Trying to recover filesystem with backup boot sector

Using TestDisk to repair the filesystem
Forum rules
When asking for technical support:
- Search for posts on the same topic before posting a new question.
- Give clear, specific information in the title of your post.
- Include as many details as you can, MOST POSTS WILL GET ONLY ONE OR TWO ANSWERS.
- Post a follow up with a "Thank you" or "This worked!"
- When you learn something, use that knowledge to HELP ANOTHER USER LATER.
Before posting, please read https://www.cgsecurity.org/testdisk.pdf
Locked
Message
Author
xurxoham
Posts: 3
Joined: 10 Jun 2014, 06:39

Trying to recover filesystem with backup boot sector

#1 Post by xurxoham »

Hello,
I am trying to recover the filesystem of one of my external drives: Seagate Expansion 2TB
The disk works correctly, the problem is that, while trying to write an ISO image (with OpenSuse live dvd) to a my usb flash memory), I accidentally wrote onto the disk instead (using dd command).

I know the portion of the disk that is already overwritten is unrecoverable, but I would like to know if the rest of the files that were in the disk could be recoverable if I manage to restore the backup sector. I scanned with testdisk and it didn't found any, could a bad geometry disk specification in testdisk be the reason for that?

Some (maybe useful) info:
Disk drive: Seagate Expansion (2TB)
The disk had the default geometry, partitions and fileystems.
Old number of partitions: 1
Old FileSystem (what i'm trying to restore): NTFS
New filesystem: raw iso dvd image.
Copied with dd if=(iso file) of=/dev/sdX (X was the corresponding disk character)

For security, I've created a disk image, in case the disk was damaged or the information was lost while trying to recover it.

The log file:

Code: Select all


Fri May  2 11:46:28 2014
Command line: TestDisk

TestDisk 6.13, Data Recovery Utility, November 2011
Christophe GRENIER <grenier@cgsecurity.org>
http://www.cgsecurity.org
OS: Linux, kernel 3.8.0-19-generic (#29-Ubuntu SMP Wed Apr 17 18:19:42 UTC 2013) i686
Compiler: GCC 4.7
Compilation date: 2013-02-16T06:54:06
ext2fs lib: 1.42.5, ntfs lib: libntfs-3g, reiserfs lib: none, ewf lib: none
/dev/sda: LBA, HPA, LBA48, DCO support
/dev/sda: size       976771055 sectors
/dev/sda: user_max   976771055 sectors
/dev/sda: native_max 976773168 sectors
/dev/sda: dco        976773168 sectors
Warning: can't get size for Disk /dev/mapper/control - 0 B - CHS 1 1 1, sector size=512
Hard disk list
Disk /dev/sda - 500 GB / 465 GiB - CHS 60801 255 63, sector size=512 - SAMSUNG HD502IJ, S/N:S13TJ1KQ504864, FW:1AA01112
Disk /dev/sdb - 2000 GB / 1863 GiB - CHS 1907729 64 32, sector size=512 - Seagate External, FW:SG12

Partition table type (auto): None
Disk /dev/sdb - 2000 GB / 1863 GiB - Seagate External
Partition table type: None

Interface Advanced
   P ISO                      0   0  1 1907729   5 12 3907029164 [openSUSE 13.1 KDE Live]
     ISO9660, 2000 GB / 1863 GiB
Change partition type:
   P NTFS                     0   0  1 1907729   5 12 3907029164 [openSUSE 13.1 KDE Live]
     ISO9660, 2000 GB / 1863 GiB

ntfs_boot_sector
   P NTFS                     0   0  1 1907729   5 12 3907029164 [openSUSE 13.1 KDE Live]
     ISO9660, 2000 GB / 1863 GiB
filesystem size           14497481767095041276 1
sectors_per_cluster       144 0
mft_lcn                   1365660518 0
mftmirr_lcn               3193095566 0
clusters_per_mft_record   6 0
clusters_per_index_record -13 0
Boot sector
Status: Bad

Backup boot sector
Status: Bad

Sectors are not identical.

