Deleted renamed partitions, broken file systems, you name it

Using TestDisk to repair the filesystem
Forum rules
When asking for technical support:
- Search for posts on the same topic before posting a new question.
- Give clear, specific information in the title of your post.
- Include as many details as you can, MOST POSTS WILL GET ONLY ONE OR TWO ANSWERS.
- Post a follow up with a "Thank you" or "This worked!"
- When you learn something, use that knowledge to HELP ANOTHER USER LATER.
Before posting, please read https://www.cgsecurity.org/testdisk.pdf
Locked
Message
Author
joel96
Posts: 3
Joined: 27 May 2013, 18:34

Deleted renamed partitions, broken file systems, you name it

#1 Post by joel96 »

OS: Win7 x64 Professional

tl;dr: Get my drive un-reformatted.

I did a Quick Format in Disk Management, and I need to restore it to the normal file structure.

I don't have any recent system restore points. It all started when I noticed that there were two drives when there were supposed to be one in My Computer. One was the normal drive where all the files and Windows installation are stored, and the other drive had a different letter and was labeled System Reserved and had 100MB of space allocated. It was a partition of the main drive. One article I read said that the System Reserved drive is only used if you utilize BitLocker, which I do not. The article said the volume could be safely deleted from Disk Manager. I deleted the volume from disk manager, but there were still two partitions. I rebooted to make sure everything still worked, but it would no longer boot from that drive. So I followed more instructions from the Internet that said to format the 100MB partition and label it System Reserved, and from there I planned to copy-paste the files I'd copied off the drive prior to the deletion. What that ended up doing was renaming both partitions (despite being told from multiple sources it would only do it to the selected partition), and started to format the entire larger partition of the drive. I immediately closed Disk Manager, but the file directory had already been changed, and the drive contents couldn't be accessed from a completely different hard drive I'm using now. We used testdisk to restore write-capability to the System Reserved partition, and to make it appear as a separate drive from the larger portion, and now shows up as 98.9MB instead of 100MB. I copy-pasted the files back from the emergency backup windows bootable drive to the System Reserved partition. The goal now is to restore the file directory for the main drive so that the contents are accessible from any other drive booting into Windows, and restoring the System Reserved partition back the way it was before deleting the System Reserved partition. Do you know how to get the file structure and bootability back?

And here's a reply I've gotten from a user on another site:
Techie007
That could be difficult. First of all, the second partition (the large one) needs to begin exactly where it previously did, so that old MFT offsets remain good. Next, the MFT offset data in the header of the partition needs to point to the old MFT. However, part of the MFT (including the important beginning which says where all the MFT's fragments are) could possibly be overwritten with the new blank MFT, which could make repair nearly impossible. Succeeding that, you will probably need to write a new boot sector to both the 1st and 2nd partitions.
For your information, the MFT file on the disk begins with "FILE0", which is also the beginning of a file record. The file records are usually 1,024 bytes long, and each one begins with "FILE0". The filename that the record is storing starts at the 243rd byte in after the "FILE0". Perhaps you could find the old MFT by searching for "FILE0" in a hex editor (I like HxD). I don't know where in the partition's header the MFT's offset is stored, however. And this would only work if the beginning of the old MFT was not overwritten with the new one.

Do you currently see both partitions, with the larger one being empty due to formatting? If so, it would might be easier to recover the files from the drive, reformat it, and put the recovered files back on the drive. I'm not certain how we would handle complicated reparse-point folders and linked files, however (I'm thinking of the mess in the Users folder). Try recovering files with Piriform Recuva. Go its settings dialog and turn on "Recover non-deleted files" and "Deep scan (increases scanning time)" before scanning the larger partition. Make sure that you recover the files to a totally different drive, or you will overwrite your data.

Then my reply to Techie007:
Let me know if I understand what is going on and what needs to be done before I do anything else:
"First of all, the second partition (the large one) needs to begin exactly where it previously did, so that old MFT offsets remain good." I need to find where the second partition originally began or if the beginning of the second partition has been moved or overwritten. You mentioned how to find the beginning of the MFT, but not how to find out the start of the partition.

Are the beginning of the partition and the beginning of the file record two different things?

I can find where the MFT begins by using HxD to search for "FILE0" and then counting 243 bytes after the FILE0 flag.

"Succeeding that, you will probably need to write a new boot sector to both the 1st and 2nd partitions." Earlier, you mentioned that overwriting the MFT would break the MFT and make it not bootable. I still have the contents from the smaller partition, and copy-pasted it from the backup drive to the first, smaller partition. How do I write the new boot sector without breaking anything?

I want to avoid having to extract the files rather than just restore the drive. I'm fine with doing it the hard way if it will restore bootability, since I don't have enough backup hard drive space to keep the extracted files. I'm wondering if Testdisk will help at all in restoring the drive. It has boot sector and MFT recovery, but right now the problem is that the larger partition reads as Free Space, because of the split-second reformat. I need to get it back to being a regular partition before it will be able to boot into the drive.

---
http://pastebin.com/CXeuf0jD
After running HxD, I searched for FILE0, and found it in Sector 16. I don't know how to go about counting exactly 243 bytes aside from doing it manually. The text bar next to the raw hex readout says near the middle of Sector 16 "$.M.F.T.". Other text of note says near end of Sector 0, "BOOTMGR is missing...BOOTMGR is compressed...Press Ctrl+Alt+Del to restart."

I ran a TestDisk cylinder analysis of the whole drive. It says that there are invalid FAT boot sectors, but the drive has always been formatted in NTFS. After it finished running the long scan in about three hours, it says that the harddrisk seems too small (see log). It also says that none of the partitions can be recovered (see log again). I'm thinking it's because TestDisk is not reading the disk geometry correctly. I don't want to actually change the geometry on the disk, just how it's being read to get TestDisk to perform a proper analysis.

mosgo2
Posts: 2
Joined: 06 Jun 2013, 00:46

Re: Deleted renamed partitions, broken file systems, you nam

#2 Post by mosgo2 »

I know it's been a while but I'm having a very similar issue, did you ever end up figuring it out? if so, how? :?

joel96
Posts: 3
Joined: 27 May 2013, 18:34

Re: Deleted renamed partitions, broken file systems, you nam

#3 Post by joel96 »

No, I haven't found any answers here. There's a discussion going on at overclock.net about restoring Win7 file structures, though.

Locked