Help Repairing a 3TB Western Digital Disk from an Image...Several Questions of Clarification...

How to use TestDisk to recover lost partition
Forum rules
When asking for technical support:
- Search for posts on the same topic before posting a new question.
- Give clear, specific information in the title of your post.
- Include as many details as you can, MOST POSTS WILL GET ONLY ONE OR TWO ANSWERS.
- Post a follow up with a "Thank you" or "This worked!"
- When you learn something, use that knowledge to HELP ANOTHER USER LATER.
Before posting, please read https://www.cgsecurity.org/testdisk.pdf
Locked
Message
Author
Recovera
Posts: 6
Joined: 31 May 2021, 22:24

Help Repairing a 3TB Western Digital Disk from an Image...Several Questions of Clarification...

#1 Post by Recovera »

Hi. I am sorry this is quite lengthy but I am trying to provide as much background information as possible for the sake of clarity. :) If you want to skip reading what I did to arrive at a decrypted drive image file to work on in testdisk, skip to the dotted line like this ------------------------- :)

I have a 3TB drive I use under Windows that suddenly presented as RAW. It was an encrypted Western Digital Mybook Essentials external drive. (I have decrypted it before you tell me this is impossible). I outline the steps I have followed so far in my attempt to regain access to my data.

1. I made a clone of the entire original faulty encrypted 3TB drive to an empty 4TB drive under Linux using ddrescue through the terminal. The cloning process went pretty well, revealing that there is only a TINY amount of damage to the disk (about 5Meg of unrecoverable material in about 3 areas out of 3TB). Over 99.99% of data was recovered to the clone successfully.

2. I decrypted the cloned drive to a 3TB drive image file ie. (.img file) and stored it on an empty 4TB partition of another 8TB drive using ‘really mine’ through the Linux terminal. My drive is decryptable with this tool as it has the right type of Jmicron chip. This took nearly 9 DAYS! The reason for this step is that I am uncertain if the drive’s original nasty hardware encryption/decryption SATA bridge is working properly and therefore if it is capable of running and translating the drive properly.

3. As this 3TB decrypted drive image file took nearly 9 days to make, I then took the precaution of making a copy of this decrypted image file onto the other second empty 4TB partition on the same 8TB drive so as to have something safe to work on that would take less than 24hrs to replace if I did something wrong/stupid in trying to repair its structure.

4. Attempted to mount the this second decrypted image under Linux just to test if it would actually mount under Linux without any repair. I tried both mounting it directly using:

$ sudo mount /media/<username>/<partition>/<file>.img /mnt/<directory>

and also as a loop device ie.:

$ sudo losetup -o 1048576 -f /media/<username>/<partition>/<file>.img
$ sudo mount /dev/loop<x> /mnt/<directory>

Neither method succeeded and both threw errors. I assumed they would but you have to check these things before doing unnecessary work.

5. Having done all this, and realising the disk structure needed repair, I opened this second copy of the decrypted image file in testdisk (still in the Linux terminal) to start work on it.

---------------------------------------------------------------------------------------------------------------------

Although I have not used testdisk before, I have read the instructions and also followed through the examples. Despite this, I am confused by a number of issues and still have a few questions.

My original disk disk uses a DOS/MBR type file system NOT GPT and has only one NTFS partition spanning the entire disk. I was initially confused as to how this was possible as I believed DOS/MBR only allows for drive up to 2.2TB but have since learnt that Advanced Formatting (512e and 4Kn) allow drives up to around 16TB with DOS/MBR. So, I’m fairly sure I have this part right.

The good news is, although testdisk initially reports my drive is showing some weird arrangement of two copies of the same NTFS partition (similar to that in the repair walk-through example), the quick-search option almost instantly finds 1 copy of this NTFS partition, named [MYBOOK], which spans the entire disk size and which it reports is primary and bootable and more importantly ‘ok’.

HOWEVER, I do not feel I can proceed with the repair any further as yet as there are two things worrying me:

a) The testdisk manual states very plainly NOT to overwrite the partition table with the new results if your personal files do not show up in the partition. I have checked and there are only two entries in the partition other than ‘.’ and ‘..’ namely:
$RECYCLE.BIN & a dll system file that I am told is in the root directory of most drives.

Opening the $RECYCLE.BIN folder shows many files and folders some of which can be treed down and opened too revealing more files and folders… but my root level folders with my regular personal data files are NOT shown.

Now, I have read that FAT partitions only show the first 10 clusters in testdisk and that many of your personal files will appear to be missing but that they will be there in the drive in Linux once repair and mounting is complete… however, although it might belong to a similar family, my partition is NTFS NOT FAT.

So, my first question is:

QUESTION 1: Should I be concerned these files don’t show or is this normal for NTFS too?

b) I have grave concerns as to what on earth I should put for the drive geometry which I am led to believe is all important to recovery success.

QUESTION 2: Do I need to enter the geometry of the original failed drive (I assume this is the correct choice), the geometry of the new drive upon which the image file resides or the geometry of the image file, itself??? Do image files even have disk geometry??? I have no idea.