A valid NTFS Boot sector must be present in order to access
any data; even if the partition is not bootable.
rebuild_NTFS_BS
mft at 6291519, seq=1, main=0 res=1
read_mft_info failed
ntfs_find_mft: sectors_per_cluster invalid
ntfs_find_mft: mft_lcn             786432
ntfs_find_mft: mftmirr_lcn         244189004
ntfs_find_mft: mft_record_size     1024

mft at 1953512095, seq=1, main=0 res=1
read_mft_info failed
ntfs_find_mft: sectors_per_cluster invalid
ntfs_find_mft: mft_lcn             786432
ntfs_find_mft: mftmirr_lcn         244189004
ntfs_find_mft: mft_record_size     1024

Potential partition:
   P NTFS                     0   1 32 1907729   7 11 3907029164 [openSUSE 13.1 KDE Live]
     ISO9660, 2000 GB / 1863 GiB
Failed to rebuild NTFS boot sector.

ntfs_boot_sector
   P NTFS                     0   0  1 1907729   5 12 3907029164 [openSUSE 13.1 KDE Live]
     ISO9660, 2000 GB / 1863 GiB
filesystem size           14497481767095041276 1
sectors_per_cluster       144 0
mft_lcn                   1365660518 0
mftmirr_lcn               3193095566 0
clusters_per_mft_record   6 0
clusters_per_index_record -13 0
Boot sector
Status: Bad

Backup boot sector
Status: Bad

Sectors are not identical.

A valid NTFS Boot sector must be present in order to access
any data; even if the partition is not bootable.
Boot sector                        Backup boot sector
0000 33ed9090 90909090   3.......  00000000 00000000   ........
0008 90909090 90909090   ........  00000000 00000000   ........
0010 90909090 90909090   ........  00000000 00000000   ........
0018 90909090 90909090   ........  00000000 00000000   ........
0020 33edfa8e d5bc007c   3......|  00000000 00000000   ........
0028 fbfc6631 db6631c9   ..f1.f1.  00000000 00000000   ........
0030 66536651 06578edd   fSfQ.W..  00000000 00000000   ........
0038 8ec552be 007cbf00   ..R..|..  00000000 00000000   ........
0040 06b90001 f3a5ea4b   .......K  00000000 00000000   ........
0048 06000052 b441bbaa   ...R.A..  00000000 00000000   ........
0050 5531c930 f6f9cd13   U1.0....  00000000 00000000   ........
0058 721681fb 55aa7510   r...U.u.  00000000 00000000   ........
0060 83e10174 0b66c706   ...t.f..  00000000 00000000   ........
0068 f106b442 eb15eb00   ...B....  00000000 00000000   ........
0070 5a51b408 cd1383e1   ZQ......  00000000 00000000   ........
0078 3f5b510f b6c64050   ?[Q...@P  00000000 00000000   ........
0080 f7e15352 50bb007c   ..SRP..|  00000000 00000000   ........
0088 b9040066 a1b007e8   ...f....  00000000 00000000   ........
0090 44000f82 80006640   D.....f@  00000000 00000000   ........
0098 80c702e2 f266813e   .....f.>  00000000 00000000   ........
00A0 407cfbc0 78707509   @|..xpu.  00000000 00000000   ........
00A8 fabcec7b ea447c00   ...{.D|.  00000000 00000000   ........
00B0 00e88300 69736f6c   ....isol  00000000 00000000   ........
00B8 696e7578 2e62696e   inux.bin  00000000 00000000   ........
00C0 206d6973 73696e67    missing  00000000 00000000   ........
00C8 206f7220 636f7272    or corr  00000000 00000000   ........
00D0 7570742e 0d0a6660   upt...f`  00000000 00000000   ........
00D8 6631d266 0306f87b   f1.f...{  00000000 00000000   ........
00E0 661316fc 7b665266   f...{fRf  00000000 00000000   ........
00E8 5006536a 016a1089   P.Sj.j..  00000000 00000000   ........
00F0 e666f736 e87bc0e4   .f.6.{..  00000000 00000000   ........
00F8 0688e188 c592f636   .......6  00000000 00000000   ........
0100 ee7b88c6 08e141b8   .{....A.  00000000 00000000   ........
0108 01028a16 f27bcd13   .....{..  00000000 00000000   ........
0110 8d641066 61c3e81e   .d.fa...  00000000 00000000   ........
0118 004f7065 72617469   .Operati  00000000 00000000   ........
0120 6e672073 79737465   ng syste  00000000 00000000   ........
0128 6d206c6f 61642065   m load e  00000000 00000000   ........
0130 72726f72 2e0d0a5e   rror...^  00000000 00000000   ........
0138 acb40e8a 3e6204b3   ....>b..  00000000 00000000   ........
0140 07cd103c 0a75f1cd   ...<.u..  00000000 00000000   ........
0148 18f4ebfd 00000000   ........  00000000 00000000   ........
0150 00000000 00000000   ........  00000000 00000000   ........
0158 00000000 00000000   ........  00000000 00000000   ........
0160 00000000 00000000   ........  00000000 00000000   ........
0168 00000000 00000000   ........  00000000 00000000   ........
0170 00000000 00000000   ........  00000000 00000000   ........
0178 00000000 00000000   ........  00000000 00000000   ........
0180 00000000 00000000   ........  00000000 00000000   ........
0188 00000000 00000000   ........  00000000 00000000   ........
0190 00000000 00000000   ........  00000000 00000000   ........
0198 00000000 00000000   ........  00000000 00000000   ........
01A0 00000000 00000000   ........  00000000 00000000   ........
01A8 00000000 00000000   ........  00000000 00000000   ........
01B0 d80c0000 00000000   ........  00000000 00000000   ........
01B8 c1ad5a67 00008033   ..Zg...3  00000000 00000000   ........
01C0 0900833f e0866806   ...?..h.  00000000 00000000   ........
01C8 00009831 1c000000   ...1....  00000000 00000000   ........
01D0 00000000 00000000   ........  00000000 00000000   ........
01D8 00000000 00000000   ........  00000000 00000000   ........
01E0 00000000 00000000   ........  00000000 00000000   ........
01E8 00000000 00000000   ........  00000000 00000000   ........
01F0 00000000 00000000   ........  00000000 00000000   ........
01F8 00000000 000055aa   ......U.  00000000 00000000   ........

