I need a windows ntfs file system expert to help me out

bjohnson
Posts: 1
Joined: 05 Dec 2015, 11:49


UPDATE: Here are screen shots http://ge.tt/1eFvlPT2?c


OK, here is a new one, as I can't seem to find any solution anywhere else. First off, I am very proficient with computers; however, there are some with a greater understanding of hard drives than I, so I am asking for help. First a bit about the system, second what brought me to this point, and third what I have done so far and what results it has yielded me.

First here are the specs of the hardware. Zero issues with the hardware and the system has been tested hard in the last 6 months. Here are the specs.

Computer:
Computer Type ACPI x64-based PC
Operating System Microsoft Windows 7 Professional
OS Service Pack Service Pack 1
Internet Explorer 11.0.9600.18097
DirectX DirectX 11.1
Computer Name PLEX
User Name USER
Logon Domain PLEX
Date / Time 2015-12-05 / 03:08

Motherboard:
CPU Type QuadCore Intel Xeon X5560, 3066 MHz (23 x 133)
Motherboard Name Hewlett-Packard HP Z400 Workstation
Motherboard Chipset Intel Tylersburg X58, Intel Nehalem
System Memory 12272 MB (DDR3-1066 DDR3 SDRAM)
DIMM1: Samsung M391B5673EH1-CF8 2 GB DDR3-1066 ECC DDR3 SDRAM (8-7-7-20 @ 533 MHz) (7-7-7-20 @ 533 MHz) (6-6-6-18 @ 457 MHz)
DIMM2: SK Hynix HMT125U7AFP8C-G7 2 GB DDR3-1066 ECC DDR3 SDRAM (8-7-7-20 @ 533 MHz) (7-7-7-20 @ 533 MHz) (6-6-6-18 @ 457 MHz)
DIMM3: Micron 18JSF25672AZ-1G1F1 2 GB DDR3-1066 ECC DDR3 SDRAM (8-7-7-20 @ 533 MHz) (7-7-7-20 @ 533 MHz) (6-6-6-18 @ 457 MHz) (5-5-5-15 @ 380 MHz)
DIMM4: Micron 18JSF25672AZ-1G1F1 2 GB DDR3-1066 ECC DDR3 SDRAM (8-7-7-20 @ 533 MHz) (7-7-7-20 @ 533 MHz) (6-6-6-18 @ 457 MHz) (5-5-5-15 @ 380 MHz)
DIMM5: Samsung M391B5673DZ1-CF8 2 GB DDR3-1066 ECC DDR3 SDRAM (8-7-7-20 @ 533 MHz) (7-7-7-20 @ 533 MHz) (6-6-6-18 @ 457 MHz)
DIMM6: Micron 18JSF25672AY-1G1D1 2 GB DDR3-1066 ECC DDR3 SDRAM (8-7-7-20 @ 533 MHz) (7-7-7-20 @ 533 MHz) (6-6-6-18 @ 457 MHz) (5-5-5-15 @ 380 MHz)
BIOS Type Compaq (07/15/13)

Display:
Video Adapter ATI Radeon HD 4600 Series (1 GB)
Video Adapter ATI Radeon HD 4600 Series (1 GB)
3D Accelerator ATI Radeon HD 4670 (RV730)
Monitor Philips 273PQPY (273P3QPY) [27" LCD] (AU11207001878)
Monitor PnP-Monitor (Standard) [NoDB] (0)

Multimedia:
Audio Adapter Asus Xonar DG Sound Card
Audio Adapter ATI Radeon HDMI @ ATI RV710/730/740 - High Definition Audio Controller

Storage:
Storage Controller Intel Chipset SATA RAID Controller
Disk Drive Generic- Compact Flash USB Device
Disk Drive Generic- MS/MS-Pro USB Device
Disk Drive Generic- SD/MMC USB Device
Disk Drive Generic- SM/xD-Picture USB Device
Disk Drive KINGSTON SH103S3120G SCSI Disk Device (120 GB, SATA-III)
Disk Drive ST3000DM 001-1CH166 SCSI Disk Device (3000 GB, 7200 RPM, SATA-III)
Disk Drive WD WD3001FFSX-68JNU SCSI Disk Device (2794 GB)
Disk Drive WD WD3001FFSX-68JNU SCSI Disk Device (2794 GB)
Disk Drive WD WD3001FFSX-68JNU SCSI Disk Device (2794 GB)
SMART Hard Disks Status OK

Partitions:
C: (NTFS) 111.7 GB (11.9 GB free)
Y: (NTFS) 2794.5 GB (1654.2 GB free)
Total Size 2906.2 GB (1666.1 GB free)

Input:
Keyboard HID Keyboard Device
Keyboard Standard PS/2 Keyboard
Mouse HID-compliant mouse
Mouse HID-compliant mouse
Mouse PS/2 Compatible Mouse

Network:
Primary IP Address 192.168.112.50
Primary MAC Address F4-6D-04-5D-B1-27
Network Adapter ASUS USB-N53 802.11a/b/g/n Network Adapter (192.168.112.50)
Network Adapter TAP-Windows Adapter V9

Peripherals:
USB1 Controller Intel 82801JB ICH10 - USB Universal Host Controller
USB1 Controller Intel 82801JB ICH10 - USB Universal Host Controller
USB1 Controller Intel 82801JB ICH10 - USB Universal Host Controller
USB1 Controller Intel 82801JB ICH10 - USB Universal Host Controller
USB1 Controller Intel 82801JB ICH10 - USB Universal Host Controller
USB1 Controller Intel 82801JB ICH10 - USB Universal Host Controller
USB2 Controller Intel 82801JB ICH10 - USB2 Enhanced Host Controller
USB2 Controller Intel 82801JB ICH10 - USB2 Enhanced Host Controller
USB Device ASUS USB-N53 802.11a/b/g/n Network Adapter
USB Device Generic USB Hub
USB Device USB Composite Device
USB Device USB Input Device
USB Device USB Input Device
USB Device USB Input Device
USB Device USB Input Device
USB Device USB Mass Storage Device
USB Device USB Mass Storage Device

DMI:
DMI BIOS Vendor Hewlett-Packard
DMI BIOS Version 786G3 v03.57
DMI System Manufacturer Hewlett-Packard
DMI System Product HP Z400 Workstation
DMI System Version
DMI System Serial Number 2UA0260LP2
DMI System UUID E0A49BDD-DF84DF11-BBDAD1D6-EBA978E7
DMI Motherboard Manufacturer Hewlett-Packard
DMI Motherboard Product 0B4Ch
DMI Motherboard Version D
DMI Motherboard Serial Number 2UA0260LP2
DMI Chassis Manufacturer Hewlett-Packard
DMI Chassis Version
DMI Chassis Serial Number 2UA0260LP2
DMI Chassis Asset Tag 2UA0260LP2
DMI Chassis Type Mini Tower


The system has 3 identical 3 TB WD RED Pro NAS drives connected through an older onboard Intel RAID controller, but not being used as RAID, just SATA connections. The 3 drives are identical in their setup and installation. They were all set up as a single partition through Disk Manager: one 3 TB partition on each. The OS is on a Kingston SSD, and a 4th Seagate 3TB drive had a strange anomaly that might be the key to it all. Now, the 3 WD drives are bound together using FlexRAID. Let me explain: it's not real RAID, it's just snapshot RAID at the file level. Essentially it leaves the file system alone and simply analyzes data from drives 1 and 2 to create a parity block on drive 3. It's a scheduled parity check/write that happens once a day or week or month. It's designed for big data drives that have fairly static content, which these did; essentially it was a 6TB Plex media PC reaching 4 TB total size. Think of it as a 2-drive storage pool with a 3rd drive for parity, but it's not real-time RAID. The drives at any time could be read on their own for what data was stored on them, meaning it never split a file, ever. It would store a file of any size in its entirety on one drive and it would even out the space used. Meaning if you had copied two files, a 3GB and a 4GB file, equaling 7GB of total data copied to the pool, and then went and explored each drive on its own, then WD1 would have the 3GB file, WD2 would have the 4GB file, and WD3 would have 7 x 1GB parity files. All files were readable regardless of FlexRAID. It simply created a single point of storage and a cheap way to add some parity in case you lost a drive. The content was being added very slowly over months and never had any issues, like I said. If anyone needs more clarification of FlexRAID, let me know.

What started the events actually occurred on the fourth 3TB drive, not part of FlexRAID at all. I was copying data to this 4th 3TB drive to give to another system, but there was something wrong. It would copy just fine if I copied 10-100-1000 GB, no issues. But if I set it up to copy over 2TB, the copy would freeze or crash and all the data previously copied was gone. I formatted and tested the drive and it always checked out. Then I was reading about drives that would loop over the 2 GB limit older systems had, this system being on the edge of that time frame of 2TB limitations. Then I read that the Intel controller used Intel RST drivers and anything prior to a certain version would only see 2 TB drives; if you updated, you would see 3TB. So I updated and it asked for a reboot. Upon reboot, boot-time chkdsk kicked in and it would not let me cancel. So I shut the system down just as it began checking WD1. So I unplugged WD1 and booted again; this time chkdsk kicked in again, I could not cancel it, so I shut it down. I know you're not supposed to, but it started flying up deleted orphaned files and I thought no way am I losing nearly 4 TB of my library. This time I unplugged all drives but the SSD and booted into Windows just fine. Went to cancel the boot-time chkdsk, but it had to be canceled while the drive was present. I learned this after, but the HP system BIOS did not recognize USB keyboards during that critical "press any key to cancel chkdsk". Regardless, I booted Windows with my SSD and prevented chkdsk from running on boot on any drive for any reason through the registry. Reconnected all 3 of my WDs (I only unplugged the power, so no position change on SATA) and my 4th stand-alone 3TB drive. System booted into Windows, but when the storage pool went to mount, it failed. I had a look in Disk Manager and the WD1 and WD2 drives were no longer NTFS; instead the partition said RAW for both. The WD3 and the 4th stand-alone drives showed up normally.

First thing I did was roll the driver back to the older version and reboot; no change, still said RAW. At this point I decided to leave the system on the older driver because I was just reaching 2TB on both drives and had no issues until I upgraded the controller driver version. I figured get the partition back to an NTFS file system that was reading and writing just fine with the older driver, long enough to get the data onto another NAS unit I had on standby. So I left the original drive in the rolled-back state and focused on the partitions and file systems. At first I thought just get the data off, so run some deep scans, which I did, and I used Ontrack, EaseUS, GetDataBack with poor results. Surprisingly, I recovered 1TB of usable data to the 4th non-storage-pool stand-alone drive with a program called Active Partition Recovery. It strangely saw the drives as belonging to a storage pool and also allowed me to use a built-in hex editor to compare the 3 drives. All 3 drives had the exact same position for the partitions and the MFT, and it made it really easy to compare the 2 RAW drives against the last good drive to see the partitions were still there and the data intact. That's when I turned to TestDisk and began running scans. I will attach a link to where all the screen shots can be found. I can also produce hex data from all 3 drives showing the exact same sector the partition starts and ends on for all 3 drives and where the data is different, the 3rd drive showing an NTFS boot sector and the other 2 showing data in that exact same location but not marked as NTFS. Structurally the drives look like they are in good shape; I just need help getting the drives back into an NTFS state and perhaps utilizing the parity drive to solve any corruption issues.

TestDisk did complete its scan of the WD1 drive (100 hours) and it saw the exact size of the drive and exact start sector and sector for the partition and saw the correct size of the partition when I compared the numbers against the last good drive, WD3. So it sees a partition, and after the scan was done I tried to see any files and couldn't see a file system. So I started a deeper scan, which is running now. The first scan showed a few other partitions, but they were kicking errors and none of them were relevant in size, so I picked the only partition that had the correct start and finish and total size for the partition, just no file system. I just need to know what the next step is to recover the file system on both the drives in order to get one or both mounted back into the snapshot RAID and recover what data I can and rebuild from scratch. I will upload the screen shots and update this post with their location. I just wanted to get this posted now before I lost all of what I wrote :) Ya I am a lil cautious ever since :P

Locked
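
The post describes a partition whose first sector is no longer marked as NTFS while the partition bounds are intact. The sketch below is an added example, not part of the original post and not TestDisk's code: a read-only check of the NTFS boot sector and of the backup copy NTFS keeps in the last sector of the partition. The 512-byte sector size, the function names and the tiny in-memory partition image are assumptions constructed for illustration.

```python
import io
import struct

SECTOR = 512  # assumption: 512-byte logical sectors

def parse_ntfs_boot_sector(sec):
    """Return key BPB fields if sec looks like an NTFS boot sector, else None."""
    if len(sec) != SECTOR or sec[3:11] != b"NTFS    " or sec[510:] != b"\x55\xaa":
        return None
    bps, spc = struct.unpack_from("<HB", sec, 0x0B)
    total, mft_lcn, mirr_lcn = struct.unpack_from("<QQQ", sec, 0x28)
    if bps not in (512, 1024, 2048, 4096) or spc == 0 or total == 0:
        return None
    return {"bytes_per_sector": bps, "sectors_per_cluster": spc,
            "total_sectors": total, "mft_lcn": mft_lcn, "mftmirr_lcn": mirr_lcn}

def check_ntfs_partition(dev, part_start, part_sectors):
    """Read-only check of the first and last sector of a partition (values in sectors)."""
    def read(lba):
        dev.seek(lba * SECTOR)
        return dev.read(SECTOR)
    def fits(bs):  # the volume must leave room for the backup sector at the end
        return bs is not None and bs["total_sectors"] < part_sectors
    primary = parse_ntfs_boot_sector(read(part_start))
    backup = parse_ntfs_boot_sector(read(part_start + part_sectors - 1))
    return {"primary_ok": fits(primary), "backup_ok": fits(backup),
            "primary": primary, "backup": backup}

def make_sample_partition(part_sectors, damage_primary):
    """Constructed sample: tiny partition image with a boot sector and its backup copy."""
    bs = bytearray(SECTOR)
    bs[0:3] = b"\xeb\x52\x90"                                    # jump instruction
    bs[3:11] = b"NTFS    "                                       # OEM ID
    struct.pack_into("<HB", bs, 0x0B, 512, 8)                    # bytes/sector, sectors/cluster
    struct.pack_into("<QQQ", bs, 0x28, part_sectors - 1, 4, 2)   # total sectors, $MFT, $MFTMirr
    bs[510:512] = b"\x55\xaa"                                    # end-of-sector signature
    img = bytearray(part_sectors * SECTOR)
    img[:SECTOR] = bs
    img[-SECTOR:] = bs
    if damage_primary:  # first sector holds data that is no longer marked as NTFS
        img[:SECTOR] = b"\xa5" * SECTOR
    return io.BytesIO(bytes(img))

if __name__ == "__main__":
    for damaged in (False, True):
        r = check_ntfs_partition(make_sample_partition(64, damaged), 0, 64)
        print("damaged" if damaged else "intact", r["primary_ok"], r["backup_ok"])
```

`check_ntfs_partition` accepts any seekable binary file object, so the same call works on a disk image opened with `open(path, "rb")`, given the start sector and size that a partition scan reports.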