Windows "recovered" my NTFS volume by overwriting it

roelvdh
Posts: 7
Joined: 14 Aug 2018, 17:03
Location: Leiderdorp, NL

Windows "recovered" my NTFS volume by overwriting it

#1 Post by roelvdh »

I have a Windows volume that actually resides as a loop device on an external Linux computer. Everything worked well until I got a communication problem that was soon resolved. At that point Windows decided it should check the disk of my volume. Doing that there must have been an advice to reformat the volume and I must have agreed, but I cannot quite remember as I (stupidly) didn't bother much about the Windows side, being focused on the Linux side. Anyway, the NTFS volume was reformatted. After that I have saved the loop device image just to be sure not to lose anything more. I tried TestDisk and found the freshly created new partition with a correct but empty NTFS file system. My old data must still be there but how do I get access to it? Thanks for any help.

recuperation
Posts: 2719
Joined: 04 Jan 2019, 09:48
Location: Hannover, Deutschland (Germany, Allemagne)

Re: Windows "recovered" my NTFS volume by overwriting it

#2 Post by recuperation »

roelvdh wrote: 13 May 2022, 09:31
> I have a Windows volume that actually resides as a loop device on an external Linux computer. Everything worked well until I got a communication problem that was soon resolved. At that point Windows decided it should check the disk of my volume. Doing that there must have been an advice to reformat the volume and I must have agreed, but I cannot quite remember as I (stupidly) didn't bother much about the Windows side, being focused on the Linux side. Anyway, the NTFS volume was reformatted. After that I have saved the loop device image just to be sure not to lose anything more. I tried TestDisk and found the freshly created new partition with a correct but empty NTFS file system. My old data must still be there but how do I get access to it? Thanks for any help.

I don't understand your configuration. How did a Windows installation delete a Windows volume on a separate computer?

Another point you missed is the time needed for the "reformat" operation which will determine the recovery chances.

You basically successfully wrote an empty partition exactly over a used one. TestDisk won't help you to get the content back because TestDisk finds your new empty volume and is able to navigate across it.
As for your old data, try PhotoRec or any other recovery software that does more than fingerprinting like PhotoRec.

roelvdh
Posts: 7
Joined: 14 Aug 2018, 17:03
Location: Leiderdorp, NL

Re: Windows "recovered" my NTFS volume by overwriting it

#3 Post by roelvdh »

The volume is an iSCSI disk on a remote Linux computer. Windows controls such disk as a local NTFS-volume. When the Ethernet cable between both computers got disconnected for a moment, Windows decided it should recheck the disk but rechecking became reformatting. There was zero writing activity after reformatting as I immediately saved the entire iSCSI-image on a different disk. My understanding of TestDisk was clearly wrong and I will now try Photorec. Thanks for the advice.

roelvdh
Posts: 7
Joined: 14 Aug 2018, 17:03
Location: Leiderdorp, NL

Re: Windows "recovered" my NTFS volume by overwriting it

#4 Post by roelvdh »

I have used PhotoRec and successfully recovered some files. The files all seem to be there but the NTFS filesystem cannot yet be found. I tried TestDisk again, as follows:
- copied the Linux ext4 file disk01.img, which is a loop device containing an NTFS volume somewhere, onto a >750 GB USB disk using dd
- ported the USB disk back to Windows as F:\ and tried chkdsk first (failed), then TestDisk
- TestDisk found 2 MS Data partitions but couldn't recover them. Also reported the disk might be too small. That is not the case: the original Linux disk is 750 GB, I had made an 806 GB /751 GiB USB disk F:\ with an empty NTFS filesystem
- tried partition 1 nevertheless. TestDisk now reported a MS Data filesystem that could make some sense.
Drive F: - 807 GB / 751 GiB - CHS 12270 255 63
The hard disk (807 GB / 751 GiB) seems too small! (< 1593 GB / 1484 GiB)
Check the hard disk size: HD jumper settings, BIOS detection...
The following partitions can't be recovered:
     Partition       Start        End    Size in sector
>    MS Data     192255999  384511998         192256000
     MS Data     194559999  389119998         194560000

Drive F: - 807 GB / 751 GiB - CHS 12270 255 63
     Partition       Start        End    Size in sectors
 1 P MS Data      12556544  190813951          178257408
Is there a way to use TestDisk making the partition known as an NTFS volume to Windows?

Edit:
Even if the NTFS filesystem could be recovered, I understand it would probably be the reformatted filesystem, but I would like to try anyhow.
Also: Am I correct that a partition size 178257408 means 91.3 GB (@ 512 bytes/sector) of actual data, not the ultimate size which should be close to 750 GB? That number could actually be right for the actual data. Could this mean: Linux iSCSI has the full 750 GB available, but only extends the NTFS volume "on the fly" as it needs it, currently at 91.3 GB?
Last edited by roelvdh on 26 May 2022, 08:54, edited 1 time in total.

recuperation
Posts: 2719
Joined: 04 Jan 2019, 09:48
Location: Hannover, Deutschland (Germany, Allemagne)

Re: Windows "recovered" my NTFS volume by overwriting it

#5 Post by recuperation »

roelvdh wrote: 26 May 2022, 07:51
> I have used PhotoRec and successfully recovered some files. The files all seem to be there but the NTFS filesystem cannot yet be found. I tried TestDisk again, as follows:
> - copied the Linux ext4 file disk01.img, which is a loop device containing an NTFS volume somewhere, onto a >750 GB USB disk using dd
> - ported the USB disk back to Windows as F:\ and tried chkdsk first (failed), then TestDisk
> - TestDisk found 2 MS Data partitions but couldn't recover them. Also reported the disk might be too small. That is not the case: the original Linux disk is 750 GB, I had made an 806 GB /751 GiB USB disk F:\ with an empty NTFS filesystem
> - tried partition 1 nevertheless. TestDisk now reported a MS Data filesystem that could make some sense.

Use the p-key to look into the partition to see if there is content that you are missing. Guessing "could make some sense" is not necessary.

> Drive F: - 807 GB / 751 GiB - CHS 12270 255 63
> The hard disk (807 GB / 751 GiB) seems too small! (< 1593 GB / 1484 GiB)
> Check the hard disk size: HD jumper settings, BIOS detection...
> The following partitions can't be recovered:
>      Partition       Start        End    Size in sector
> >    MS Data     192255999  384511998         192256000
>      MS Data     194559999  389119998         194560000
>
> Drive F: - 807 GB / 751 GiB - CHS 12270 255 63
>      Partition       Start        End    Size in sectors
>  1 P MS Data      12556544  190813951          178257408
> Is there a way to use TestDisk making the partition known as an NTFS volume to Windows?

You can write your partition setup to the disk - read the online documentation:
https://www.cgsecurity.org/wiki/TestDisk_Step_By_Step

> Edit:
> Even if the NTFS filesystem could be recovered, I understand it would probably be the reformatted filesystem, but I would like to try anyhow

roelvdh
Posts: 7
Joined: 14 Aug 2018, 17:03
Location: Leiderdorp, NL

Re: Windows "recovered" my NTFS volume by overwriting it

#6 Post by roelvdh »

Thank you. I carefully read the online manual but seemingly need some help in this special case.
I have a 4TB USB disk with an 807 GB volume containing an NTFS filesystem, which runs fine.
The 807 GB volume is a hexdump copy of a 750 GB Linux ext4 disk, which must contain a Windows NTFS volume somewhere (iSCSI disk).
When running TestDisk on the 807 GB volume there seems to be the NTFS volume I am looking for. The volume has a size of 178257408 sectors (93.1 GB) which could actually be right. It is not the full 750 GB of the Linux disk, but I assume Linux iSCSI extends the NTFS volume "on the fly" as it needs it, so the 93.1 GB could be correct.
I am not looking for TestDisk to recover my 807 GB volume, as it runs fine. I am looking for a possibility to repatriate the 93.1 NTFS part out of the 807 GB volume, starting at 12556544 as per TestDisk's report. The online manual doesn't seem to provide for this special case.
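
An added example, not written by any poster in this thread and not TestDisk code: it checks a TestDisk start/size pair (such as 12556544 / 178257408 from post #4) against the NTFS boot sectors inside a saved image and derives the byte offset and length for a read-only loop mapping, so the saved copy is never written to. The 512-byte sector size, the function names and the constructed boot sector built by `make_boot_sector` are assumptions of this example.

```python
import struct

SECTOR = 512  # assumption: 512-byte sectors, as used in the thread

def parse_ntfs_boot(raw):
    """Decode the NTFS boot-sector fields needed to locate and size a volume."""
    if len(raw) < SECTOR or raw[3:11] != b"NTFS    " or raw[510:512] != b"\x55\xaa":
        raise ValueError("not an NTFS boot sector")
    bps, spc = struct.unpack_from("<HB", raw, 0x0B)   # bytes/sector, sectors/cluster
    if spc > 0x80:                                    # large clusters: negative power of two
        spc = 1 << (256 - spc)
    total, mft_lcn = struct.unpack_from("<QQ", raw, 0x28)
    return {"bytes_per_sector": bps, "sectors_per_cluster": spc,
            "total_sectors": total, "mft_byte_offset": mft_lcn * spc * bps}

def locate_volume(image, start, size):
    """Check a (start, size) pair in sectors against the boot sectors in the image."""
    with open(image, "rb") as f:
        f.seek(start * SECTOR)
        primary = parse_ntfs_boot(f.read(SECTOR))
        f.seek((start + size - 1) * SECTOR)   # NTFS keeps a backup in the last sector
        backup_raw = f.read(SECTOR)
    try:
        backup_ok = parse_ntfs_boot(backup_raw)["total_sectors"] == primary["total_sectors"]
    except ValueError:
        backup_ok = False
    # The boot sector normally counts one sector less than the partition,
    # because the last partition sector holds the backup boot sector.
    size_ok = primary["total_sectors"] + 1 == size
    return {"offset": start * SECTOR, "length": size * SECTOR,
            "size_matches": size_ok, "backup_matches": backup_ok, "boot": primary}

def losetup_command(image, info):
    """Read-only loop mapping of just the partition; nothing is written to the image."""
    return (f"losetup --read-only --find --show --offset {info['offset']} "
            f"--sizelimit {info['length']} {image}")

def make_boot_sector(total_sectors, spc=8, mft_lcn=4):
    """Constructed sample boot sector for testing (not data from the thread)."""
    raw = bytearray(SECTOR)
    raw[3:11] = b"NTFS    "
    struct.pack_into("<HB", raw, 0x0B, SECTOR, spc)
    struct.pack_into("<QQ", raw, 0x28, total_sectors, mft_lcn)
    raw[510:512] = b"\x55\xaa"
    return bytes(raw)
```

For the values reported in post #4, the offset is 12556544 × 512 = 6428950528 bytes and the length is 178257408 × 512 = 91267792896 bytes.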
