Files are 0 bytes

How to use TestDisk to recover lost partition
Forum rules
When asking for technical support:
- Search for posts on the same topic before posting a new question.
- Give clear, specific information in the title of your post.
- Include as many details as you can, MOST POSTS WILL GET ONLY ONE OR TWO ANSWERS.
- Post a follow up with a "Thank you" or "This worked!"
- When you learn something, use that knowledge to HELP ANOTHER USER LATER.
Before posting, please read https://www.cgsecurity.org/testdisk.pdf
Locked
Message
Author
MikeMaster
Posts: 7
Joined: 01 Oct 2012, 19:52

Files are 0 bytes

#1 Post by MikeMaster »

Hi all,
Ive recently ran into some problems with my harddrive which im unable to solve by myself. Ill try to explain as best i can.
I use a MSI CX-620 Laptop which has a WD 500G harddrive. The drive is divided in a C-drive and a D-drive. Whenever i need space i move some files to my external harddrive, a WD Mybook Essential 1TB. I also keep a backup of my laptop on this drive, although it has been a few months i ran a backup.
My laptop fell down the table resulting in a smart-failure. The laptop itself didnt boot up anymore.
I managed to access the harddrive by using Ultimate Boot CD and copied some files drom the D-drive to the external harddrive. Because the C-drive had a lot of data which i wanted to keep i wanted to copy a image of the C-drive on the external harddrive. I forgot which program i used, but apparently i used some kind of cloning program which tried to clone my C-drive to the external HD. I terminated the program after 5 minutes or so.
After that, the external HD was inaccessible. It shows up in Windows XP which i have on my old desktop but i cant access it.
I ran chkdsk /f /r on the drive which came back with a lot of errors. It didnt however make the drive accessible.
Ive did a analyse with Testdisk (which is also on the boot cd). After the scan i see all my old files (well i think) however they are all 0 bytes. Also the external hd now has a lot of unallocated space.

Basically my question is how to recover the files on the harddrive?

I appreciate your help and feel free to ask me anything.

MikeMaster
Posts: 7
Joined: 01 Oct 2012, 19:52

Re: Files are 0 bytes

#2 Post by MikeMaster »

Here's an update with some testresults.
My new laptop (W7 64) arrived. It detects the external drive (i do get the error message saying it wants to scan for errors) and i can view and access all my files and folders. They are however almost all with filesize 0.

Here are some screenshots from TestDisk (sorry for the bad screenschots, i can only make them fullscreen):

Start of TestDisk with analyse:
Image

Quick search (i dont know if its important but it starts at 29%):
Image

End of quick search:
Image

Deeper Search (its still running):
Image

Image

I should note that im not trying to rescue the drive itself (im just gonna format it when i can get the data transferred), im trying to rescue the data.

I also have some results from R-Studio demo but i dont know if it helps to post them.

MikeMaster
Posts: 7
Joined: 01 Oct 2012, 19:52

Re: Files are 0 bytes

#3 Post by MikeMaster »

Here's the last screenschot, Deeper Search is finished:
Image

dragonfly41
Posts: 67
Joined: 14 Sep 2012, 20:51

Re: Files are 0 bytes

#4 Post by dragonfly41 »

So to understand the situation ..
  • You have a laptop which fell off the table and probably damaged the internal drive?
  • You tried to clone the internal drive to another drive (using a program like clonezilla?)
  • You shut down this cloning after 5 minutes?
  • You have a brand new laptop?
  • You are trying to recover data from the (hard terminated) clone which is probably corrupt due to early shutdown?
  • You can see this external drive from the (hard dropped) laptop which runs Windows XP?
  • You are trying to access the cloned drive from your new laptop?

I suspect that your cloning process was corrupted.
Why was it stopped after just 5 minutes?

You can either try cloning your internal drive image again .. using ddrescue or clonezilla. These are on any linux live CD. Ubuntu is my choice.

Or .. you can physically remove the (suspect) hard drive in your old laptop and place it in a USB enclosure as an external device.

Then attach this USB drive to your new laptop and try to recover from your new Windows W7 64.

You can try installing RecoverMyFiles program in Win and see if (in free trial mode) you can view files in the USB enclosure. Or you can run testdisk on your Windows W7 64. Or do both in parallel.

You need to get your files off the suspect drive quickly before it totally fails.

The above is only what I would do .. but there are multiple approaches to recovery.

MikeMaster
Posts: 7
Joined: 01 Oct 2012, 19:52

Re: Files are 0 bytes

#5 Post by MikeMaster »

Thank you. Yes, youre right. I stopped the cloning process myself. I was worried it would overwrite the existing data on my external harddrive. On that drive i have (had) data that i dont have on the fixed drive of my laptop that fell. I want to try to recover that data first before im gonna clone the laptopdisk again to the external harddrive.
After that im gonna try to rescue the data on the laptop drive. I think im gonna try to build it in another old laptop i have.

My first priority here is to rescue the existing data on the external drive.

