Recovering large files from overwritten NTFS

Using PhotoRec to recover lost data
ria4
Posts: 6
Joined: 10 Oct 2019, 18:49
Location: Vincennes, France

Recovering large files from overwritten NTFS

#1 Post by ria4 »

Hi,

I accidentally deleted an NTFS filesystem with mkfs -t ext4. That's bad.
TestDisk could not rebuild the boot sector nor the MFT. These parts (and their backups) seem to have been overwritten when creating the EXT4 filesystem.

I'm trying to recover raw camera files (CR2) of approximately 10Mo each, so I tried running PhotoRec for TIF files. It returned 17 unreadable files of 100Mo. Since I had way more images (about 100Go), that seems like a dead end anyway.
However, PhotoRec can be run for JPG files, and recover many thumbnails which were actually embedded in the CR2 files.

It is my understanding of NTFS that 10Mo files would usually be split across different blocks, with data runs in the MFT describing where to look for the different parts of each file.

1. Is there a way PhotoRec could recover these large files without the MFT?
2. Could I salvage bits of the MFT even though it cannot be fully rebuilt, and then maybe get some of these files back?

Thanks for your help!

cgrenier
Site Admin
Posts: 5432
Joined: 18 Feb 2012, 15:08
Location: Le Perreux Sur Marne, France

Re: Recovering large files from overwritten NTFS

#2 Post by cgrenier »

If the files weren't fragmented on the NTFS filesystem, PhotoRec should be able to recover them.
Unfortunately, when the partition was reformatted as ext4, backup superblocks were written a little bit everywhere.
They may have overwritten lost cr2 files.
Run PhotoRec, choose Other instead of [ext2/ext3], and in FileOpts disable jpg files. Do you recover more valid cr2 files?

ria4
Posts: 6
Joined: 10 Oct 2019, 18:49
Location: Vincennes, France

Re: Recovering large files from overwritten NTFS

#3 Post by ria4 »

Thank you for your answer. The 17 large TIF (non)files were actually recovered after a PhotoRec run with the options you suggested. I guess this confirms that the ~10Mo files were actually fragmented.

I'm in the process of understanding NTFS and EXT4 layouts. My hope is that even though ~20 superblock backups have been written everywhere, they overwrote small parts of CR2 data, so I could still recover most pictures with minor corruption.

I already grepped some XMP info here and there (these are sidecar files used for CR2 development). It's going to be a long process, but I'll keep working on it. If you have any general tips about searching a very large partition for a specific sequence of bytes, I'd be happy to hear them.

recuperation
Posts: 2720
Joined: 04 Jan 2019, 09:48
Location: Hannover, Deutschland (Germany, Allemagne)

Re: Recovering large files from overwritten NTFS

#4 Post by recuperation »

ria4 wrote: 12 Oct 2019, 11:16
If you have any general tips about searching a very large partition for a specific sequence of bytes, I'd be happy to hear them.
Every hex editor will do so.
But why reinvent the wheel?!

https://www.cgsecurity.org/wiki/Add_you ... o_PhotoRec

ria4
Posts: 6
Joined: 10 Oct 2019, 18:49
Location: Vincennes, France

Re: Recovering large files from overwritten NTFS

#5 Post by ria4 »

So I found what very much seems to be the boot sector backup at the end of a smaller adjacent partition. This in turn helped me to locate what seems to be the MFT mirror file in the main partition, or at least part of it. I'm still in the process of learning how it's encoded. Not sure why the 'search MFT' feature of TestDisk could not find it before, though. :S I want to understand this a bit more before I dd the boot sector back in place at the beginning of the partition.

@recuperation I'll try using PhotoRec signatures if/when this found MFT turns out to be unusable, thanks.

recuperation
Posts: 2720
Joined: 04 Jan 2019, 09:48
Location: Hannover, Deutschland (Germany, Allemagne)

Re: Recovering large files from overwritten NTFS

#6 Post by recuperation »

ria4 wrote: 12 Oct 2019, 19:09
Not sure why the 'search MFT' feature of TestDisk could not find it before, though.
Have you read your logfile?
It tells a lot.
Maybe there is no valid information anymore at the location of the MFT.

I doubt that TestDisk would fail to find the boot sector and the linked information - if there is any left.

ria4
Posts: 6
Joined: 10 Oct 2019, 18:49
Location: Vincennes, France

Re: Recovering large files from overwritten NTFS

#7 Post by ria4 »

I could not find anything useful in the log file yet, but I'll check it more regularly.

The $MFTMirr was not corrupted, but unfortunately it lacked maybe half of the file records, because the allocated 4 sectors were not sufficient to hold the whole list. As to the original $MFT, it was indeed overwritten during formatting (mostly with EXT4 group descriptors). So the CR2 signature search seems like the only way to go.
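The data runs mentioned in the first post live in the non-resident $DATA attribute of a FILE record (in $MFT or its $MFTMirr copy) as a compact run list. The decoder below is an added example, not code from the thread or from TestDisk; the three run lists it parses are constructed samples, and the 4096-byte cluster size is an assumption.

```python
import struct

def decode_data_runs(runlist):
    """Decode an NTFS run list into (start_lcn, cluster_count) pairs.
    start_lcn is None for a sparse run (no clusters allocated on disk)."""
    runs, pos, lcn = [], 0, 0
    while pos < len(runlist):
        header = runlist[pos]
        if header == 0x00:                      # 0x00 terminates the list
            break
        # low nibble: size of the length field; high nibble: size of the offset field
        len_size, off_size = header & 0x0F, header >> 4
        pos += 1
        if pos + len_size + off_size > len(runlist):
            raise ValueError("truncated run list")
        length = int.from_bytes(runlist[pos:pos + len_size], "little")
        pos += len_size
        if off_size == 0:                       # no offset field: sparse run
            runs.append((None, length))
            continue
        # the offset is signed and relative to the previous run's start LCN,
        # so a fragment stored earlier on the volume shows up as a negative delta
        delta = int.from_bytes(runlist[pos:pos + off_size], "little", signed=True)
        pos += off_size
        lcn += delta
        runs.append((lcn, length))
    return runs

def runs_to_byte_ranges(runs, cluster_size, volume_offset=0):
    """Turn runs into absolute (start, end) byte ranges of the disk image,
    i.e. the fragments a carver would have to stitch together for one file."""
    ranges = []
    for lcn, count in runs:
        if lcn is None:                         # sparse: nothing stored on disk
            continue
        start = volume_offset + lcn * cluster_size
        ranges.append((start, start + count * cluster_size))
    return ranges

# Constructed sample run lists (not taken from the poster's disk).
# Three fragments with positive relative offsets:
FRAGMENTED = bytes.fromhex("31 38 73 25 34 32 14 01 E5 11 02 31 42 AA 00 03 00")
# The third run's offset byte 0xE0 is -32: that fragment lies before the second one.
BACKWARD = bytes.fromhex("11 30 60 21 10 00 01 11 20 E0 00")
# A single sparse run of 16 clusters (header 0x01: 1-byte length, no offset field).
SPARSE = bytes.fromhex("01 10 00")
```

A file whose run list has more than one entry is exactly the fragmented case in which a signature-based carver, lacking the MFT, cannot know where the next piece starts.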

recuperation
Posts: 2720
Joined: 04 Jan 2019, 09:48
Location: Hannover, Deutschland (Germany, Allemagne)

Re: Recovering large files from overwritten NTFS

#8 Post by recuperation »

ria4 wrote: 13 Oct 2019, 01:29
I could not find anything useful in the log file yet, but I'll check it more regularly.
I was referring to the TestDisk log file.

ria4
Posts: 6
Joined: 10 Oct 2019, 18:49
Location: Vincennes, France

Re: Recovering large files from overwritten NTFS

#9 Post by ria4 »

That's what I understood.

ria4
Posts: 6
Joined: 10 Oct 2019, 18:49
Location: Vincennes, France

Re: Recovering large files from overwritten NTFS

#10 Post by ria4 »

So as I said before, the JPG+TIF joint recovery failed the CR2 files, but it turns out that scanning the disk exclusively for TIF files recovered most of them. :) Then I was able to extract EXIF data to rename them.

I did not dive deep into the code, but I guess it might have something to do with PhotoRec not anticipating that one same sector could belong to a JPG file and a CR2 file at the same time...?

In any case, massive thanks for your work on the software.
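The observation above, that a sector can look like part of a JPG and of a CR2 at the same time, follows from the CR2 layout: a CR2 is a little-endian TIFF whose IFD0 sits at offset 0x10 and carries "CR" plus version 2.0 at bytes 8..11, and it embeds JPEG thumbnails whose FF D8 FF markers a JPEG carver will also match. The scanner below is an added example, not PhotoRec's own code; the disk image it scans is constructed, and the 512-byte sector step is an assumption.

```python
import struct

SECTOR = 512
JPEG_SOI = b"\xff\xd8\xff"

def classify_header(buf, off):
    """Return 'cr2', 'tiff', 'jpeg' or None for the bytes starting at off."""
    hdr = buf[off:off + 12]
    if len(hdr) < 12:
        return None
    if hdr[:3] == JPEG_SOI:
        return "jpeg"
    if hdr[:4] == b"II*\x00":
        # CR2: little-endian TIFF, IFD0 at 0x10, "CR" and major version 2 at bytes 8..10
        ifd0 = struct.unpack_from("<I", hdr, 4)[0]
        if ifd0 == 0x10 and hdr[8:10] == b"CR" and hdr[10] == 2:
            return "cr2"
        return "tiff"
    if hdr[:4] == b"MM\x00*":                   # big-endian TIFF, never a CR2
        return "tiff"
    return None

def scan_sectors(buf):
    """Check every sector boundary for a known header, as a carver would."""
    hits = []
    for off in range(0, len(buf) - 12 + 1, SECTOR):
        kind = classify_header(buf, off)
        if kind:
            hits.append((off, kind))
    return hits

def jpeg_hits_inside(hits, cr2_off, cr2_len):
    """JPEG signatures that fall inside a CR2's span: most likely its embedded
    thumbnails, which a JPG-only pass would claim as separate files."""
    return [off for off, kind in hits if kind == "jpeg" and cr2_off < off < cr2_off + cr2_len]

def build_sample_image():
    # Constructed 16-sector image (not a real dump): zero filler with planted headers.
    img = bytearray(16 * SECTOR)
    cr2 = b"II*\x00" + struct.pack("<I", 0x10) + b"CR" + bytes([2, 0])
    img[2 * SECTOR:2 * SECTOR + len(cr2)] = cr2            # CR2 starts at sector 2
    img[5 * SECTOR:5 * SECTOR + 3] = JPEG_SOI              # thumbnail inside the CR2
    img[9 * SECTOR:9 * SECTOR + 3] = JPEG_SOI              # an unrelated JPEG
    tiff = b"II*\x00" + struct.pack("<I", 8)               # plain TIFF, IFD0 at 8
    img[12 * SECTOR:12 * SECTOR + len(tiff)] = tiff
    return bytes(img)
```

Disabling the JPG signature, as suggested earlier in the thread, removes the competing hit at sector 5 so the CR2 that starts at sector 2 can be carved as one file.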
