trying to recover windows ntfs disk from xen hba / lvm vol

bbmitch
Posts: 14
Joined: 17 Apr 2013, 01:14

trying to recover windows ntfs disk from xen hba / lvm vol

#1 Post by bbmitch »

I want to briefly explain how I broke it as it may affect how I should search.

I was reinstalling xen (no lvm backup info) and it prompted to reinitialize the "hardware hba" drive used for virtual machines. Believing I had a complete and working backup I let it.

Then I restored the first two backups. It was obvious backup#2 was not right.

Backup #2 was one of the later VM's - it consisted of a windows 2008 R2 install on a 35GB virtual disk and a 10GB data disk. The essential data is really the data disk but ideally both file systems would be recovered.

I've been looking for details. I need to recover word documents, excel files, quickbooks files, etc. I suspect they may be fragmented within the virtual hd - but if I can recover that whole (which should not be fragmented) that the underlying file system may hold the files complete.

I believe the best tack would be to recover the virtual hard drives themselves if possible. I know the name of the VM - but not the exact folder name it was stored in as this is sort of hidden in xen. (at least hidden to me).

On the xen support list it was suggested I try testdisk - but not how to use it - especially specific to my situation.

For what it's worth, it's my mistake - I own it - and am willing to pay for support / assistance if this is possible.

Please let me know if there is any information I can provide further to improve your advice / or if there is anyone with experience in such a recovery? In respect for other board users if you are offering consulting assistance please send a private message if possible?

Thank you in advance.

bbmitch
Posts: 14
Joined: 17 Apr 2013, 01:14

Re: trying to recover windows ntfs disk from xen hba / lvm v

#2 Post by bbmitch »

I've had some success... but I'm not quite there yet... I could really use some expert help. I've recovered an entire VHD which contains essential data.
I read a lot - searched a lot - found a LOT of people trying to do this and referenced a few docs:

http://natesbox.com/blog/data-recovery- ... vhd-files/ for the tip on adding a vhd signature and running.
Hi Nate! I don't see a way to contact you on there? (there's a link from this site to his - maybe the moderator has a contact?)

http://www.sarkhori.com/blog/?p=107 for tips on mounting the vhd's

Basically I added the vhd signature, and let photorec find my vhd's for me. I saved them to an NFS server.

Once they were there, I swapped them in one at a time for drives on a Windows system until I found the right one.

Voila! The missing data partition! Thank you!

So here's the problem!! I have to find one more vhd file. But there's a catch. I think I have realized that this vhd file must have been expanded. So... is there any way to detect the link between the pieces so I can stitch it back together into one VHD?

I've been posting on xen-users as well http://www.gossamer-threads.com/lists/xen/users/278066 but I don't know enough about the VHD structure to know if there's a second signature for the second piece?

I've tried a test... I created a 1GB vhd on NFS, and then increased the size to 2GB. This doesn't seem to work the same as it does for system partitions - which seem to be initially fully allocated. In this case the vhd file started at a few thousand bytes, grew to 20-30MB when it was formatted, and by another small percentage when I increased the size from 1GB to 2GB.

To completely recover a full LVM from a volume once allocated and now expanded I guess I need to be able to piece together the chunks - is that right?

Any help appreciated. The goal here is to restore a missing quickbooks file that was contained in the All Users on the C drive.

m

bbmitch
Posts: 14
Joined: 17 Apr 2013, 01:14

Re: trying to recover windows ntfs disk from xen hba / lvm v

#3 Post by bbmitch »

Is there maybe a way to treat a VHD which is incomplete (missing the end) as a source for testdisk to scan?
I've been attempting to mount or attach them under xen, and that works for the COMPLETE ones - but not for the incomplete ones. They fail with "The attempt to load the VDI failed."

If I could scan the vhd file itself as if it was a disk maybe I could pull out the files I need?

Thanks again.

bbmitch
Posts: 14
Joined: 17 Apr 2013, 01:14

Re: trying to recover windows ntfs disk from xen hba / lvm v

#4 Post by bbmitch »

I've seen some people suggesting I can run testdisk directly against an image file.

So far I haven't made this work. Of course a VHD might not be "an image file".

I have a vhd that works in xen. I can load it in xen as a drive on a windows 2008 r2 system. Windows thinks it's a 10GB drive.

To confirm I'm using testdisk properly I'm trying to use this VHD with testdisk to see if I can see the files within it.

WITHIN windows (already mounted /or unmounted) I can run testdisk and see the contents for the virtual device.

OUTSIDE WINDOWS if I simply run: "testdisk_static mydisk.vhd" I do not seem to be able to do this. I think the issue MIGHT relate to the fact that the vhd for a 10GB drive is actually only 6GB in size (owing to the fact that it only stores 4GB of data maybe?)

At any rate, how do I get testdisk to ignore the size - or otherwise properly access the vhd? I know the VHD works. I've recovered data off it by mounting it in xen. My thought is that if I can validate my method for accessing vhd's by testdisk directly that I can try some of the vhd's that xen will NOT mount and see if they are repairable or partially accessible.

Does anyone have any thoughts? Thanks!

bbmitch
Posts: 14
Joined: 17 Apr 2013, 01:14

Re: trying to recover windows ntfs disk from xen hba / lvm v

#5 Post by bbmitch »

Need to sleep. Last post of the night.
The problem is that I want to mount a VHD that doesn’t work under windows. So I’ve been trying to make testdisk work on it so I can scan for / recover files.
I’ve been trying to do that with a WORKING vhd image. So far no luck.
Testdisk seems to not like that a vhd is dynamically allocated. Somehow if I mount it in windows and it is accessed by testdisk through the device in windows, testdisk sees the intended max size and it works.
When I mount it or access the vhd file directly testdisk sees the REAL size. and that skews the geometry??

Thanks - good night all.
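
Added example, not part of any post in this thread: a dynamic VHD stores only the blocks that were written and locates them through a block allocation table (BAT), so the file is shorter than the virtual disk and its sectors do not sit at their virtual offsets. The Python sketch below follows the published VHD layout (footer copy at offset 0, `cxsparse` header, BAT) and expands a dynamic VHD into a raw image that a tool expecting flat sectors can scan; it reads only the header copy at the start of the file, so a VHD that is missing its end is still expanded as far as its data goes. The function names are this example's own.

```python
import struct

SECTOR = 512
UNALLOCATED = b"\xff\xff\xff\xff"   # BAT entry for a block that was never written

def read_headers(src):
    """Parse the footer copy at offset 0 and the dynamic header it points to."""
    src.seek(0)
    footer = src.read(SECTOR)
    if len(footer) < SECTOR or footer[:8] != b"conectix":
        raise ValueError("no VHD footer copy at offset 0")
    # Big-endian fields: data offset @16, current size @48, CHS @56, disk type @60
    data_off, size, cyl, heads, spt, kind = struct.unpack_from(">16xQ24xQHBBI", footer)
    if kind != 3:                      # 2 = fixed, 3 = dynamic, 4 = differencing
        raise ValueError("not a dynamic VHD")
    src.seek(data_off)
    dyn = src.read(1024)
    if len(dyn) < 1024 or dyn[:8] != b"cxsparse":
        raise ValueError("dynamic header missing or damaged")
    # Table offset @16, max table entries @28, block size @32
    bat_off, entries, bs = struct.unpack_from(">16xQ4xII", dyn)
    return {"size": size, "chs": (cyl, heads, spt), "bat_off": bat_off,
            "entries": entries, "bs": bs}

def expand_to_raw(src, dst):
    """Write allocated blocks at their virtual offsets; return (info, short_blocks)."""
    info = read_headers(src)
    bs, size = info["bs"], info["size"]
    # Each data block is preceded by a sector bitmap padded to whole sectors.
    bitmap = ((bs // SECTOR + 7) // 8 + SECTOR - 1) // SECTOR * SECTOR
    short = []
    for i in range(info["entries"]):
        src.seek(info["bat_off"] + 4 * i)
        raw = src.read(4)
        if len(raw) < 4 or raw == UNALLOCATED:
            continue                   # table cut off, or block never allocated
        src.seek(struct.unpack(">I", raw)[0] * SECTOR + bitmap)
        block = src.read(bs)
        if len(block) < bs:
            short.append(i)            # file ends inside or before this block
        dst.seek(i * bs)
        dst.write(block)
    dst.seek(0, 2)
    if dst.tell() < size:              # pad so the image spans the whole virtual disk
        dst.seek(size - 1)
        dst.write(b"\0")
    dst.truncate(size)
    return info, short
```

Call `expand_to_raw` with the VHD opened in `"rb"` mode and a new output file opened in `"wb"` mode, working on a copy of the VHD; the block numbers returned in the second value are the ones whose data was cut off by the end of the file.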

Lito
Posts: 83
Joined: 08 Sep 2012, 06:58

Re: trying to recover windows ntfs disk from xen hba / lvm v

#6 Post by Lito »

Found this link in Google:

http://extension.nirsoft.net/vhd

As well as this thread:

http://sourceforge.net/p/sevenzip/discu ... /f5752ad8/

It might be just possible to open one of your VHD files.


http://en.wikipedia.org/wiki/VHD_%28fil ... imitations

"It is sometimes useful to modify a VHD file without booting an operating system."

This might be of interest. It is just an idea.

Also found a link to this project:

http://discutils.codeplex.com/

in this thread:

http://superuser.com/questions/57017/ca ... with-7-zip

Best of luck in your quest.

bbmitch
Posts: 14
Joined: 17 Apr 2013, 01:14

Re: trying to recover windows ntfs disk from xen hba / lvm v

#7 Post by bbmitch »

Thanks Lito - here's my current "state of the nation". :-)

I have run vhd-util -n FILE on all the vhd's.

Some of these VHD's (created by xcp / xen) WORK i.e. I could remount them in xen.

Some of these VHD's can be explored using "winimage" - but I can't seem to do anything to make them open in testdisk. That's a little confusing / frustrating seeing as how photorec is the only reason I was able to extract the VHD's.

For example:
vhd-util reports Cyl: 49932, Hds: 16, Sctrs: 63

But that doesn't work at all in testdisk.

When I open testdisk it reports:
>Disk f199757952.vhd - 10 GB / 10 GiB (which is wrong - must be based on the file size - which is about 10GB as that's the only data allocated / written - the partition is actually 24GB).

If I choose partition table type intel, and analyse it doesn't find anything.

If I try to change that to 255 heads, 3134 cyl it still doesn't see a partition table.

If I back out and change the partition table type to none it shows this:
> P Unknown 0 0 1 3133 254 63 50347710

If I analyze and do a quick search I see this instantly:
>P NTFS 0 166 47 13 102 33 204800
P NTFS 13 239 10 3133 238 24 50122752

BUT, if I press P and try to list files it says the structure is damaged - but I know the structure isn't damaged because this is one of the drives I can mount in Windows 2008R2 or read using WinImage.

So where do I go from here? I can't help but think that my lost data is in one of the vhd's that I can't open with windows/winimage (corruption of course) but if I could use testdisk to read a working one I could try it at extracting from a broken one?

But I must be doing something wrong with it if it can't read a VHD that works in two other systems...

Anyone have any thoughts? Thank you!

Mitch.

Lito
Posts: 83
Joined: 08 Sep 2012, 06:58

Re: trying to recover windows ntfs disk from xen hba / lvm v

#8 Post by Lito »

OK.
You could try reading some of those VHDs in something like this:

http://arainia.com/software/gizmo/overview.php?nID=4

the point is being able to extract the data.


As mentioned before 7zip might be able to let you see inside the VHDs to extract some data.
Most likely in a 64 bit system because you are talking about huge files.

Another solution could be to use commercial recovery software.

http://www.diskinternals.com/ntfs-recovery/

This site looks interesting. I downloaded some of their free software but never tried
their proper recovery products. There is a claim in their pages that their products can mount VHD and read them
no matter what. Finding out will cost you dosh, but there is a chance of a try out.

About TestDisk. Are you talking running it against the disk where XEN is installed, or running it
against one of the VHDs on its own?

For example:

testdisk f199757952.vhd

Does it give you any options like making an image?

Recreating or fixing the boot sector?

In your example, there are two partitions.
Do they both give an error when you try to List (P)?

In your example TestDisk proposes this as correct: 254 63
Did you try that? You can try without writing the changes.
But I gather that you already know that.

Some posts in this forum talk about disk geometry.
I don't know whether they apply or not.
Sometimes the information is sketchy but there are nuggets here and there.
I only list three messages. You can search for more. Look for Fiona, CGrenier or Remy.

http://forum.cgsecurity.org/phpBB3/post7329.html#p7329

http://forum.cgsecurity.org/phpBB3/post ... icky#p1093

http://forum.cgsecurity.org/phpBB3/post ... icky#p2334


The Step by step guide has some advice on how to run the TestDisk executable

http://www.cgsecurity.org/wiki/TestDisk ... executable

If you have an option to make an image of a partition, TestDisk will name it
something like image.dd - You can rename it your_name.img
and open it with 7Zip, as shown in this forum:

http://forum.piriform.com/index.php?showtopic=34355

Another option may be to run PhotoRec to scan for the lost data, deselecting every file
option with "s" and then selecting only the files you are looking for (Quickbooks).
The problem here is that PhotoRec does not recover the files names as they were.
You can do that against an image as well. I don't know if you could run it against
a VHD file, but I suspect you can.

In any case, what happened to the two backups you mentioned at the beginning?
Do you still have them or did they get destroyed in the process?
If you still had them, it might be worth going back to version 1.1 (where you were safe and sound)
on a different disk (you could make clones to save you time), and try those backups again.

Best of luck

bbmitch
Posts: 14
Joined: 17 Apr 2013, 01:14

Re: trying to recover windows ntfs disk from xen hba / lvm v

#9 Post by bbmitch »

Hi Lito - thanks for responding... :-)

I was running testdisk against the vhd file itself.

Neither partition works within testdisk (error on P - at least the way I'm trying to do it)
- while both work in xen itself or WinImage.

I understood heads were zero based? So head 0 to head 254 is 255 heads - isn't that right?

If I select 254 as the heads then I see this:

>   P Unknown                  0   0  1  3145 253 63   50342292

I tried using the geometry the VHD stores on it (from vhd-util) and I get this:

Disk f199757952.vhd - 25 GB / 23 GiB - CHS 49932 16 63
Analyse cylinder   504/49931: 01%

Warning: number of heads/cylinder mismatches 255 (NTFS) != 16 (HD)
  NTFS                    10   6 47   213   9 33     204800
Warning: number of heads/cylinder mismatches 255 (NTFS) != 16 (HD)
  NTFS                   222   2 10 49947   1 24   50122752

So I switch back to 3134/255/63

When I do a deep search, I get this:

Disk f199757952.vhd - 25 GB / 24 GiB - CHS 3134 255 63
     Partition               Start        End    Size in sectors
 P NTFS                     0 166 47    13 102 33     204800
 P NTFS                     2 112 46    15  48 32     204800
 P NTFS                     2 112 47  3122 111 61   50122752
>P NTFS                    13 239 10  3133 238 24   50122752
 P NTFS                   273 161 44   274   4 43       6174
 P NTFS                   274   4 43   274 102 42       6174
 P NTFS                   274   5 15   274 103 14       6174
 P NTFS                   274 103 14   274 201 13       6174 [Boot]
 P NTFS                   274 103 41   274 201 40       6174
 P NTFS                   274 201 40   275  44 39       6174
 P HFS                    391 250 40   914  38 10    8388610 [ÿÿÿºD^A]
 P FAT12                  646  66 32   647 140 43      20739 [NO NAME]
 P FAT12                  689 239 55   690  30 36       2880 [EFISECTOR]
 P NTFS                   877 247 28   890 183 14     204800
 P NTFS                   890 183 14   903 118 63     204800
 P NTFS                   890 183 17   891  26 16       6174
 P NTFS                   891  26 16   891 124 15       6174 [Boot]

Doesn't seem to matter what I do testdisk says:

Can't open filesystem. Filesystem seems damaged.

It looks like testdisk just doesn't grok xen vhd's (maybe they are wonky but they seem consistently wonky...)

If I select a part type of none, a quick search finds it right away but won't let me write an image or access files because part type is none and the "file system seems damaged" - if I select a part type of intel it complains the final bytes of the part table should be aa55 (and I remember that's right!) - so maybe xen just doesn't do that?

It doesn't seem to matter if it's a windows files system on the vhd or an ext3 system.

As I had a small copy of an ext3 file system vhd which worked (in xen and winimage), I tried using testdisk to rewrite an intel style partition table - and broke the file with it. So it seems that testdisk doesn't work with xen vhd's. Could that be possible?

Maybe I should post a separate issue concerning that - maybe it's a bug (presuming xen follows the vhd spec)? not trying to lay any blame here of course- just trying to find data.

No options to make an image though unfortunately.

Thanks for your ideas - I read all the links. I did read the step by step - went through it again in case I was missing something. :-)

Mitch.

Lito
Posts: 83
Joined: 08 Sep 2012, 06:58

Re: trying to recover windows ntfs disk from xen hba / lvm v

#10 Post by Lito »

Hi there, the "filesystem damaged" seems to appear in lots of cases. Still the team members seem to crack them.
The aa55 thing, I think, is related to the boot sector. It is some sort of expected signature. I do not have the link at hand or at the top of my head, but someone called The Starman does explain it in his pages.
It is good that you posted some of the log. There is much more information. Unfortunately I'm not that hot with numbers. Besides, there are people much more experienced to help with that in this forum.
In any case, if this is your working file, it will be best to work on a copy. Then you could try a different approach. Instead of choosing Analyse, choose Advanced, Boot. You can search the board for messages with those keywords. The point being to diagnose where the fault is.

Best of luck
