onlit4regs

still no partition on Seagate after successful unbrick

63 posts in this topic

size of image is 500 105 217 024 bytes

HOW can this have happened?

You posted:

so, here is what I've done for this grown image:

- datarescuedd the faulty drive in a single image of all sectors (with a lot of reading errors)

- mksparse <path>\my500GB.img 500105281536

- dsfi <path>\my500GB.img 0 0 <path>\thewhatever136GB.img

re-do, this time make sure that the resulting sparse image is actually 500105281536 or slightly more than that.

jaclaz

Edited by jaclaz

:blink:

don't know why the size was wrong.

I've redone it, it's now clearly 500 105 281 536 bytes

I've passed again testdisk on it, with same results as before: can see only one directory, and content is empty.

I've tried to mount with IMDisk this new made image my500GB.img, and still same result:

I've mounted it with IMDisk, with default parameters of size of virtual disk, etc. It showed a new letter, but impossible to browse this letter! (no filesystem type indicated in IMDisk, and windows can't see the size of partition, file or directory unreadable or corrupted ...) :realmad:

so, can't get fileextents to work on it too.

??

thanks


:blink:

don't know why the size was wrong.

I've redone it, it's now clearly 500 105 281 536 bytes

I've passed again testdisk on it, with same results as before: can see only one directory, and content is empty.

I've tried to mount with IMDisk this new made image my500GB.img, and still same result:

But you can still open it in DMDE, this time being NOT prompted with:

Volume does not fit into device:

Use this virtual volume size (this is what I've selected)

or

Use decreased volume size

and see the $MFT contents with it?

Since (the good thing is) that the image is a "copy", we can play a bit with it.

What happens if you mount it in IMDISK , open a command prompt and run in it:

CHKDSK F:

(provided that the drive letter assigned by IMDISK is F:, of course)?

But BEFORE that, can you check it again in TESTDISK, and do three things:

  1. do a log of the session
  2. check/verify/fix the $MFT Mirror
  3. post the actual log

jaclaz


But you can still open it in DMDE, this time being NOT prompted with:

Volume does not fit into device:

Use this virtual volume size (this is what I've selected)

or

Use decreased volume size

and see the $MFT contents with it?

yes, there is no more prompted message

on the lower right pane, I can see "FILE:$MFT" with all information about $FILE_NAME, $DATA,$BITMAP, ....

But BEFORE that, can you check it again in TESTDISK, and do three things:

  1. do a log of the session
  2. check/verify/fix the $MFT Mirror
  3. post the actual log

jaclaz

under testdisk, I've just searched for partition, display files (only display one empty directory) and that's all

I've attached the log

did you want other actions in testdisk ? I don't understand which action you mean on checklist #2

thanks

testdisk.log.txt


under testdisk, I've just searched for partition, display files (only display one empty directory) and that's all

I've attached the log

did you want other actions in testdisk ? I don't understand which action you mean on checklist #2

thanks

You see, in the log there is:

NTFS filesystem need to be repaired.

ntfs_readdir failed

Now we do know (from the PBR/bootsector) that the $MFT mirror is on cluster 61048000, i.e. 61048000*4096=250052608000 (given or taken the few sectors before) i.e. around 250 Gb, i.e. well beyond your "good" 134 Gb, so in practice there is NO $MFT mirror.

Actually - on a "normal" image it should be there (in the worst case) as all 00's BUT you have a sparse 500Gb image, so the $MFT Mirror actually doesn't exist at all. (I hope I make some sense to you now, a sector in a sparse file does not exist until something actually performs an operation on that sector).

This may be connected (or may be not) with the Windows IFS driver incapable to recognize the NTFS volume (error you have in IMDISK) and with the TESTDISK log (though it may be only PART of the issue).

The idea is to first thing use TESTDISK to create a new $MFTMirror from the actual $MFT, see here:

http://www.cgsecurity.org/wiki/Advanced_NTFS_Boot_and_MFT_Repair

Repair An NTFS MFT

The MFT (Master File Table) is sometimes corrupted. If Microsoft's Checkdisk (chkdsk) failed to repair the MFT, run TestDisk. In the Advanced menu, select your NTFS partition, choose Boot, then Repair MFT. TestDisk will compare the MFT and MFT mirror (its backup). If the MFT is damaged, it will try to repair the MFT using the backup. If the MFT backup is damaged, it will use the main MFT.

before attempting running CHKDSK.

jaclaz

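The offset arithmetic in the post above, generalised into a check that reads the $MFT and $MFTMirr cluster numbers from an NTFS boot sector and tests them against the recovered length. This is an added example, not code from the thread: the boot sector is constructed (only the $MFTMirr cluster 61048000 is from the thread), and `PART_START` and `RECOVERED` are assumptions.

```python
import struct

PART_START = 63 * 512      # ASSUMPTION: volume begins at sector 63 of the whole-disk image
RECOVERED = 136 * 10**9    # ASSUMPTION: approximate readable length copied in at offset 0

def parse_ntfs_pbr(sector):
    """Decode the NTFS BPB fields needed to locate $MFT and $MFTMirr."""
    if len(sector) < 512 or sector[3:11] != b"NTFS    ":
        raise ValueError("not an NTFS boot sector")
    bytes_per_sector, spc = struct.unpack_from("<HB", sector, 0x0B)
    if spc > 0x80:                      # large clusters are stored as a negative power of two
        spc = 1 << (256 - spc)
    total_sectors, mft_lcn, mirr_lcn = struct.unpack_from("<QQQ", sector, 0x28)
    return {"cluster": bytes_per_sector * spc, "total_sectors": total_sectors,
            "mft_lcn": mft_lcn, "mirr_lcn": mirr_lcn}

def locate_metadata(sector, part_start=PART_START, recovered=RECOVERED):
    """Byte offset of each metadata file in the image and whether it was recovered."""
    pbr = parse_ntfs_pbr(sector)
    result = {}
    for name, key in (("$MFT", "mft_lcn"), ("$MFTMirr", "mirr_lcn")):
        offset = part_start + pbr[key] * pbr["cluster"]
        result[name] = {"offset": offset, "recovered": offset < recovered}
    return result

def sample_pbr():
    """Constructed boot sector: only the $MFTMirr cluster (61048000) is from the thread."""
    s = bytearray(512)
    s[0:3] = b"\xEB\x52\x90"                             # jump instruction
    s[3:11] = b"NTFS    "                                # OEM ID
    struct.pack_into("<HB", s, 0x0B, 512, 8)             # 512-byte sectors, 4096-byte clusters
    struct.pack_into("<QQQ", s, 0x28, 976768000, 786432, 61048000)
    s[510:512] = b"\x55\xAA"                             # boot signature
    return bytes(s)

if __name__ == "__main__":
    for name, info in locate_metadata(sample_pbr()).items():
        state = "recovered" if info["recovered"] else "beyond recovered data"
        print(name, info["offset"], state)
```
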

I've done testdisk, Advanced Menu, Boot, and then Org.BS

it wrote backup sector with the original sector

then I've made "Repair MFT", it wrote the Mirror MFT with original MFT

I have the same problem mounting with IMDriver, no success under windows explorer

should I run a chkdsk now ?

thanks


should I run a chkdsk now ?

Yes. :)

Run it at first without parameters, then - again - with /F parameter and then - again - with the /R parameter.

Let's see what happens. :unsure:

jaclaz


ok, first checkdisk without parameters returns a lot of messages like this one (sorry it's translated from french):

errors corrected in index $I30 of file 42062

....

index verification terminated

errors found. chkdsk can not continue in read only mode

Then, with /F, a lot of messages like this:

errors corrected in index $I30 of file 41863

Sort of index $I30 of file 41863

Restore of orphaned file xxxx.xxx (1198) in file of directory 49

Insert of index entry with ID 311 in index $SDH of file 9

Fix of record segment of security file

...

Errors corrected in mirror of MFT

Errors corrected in "capslock" file

errors corrected in bitmap attribute of MFT

errors corrected in volume map

and finally with /F /R:

everything was ok

Then, I can see the directory and files under windows !! :thumbup

but of course, still unable to read the dozen of files I'm interested in.

should I give a try with the extents now ? (from your procedure in a previous post)

thanks a lot


Then, I can see the directory and files under windows !! :thumbup

but of course, still unable to read the dozen of files I'm interested in.

should I give a try with the extents now ? (from your procedure in a previous post)

thanks a lot

Yep :thumbup:

You may want to redirect the output of running getfileextents to a file, so that you have a list of the offsets (it would be a good idea to later use a spreadsheet to make a list of them).

A simple batch may be of use (make a directory C:\GFE\ and save this as GFE.CMD):


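@ECHO OFF
REM GFE.CMD - list the extents of one file with getFileExtents.exe and log them.
REM Usage: gfe.cmd F:\my_path\my_file.ext
SETLOCAL ENABLEDELAYEDEXPANSION
Set File=%~dpnx1
ECHO FOffset: LBA: Sectors: File
REM Fields 3, 5 and 7 of each output line are stored as Foffset, LBA and Sectors.
FOR /F "tokens=3,5,7 delims=: " %%A IN ('getFileExtents.exe "%File%"') DO (
CALL :octify Foffset %%A
CALL :octify LBA %%B
CALL :octify Sectors %%C
ECHO !Foffset! !LBA! !Sectors! %File%
ECHO !Foffset! !LBA! !Sectors! %File%>>gfelog.log
)
ECHO.>>gfelog.log
GOTO :EOF

REM Left-pad the second argument with zeros to 8 characters and store it
REM in the variable named by the first argument.
:octify
SET %1=0000000%2
SET %1=!%1:~-8,8!
GOTO :EOF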

depending on the spreadsheet and local settings you use, you can replace the spaces in the line:

ECHO !Foffset! !LBA! !Sectors! %File%>>gfelog.log

with either [TAB] or [COMMA] or [SEMICOLON]

jaclaz

Edit: Typo in the batch. "Good" version attached (just in case)

Edit2: Added as attachment gfedec.zip, that directly outputs decimal data instead of Hex

gfe.zip

gfedec.zip

Edited by jaclaz

sorry, but how to use your batch ?

gfe.cmd driverletter: ??

thanks


sorry, but how to use your batch ?

gfe.cmd driverletter: ??

thanks

No, you need to provide the full path to the target file.

If you want to know the extents of file (say) F:\my_path\my_file.ext, you would normally run:

GetFileExtents.exe F:\my_path\my_file.ext

hence:

gfe.cmd F:\my_path\my_file.ext

or

gfedec.cmd F:\my_path\my_file.ext

jaclaz


GetFileExtents always returns me this error:

initFileTranslation: invalid descriptor

(even when I try on the file that was recoverable)

:huh:


GetFileExtents always returns me this error:

initFileTranslation: invalid descriptor

(even when I try on the file that was recoverable)

:huh:

Hmmm. :unsure:

Try it on a file on another volume (a "good" one, with a working filesystem).

For very small files it won't work as they are stored directly in the $MFT, but it should otherwise work (I don't think that there are issues with the "sparse" nature of the underlying file, as it is mounted in IMDISK, you could try using a different mounting tool/driver, but it shouldn't actually matter).

Try another tool.

Get myfragmenter:

http://www.mydefrag.com/SeeAlso-MyFragmenter.html

(part of mydefrag):

http://www.mydefrag.com/Manual-DownloadAndInstall.html

make SURE to use it with the -i switch, i.e.

myfragmenter.exe -i F:\my_path\my_file.ext

What happens?

Also please, when posting the result of a command, post also the EXACT way you invoked it (command line), you did not specify how you invoked GetFileExtents, it could be that you invoked it wrongly (in the sense of having given it a non existing path or whatever)...

jaclaz


so, the command I used was:

getfileextents F:\myfile.txt

and always get the same error: initFileTranslation: invalid descriptor

on a "good" partition, it worked! no problem. It's only the mounted image that causes problems.

with myfragmenter, I have more results:

MyFragmenter.exe -i f:\montage\2011-tmp.pds

MyFragmenter v1.2, 2008 J.C. Kessels

Commandline argument '-i' accepted.

Processing: f:\montage\2011-tmp.pds

Fragment list:

Extent 1: Lcn=495625, Vcn=0, NextVcn=2

Extent 2: Lcn=28135076, Vcn=2, NextVcn=4

Extent 3: Lcn=48751063, Vcn=4, NextVcn=8

Extent 4: Lcn=48797290, Vcn=8, NextVcn=16

Extent 5: Lcn=50038742, Vcn=16, NextVcn=32

Extent 6: Lcn=26068714, Vcn=32, NextVcn=48

Extent 7: Lcn=94098378, Vcn=48, NextVcn=65

Extent 8: Lcn=74619826, Vcn=65, NextVcn=80

Extent 9: Lcn=95440487, Vcn=80, NextVcn=99

Extent 10: Lcn=106615323, Vcn=99, NextVcn=112

Extent 11: Lcn=95441871, Vcn=112, NextVcn=131

Extent 12: Lcn=48579698, Vcn=131, NextVcn=134

134 clusters, 12 fragments.

Finished, 1 files processed.

what do you suggest for next step ? :yes:

thanks a lot

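How the fragment list posted above maps to byte ranges in the whole-disk image, and which of those ranges fall inside the part of the image that was actually copied from the drive. This is an added example, not code from the thread: the 4096-byte cluster size comes from the earlier 61048000*4096 figure, while `PART_START` and `RECOVERED` are assumptions to replace with the real partition offset and recovered length.

```python
import re

CLUSTER = 4096            # bytes per cluster (the 61048000*4096 figure in the thread)
PART_START = 63 * 512     # ASSUMPTION: volume begins at sector 63 of the whole-disk image
RECOVERED = 136 * 10**9   # ASSUMPTION: approximate readable length copied in at offset 0

# Fragment list copied from the MyFragmenter output posted above.
SAMPLE = """
Extent 1: Lcn=495625, Vcn=0, NextVcn=2
Extent 2: Lcn=28135076, Vcn=2, NextVcn=4
Extent 3: Lcn=48751063, Vcn=4, NextVcn=8
Extent 4: Lcn=48797290, Vcn=8, NextVcn=16
Extent 5: Lcn=50038742, Vcn=16, NextVcn=32
Extent 6: Lcn=26068714, Vcn=32, NextVcn=48
Extent 7: Lcn=94098378, Vcn=48, NextVcn=65
Extent 8: Lcn=74619826, Vcn=65, NextVcn=80
Extent 9: Lcn=95440487, Vcn=80, NextVcn=99
Extent 10: Lcn=106615323, Vcn=99, NextVcn=112
Extent 11: Lcn=95441871, Vcn=112, NextVcn=131
Extent 12: Lcn=48579698, Vcn=131, NextVcn=134
"""

EXTENT_RE = re.compile(r"Extent\s+(\d+):\s+Lcn=(\d+),\s+Vcn=(\d+),\s+NextVcn=(\d+)")

def map_extents(text, cluster=CLUSTER, part_start=PART_START, recovered=RECOVERED):
    """Map each extent to a byte range in the image; flag ranges inside recovered data."""
    extents, expected_vcn = [], 0
    for m in EXTENT_RE.finditer(text):
        number, lcn, vcn, next_vcn = map(int, m.groups())
        if vcn != expected_vcn or next_vcn <= vcn:
            raise ValueError(f"extent {number}: VCN chain is not contiguous")
        offset = part_start + lcn * cluster      # LCNs count from the start of the volume
        length = (next_vcn - vcn) * cluster
        extents.append({"extent": number, "offset": offset, "length": length,
                        "recovered": offset + length <= recovered})
        expected_vcn = next_vcn
    return extents

def coverage(extents):
    """Return (total bytes, bytes that lie inside the recovered region)."""
    total = sum(e["length"] for e in extents)
    good = sum(e["length"] for e in extents if e["recovered"])
    return total, good

if __name__ == "__main__":
    rows = map_extents(SAMPLE)
    for e in rows:
        state = "recovered" if e["recovered"] else "beyond recovered data"
        print(f'{e["extent"]:>2} offset={e["offset"]:>13} length={e["length"]:>6} {state}')
    print("total/recoverable bytes:", coverage(rows))
```
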
