cgsecurity.org

TestDisk & PhotoRec forum
https://forum.cgsecurity.org/phpBB3/

1GB of 2TB NTFS HDD overwritten using dd

https://forum.cgsecurity.org/phpBB3/viewtopic.php?t=12451

Page 1 of 1

1GB of 2TB NTFS HDD overwritten using dd

Posted: 06 Oct 2023, 12:35
by loros
Hi,

I'm not new to testdisk, I've used it before and it was excellent, managed to recover files.

I was trying to re-image a device, from a backup taken from FTK Imager. I've provided the wrong block device in a dd command (a 'b' rather than a 'c') and have overwritten the boot sector rectord of an NTFS file system on a 2TB drive. Thankfully, FTK Imager fragmented the 512GB image, so I've only overwritten the first 1GB of the drive.

Code: Select all

sudo dd if="${fragment}" of=/dev/sdb1 bs=4M seek="${offset}" status=progress
...
└─$ cat overwrite.txt 
└─$ sudo ./script.sh           
[sudo] password for system: 
001
788529152 bytes (789 MB, 752 MiB) copied, 23 s, 34.0 MB/s^C
190+0 records in
189+0 records out
792723456 bytes (793 MB, 756 MiB) copied, 23.7837 s, 33.3 MB/s
1572864000
002
dd: failed to open '/mnt/a/image.dd.002': No such file or directory
stat: cannot statx '/mnt/a/image.dd.002': No such file or directory
(standard_in) 2: syntax error
The mount command used for context was:

Code: Select all

mount /dev/sdb1 /mnt/a
I've used testdisk, I'm currently using the Analyse option. I previously tried to see if I could repair the boot sector, but Backup BS was not an option, only Rebuild BS.

For context, this 2TB drive has multiple encrypted images on it - so file recovery is going to me a complete nightmare.

I'm more so looking for someone to provide a bit of sanity checking here, I work in IT and my memory of file systems is a bit rusty but - I am of the understanding that:

* If I can locate the backup boot sector towards the end of the 2TB, I may be able to copy the backup boot sector and replace the original
* There is a chance I may be able to recover 99% of the drive, because the $MFT will be at least 3GB into the drive (I just won't know what offset it is at until I find the backup boot sector?)
* If the $MFT isn't 3GB in, I might have a chance of recovery with $MFTMirror?

Any advice would be greatly appreciated - the more I think of it, testdisk might be getting confused with the file systems on the drive, so I'm not sure testdisk will be best going forward

Re: 1GB of 2TB NTFS HDD overwritten using dd

Posted: 06 Oct 2023, 13:24
by recuperation
loros wrote: 06 Oct 2023, 12:35 * If I can locate the backup boot sector towards the end of the 2TB, I may be able to copy the backup boot sector and replace the original
Yes.
* There is a chance I may be able to recover 99% of the drive, because the $MFT will be at least 3GB into the drive (I just won't know what offset it is at until I find the backup boot sector?)
No. There is no fixed location. It can be moved by a defragmentation software.
* If the $MFT isn't 3GB in, I might have a chance of recovery with $MFTMirror?
Just use Testdisk the ordinary way and verify its search results by looking into the partitions.
Any advice would be greatly appreciated - the more I think of it, testdisk might be getting confused with the file systems on the drive, so I'm not sure testdisk will be best going forward
Encrypted file systems cannot disturb TestDisk.

Re: 1GB of 2TB NTFS HDD overwritten using dd

Posted: 06 Oct 2023, 13:47
by loros
Just while I have you, Analyse has just finished, can you help with interpretation?

The top sector looks promising, the cursor states that it has been found NTFS using backup boot sector. It's the full size of the drive, at a bs=512 (3906959360), but when I select P, select files, it's empty, just . and .. - I don't suppose you know how I get it to copy the backup boot sector - given that advanced > ntfs > mft search only came up with the original as 0000 and the backup as an EFI partition?

Code: Select all

TestDisk 7.1, Data Recovery Utility, July 2019                                                                                                                         
Christophe GRENIER <grenier@cgsecurity.org>                                                                                                                            
https://www.cgsecurity.org                                                                                                                                             
                                                                                                                                                                       
Disk /dev/sdb - 2000 GB / 1862 GiB - CHS 243197 255 63                                                                                                                 
     Partition               Start        End    Size in sectors                                                                                                       
>P NTFS                     0  32 33 243197  25 28 3906959360 [Elements]                                                                                               
 P FAT32                    0  65  2    13   0 51     204800 [EFI System Partition] [SYSTEM]                                                                           
 P FAT12                  173 126  6   173 171 50       2880 [EFI System Partition] [NO NAME]                                                                          
 P FAT12                  192 197 22   192 243  3       2880 [EFI System Partition] [NO NAME]                                                                          
 P FAT12                  203 122 32   203 168 13       2880 [EFI System Partition] [NO NAME]                                                                          
 P FAT12                  220 176  5   220 221 49       2880 [EFI System Partition] [NO NAME]                                                                          
 P FAT12                  465 168 16   465 213 60       2880 [EFI System Partition] [EFISECTOR]                                                                        
 P NTFS                   467   5 42   467 103 41       6174                                                                                                           
 P NTFS                   467 103 41   467 201 40       6174 [Boot]                                                                                                    
 P FAT12                  470   4 51   470  50 32       2880 [EFI Syste

Re: 1GB of 2TB NTFS HDD overwritten using dd

Posted: 07 Oct 2023, 05:05
by recuperation
Please use the most recent version of Testdisk and post your complete logfile.

Re: 1GB of 2TB NTFS HDD overwritten using dd

Posted: 10 Oct 2023, 12:08
by loros
recuperation wrote: 07 Oct 2023, 05:05 Please use the most recent version of Testdisk and post your complete logfile.
It's a long log file:

https://paste.bingner.com/paste/4reng (0-20000)
https://paste.bingner.com/paste/vyz5p (20000-40000)
https://paste.bingner.com/paste/pb6hp (40000-50000)

Re: 1GB of 2TB NTFS HDD overwritten using dd

Posted: 11 Oct 2023, 17:11
by loros
Just an update, I managed to get the new version of testdisk to copy the backup BS to the start of the drive.

testdisk was unsuccessful beyond that point, it couldn't find the MFT

I used GetDataBack NTFS, which was able to recover everything that was recoverable. Just for future ref for anyone that has this issue in future
All times are UTC+01:00
Page 1 of 1

Powered by phpBB® Forum Software © phpBB Limited