Weird problem and questions

How to use TestDisk to recover lost partition
Forum rules
When asking for technical support:
- Search for posts on the same topic before posting a new question.
- Give clear, specific information in the title of your post.
- Include as many details as you can, MOST POSTS WILL GET ONLY ONE OR TWO ANSWERS.
- Post a follow up with a "Thank you" or "This worked!"
- When you learn something, use that knowledge to HELP ANOTHER USER LATER.
Before posting, please read https://www.cgsecurity.org/testdisk.pdf
Locked
Message
Author
neurowork
Posts: 2
Joined: 24 Nov 2013, 17:37

Weird problem and questions

#1 Post by neurowork »

Hi,

So I have this 1Tb usb harddrive which GPT table was overwritten. I had on my todo list to backup that damn table but it was low priority.
Any way, I remember the layout of the drive:
EFI
HFS+
Apple CoreStorage Encrypted Drive
HFS+
exFAT

When I first ran testdisk, it didn't find the first partition, but found the HFS+ partition. Creating the GPT entry with the value givent by Testdisk didn't work.
However, I remembered that I created the partition table through Apple's DiskUtility which always starts with a 200mb EFI partition on sector 40. So I went ahead and created the entry in the GPT and reran testdisk.

This time, it found like a 100 HFS+ with different start sector but always with the same size. I'm not sure why but well.
Taking the hint, I created a HFS+ entry right after the EFI partition with the size given by testdisk and bam! I was able to recove the first HFS+ partition.

Now, I keep going with testdisk and now, it shows something weird as follows :
Mac HFS 409640 939695887 939286248
Unknown 1037724327 3088301167372966 3088300129648640 [^Xn 9^O~V]

My first question is :
Any idea why I get such entry ?

Now last question :
I'm only running at 62% after hours, is there a way to start search from a specific cylinder ? I'm pretty sure that if I manage to find that last exFat partition, I can recover the rest.

By the way, I tried running on Mac OSX, Linux Ubuntu and Windows 8.
I got the same Unknown stuff on all. Windows version is painfully slow, Linux is the fastest.

Thanks.

C.

User avatar
cgrenier
Site Admin
Posts: 5432
Joined: 18 Feb 2012, 15:08
Location: Le Perreux Sur Marne, France
Contact:

Re: Weird problem and questions

#2 Post by cgrenier »

Each time TestDisk find an HFS+ superblock, it may be the beginning of a new partition or a backup of the superblock. So if you have a partition and 99 superblock backup, TestDisk will list 100 partitions. It has no way to know which one is the correct one.

The testdisk.log file should contains some information about this mysterious "Unknown partition".

neurowork
Posts: 2
Joined: 24 Nov 2013, 17:37

Re: Weird problem and questions

#3 Post by neurowork »

Thanks for your kind answer.

I hear what you are saying about finding the superblocks however, The verify first time I ran Testdisk, it reported a single HFS+ entry at 478081 while the partition actually started at 409640 (I found that out later).
After I created the EFI entry in the GPT and reran the scan, it still couldn't find the EFI partition but gave me the 100 HFS+ entries, all mentioning the same size though. Same size that the first scan reported. And I used that to successfully recover the partition. I'm really grateful for that despite its not finding then proper first sector.

Some development happened over night. I let it run through the night. And it magically found the second HFS+ partition and the exfat partition with the proper values !! This time though, it found the HFS+ without generating those 100 entries. Just one correct entry :)

Kudos to you guys for making such a useful tool.

Now, I'm left with the Apple Core Storage partition. I tried to create an AF05 partition with the space in between both HFS+ partitions but no luck. There may have been some padding before and after. I'm not sure how to proceed with that. Would you have any ideas by any chance ?

Good thing is, I have a slightly outdated backup of the data but I'd rather recover that partition if I can.

Now, about that mysterious partition, here an snippet of the log referring to it :

Code: Select all

search_part()
Disk /dev/rdisk2 - 1000 GB / 931 GiB - 1953458176 sectors (RO)

HFS+ magic value at 478081/0/1
part_size 939286248
     Mac HFS                   478081  939764328  939286248
     HFS+ blocksize=4096, 480 GB / 447 GiB

SYSV4 Marker at 1037724327/0/1

recover_sysv4
     Unknown               1037724327 3088301167372966 3088300129648640 [n­9–]
     SysV4, 1581209 TB / 1438101 TiB
If that means anything to you I'd be grateful to hear it :)

Thanks a lot anyways, for everything. Lesson learned ?? Keep a backup of MBR and GPT always :)

C.

Locked