Other Tools for analysing a partition dump

B

balanga

After an unfortunate accident (I specified ada0 instead of da0 in a script) I messed up a 320GB disk. If I dd this to a file on a different device are there any tools available to try and recover some files. The partition contained an MBR Windows installation which was overwritten by a 20GB GPT FreeBSD partition.

Any advice appreciated.
 
balanga said:
After an unfortunate accident (I specified ada0 instead of da0 in a script) I messed up a 320GB disk. If I dd this to a file on a different device are there any tools available to try and recover some files.
Click to expand...
Yes: your backups, that you can easily write back to that screwed up partition using the resp. recovery tools.
balanga said:
The partition contained an MBR Windows installation which was overwritten by a 20GB GPT FreeBSD partition.
Click to expand...
It would be helpful to know the filesystem type that overwrote your Windows data. AFAIK, the newfs(8) or the like does only write the metadata (superblock, etc.) necessary to manage the filesystem, on initialization. So many blocks containing your data will still be there, but very likely vital metadata of the NTFS filesystem is overwritten, so you can't know which is what...
 
How much did you mess up the disk? If you only changed the GPT partition table, and put everything back where it should be, it might be OK. If you overwrote a few MB at the beginning (with dd, or creating a new file system), then a NTFS recovery tool might get some stuff back, but I don't know about the state of NTFS recovery tooling. On the other hand, if you formatted a complete file system on that partition, and wrote a few GB on it, then Mjoelnir is right: Find your backup tapes.

In cluster file system circles, there used to be a joke: the most common source of damage is someone creating a Reiser FS on one of the shared disks. The joke is "funny" (in a tragic way) because Hans Reiser famously murdered his wife.
 
No comment. Thx for the reminder. The point to fix is: did you only mess up
  • only the partition table, or
  • overwrite the NTFS filesystem's vital metadata?
 
Guys, balanga already told what happened.
balanga said:
... messed up a 320GB disk. ... partition contained an MBR Windows installation which was overwritten by a 20GB GPT FreeBSD partition.
Click to expand...
I noticed that the forum port link didn't work when I entered "testdisk" there (without "sysutils").
It is actually sysutils/testdisk. (<-- this Freshports link is verified, works!)

It has been a well-known program for many years, was added as port in 2004 already.
People say it can even extract/restore files without metadata, by analyzing the binary data for known signatures, like multimedia files. Actually, iirc the development of that program started because somebody needed to restore valuable multimedia files where the filesystem metadata was destroyed/missing.

There even exists an official Polish wiki.
 
Ah, he overwrote the first 20GB of a 320GB file system. That means quite a bit of the NTFS metadata will be gone. But you can try a NTFS recovery tool. If I remember right, NTFS uses a strange layout, with no fixed inode area, no fixed allocation tables, instead spreading everything (data, metadata, and logs) all over. I think it combines directory entries and inode into a common entity. It might be possible to recover those for most of the files, if they were written in the area that was not damaged. There must be file system recovery tools (probably commercial) which work on NTFS.

A program like Snurg's "testdisk" (which looks for data blocks) might help. Hard to predict how much it will recover; and hard to predict how reliable that recovery will be.
 
ralphbsz said:
There must be file system recovery tools (probably commercial) which work on NTFS.

A program like Snurg's "testdisk" (which looks for data blocks) might help. Hard to predict how much it will recover; and hard to predict how reliable that recovery will be.
Click to expand...
The "testdisk" program is not mine, it just came into my mind because a) years ago, it was covered in detail by Germany's main computer magazine "c't", b) depending on the data and their layout (fragmentation?) there might be a chance to recover without fs metadata, and c) it is ported to FreeBSD. A try would cost only a bit of time.

Of course, a professional data rescue service offers more chances. But cost would be substantial, I guess...
 
You must log in or register to reply here.
Back
Top