More drives with Windows 10 coming up RAW

JayDubyah
Posts: 1
Joined: 03 Jan 2018, 01:51

#1 Post by JayDubyah »

It is interesting that several of us are having this problem on Windows 10. My daughter has a Lenovo G50 with 1T hdd WD Blue. It and an external drive, a 3T Toshiba 3.5" drive on USB 3, were wiped in a similar fashion. Both show information regarding the partitions, but when DrivePart and other programs, including TestDisk 7.0 from Linux, were run on them, the 1T drive showed:

* 1 partition Unknown EFI SYSTM_DRV 260 M no file system note: I think this has the info that the system uses to tell this drive is the C: drive and the EFI info
* 2 " RAW MS Reserved 16 M HFS note: the info on TestDisk says this is HFS
C 3 " RAW MS Data 886.5 G NTFS note: this is mostly unreadable
* 4 " NTFS MS Data Lenovo 25 G NTFS note: none of partitions showed a drive letter except 3 which was totally unreadable but recognized as C:
* 5 " NTFS Windows Recovery 1 G NTFS
WINRE_DRV
* 6 " NTFS Windows Recovery 17 G NTFS
LENOVO_PART
* 7 " NTFS Boot LRS_ESP 1 G NTFS

I purchased a new 1T WD Blue and a new 3T Toshiba, hoping that I could get an image, but after trying GPart, TestDisk, Recuva, and Easeus, I went ahead and reloaded everything on the original 1T (Windows 10 etc.), but I am still trying to recover her data. The interesting thing is that the new drive formatted under Windows 10 (of course all of the Lenovo stuff is gone) has all of the partitions formatted in NTFS (not surprising either). I forget what it called the first partition, but it wasn't 260 M, it is 500 M, and the rest were significantly different.

I was able to locate 20Gig using Easeus on the 3T drive after about 48 hours only to find that they would only allow me 500 M of it unless I paid $70 (I thought I had the license, but I had ToDo which is different.)

So I used Recuva on the other drive and it found, it claimed, a bunch of stuff, but then when I tried to transfer it to the new 3T drive, it hung and died. I won't talk much about that one since I paid for the license to have it work and have an issue with them.

Now I am trying GPart on Linux using cgsecurity's disk loader download. I ran TestDisk 7 from there on the 1T and it said something like 'Recover boot something or other'. I said sure and it did. But now the drive is no longer an EFI drive, it is MS. I think I did something wrong, but my guess is that TestDisk believed it to be formatted with a FAT-like because the data on it could be read, just didn't work right. After that the entire drive was blank. So I put it back on TestDisk and told it to make an EFI type partition out of the first one and it did it. Now I can read some of it again as before but it still isn't right. I tried selecting without writing the various file systems and then used NTFS to run a long partition search - it is still working on that. It is coming up with Warning number of heads/cylinder mismatches 16 (NTFS) !=255 (HD) and Warning number of sectors per track mismatches 2 (NTFS) !=63 (HD).

It found a potential MSDATA partition named System_DRV at 2048 - 534527 same warnings - this is only 530 K
another MSDATA partition at 15737083 - 15743256 same warnings - this is only 6K
another MSDATA partition at 15743256 - 15749429 with no warnings called Boot - 6K
another HFS partition at 17539882 - 285145939 with the same warnings that is where I think the partition 2 of the original should be. it is about 267.5 M though rather than 16 M.
and another MSDATA partition from 309080683 - 309086856 same warnings - 6K
another MSDATA partition from 309086856 - 309093029 called Boot with no warnings - 6K

The data appears to be quite meaningless. It has nothing else to do but it is about 43% after about 36 hours - I think I am wasting my time.

The table at the top was compiled and might have insinuated guesses (if there is such a thing) for example the HFS I seem to recall was mentioned on the system virtual disk program, but after the change to the drive by TestDisk 7, I can no longer see the drive there. Plus it shows up on the partition search on TestDisk 7 I am currently doing but it is the wrong size.

I would think that a person should be able to find a simple chart somewhere that describes how these data structures are set up - somehow the parsers are able to determine where the stuff goes and what it expects to find. The drives are not all the same of course, but if it is generally known what should be there, a simple tweak might put it back on the straight and narrow. I used to work on NRZI and this kind of stuff would happen, but we could trace it down. If I know how big the structure is I should be able to trace where the things are located, but it appears that only certain people are allowed to know these things, yet the virus writers seem to be able to find out and go into these areas to muck them up. Anyone know where I can find that detail or do I have to purchase manuals from MS?

Any suggestions are solicited. Be nice :D
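
The post above asks how the on-disk partition structures are laid out. As an added example (not part of the original post and not TestDisk's code), this read-only Python sketch parses the primary GPT header at LBA 1 and the partition entry array, following the UEFI GPT layout, and checks both CRC32 values. The sample image is constructed: it uses the 2048 - 534527 range and the 260 M / 16 M / 886.5 G sizes from the post, and every other value (remaining LBAs, GUIDs, names) is an assumption.

```python
import struct, uuid, zlib

SECTOR = 512
HDR = struct.Struct("<8sIIIIQQQQ16sQIII")  # 92-byte GPT header, stored at LBA 1
ENT = struct.Struct("<16s16sQQQ72s")       # 128-byte partition entry
TYPES = {  # well-known partition type GUIDs
    "c12a7328-f81f-11d2-ba4b-00a0c93ec93b": "EFI System",
    "e3c9e316-0b5c-4db8-817d-f92df00215ae": "Microsoft Reserved",
    "ebd0a0a2-b9e5-4433-87c0-68b6b72699c7": "Microsoft Basic Data",
    "de94bba4-06d1-4d40-a16a-bfd50179d6ac": "Windows Recovery",
}

def parse_gpt(img):
    """Parse the primary GPT from a raw image (bytes); nothing is written."""
    raw = img[SECTOR:2 * SECTOR]
    (sig, _rev, hsize, hcrc, _res, _cur, _backup, _first, _last,
     _disk, ent_lba, count, esize, ecrc) = HDR.unpack_from(raw)
    if sig != b"EFI PART" or not HDR.size <= hsize <= SECTOR or esize < ENT.size:
        raise ValueError("no usable GPT header at LBA 1")
    # The header CRC32 is computed with its own field (bytes 16-19) zeroed.
    header_ok = zlib.crc32(raw[:16] + bytes(4) + raw[20:hsize]) == hcrc
    table = img[ent_lba * SECTOR:ent_lba * SECTOR + count * esize]
    table_ok = len(table) == count * esize and zlib.crc32(table) == ecrc
    parts = []
    for i in range(len(table) // esize):
        t, _uid, lo, hi, _attr, name = ENT.unpack_from(table, i * esize)
        if t == bytes(16):          # all-zero type GUID marks an unused slot
            continue
        guid = str(uuid.UUID(bytes_le=t))   # GUIDs are stored mixed-endian
        parts.append((i + 1, TYPES.get(guid, guid), lo, hi,
                      (hi - lo + 1) * SECTOR // 2**20,   # size in MiB
                      name.decode("utf-16-le").rstrip("\0")))
    return {"header_ok": header_ok, "table_ok": table_ok, "parts": parts}

def build_sample():
    """Constructed image; only the first LBA range is taken from the post."""
    rows = [("c12a7328-f81f-11d2-ba4b-00a0c93ec93b", 2048, 534527, "SYSTEM_DRV"),
            ("e3c9e316-0b5c-4db8-817d-f92df00215ae", 534528, 567295, "MS Reserved"),
            ("ebd0a0a2-b9e5-4433-87c0-68b6b72699c7", 567296, 1859692543, "MS Data")]
    table = b"".join(ENT.pack(uuid.UUID(t).bytes_le, uuid.UUID(int=n + 1).bytes_le,
                              lo, hi, 0, name.encode("utf-16-le"))
                     for n, (t, lo, hi, name) in enumerate(rows))
    table += bytes(ENT.size)        # one unused slot
    f = [b"EFI PART", 0x10000, HDR.size, 0, 0, 1, 1953525167, 34, 1953525134,
         bytes(16), 2, len(rows) + 1, ENT.size, zlib.crc32(table)]
    f[3] = zlib.crc32(HDR.pack(*f))  # header CRC over the header with CRC = 0
    return bytes(SECTOR) + HDR.pack(*f).ljust(SECTOR, b"\0") + table
```

On a real disk the same function can be fed the first 34 sectors read from an image copy of the drive; a `table_ok` of `False` with a valid header means the entry array no longer matches what the header recorded.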