EDIT: after reading this post http://forums.seagate.com/t5/Barracuda- ... td-p/52407 im wondering if i should try to fix the boot and/ or MFT? U dont completely understand what they are and if the changes i make with testdisk are permanent (and perhaps make the situation worse).

MikeMaster
Posts: 7
Joined: 01 Oct 2012, 19:52

Re: Files are 0 bytes

#6 Post by MikeMaster »

Here's an update:
my friend has been able to recover a lot of files from my external drive. However the original filenames and maps they were in got lost in the proces (files are named found001.jpg etc and all in 1 map).

So here''s what i know so far:
- files seem to be intact (with exception of the filenames and maps)
- the 'drive-structure' seems to be intact (i can see all my maps and files in explorer however files have a filesize of 0 bytes).

The link between these two seems to be the problems. Does anybody have any idea what might be wrong?

Here's some additional information from the scan:

file records: 40145
signature files: 27553

NTFS Boot Sector detected
MFT Mirror Zone detected
Block 1 Size 50.0 MB (5248800 bytes)
Sectors from 0 to 102399

MFT Zone detected
Block 62 Size 50.0 MB (5248800 bytes)
Sectors from 6246400 to 6348799)

NTFS Boot Sector detected
Block 5600 Size 50.0 MB (5248800 bytes)
Sectors from 573337600 to 573439999

Appreciate your help!

MikeMaster
Posts: 7
Joined: 01 Oct 2012, 19:52

Re: Files are 0 bytes

#7 Post by MikeMaster »

Last question from me. And please, dont be afraid to give me your input or suggestions, im running out of options here.

Im pretty sure my problem lies in the MFT of the drive.

Testdisk reports that both the MFT and the MFT mirror are fine, but not identical. The chkdsk suggestion it gives doenst solve the problem.

Is there anyway to replace the MFT with the MFT mirror?

dragonfly41
Posts: 67
Joined: 14 Sep 2012, 20:51

Re: Files are 0 bytes

#8 Post by dragonfly41 »

this

http://www.cgsecurity.org/wiki/Advanced ... MFT_Repair

reads ..

Repair An NTFS MFT

The MFT (Master File Table) is sometimes corrupted. If Microsoft's Checkdisk (chkdsk) failed to repair the MFT, run TestDisk. In the Advanced menu, select your NTFS partition, choose Boot, then Repair MFT. TestDisk will compare the MFT and MFT mirror (its backup). If the MFT is damaged, it will try to repair the MFT using the backup. If the MFT backup is damaged, it will use the main MFT.

If both MFT and MFTMirr are damaged and thus cannot be repaired using TestDisk, you might want to try commercial software like Zero Assumption Recovery, GetDataBack for NTFS or Restorer 2000.

...

My earlier suggestion was to try commercial software RecoverMyFiles

http://www.recovermyfiles.com/

Have you tried this yet (evaluation)?

============================

[p.s.]

This might be a useful read ..

http://www.wuziq.com/weblog//node/965

see the last comment posted.

============================

[Further late EDIT]

Since I'd like to learn more from this exercise (in case I hit similar $MFT problems in the future) I decided to research MFT records .. which only apply in NTFS formatted partitions.

I found this very useful site

http://dmitrybrant.com/ntfswalker

Running ntfswalker in windows you can inspect your MFT records in great detail for any NTFS partition.

I've just inspected my working Vista partition and
file0 $MFT is 27KB
file1 $MFTMirr is 4KB in size

So how testdisk can reconstitute $MFT from $MFTMirr is not too clear to me.

I found reference to ntfswalker in this forum ..

http://www.forensicfocus.com/

Search "ntfswalker" in this forum to get more understanding of $MFT from the forum threads.

The question I can't find an answer to is if $MFT records can be backed up before any $MFT failure might arise and if a corrupted $MFT could then be restored from a backup.


=====================================================

[Yet further EDIT]

This following thread I've now found knocks on the head any ideas (posted earlier) of backing up $MFT (which is metadata and constantly changing).

http://www.pcguide.com/vb/archive/index ... 60645.html

As one poster wrote
"The cornerstone of avoiding disappointment is backup of DATA - not metadata."
and
"The main function of the (badly named) MFTmirror is to replace those parts of the MFT that reference metadata (including the MFT itself) and not data in normal files and folders."

More explanation here ..

http://www.pcguide.com/ref/hdd/file/ntfs/arch_Arch.htm


MikeMaster
Posts: 7
Joined: 01 Oct 2012, 19:52

Re: Files are 0 bytes

#9 Post by MikeMaster »

Thank you for this. It gave me a better understanding of how the MFT works. I also tried the NTFSWalker. Unfortunately it gave me the same results i got in the normal windows explorer. I think im out of options and i formatted the drive. After the format im gonna try one last recovery, after that i have to mark the data as gone forever. I did recover a lot of data in raw file format. Works good for little files (JPG's). Big files (movie files) do get messed up however.

Locked