ntfs_boot_sector
   P NTFS                     0   0  1 1907729   5 12 3907029164 [openSUSE 13.1 KDE Live]
     ISO9660, 2000 GB / 1863 GiB
filesystem size           14497481767095041276 1
sectors_per_cluster       144 0
mft_lcn                   1365660518 0
mftmirr_lcn               3193095566 0
clusters_per_mft_record   6 0
clusters_per_index_record -13 0
Boot sector
Status: Bad

Backup boot sector
Status: Bad

Sectors are not identical.

A valid NTFS Boot sector must be present in order to access
any data; even if the partition is not bootable.
Boot sector                        Backup boot sector
0000 33ed9090 90909090   3.......  00000000 00000000   ........
0008 90909090 90909090   ........  00000000 00000000   ........
0010 90909090 90909090   ........  00000000 00000000   ........
0018 90909090 90909090   ........  00000000 00000000   ........
0020 33edfa8e d5bc007c   3......|  00000000 00000000   ........
0028 fbfc6631 db6631c9   ..f1.f1.  00000000 00000000   ........
0030 66536651 06578edd   fSfQ.W..  00000000 00000000   ........
0038 8ec552be 007cbf00   ..R..|..  00000000 00000000   ........
0040 06b90001 f3a5ea4b   .......K  00000000 00000000   ........
0048 06000052 b441bbaa   ...R.A..  00000000 00000000   ........
0050 5531c930 f6f9cd13   U1.0....  00000000 00000000   ........
0058 721681fb 55aa7510   r...U.u.  00000000 00000000   ........
0060 83e10174 0b66c706   ...t.f..  00000000 00000000   ........
0068 f106b442 eb15eb00   ...B....  00000000 00000000   ........
0070 5a51b408 cd1383e1   ZQ......  00000000 00000000   ........
0078 3f5b510f b6c64050   ?[Q...@P  00000000 00000000   ........
0080 f7e15352 50bb007c   ..SRP..|  00000000 00000000   ........
0088 b9040066 a1b007e8   ...f....  00000000 00000000   ........
0090 44000f82 80006640   D.....f@  00000000 00000000   ........
0098 80c702e2 f266813e   .....f.>  00000000 00000000   ........
00A0 407cfbc0 78707509   @|..xpu.  00000000 00000000   ........
00A8 fabcec7b ea447c00   ...{.D|.  00000000 00000000   ........
00B0 00e88300 69736f6c   ....isol  00000000 00000000   ........
00B8 696e7578 2e62696e   inux.bin  00000000 00000000   ........
00C0 206d6973 73696e67    missing  00000000 00000000   ........
00C8 206f7220 636f7272    or corr  00000000 00000000   ........
00D0 7570742e 0d0a6660   upt...f`  00000000 00000000   ........
00D8 6631d266 0306f87b   f1.f...{  00000000 00000000   ........
00E0 661316fc 7b665266   f...{fRf  00000000 00000000   ........
00E8 5006536a 016a1089   P.Sj.j..  00000000 00000000   ........
00F0 e666f736 e87bc0e4   .f.6.{..  00000000 00000000   ........
00F8 0688e188 c592f636   .......6  00000000 00000000   ........
0100 ee7b88c6 08e141b8   .{....A.  00000000 00000000   ........
0108 01028a16 f27bcd13   .....{..  00000000 00000000   ........
0110 8d641066 61c3e81e   .d.fa...  00000000 00000000   ........
0118 004f7065 72617469   .Operati  00000000 00000000   ........
0120 6e672073 79737465   ng syste  00000000 00000000   ........
0128 6d206c6f 61642065   m load e  00000000 00000000   ........
0130 72726f72 2e0d0a5e   rror...^  00000000 00000000   ........
0138 acb40e8a 3e6204b3   ....>b..  00000000 00000000   ........
