NTFS signature is missing

mesajflaviu
Posts: 37
Joined: 12 Sep 2019, 19:54

NTFS signature is missing

#1 Post by mesajflaviu »

I have been running the source code under a debugger on Win10 64-bit, wanting to read a deleted file from an NTFS USB stick, and the debugging stopped here:

Code:

// bootsect.c (from NTFS library)
BOOL ntfs_boot_sector_is_ntfs(NTFS_BOOT_SECTOR *b)
{
	u32 i;
	BOOL ret = FALSE;
	ntfs_log_debug("Beginning bootsector check.\n");

	ntfs_log_debug("Checking OEMid, NTFS signature.\n");
	if (b->oem_id != const_cpu_to_le64(0x202020205346544eULL))	// "NTFS    "
	{
		ntfs_log_error("NTFS signature is missing.\n");    // <-- my code enters here
		goto not_ntfs;
	}
....
How do I "translate" this error message? NTFS signature is missing

recuperation
Posts: 2729
Joined: 04 Jan 2019, 09:48
Location: Hannover, Deutschland (Germany, Allemagne)

Re: NTFS signature is missing

#2 Post by recuperation »

Dear mesajflaviu,

This string is an identifier for an NTFS boot sector.
As I told you at least once before, you can't learn the internals of file systems just by looking at the code of TestDisk.

You have to read external sources about it and run disk editors that interpret the data to get an understanding of the relevant file system.

Once you understand how the file system in question works, you will understand what Christophe Grenier programmed.
You would even be able to find errors - if there are any.

mesajflaviu
Posts: 37
Joined: 12 Sep 2019, 19:54

Re: NTFS signature is missing

#3 Post by mesajflaviu »

And if this string seems to be missing, what should I understand from that?

recuperation
Posts: 2729
Joined: 04 Jan 2019, 09:48
Location: Hannover, Deutschland (Germany, Allemagne)

Re: NTFS signature is missing

#4 Post by recuperation »

If this string is missing the sector is either

1. no NTFS boot sector OR
2. a broken NTFS boot sector

mesajflaviu
Posts: 37
Joined: 12 Sep 2019, 19:54

Re: NTFS signature is missing

#5 Post by mesajflaviu »

I guess it is the first case, because this happens on two different USB sticks formatted as exFAT.

mesajflaviu
Posts: 37
Joined: 12 Sep 2019, 19:54

Re: NTFS signature is missing

#6 Post by mesajflaviu »

I am thinking that this issue is not necessarily an error though... right?

mesajflaviu
Posts: 37
Joined: 12 Sep 2019, 19:54

Re: NTFS signature is missing

#7 Post by mesajflaviu »

On a test stick, oem_id has the value 8804685062176, where oem_id is part of:

Code:

typedef struct {
	u8  jump[3];			/* Irrelevant (jump to boot up code).*/
	le64 oem_id;			/* Magic "NTFS    ". */
/*0x0b*/BIOS_PARAMETER_BLOCK bpb;	/* See BIOS_PARAMETER_BLOCK. */
	u8 physical_drive;		/* 0x00 floppy, 0x80 hard disk */
	u8 current_head;		/* zero */
	u8 extended_boot_signature; 	/* 0x80 */
	u8 reserved2;			/* zero */
/*0x28*/sle64 number_of_sectors;		/* Number of sectors in volume. Gives
						   maximum volume size of 2^63 sectors.
						   Assuming standard sector size of 512
						   bytes, the maximum byte size is
						   approx. 4.7x10^21 bytes. (-; */
	sle64 mft_lcn;			/* Cluster location of mft data. */
	sle64 mftmirr_lcn;		/* Cluster location of copy of mft. */
	s8  clusters_per_mft_record;	/* Mft record size in clusters. */
	u8  reserved0[3];		/* zero */
	s8  clusters_per_index_record;	/* Index block size in clusters. */
	u8  reserved1[3];		/* zero */
	le64 volume_serial_number;	/* Irrelevant (serial number). */
	le32 checksum;			/* Boot sector checksum. */
/*0x54*/u8  bootstrap[426];		/* Irrelevant (boot up code). */
	le16 end_of_sector_marker;	/* End of bootsector magic. Always is
					   0xaa55 in little endian. */
					   /* sizeof() = 512 (0x200) bytes */
}NTFS_BOOT_SECTOR;
from NTFS library, layout.h file.

mesajflaviu
Posts: 37
Joined: 12 Sep 2019, 19:54

Re: NTFS signature is missing

#8 Post by mesajflaviu »

Plus, going through the code here, I got memory leaks:

Code:

Detected memory leaks!
Dumping objects ->
{26571} normal block at 0x03FB87D0, 65536 bytes long.
 Data: < R NTFS         > EB 52 90 4E 54 46 53 20 20 20 20 00 02 08 00 00 
Object dump complete.
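
Added example (not part of the thread, and not TestDisk or NTFS library code): it reads the 16 bytes shown in the leak dump of post #8 as a little-endian 64-bit value at offset 3 and at offset 8. Offset 3 holds the "NTFS    " magic, while offset 8 yields exactly the 8804685062176 reported in post #7, which is where a compiler puts oem_id if the struct is laid out with natural alignment instead of packed. That the poster's build is unpacked is an assumption; head_natural and head_packed are hypothetical stand-ins for the first two fields of NTFS_BOOT_SECTOR.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* First 16 bytes of the sector, copied from the leak dump in post #8. */
static const uint8_t sector_head[16] = {
    0xEB, 0x52, 0x90, 0x4E, 0x54, 0x46, 0x53, 0x20,
    0x20, 0x20, 0x20, 0x00, 0x02, 0x08, 0x00, 0x00
};

#define NTFS_OEM_ID 0x202020205346544eULL /* "NTFS    " as a little-endian u64 */

/* Read a little-endian 64-bit value at a byte offset, independent of host
   endianness and of whatever struct layout the compiler chose. */
static uint64_t read_le64(const uint8_t *buf, size_t off)
{
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--)
        v = (v << 8) | buf[off + (size_t)i];
    return v;
}

/* Signature check that does not depend on struct packing. */
static int has_ntfs_oem_id(const uint8_t *sector)
{
    return read_le64(sector, 3) == NTFS_OEM_ID;
}

/* Hypothetical stand-ins: same two leading fields, unpacked vs. packed. */
struct head_natural { uint8_t jump[3]; uint64_t oem_id; };
#pragma pack(push, 1)
struct head_packed { uint8_t jump[3]; uint64_t oem_id; };
#pragma pack(pop)

int main(void)
{
    printf("oem_id offset, natural alignment: %zu\n",
           offsetof(struct head_natural, oem_id));
    printf("oem_id offset, packed:            %zu\n",
           offsetof(struct head_packed, oem_id));
    printf("le64 at offset 3: 0x%016llx\n",
           (unsigned long long)read_le64(sector_head, 3));
    printf("le64 at offset 8: %llu\n",
           (unsigned long long)read_le64(sector_head, 8));
    printf("NTFS signature present at offset 3: %s\n",
           has_ntfs_oem_id(sector_head) ? "yes" : "no");
    return 0;
}
```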
