555 files failed

Using PhotoRec to recover lost data
Post Reply
Message
Author
senfsavoi
Posts: 2
Joined: 07 Jul 2017, 14:31

555 files failed

#1 Post by senfsavoi » 07 Jul 2017, 15:05

Hi, I am using testdisk 7-0, included in system rescue cd
I deleted a partition or several (yes, I am not sure what I did) but didn't write anything to that disc after that. I didn't delete the first one, which is a swap partition. The size of the disk is 320GB.
One of them (if I deleted several...) is the biggest one, NTFS format, with lots of folders and files.

Testdisk told me that I had a GPT partition table (hint) So I chose that.
But then I got the error that the hard drive is too small.
Anyway, I chose one of the partitions that appeared to be the big important one, listed the files, the files were there. Nothing in red, at least not on main screen, but inside of one of the many folders who knows.
I selected all files (a) and then copied them to another drive.
At the end I got that a lot of files had been copied but 555 failed.

If I check the testdisk.log, the only weird thing I can find is many lines at the end of file containing "Cannot find attribute type 0x80"
The number of these lines is more than 555 times >>> EDIT: There are in fact 555 lines with that error.
I would like to know where those files were, their names or something.

I have repeated the same choosing "intel" at the beginning, and then I got 2 partitions listed, both in green color (don't know why the green color now)
I again chose the big one and copied files again to another hardrive. Same thing. 555 files failed.
I don't know where to look that tells me which files are the problematic ones... Plus I would like to understand the problem about "hard drive too small", when I go the GPT route. In the meantime I will do a deep search.
Thanks for any help.
Last edited by senfsavoi on 08 Jul 2017, 12:34, edited 1 time in total.

Sponsored links

User avatar
cgrenier
Site Admin
Posts: 3687
Joined: 18 Feb 2012, 15:08
Location: Le Perreux Sur Marne, France
Contact:

Re: 555 files failed

#2 Post by cgrenier » 08 Jul 2017, 08:43

Without the testdisk.log file, it's difficult to help you.

Otherwise the MFT attribute 0x80 is the $DATA attribute.
https://digital-forensics.sans.org/blog ... ft-entries

senfsavoi
Posts: 2
Joined: 07 Jul 2017, 14:31

Re: 555 files failed

#3 Post by senfsavoi » 08 Jul 2017, 12:03

Hi, thanks for your reply.
One thing I want to correct is that indeed there are 555 lines with the error, I don't know why, maybe I was viewing the logfile while it was doing the copy or something and then I closed it and the file changed.
Anyway, those are the 555 lines with that error. I still don't know after your reply if it means there are 555 files that I am not going to recover, or if it means they are "really small" bunches of data that are not important.

Another detail, the size of the existing swap partition is 1GB.

About the logs, I am going to attach 2 of them, the first small one with a normal scan (quick search), the second one is really big, with the deeper search.
For a quick idea, I am going to copy here the resulting screen after each of the scans/searches

Log with quicksearch (I wrote some notes on it)
https://mega.nz/#!iAsmSBxZ!JAA9zWjRjRZ- ... JlHZsW8tBw

Resulting screen after quick search (choosing GPT partition)

Code: Select all

TestDisk 7.0, Data Recovery Utility, April 2015
Christophe GRENIER <grenier@cgsecurity.org>
http://www.cgsecurity.org

Disk /dev/sda - 320 GB / 298 GiB - CHS 38913 255 63

The harddisk (320 GB / 298 GiB) seems too small! (< 639 GB / 595 GiB)
Check the harddisk size: HD jumpers settings, BIOS detection...

The following partitions can't be recovered:
     Partition               Start        End    Size in sectors
>  MS Data                625139711 1248180215  623040505
   MS Data                625141759  651526142   26384384
Resulting screen after quick search (choosing intel partition)

Code: Select all

TestDisk 7.0, Data Recovery Utility, April 2015
Christophe GRENIER <grenier@cgsecurity.org>
http://www.cgsecurity.org

Disk /dev/sda - 320 GB / 298 GiB - CHS 38913 255 63
     Partition               Start        End    Size in sectors
>* Linux Swap               0  32 33   130 170 40    2097152
 P HPFS - NTFS            130 170 41 38913  37 36  623040512
Log containing deeper search
https://mega.nz/#!2AtVVYbL!5ihZel_MnsfH ... 5XbqMTJcwI

Resulting screen after deeper search

Code: Select all

TestDisk 7.0, Data Recovery Utility, April 2015
Christophe GRENIER <grenier@cgsecurity.org>
http://www.cgsecurity.org

Disk /dev/sda - 320 GB / 298 GiB - CHS 38913 255 63

The harddisk (320 GB / 298 GiB) seems too small! (< 2305843 TB / 2097152 TiB)
Check the harddisk size: HD jumpers settings, BIOS detection...

The following partitions can't be recovered:
     Partition               Start        End    Size in sectors
>  MS Data                466723007 4503600094429169 4503599627706162 [ck: %04x tv: %lu %lu adj: %d
   MS Data                466723135 1792123198 1325400064
   MS Data                625139704 1248180208  623040505
   MS Data                625139711 1248180215  623040505
   MS Data                625141759  651526142   26384384
So far, what makes more sense to me is when I choose Intel partition, because I really think that was all, a 1GB swap partition (that I didn't delete) and a big NTFS partition (the one that I deleted).
But if I check this drive with gparted (where I can see the 1 GB swap partition and rest unallocated), it really says GPT partition table...
Image

With testdisk and the GPT option, all the numbers referring to starting sector, end sector and total of sectors don't make sense because they go beyond the real amount of sectors (as displayed in gparted for the total of the disk)

Post Reply

Who is online

Users browsing this forum: No registered users and 2 guests