cgsecurity.org

I have a 2TB external drive that, for reasons too ridiculous to elaborate on, had a 500GB Linux drive dd'd onto it by accident for about 20 seconds, overwriting the partition table and probably very little else. And while none of the mainstream recovery programs seemed to be able to recover the partition data (ha!), TestDisk had no problem locating the original NTFS partition. But when I hit the key to list the files, multiple folders turned up missing. The log shows "ntfs_readdir failed for cluster so-and-so" errors above every folder that I know has stuff missing, including the root, and no such errors above folders that are completely intact.

Aside from being a problem, this seems odd. I thought the NTFS file table is located in the middle of the platter to minimize seek times, whereas dd starts at one end and works its way across, so a few seconds shouldn't have been enough to remove anything from the file table.

I know the individual files are still in there somewhere, though, because I ran another program called DiskInternals NTFS Recovery (which, despite its name, can only find individual files with no names or metadata), and it pulled up accurate thumbnails of a bunch of pictures that are in the missing folders. But even if I shelled out the money for the full version of that program, that's not much use to me because a lot of the files I'm looking for are pretty useless without the filenames and the folder structure they were in.

So I'm unsure what to do next. I'd assume the next step is to try to restore the partition anyway, but will the folders still be missing? And if not, will running Undelete afterwards be able to find the original paths of the missing files? The sample screenshot on the wiki shows complete folder paths, but I don't know where it's getting those from.

Pocket wrote: 26 Aug 2020, 10:33 Aside from being a problem, this seems odd. I thought the NTFS file table is located in the middle of the platter to minimize seek times, whereas dd starts at one end and works its way across, so a few seconds shouldn't have been enough to remove anything from the file table.

The master file table under NTFS is a file itself which can grow, shrink and be moved by defragmentation programs.

I know the individual files are still in there somewhere, though, because I ran another program called DiskInternals NTFS Recovery (which, despite its name, can only find individual files with no names or metadata), and it pulled up accurate thumbnails of a bunch of pictures that are in the missing folders.

No, not necessarily. Thumbnail picture data in files can be healthy whereas the whole picture might be unrecoverable.

So I'm unsure what to do next. I'd assume the next step is to try to restore the partition anyway, but will the folders still be missing?

Yes.

And if not, will running Undelete afterwards be able to find the original paths of the missing files?

No. Deleting files under NTFS is different from overwriting areas of the disk. Undeleting may be possible, overwritten data is permanently lost.

You are left with the option to try out various commercial programs or even hire a professional recovery service.

As for "slightly overwritten" one shot at the right place is enough, see Star Wars I or when the issue is to destroy parts of the internet.
Unfortunately most forum users are more precise when shooting than Luke Skywalker was when it was about hitting the reactor ventilation.

Is there a reason why the "ntfs_readdir failed" errors are happening to clusters as far apart as 5 and 471075? It seems like that shouldn't be happening.

Pocket wrote: 26 Aug 2020, 18:52 It seems like that shouldn't be happening.

Why?