Recover original partition after using Windows Disk Management

How to use TestDisk to recover lost partition
Forum rules
When asking for technical support:
- Search for posts on the same topic before posting a new question.
- Give clear, specific information in the title of your post.
- Include as many details as you can, MOST POSTS WILL GET ONLY ONE OR TWO ANSWERS.
- Post a follow up with a "Thank you" or "This worked!"
- When you learn something, use that knowledge to HELP ANOTHER USER LATER.
Before posting, please read https://www.cgsecurity.org/testdisk.pdf
Locked
Message
Author
MattWright
Posts: 5
Joined: 27 Jun 2018, 16:10

Recover original partition after using Windows Disk Management

#1 Post by MattWright »

Hi all, I could really use some help here.

We have a computer that dual boots Ubuntu and Windows. We had an external harddrive in there that was visible in Ubuntu. It is 8TB so I assume its partition table was GPT although I do not know for sure. Someone tried to access this drive from Windows recently. They went through the Disk Management utility and used the Initialize Disk menu to initialize a logical disk using the GPT option. Screen shot below is from another website showing the same situation but it is reflective of what was done here (the event wasn't recorded here). Now the disk reads as empty by both Windows and Ubuntu. The data on the disk was extremely sensitive and its extremely important that I figure out how to recover it.

I started a scan with testdisk. In the menu that offers a [Quick Search] the partition is recognized as being Microsoft Reserved. If I start the scan with the [Intel] option selected for the partition table type it shows the same Linux partition listed several times with the correct harddrive name. This does not make sense to me since an 8TB harddrive should have been using a GPT from the beginning and I understood that the [Intel] option searched for MBR partitions. If we run the scan using the [EFI GPT] option selected, then the partitions are found elsewhere and are labelled as MS Data.

How can I retreieve my original data??

User avatar
cgrenier
Site Admin
Posts: 5432
Joined: 18 Feb 2012, 15:08
Location: Le Perreux Sur Marne, France
Contact:

Re: Recover original partition after using Windows Disk Management

#2 Post by cgrenier »

Using the key "p", can you list the content of the listed partitions ?
If the partitions are valid, set them to P(rimary) and on next screen, choose Write, confirm, Quit and restart your computer.

MattWright
Posts: 5
Joined: 27 Jun 2018, 16:10

Re: Recover original partition after using Windows Disk Management

#3 Post by MattWright »

The scans are still running and look like they will take several hours. I believe TestDisk is scanning the entire disk, even though I am confident it has already found all it will find (the disks only ever had a single partition). Is it possible to stop the scans and try to list the partitions' contents before the scan has completed?

MattWright
Posts: 5
Joined: 27 Jun 2018, 16:10

Re: Recover original partition after using Windows Disk Management

#4 Post by MattWright »

And could you possibly explain a little bit more what is happening when I scan with different table options, ie. why [Intel] produces partitions labelled "Linux" and [EFI GPT] produces partitions labelled "MS Data"?

MattWright
Posts: 5
Joined: 27 Jun 2018, 16:10

Re: Recover original partition after using Windows Disk Management

#5 Post by MattWright »

During the scan, several Linux partitions were listed at a CHS Start of 0 0 1, as I hoped. These even had the correct name that we had assigned to the drive listed at the right. I was waiting until the scan finished to try to view the files in these. However, once the scan finished, the only partition listed was FAT16 LBA at CHS Start of 366887 132 61. I was looking forward to testing the Linux partition and it has disappeared in the scan results.

User avatar
cgrenier
Site Admin
Posts: 5432
Joined: 18 Feb 2012, 15:08
Location: Le Perreux Sur Marne, France
Contact:

Re: Recover original partition after using Windows Disk Management

#6 Post by cgrenier »

An ext4 filesystem will be in a Linux (83) partition when using using a PC Intel partition table and an MS Data (the same used by an NTFS filesystem) when using a EFI GPT partition table.
Please provide a copy/paste of the testdisk.log file content if you will information about testdisk results.

MattWright
Posts: 5
Joined: 27 Jun 2018, 16:10

Re: Recover original partition after using Windows Disk Management

#7 Post by MattWright »

For sure. Sorry I have been unable to follow up for a few days. The forum will not let me attach the image so I am pasting it here.

This is from a run where I killed test disk knowing where it would end up. By the time it was killed it had already listed the Linux partition.



