Extended NTFS Recovery Assistance, Please can you help? :(

bridgey
Posts: 2
Joined: 02 Dec 2017, 23:26

#1 Post by bridgey »

Greetings reader. I've a major, MAJOR problem hopefully you can help me with. But first a bit of background to explain how I got here. I've been learning linux in more detail from a bootable usb for a little while and decided it was time for me to commit and install a distro on one of my hard drives. I lacked available space so using gparted in linux I deleted what I thought was an unused, hidden partition on hard disk 3 totaling around 16GB and formatted it as ext4 ready to install. However to my horror I booted into windows first to check everything was alright and my Data drive 3 (1.8TB) was completely inaccessible and missing. Windows disk management displayed the correct ntfs partition size. I decided to reboot and let windows run its disk checker through. When windows booted in again I could now see the drive - however it would not grant access with error "access denied". Googling, I found an article instructing me to access the drive properties and use the security screen to add Authenticated User as full control. Having done this I could then access - not my data partition - but it seems an old 150GB partition I had deleted last year in order to extend my data drive's storage. To extend my data drive last year I had used windows disk manager to extend my Data drive on to the newly created ntfs drive appropriated from the deleted partition. This partition contained an old windows folder, old user folders, basically nothing in it as I'd abandoned this partition last year.

What I have lost amounts to 15 years of history, tens of thousands of my personal photos of my daughter growing up, my friends and family which I cannot ever replace and my entire music collection. To say I am absolutely gutted is the understatement of the year. I hold no backups because backup drives for all my data (4TB) were too expensive; I have been so careful for so long I did not think I needed one.

At first I booted into linux to see if I could see the missing partition here and recover the files. Though fdisk -l lists the correct partition size in the detailed drive information as 1.8T Microsoft basic data, the file manager program only allowed me to access the old abandoned 150GB ntfs partition. I tried using gparted's partition recovery feature but it was unable to find anything. Immediately I read up on partition recovery which led me to testdisk. I followed the instructions to scan the disk and report on its findings. After around three hours my 1.8TB ntfs partition was nowhere to be found, so I proceeded to run the detailed scan. Another three hours passed and again I did not find the correctly sized partition. However I did locate a large partition sized at 850GB but it was labeled by testdisk as a Mac HFS partition. I cannot be certain but this may be the used storage size of the partition I am missing as there was free space available it was not full. I am not a mac user and have never created such a partition. The software would not browse the files stating the file system was not compatible. I aborted because I did not want to write anything else to disk and destroy any further chance of recovery.

I plead with you, please, does anyone have any experience to share on this type of problem. In summary if I have not explained well above, an ntfs partition was extended in windows to take advantage of free space, I may have deleted part of the extension but not the main 'area' of the partition, now it all seems gone. Is there any way I can restore the partition or retrieve my files? I cannot bear the thought that I have lost my digital history that means so much to me..

I have a 256GB SSD drive for Windows operating system. A 2TB drive full with video which thankfully is still accessible. And my 2TB drive which is the subject of this cry for help.

TestDisk's initial menu displays the correct drive information:

TestDisk 7.0, Data Recovery Utility, April 2015
Christophe GRENIER <grenier@cgsecurity.org>
http://www.cgsecurity.org

TestDisk is free software, and
comes with ABSOLUTELY NO WARRANTY.

Select a media (use Arrow keys, then press Enter):
Disk /dev/sda - 2000 GB / 1863 GiB - ST2000DM001-9YN164
>Disk /dev/sdb - 2000 GB / 1863 GiB - TOSHIBA DT01ACA200
Disk /dev/sdc - 240 GB / 223 GiB - Kingston SHPM2280P2H/240G
Disk /dev/sdd - 160 GB / 149 GiB - Iomega Iomega USB2/1394

The Toshiba drive is the problem.

fdisk -l lists correct partition sizes. Here is the full output. sdb5 is the problem drive.

root@kali:/# fdisk -l
Disk /dev/sdc: 223.6 GiB, 240057409536 bytes, 468862128 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 4096 bytes
I/O size (minimum/optimal): 4096 bytes / 4096 bytes
Disklabel type: gpt
Disk identifier: 66F27BC9-3713-45D8-97B4-2B5B7B4E8A4C

Device Start End Sectors Size Type
/dev/sdc1 2048 534527 532480 260M EFI System
/dev/sdc2 534528 796671 262144 128M Microsoft reserved
/dev/sdc3 796672 466915327 466118656 222.3G Microsoft basic data
/dev/sdc4 466915328 467836927 921600 450M Windows recovery environment
/dev/sdc5 467836928 468860927 1024000 500M Windows recovery environment


Disk /dev/sda: 1.8 TiB, 2000398934016 bytes, 3907029168 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 4096 bytes
I/O size (minimum/optimal): 4096 bytes / 4096 bytes
Disklabel type: dos
Disk identifier: 0xa94fc22a

Device Boot Start End Sectors Size Id Type
/dev/sda1 * 2048 3907026943 3907024896 1.8T 7 HPFS/NTFS/exFAT


Disk /dev/sdb: 1.8 TiB, 2000398934016 bytes, 3907029168 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 4096 bytes
I/O size (minimum/optimal): 4096 bytes / 4096 bytes
Disklabel type: gpt
Disk identifier: 845688A6-10E8-4913-A780-3F84E58C190B

Device Start End Sectors Size Type
/dev/sdb5 2435072 3874002943 3871567872 1.8T Microsoft basic data




Disk /dev/sdd: 149.1 GiB, 160041885696 bytes, 312581808 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x0608d9fe

Device Boot Start End Sectors Size Id Type
/dev/sdd1 * 2048 312581807 312579760 149.1G c W95 FAT32 (LBA)


Disk /dev/loop0: 2.5 GiB, 2646646784 bytes, 5169232 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes

Why then, if labeled as 1.8TB Microsoft basic data, can I not access this data? The 160GB 'old' partition is not even listed by fdisk, yet it is accessible right now in both operating systems. I am desperate. Please can you help me or point me in the right direction. Should I forget about the partition itself and proceed to a file recovery approach using PhotoRec or similar?

I will hold fire with any further action on this drive until I have spoken to an expert. If I need to take the drive in to a data recovery specialist here in the UK it is something I will have to do. I was hoping to recover it myself because I do not think the data has been overridden. I am grateful for any advice you can give me. Really appreciate you reading this far.

Best Regards,
Scott

cgrenier
Site Admin
Posts: 5432
Joined: 18 Feb 2012, 15:08
Location: Le Perreux Sur Marne, France

Re: Extended NTFS Recovery Assistance, Please can you help? :(

#2 Post by cgrenier »

Run "cmd" (right click run administrator) and run "chkdsk /f d:" (replace d: by the correct drive letter).
Are there any remaining errors?
Using the file explorer, select the disk and use "Take Ownership" ( https://www.windowscentral.com/how-take ... windows-10 ) if you still have the permission denied problem.

bridgey
Posts: 2
Joined: 02 Dec 2017, 23:26

Re: Extended NTFS Recovery Assistance, Please can you help? :(

#3 Post by bridgey »

Hi, thanks for your reply. I took ownership of the drive however - windows disk checker appears to have resurrected a long gone ntfs partition where an old windows installation once lived. That is my only explanation. I formatted over it last year for extra space. Only this partition is visible to operating systems, not my more recent 1.8TB storage partition with all my data. The chkdisk /f command reports no problems and gives data regarding the empty partition.

As I have not had any luck restoring the partition I have managed to use PhotoRec, which is a phenomenal tool by the way, to restore my photos and home videos. I believe I have every single one of them. The only caveat being some of the dates and file information is missing so 8 year old videos appear with last month's but to have them back at all - I can certainly live with that!

I am still pining after my enormous mp3 collection. PhotoRec wouldn't do me much favours here by not restoring the file information. I may just have to live with the fact I gone fucked up and start it again.
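Added example, not part of the original posts: a read-only way to check the mismatch described in this thread, where the partition table reports 1.8T for sdb5 but only a much smaller NTFS volume is accessible. It parses the NTFS boot sector at the partition start and compares the volume size it declares with the partition entry; the boot-sector values are constructed, and the helper names and 1 MiB tolerance are assumptions.

```python
import struct

def read_sector(path, lba, sector_size=512):
    """Read one sector from a disk image or device, opened read-only."""
    with open(path, "rb") as f:
        f.seek(lba * sector_size)
        return f.read(sector_size)

def parse_ntfs_boot_sector(buf):
    """Return NTFS geometry from a boot sector, or None if it is not NTFS."""
    if len(buf) < 512 or buf[3:11] != b"NTFS    " or buf[510:512] != b"\x55\xaa":
        return None
    bytes_per_sector, sectors_per_cluster = struct.unpack_from("<HB", buf, 0x0B)
    total_sectors, mft_lcn, mftmirr_lcn = struct.unpack_from("<QQQ", buf, 0x28)
    return {"bytes_per_sector": bytes_per_sector,
            "sectors_per_cluster": sectors_per_cluster,
            "total_sectors": total_sectors,
            "mft_lcn": mft_lcn, "mftmirr_lcn": mftmirr_lcn}

def compare_with_partition(bpb, partition_sectors, table_sector_size=512,
                           tolerance=1 << 20):
    """Compare the volume size NTFS declares with the partition table entry."""
    fs_bytes = bpb["total_sectors"] * bpb["bytes_per_sector"]
    slack = partition_sectors * table_sector_size - fs_bytes
    # NTFS normally leaves the last sector of the partition for its backup
    # boot sector, so a healthy volume is slightly smaller than the partition.
    if slack < 0:
        verdict = "filesystem larger than partition"
    elif slack <= tolerance:  # tolerance is an arbitrary choice for this example
        verdict = "consistent"
    else:
        verdict = "filesystem smaller than partition"
    return verdict, slack

def build_sample_boot_sector(total_sectors):
    """Constructed NTFS boot sector for the demo; not data from the thread."""
    b = bytearray(512)
    b[0:3] = b"\xeb\x52\x90"                         # jump instruction
    b[3:11] = b"NTFS    "                            # OEM ID
    struct.pack_into("<HB", b, 0x0B, 512, 8)         # 512 B sectors, 8 per cluster
    struct.pack_into("<QQQ", b, 0x28, total_sectors, 786432, 2)
    b[510:512] = b"\x55\xaa"                         # boot signature
    return bytes(b)

if __name__ == "__main__":
    PART_SECTORS = 3871567872    # /dev/sdb5 sector count from the fdisk output
    OLD_FS_SECTORS = 314572799   # constructed: a volume of about 150 GiB
    bpb = parse_ntfs_boot_sector(build_sample_boot_sector(OLD_FS_SECTORS))
    print(compare_with_partition(bpb, PART_SECTORS))
    # Against a disk or image: read_sector("/dev/sdb", 2435072) reads the sdb5 start.
```

Running the same comparison against an image of the disk rather than the disk itself keeps the original untouched while the cause is worked out.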