QUESTION 3: Testdisk is reporting that the values that it has chosen as standard for Intel MBR and NTFS do not match those of the drive… but then, it tells me that the drive has some very suspect and odd values ie. It reports 1 cylinder and 1 head… could that possibly be correct?

QUESTION 4: It is my understanding that CHS values have zero correspondence to the real number of cylinders heads and sectors of a drive and any drive can have any number (within bounds) for these values. Thus, how can you ever KNOW the right values if they are not published by the drive manufacturer??? ...AND THEY APPEAR NOT TO BE! Perhaps I have missed something but I’ve been scouring the internet looking for these values for my drive model and found NOTHING. Given this, how can you ever get this right??

QUESTION 5: Further to this, how do Advanced 512e and 4Kn formatting affect the values entered? Apparently, 512e sectors are really 4096 bytes on the disk but report as 512 bytes to the computer (I think I have that the right way around). What would you then enter?? 512? 4096? Can testdisk even deal with Advanced Format 512e and 4Kn disks??

Any light anyone can shed on these issues would be GREATLY appreciated. :) Again, sincerest apologies for the long post. :)

User avatar
cgrenier
Site Admin
Posts: 5432
Joined: 18 Feb 2012, 15:08
Location: Le Perreux Sur Marne, France
Contact:

Re: Help Repairing a 3TB Western Digital Disk from an Image...Several Questions of Clarification...

#2 Post by cgrenier »

Disk images have no geometry. You have to set the geometry for them.
A good idea will be to test if the decryption has work correctly by running PhotoRec on the decrypted image.

Recovera
Posts: 6
Joined: 31 May 2021, 22:24

Re: Help Repairing a 3TB Western Digital Disk from an Image...Several Questions of Clarification...

#3 Post by Recovera »

Ok, thankyou for the prompt reply, cgrenier. :) That's a good idea. I will try that.

Recovera
Posts: 6
Joined: 31 May 2021, 22:24

Re: Help Repairing a 3TB Western Digital Disk from an Image...Several Questions of Clarification...

#4 Post by Recovera »

Ok. I have followed your suggestion and I am completely satisfied that the disk decryption has worked 100% perfectly. In just a few seconds after running Photorec on the decrypted drive image file, hundreds of my personal photos, wavs, movies, mp3s and other data were found and saved. To make absolutely sure, I left Photorec running for about 45 mins and literally 1000's of my personal data files came pouring out of the drive like magic. So, there is nothing wrong with the decryption. :)

I have now tried to find the right CHS and sector size values for my drive by plugging the original faulty drive in and running testdisk on it.

Your github page says that you welcome suggestions and corrections. Perhaps the manual already contains a section on this and I missed it, but if not, may I propose that this suggestion should be added to the tesdisk manual for users attempting to recover using clones or images (as everyone should) and who are struggling with the concept of how they are going to guess these magical unknowable numbers by chance. Perhaps a section dedicated to this and other methods of working out disk geometry would be of benefit. I think it will save a lot of people having to contact the forum and waste your time. :)

Now, having said that, I am still confused.

When I examine the original damaged drive in testdisk through its original Western Digital encrypting/decrypting SATA bridge (which may or may not be fully working) the C,H,S,SectorSize numbers testdisk gives me are:

Code: Select all

732558081, 1, 1, 4096
Which is actually the same as I get when I run testdisk on the decrypted drive image file which you say has no geometry... I assume the image must retain information about the geometry as they match 100% perfectly. These feel like strange numbers, though...

However, when I examine the original damaged drive in test disk through a regular SATA bridge (which can't decrypt the contents) the numbers it gives me are:

Code: Select all

2861588, 64, 32, 512
My drive reports through the linux fdisk command that the start sector of partition 1 is sector is 256.

Code: Select all

$ sudo fdisk /dev/sdd
Command (m for help): i

Selected partition 1
         Device: /dev/sdf1
          Start: 256
            End: 732558335
        Sectors: 732558080
      Cylinders: 732558081
           Size: 2.7T
             Id: 7
           Type: HPFS/NTFS/exFAT
    Start-C/H/S: 256/0/1
      End-C/H/S: 1023/0/1
If I run testdisk on the decrypted image and I put the second set of CHS and sector size numbers into testdisk (which appear more normal to me), the start sector is reported incorrectly. If I put the first set of CHS and sector size numbers into testdisk, then the start sector is reported correctly as 256... So, I have to assume that is correct, however, I still cannot see my personal files and folders when I press 'P' as you describe happens with a FAT disk rather than an NTFS disk.

Am I missing something? Is it safe to move forward and write the partition to disk? Or does this look fishy still?

recuperation
Posts: 2718
Joined: 04 Jan 2019, 09:48
Location: Hannover, Deutschland (Germany, Allemagne)

Re: Help Repairing a 3TB Western Digital Disk from an Image...Several Questions of Clarification...

#5 Post by recuperation »

If you can't see your content using the p-key there is no reason to modify your img file.
You would use either Photorec or any other commercial recovery software.

Recovera
Posts: 6
Joined: 31 May 2021, 22:24

Re: Help Repairing a 3TB Western Digital Disk from an Image...Several Questions of Clarification...

#6 Post by Recovera »

Oh... :( That's immensely disappointing... but thankyou. :) I've been working on this for 6 months :(

Locked