Thu Jun 28 11:29:03 2018
Command line: TestDisk

TestDisk 7.0, Data Recovery Utility, April 2015
Christophe GRENIER <grenier@cgsecurity.org>
http://www.cgsecurity.org
OS: Linux, kernel 4.13.0-45-generic (#50~16.04.1-Ubuntu SMP Wed May 30 11:18:27 UTC 2018) x86_64
Compiler: GCC 5.3
ext2fs lib: 1.42.13, ntfs lib: libntfs-3g, reiserfs lib: none, ewf lib: none, curses lib: ncurses 6.0
/dev/sda: LBA, HPA, LBA48, DCO support
/dev/sda: size 1953525168 sectors
/dev/sda: user_max 1953525168 sectors
/dev/sda: native_max 1953525168 sectors
/dev/sdb: LBA, HPA, LBA48, DCO support
/dev/sdb: size 15628053168 sectors
/dev/sdb: user_max 15628053168 sectors
/dev/sdb: native_max 15628053168 sectors
/dev/sdc: LBA, HPA, LBA48, DCO support
/dev/sdc: size 15628053168 sectors
/dev/sdc: user_max 15628053168 sectors
/dev/sdc: native_max 15628053168 sectors
/dev/sdd: LBA, LBA48 support
/dev/sdd: size 1025610768 sectors
/dev/sdd: user_max 1025610768 sectors
Warning: can't get size for Disk /dev/mapper/control - 0 B - 0 sectors, sector size=512
Hard disk list
Disk /dev/sda - 1000 GB / 931 GiB - CHS 121601 255 63, sector size=512 - ST1000DM003-1CH162, S/N:S1DBH6AM, FW:CC56
Disk /dev/sdb - 8001 GB / 7452 GiB - CHS 972801 255 63, sector size=512 - HGST HDN728080ALE604, S/N:R6GSALDY, FW:A4GNW91X
Disk /dev/sdc - 8001 GB / 7452 GiB - CHS 972801 255 63, sector size=512 - HGST HDN728080ALE604, S/N:R6GS5P6Y, FW:A4GNW91X
Disk /dev/sdd - 525 GB / 489 GiB - CHS 63841 255 63, sector size=512 - Crucial_CT525MX300SSD1, S/N:164914EE6EC5, FW:M0CR031

Partition table type (auto): None
Disk /dev/sdc - 8001 GB / 7452 GiB - HGST HDN728080ALE604
Partition table type: Intel

Analyse Disk /dev/sdc - 8001 GB / 7452 GiB - CHS 972801 255 63
Geometry from i386 MBR: head=256 sector=63
check_part_i386 1 type EE: no test
Current partition structure:
1 P EFI GPT 0 0 2 267349 89 4 4294967295

Warning: Bad ending head (CHS and LBA don't match)
No partition is bootable

search_part()
Disk /dev/sdc - 8001 GB / 7452 GiB - CHS 972801 255 63

block_group_nr 1

recover_EXT2: "e2fsck -b 32768 -B 4096 device" may be needed
recover_EXT2: s_block_group_nr=1/59616, s_mnt_count=0/4294967295, s_blocks_per_group=32768, s_inodes_per_group=4096
recover_EXT2: s_blocksize=4096
recover_EXT2: s_blocks_count 1953506646
recover_EXT2: part_size 15628053168
Linux 0 0 1 972801 80 63 15628053168 [AMI Data 4]
ext4 blocksize=4096 Large_file Sparse_SB Backup_SB, 8001 GB / 7452 GiB
Partition not added.

block_group_nr 3

recover_EXT2: "e2fsck -b 98304 -B 4096 device" may be needed
recover_EXT2: s_block_group_nr=3/59616, s_mnt_count=0/4294967295, s_blocks_per_group=32768, s_inodes_per_group=4096
recover_EXT2: s_blocksize=4096
recover_EXT2: s_blocks_count 1953506646
recover_EXT2: part_size 15628053168
Linux 0 0 1 972801 80 63 15628053168 [AMI Data 4]
ext4 blocksize=4096 Large_file Sparse_SB Backup_SB, 8001 GB / 7452 GiB
Partition not added.

block_group_nr 5

recover_EXT2: "e2fsck -b 163840 -B 4096 device" may be needed
recover_EXT2: s_block_group_nr=5/59616, s_mnt_count=0/4294967295, s_blocks_per_group=32768, s_inodes_per_group=4096
recover_EXT2: s_blocksize=4096
recover_EXT2: s_blocks_count 1953506646
recover_EXT2: part_size 15628053168
Linux 0 0 1 972801 80 63 15628053168 [AMI Data 4]
ext4 blocksize=4096 Large_file Sparse_SB Backup_SB, 8001 GB / 7452 GiB
Partition not added.

block_group_nr 7

recover_EXT2: "e2fsck -b 229376 -B 4096 device" may be needed
recover_EXT2: s_block_group_nr=7/59616, s_mnt_count=0/4294967295, s_blocks_per_group=32768, s_inodes_per_group=4096
recover_EXT2: s_blocksize=4096
recover_EXT2: s_blocks_count 1953506646
recover_EXT2: part_size 15628053168
Linux 0 0 1 972801 80 63 15628053168 [AMI Data 4]
ext4 blocksize=4096 Large_file Sparse_SB Backup_SB, 8001 GB / 7452 GiB
Partition not added.

block_group_nr 9

recover_EXT2: "e2fsck -b 294912 -B 4096 device" may be needed
recover_EXT2: s_block_group_nr=9/59616, s_mnt_count=0/4294967295, s_blocks_per_group=32768, s_inodes_per_group=4096
recover_EXT2: s_blocksize=4096
recover_EXT2: s_blocks_count 1953506646
recover_EXT2: part_size 15628053168
Linux 0 0 1 972801 80 63 15628053168 [AMI Data 4]
ext4 blocksize=4096 Large_file Sparse_SB Backup_SB, 8001 GB / 7452 GiB
Partition not added.
Search for partition aborted

Results
SIGINT detected! TestDisk has been killed.

Locked