0140 07cd103c 0a75f1cd   ...<.u..  00000000 00000000   ........
0148 18f4ebfd 00000000   ........  00000000 00000000   ........
0150 00000000 00000000   ........  00000000 00000000   ........
0158 00000000 00000000   ........  00000000 00000000   ........
0160 00000000 00000000   ........  00000000 00000000   ........
0168 00000000 00000000   ........  00000000 00000000   ........
0170 00000000 00000000   ........  00000000 00000000   ........
0178 00000000 00000000   ........  00000000 00000000   ........
0180 00000000 00000000   ........  00000000 00000000   ........
0188 00000000 00000000   ........  00000000 00000000   ........
0190 00000000 00000000   ........  00000000 00000000   ........
0198 00000000 00000000   ........  00000000 00000000   ........
01A0 00000000 00000000   ........  00000000 00000000   ........
01A8 00000000 00000000   ........  00000000 00000000   ........
01B0 d80c0000 00000000   ........  00000000 00000000   ........
01B8 c1ad5a67 00008033   ..Zg...3  00000000 00000000   ........
01C0 0900833f e0866806   ...?..h.  00000000 00000000   ........
01C8 00009831 1c000000   ...1....  00000000 00000000   ........
01D0 00000000 00000000   ........  00000000 00000000   ........
01D8 00000000 00000000   ........  00000000 00000000   ........
01E0 00000000 00000000   ........  00000000 00000000   ........
01E8 00000000 00000000   ........  00000000 00000000   ........
01F0 00000000 00000000   ........  00000000 00000000   ........
01F8 00000000 000055aa   ......U.  00000000 00000000   ........

ntfs_boot_sector
   P NTFS                     0   0  1 1907729   5 12 3907029164 [openSUSE 13.1 KDE Live]
     ISO9660, 2000 GB / 1863 GiB
filesystem size           14497481767095041276 1
sectors_per_cluster       144 0
mft_lcn                   1365660518 0
mftmirr_lcn               3193095566 0
clusters_per_mft_record   6 0
clusters_per_index_record -13 0
Boot sector
Status: Bad

Backup boot sector
Status: Bad

Sectors are not identical.

A valid NTFS Boot sector must be present in order to access
any data; even if the partition is not bootable.

TestDisk exited normally.
Any hint or help would be really appreciated.
Thanks

User avatar
Fiona
Posts: 2835
Joined: 18 Feb 2012, 17:19
Location: Ludwigsburg/Stuttgart - Germany

Re: Trying to recover filesystem with backup boot sector

#2 Post by Fiona »

Do you have any idea how much did you write into your previous file system?
The menu advanced doesn't help as much either, because it recognizes only your openSUSE 13.1 KDE Live-ISO and not your previous NTFS-partition.
TestDisk is a partition recovery tool, it's only useful as long as your file system is healthy or perhaps your file system is slightly damaged and testdisk would be still capable to list your data.
Running testdisk Deeper Search (not Quick Search) could find your previous partition using the backup of your boot sector, which is at the end of your partition/disk.
So it might be possible to have a try to list your data
If you try to list your data and you'll ge a message that your file system is damaged, you'll need datarecovery software.
Only useful, if you didn't write too far into your file system?
Partition table type Intel should be chosen.

