I'm not new to testdisk, I've used it before and it was excellent, managed to recover files.
I was trying to re-image a device, from a backup taken from FTK Imager. I've provided the wrong block device in a dd command (a 'b' rather than a 'c') and have overwritten the boot sector record of an NTFS file system on a 2TB drive. Thankfully, FTK Imager fragmented the 512GB image, so I've only overwritten the first 1GB of the drive.
Code:
sudo dd if="${fragment}" of=/dev/sdb1 bs=4M seek="${offset}" status=progress
...
└─$ cat overwrite.txt
└─$ sudo ./script.sh
[sudo] password for system:
001
788529152 bytes (789 MB, 752 MiB) copied, 23 s, 34.0 MB/s^C
190+0 records in
189+0 records out
792723456 bytes (793 MB, 756 MiB) copied, 23.7837 s, 33.3 MB/s
1572864000
002
dd: failed to open '/mnt/a/image.dd.002': No such file or directory
stat: cannot statx '/mnt/a/image.dd.002': No such file or directory
(standard_in) 2: syntax error
Code:
mount /dev/sdb1 /mnt/a
For context, this 2TB drive has multiple encrypted images on it - so file recovery is going to be a complete nightmare.
I'm more so looking for someone to provide a bit of sanity checking here, I work in IT and my memory of file systems is a bit rusty but - I am of the understanding that:
* If I can locate the backup boot sector towards the end of the 2TB, I may be able to copy the backup boot sector and replace the original
* There is a chance I may be able to recover 99% of the drive, because the $MFT will be at least 3GB into the drive (I just won't know what offset it is at until I find the backup boot sector?)
* If the $MFT isn't 3GB in, I might have a chance of recovery with $MFTMirror?
Any advice would be greatly appreciated - the more I think of it, testdisk might be getting confused with the file systems on the drive, so I'm not sure testdisk will be best going forward
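
Added example, not part of the original post: a Python sketch that decodes a candidate NTFS boot sector (for instance one read from the last sector of the partition) and reports where $MFT and $MFTMirr sit relative to an overwritten region. The function names, the sample sector values and the 1 GiB overwrite size are assumptions constructed for illustration.

```python
import struct

SECTOR = 512

def parse_ntfs_boot_sector(sector: bytes) -> dict:
    """Decode the BPB fields needed to locate $MFT, $MFTMirr and the backup copy."""
    if len(sector) < SECTOR:
        raise ValueError("need a full 512-byte sector")
    if sector[3:11] != b"NTFS    " or sector[510:512] != b"\x55\xaa":
        raise ValueError("not an NTFS boot sector")
    bps, spc = struct.unpack_from("<HB", sector, 0x0B)   # bytes/sector, sectors/cluster
    total, mft_lcn, mirr_lcn = struct.unpack_from("<QQQ", sector, 0x28)
    if spc > 0x80:               # large clusters are stored as a negative power of two
        spc = 1 << (256 - spc)
    if bps == 0 or spc == 0:
        raise ValueError("corrupt BPB geometry")
    cluster = bps * spc
    return {
        "cluster_size": cluster,
        "mft_offset": mft_lcn * cluster,        # byte offsets from partition start
        "mftmirr_offset": mirr_lcn * cluster,
        "backup_boot_offset": total * bps,      # sector just past the volume
    }

def recovery_report(info: dict, overwritten_bytes: int) -> dict:
    """True where the structure starts beyond the overwritten prefix."""
    return {
        "mft_intact": info["mft_offset"] >= overwritten_bytes,
        "mftmirr_intact": info["mftmirr_offset"] >= overwritten_bytes,
    }

def build_sample_sector(total, mft_lcn, mirr_lcn, bps=512, spc=8) -> bytes:
    """Constructed boot sector for the demo; not taken from the drive in the post."""
    s = bytearray(SECTOR)
    s[0:3] = b"\xeb\x52\x90"
    s[3:11] = b"NTFS    "
    struct.pack_into("<HB", s, 0x0B, bps, spc)
    struct.pack_into("<QQQ", s, 0x28, total, mft_lcn, mirr_lcn)
    s[510:512] = b"\x55\xaa"
    return bytes(s)

if __name__ == "__main__":
    # Constructed values: ~2 TB volume, 4 KiB clusters, $MFT at cluster 786432.
    info = parse_ntfs_boot_sector(build_sample_sector(3906963455, 786432, 2))
    print(info)
    print(recovery_report(info, 1 << 30))   # assumed 1 GiB overwritten
```

Run it against a sector copied out of a read-only image of the drive rather than the live device, so nothing further is written while the offsets are being checked.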