Testdisk detects lost partition on physical drive but not on dd image of that drive Topic is solved

Using TestDisk to repair the filesystem
Forum rules
When asking for technical support:
- Search for posts on the same topic before posting a new question.
- Give clear, specific information in the title of your post.
- Include as many details as you can, MOST POSTS WILL GET ONLY ONE OR TWO ANSWERS.
- Post a follow up with a "Thank you" or "This worked!"
- When you learn something, use that knowledge to HELP ANOTHER USER LATER.
Before posting, please read https://www.cgsecurity.org/testdisk.pdf
Locked
Message
Author
Chris1337
Posts: 4
Joined: 04 Oct 2021, 10:06

Testdisk detects lost partition on physical drive but not on dd image of that drive

#1 Post by Chris1337 »

Dear all,

I have created a dd image from a harddrive with a broken (NTFS) file system using Ubuntu. The dd process ran smoothly without any errors and within the expected time, leading me to the assumption that there is no technical fault with the drive but "only" a problem in the MFT and MFTmirr. The size of the image corresponds to the drive, adding circumstantial evidence that the entire drive was mirrored. Now my question is less about rescuing the data but more about understanding the following discrepancy.

When running Testdisk against the physical drive, an intel architecture and NTFS partition is readily detected, whereas when running Testdisk against the dd image (both when directly supplying the image to testdisk via command-line and when mounting the image in ubuntu and then selecting it as a disk in Testdisk), detects neither the correct architecture nor the (broken) NTFS partition. Deep scan reveals all kinds of old or suspected partitions, none of them similar in size and offsets to the "actual" lost partition.

Where is my error in reasoning? Shouldn't the dd image be identical to the drive? I guess, based on the observations above, it is obvious that the dd image and the drive must be different from each other, so I did not even invest the time to run and compare checksums on both. But why is this the case? What is wrong my dd image?

Thank you for your insight!

Kind regards,
Chris

recuperation
Posts: 2718
Joined: 04 Jan 2019, 09:48
Location: Hannover, Deutschland (Germany, Allemagne)

Re: Testdisk detects lost partition on physical drive but not on dd image of that drive

#2 Post by recuperation »

Chris1337 wrote: 04 Oct 2021, 10:29 Dear all,

I have created a dd image from a harddrive with a broken (NTFS) file system using Ubuntu. The dd process ran smoothly without any errors and within the expected time, leading me to the assumption that there is no technical fault with the drive but "only" a problem in the MFT and MFTmirr. The size of the image corresponds to the drive, adding circumstantial evidence that the entire drive was mirrored. Now my question is less about rescuing the data but more about understanding the following discrepancy.
Even with an error-free drive I would use the ddrescue command using the log file feature instead of using the dd command because the ddrescue output on the screen gets updated and ddrescue logs everything into a file. Using that file you can even stop and restart the duplicating process.
When running Testdisk against the physical drive, an intel architecture and NTFS partition is readily detected, whereas when running Testdisk against the dd image (both when directly supplying the image to testdisk via command-line and when mounting the image in ubuntu and then selecting it as a disk in Testdisk), detects neither the correct architecture nor the (broken) NTFS partition. Deep scan reveals all kinds of old or suspected partitions, none of them similar in size and offsets to the "actual" lost partition.
A dd image is just a file and even when it's identical to its source it contains less information than the file it came from. A file won't tell you about sector size p.e..
Where is my error in reasoning? Shouldn't the dd image be identical to the drive?
Maybe it is. You should have used ddrescue instead and you should not mount a dd image containing one or a couple of NTFS file systems because you risk write operations when mounting the file under Window. For linux I would doubt that but I really don't know.
I guess, based on the observations above, it is obvious that the dd image and the drive must be different from each other, so I did not even invest the time to run and compare checksums on both. But why is this the case? What is wrong my dd image?
Compare it - no guessing!

Chris1337
Posts: 4
Joined: 04 Oct 2021, 10:06

Re: Testdisk detects lost partition on physical drive but not on dd image of that drive

#3 Post by Chris1337 »

Thank you for your feedback! I will use ddrescue as a default in the future.

Locked