read external sources about it and run disk editors that do interpret data to get an understanding of the relevant file system.
Once you understand how the file system in question works, you will understand what Christophe Grenier programmed.
You would even be able to find errors - if there are any.
mesajflaviu
Posts: 37 Joined: 12 Sep 2019, 19:54
#3
by mesajflaviu » 20 Jan 2020, 15:43
And if this string seems to be missing, what should I understand from that?
recuperation
Posts: 2729 Joined: 04 Jan 2019, 09:48
Location: Hannover, Deutschland (Germany, Allemagne)
#4
by recuperation » 20 Jan 2020, 19:08
If this string is missing, the sector is either
1. no NTFS boot sector OR
2. a broken NTFS boot sector
mesajflaviu
Posts: 37 Joined: 12 Sep 2019, 19:54
#5
by mesajflaviu » 21 Jan 2020, 08:46
I guess it is the first case, because this happens on two different USB sticks formatted as exFAT.
mesajflaviu
Posts: 37 Joined: 12 Sep 2019, 19:54
#6
by mesajflaviu » 21 Jan 2020, 09:16
I am thinking that this issue is not necessarily an error though ... right?
mesajflaviu
Posts: 37 Joined: 12 Sep 2019, 19:54
#7
by mesajflaviu » 21 Jan 2020, 09:49
On a test stick, oem_id has the value 8804685062176, where oem_id is part of:
Code:
    typedef struct {
        u8 jump[3];                     /* Irrelevant (jump to boot up code). */
        le64 oem_id;                    /* Magic "NTFS    ". */
    /*0x0b*/BIOS_PARAMETER_BLOCK bpb;   /* See BIOS_PARAMETER_BLOCK. */
        u8 physical_drive;              /* 0x00 floppy, 0x80 hard disk */
        u8 current_head;                /* zero */
        u8 extended_boot_signature;     /* 0x80 */
        u8 reserved2;                   /* zero */
    /*0x28*/sle64 number_of_sectors;    /* Number of sectors in volume. Gives
                                           maximum volume size of 2^63 sectors.
                                           Assuming standard sector size of 512
                                           bytes, the maximum byte size is
                                           approx. 4.7x10^21 bytes. (-; */
        sle64 mft_lcn;                  /* Cluster location of mft data. */
        sle64 mftmirr_lcn;              /* Cluster location of copy of mft. */
        s8 clusters_per_mft_record;     /* Mft record size in clusters. */
        u8 reserved0[3];                /* zero */
        s8 clusters_per_index_record;   /* Index block size in clusters. */
        u8 reserved1[3];                /* zero */
        le64 volume_serial_number;      /* Irrelevant (serial number). */
        le32 checksum;                  /* Boot sector checksum. */
    /*0x54*/u8 bootstrap[426];          /* Irrelevant (boot up code). */
        le16 end_of_sector_marker;      /* End of bootsector magic. Always is
                                           0xaa55 in little endian. */
    /* sizeof() = 512 (0x200) bytes */
    }NTFS_BOOT_SECTOR;
from NTFS library, layout.h file.
mesajflaviu
Posts: 37 Joined: 12 Sep 2019, 19:54
#8
by mesajflaviu » 21 Jan 2020, 09:59
Plus, going through the code here, I got memory leaks:
Code:
    Detected memory leaks!
    Dumping objects ->
    {26571} normal block at 0x03FB87D0, 65536 bytes long.
    Data: < R NTFS > EB 52 90 4E 54 46 53 20 20 20 20 00 02 08 00 00
    Object dump complete.
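Added example, not part of the original posts and not TestDisk or NTFS library code: the 16 bytes shown in the dump of post #8, read as a little-endian 64-bit value at offset 3 (where the `/*0x0b*/` marker on `bpb` places `oem_id`) and at offset 8 (where a compiler puts a 64-bit member after `jump[3]` when the struct is not packed). The offset-8 read reproduces the value reported in post #7. The names `head_default`, `head_packed`, `le64_at` and `has_ntfs_oem_id` are hypothetical and used only for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* First 16 bytes of the buffer, copied from the leak dump in post #8. */
static const uint8_t dump[16] = {
    0xEB, 0x52, 0x90, 0x4E, 0x54, 0x46, 0x53, 0x20,
    0x20, 0x20, 0x20, 0x00, 0x02, 0x08, 0x00, 0x00
};

#define NTFS_MAGIC 0x202020205346544eULL /* "NTFS    " as a little-endian u64 */

/* Head of the boot sector struct with the compiler's default alignment. */
struct head_default { uint8_t jump[3]; uint64_t oem_id; };

/* Same fields forced to the on-disk layout (GCC/Clang syntax; MSVC uses #pragma pack). */
struct head_packed { uint8_t jump[3]; uint64_t oem_id; } __attribute__((__packed__));

/* Read a little-endian 64-bit value at a byte offset, independent of host endianness. */
static uint64_t le64_at(const uint8_t *buf, size_t off)
{
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--)
        v = (v << 8) | buf[off + i];
    return v;
}

/* Hypothetical helper: the same signature test done on raw bytes at the
   on-disk offset, so struct padding cannot move the field. */
static int has_ntfs_oem_id(const uint8_t *sector)
{
    return le64_at(sector, 3) == NTFS_MAGIC;
}

int main(void)
{
    printf("offsetof(oem_id): default=%zu packed=%zu\n",
           offsetof(struct head_default, oem_id),
           offsetof(struct head_packed, oem_id));
    printf("read at offset 3: 0x%016llx\n", (unsigned long long)le64_at(dump, 3));
    printf("read at offset 8: %llu\n", (unsigned long long)le64_at(dump, 8));
    printf("raw-byte signature check: %d\n", has_ntfs_oem_id(dump));
    return 0;
}
```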