Did you select your physically disk in PhotoRec and were you running a scan using the whole space?

Fiona

xurxoham
Posts: 3
Joined: 10 Jun 2014, 06:39

Re: Trying to recover filesystem with backup boot sector

#3 Post by xurxoham »

Do you have any idea how much did you write into your previous file system?
I didn't write much, around 100MB, so there is still lots of files that I could recover.
Running testdisk Deeper Search (not Quick Search) could find your previous partition using the backup of your boot sector, which is at the end of your partition/disk.
Which is the difference between QuickSearch and Deeper Search? I think I used both, since the Quick didn't found anything (ran in a couple of seconds) and the Deeper Search lasted like 24 hours or so. None of them found anything.
I read in the doc and it says the same, that the backup boot sector is at the end of the disk. I'm really sure I did not overwrite that since, if I remember correctly dd writes from the first sector upwards (so it would be only possible to overwrite that by writting the whole disk).
Partition table type Intel should be chosen.
Ok. Maybe I will give another try using this option, since I really don't remember which partition table type I chose.
Did you select your physically disk in PhotoRec and were you running a scan using the whole space?
I tried to use PhotoRec with the disk but it only returned junk data (in addition to the files i can read from the portion of the ISO written. It returned mostly txt files with binary data and some text that seem to belong to some audio files' ID3 tags, so that was not very usefull.

I attach some screenshots I did while soing some of the scans, in case they have some use.

Thanks for your quick answer.
Attachments
partition check scan
partition check scan
check.png (85.53 KiB) Viewed 5017 times
boot sector scan
boot sector scan
scan.png (55.84 KiB) Viewed 5017 times
boot sector dump
boot sector dump
1.png (73.92 KiB) Viewed 5017 times

User avatar
Fiona
Posts: 2835
Joined: 18 Feb 2012, 17:19
Location: Ludwigsburg/Stuttgart - Germany

Re: Trying to recover filesystem with backup boot sector

#4 Post by Fiona »

100 MB is definitely to much.
Especially at the beginning of a partition there are most of folder, directories and data.
So I assume that your file system is damaged.
In case datarecovery software might help.
I'm not sure, did you scan your whole disk using PhotoRec?
In case there might be a description like Unknown and whole disk?
PhotoRec doesn't keep folder, directories and file names.
You can use the menu FileOpt and pressing s to deselect all file types and only checking these file types. where you'd like to recover.
Info:
http://www.cgsecurity.org/wiki/PhotoRec
http://www.cgsecurity.org/wiki/PhotoRec_Step_By_Step

Currently it's difficult to estimate your current situation about yor directories and file names too!
To get a an overview, you could download a trial of commercial software and scan your disk.

Fiona

xurxoham
Posts: 3
Joined: 10 Jun 2014, 06:39

Re: Trying to recover filesystem with backup boot sector

#5 Post by xurxoham »

I didn't scan the while disk, maybe about 10% of it, only.
I knew it can't recover directory and filename information but what I tried to explain is that the content itself ot the recovered files was not consistent (I hadn't any .txt files and most of the recovered files had that suffix).

I'll try with PhotoRec again in case I can recover something.

Could you recommend me any commercial software I can start trying?

Again, thanks so much.

User avatar
Fiona
Posts: 2835
Joined: 18 Feb 2012, 17:19
Location: Ludwigsburg/Stuttgart - Germany

Re: Trying to recover filesystem with backup boot sector

#6 Post by Fiona »

If you use FileOpt within PhotoRec and if you press s, you can deselect all file types and only check these file types, where you'd like to recover.
It can avoid to recover txt-files and another unnecessary stuff.
You can try for example Restorer Ultimate and file scavenger as affordable software.
But each datarecovery software works different, so it's depend on you to test it.

Fiona

Locked