grancharov

How to recover accidentally deleted partition/files?

57 posts in this topic

Hello!

This is my problem and I hope somebody here can help me. HDD is WD20EARS - for data only - not system. OS is XP 32 bit. When I first installed this HDD, I reserved some 8 GB partition (not formatted) and the rest 1.8 TB was used for the files. Today I decided to delete this not formatted partition because I didn't want to see it between the other drive's letters. Obviously this was a big mistake because the second partition also disappeared with all of the files there. At first I tried PartedMagic with TestDisk and it showed start of the main partition at sector 16370235 and end at 3907024064 sector and total 3890653830 sectors. I am not so familiar with partition management so I tried to recover the partition in XP with PartitionWizard. This program showed slightly different sectors for the beginning and the end of the partition. I think this was my second mistake because after PW finished, it showed ntfs-partition but there was nothing. XP still wasn't able to see the partition so I rebooted the system. Then appeared that blue screen with the check disk tool and after the check the partition appeared in XP, but it is empty. Can I really recover the partition or at least most of the files? I now run deep analysis with TestDisk and after several hours (the next morning here :)) I will have some results. This is a powerful tool and I don't know exactly what to do so I will need help.


The analysis says - "The harddisk seems too small" - 4497 GB. There are two FAT16 partitions and I don't know where they came from.

[Attached screenshot]


It is actually 2 TB - WD20EARS. Something went wrong with the partitions and maybe also with the XP check disk tool that ran after one reboot after I (was thinking) recovered the main partition with PartitionWizard.


The screenshot shows very little.

You should run TESTDISK again with a LOG (and post/attach the LOG, not a screenshot).

Also, you did not provide an EXACT (enough) report of the actions you took.

How EXACTLY (on which OS; with which tool giving which EXACT commands) did you try to delete the first partition?

The issue (more or less) is the following (now).

IF you recreated a NTFS partition starting on the SAME address (or a "near enough" one) you have effectively overwritten the $MFT of the original NTFS partition and you won't be able to recover the "previous" partition contents (but you might be able to recover most of the files in it, with file-oriented recovery software, very likely losing the filenames). :(

IF on the other hand you recreated the new NTFS partition on a DIFFERENT address (or "far enough" one) like it would be if you created just a single partition starting from the beginning of the disk, there is a chance that the new $MFT did not overwrite the previous one and thus it is possible to recover a large part of the filesystem. :)

The data "sector 16370235 and end at 3907024064 sector and total 3890653830 sectors" represent a "valid" partition created with the "old" Cylinder boundary standard (possibly through XP or a third party tool, not with Vista :ph34r: or later)

On such a partition the $MFT should start at 786432*8+16370235=22661691

First check you should make would be to use a disk viewer/editor and verify that absolute sector 22661691 is the actual start of $MFT .

jaclaz


I have some LOG, but I don't know if this is enough or I should go further with TestDisk actions. OS is XP 32 bit and I used the standard tool - Disk Management. According to TestDisk the main partition should start at sector 16370235 and end at sector 3907024064. I tried to recover the main partition with PartitionWizard - Partition Recovery Wizard. It showed start at sector 16370298 and end at 3907020601. Does this mean that I should go for file recovery and not partition recovery? I was hoping that if I resize this now looking empty partition to its correct boundaries...

"First check you should make would be to use a disk viewer/editor and verify that absolute sector 22661691 is the actual start of $MFT ." - PartitionWizard shows: Partition type ID: 0x7 Serial Number: 0x1cb6bb8c1f403a0; First Ph sector: 16370298; Last Ph. sector: 3907020601 - Is that what you ask for?

Should I try to make a copy with Data RescueDD? I have a NAS and I can use one 2 TB HDD that I have there.

testdisk.txt


Actually you should have done the image BEFORE fiddling with the disk, and right now it would (unless you continue fiddling, doing "random" things to that poor little disk ;)) be just losing some time.

The idea is to first verify by ONLY reading some data on the disk, if it is recoverable (as filesystem).

If it is not, the free space you have will become useful as target for the "file-oriented" recovery attempt.

Ideally you should get "partition wizard", whatever it is, in the dustbin and not even think of using it again (unless told by someone to actually use it).

Last time I checked them there were 3 or 4 programs called "partition wizard", WHICH one have you used?

I need to:

  • understand WHAT EXACTLY you did (please describe everything you did, with the most details you can remember)
  • have you perform a couple of tests by reading/copying a few "key" sectors

The point is this.

  1. IF you ONLY created a partition entry in the MBR AND did NOT "format" it, then it is possible that the filesystem is recoverable
  2. IF you - through any means - "formatted" the partition then IF it was a "quick" format, you have lost the filesystem for good BUT file recovery might be possible
  3. IF you - through any means - "formatted" the partition then IF it was a "full" format (as an example as performed by Vista :ph34r: or later) then not only the filesystem is lost forever but also each and every file that was there.

To quickly disambiguate, of the above three actions, #1 is instantaneous, #2 would have taken several seconds/minutes, #3 would have taken hours.

Without knowing what EXACTLY you did and under which EXACT OS and with WHICH EXACT tool, I cannot provide you with any meaningful support/advice.

You seemingly do not know what is (let alone use it) a disk editor/viewer.

Go here:

http://mh-nexus.de/en/hxd/

http://mh-nexus.de/en/downloads.php?product=HxD

and get this file:

http://mh-nexus.de/downloads/HxDen.zip

It is the portable English edition of the Nexus HD editor.

Uncompress in a directory.

Run Hxd.exe, it will ask you to create a configuration file in the directory, tell it "OK".

Then Extras->Open Disk. Select the disk: you want to choose among the Physical disks, and since it is /dev/sdc in TESTDISK, that disk should be Hard Disk 3 (the numbering is the same that you can see in disk management). LEAVE the tickbox to "read only".

On the top bar there is an "edit box" Sector 0.

Write in it 22661691 and press Enter.

You should now be on sector 22661691 of the disk.

It should begin with "File0" and around the middle of it you should be able to see "$.M.F.T.".

If you use the little up arrow beside the "Edit box" you can go on later sectors.

Every other sector should begin with "File0", the next one beginning with "File0" should have around the middle "$.M.F.T.m.i.r.r."

If you continue to go ahead, you should find a number of sectors with the "default" hidden files of a NTFS filesystem, like $LogFile, $boot, $Quota, etc.

If you continue to go ahead, within a few sectors you should be able to recognize some file/directory names that were on the disk.

If you can find some of them visually, there are good chances that the filesystem can be recovered, if after a few tens of sectors there are no such filenames, the $MFT is lost (and your only chance is file based recovery).

jaclaz


OK - I will try again.

I had 2 partitions - G and H on WD20EARS. The first one was 8 GB and not formatted. I didn't want to see the letter for that partition so I decided to delete it from the Disk Management tool in XP. Then the second - ntfs-partition disappeared. I loaded Parted Magic but didn't write anything to HDD. In the past I managed to recover accidentally lost partition with MiniTool Partition Wizard so I used it again.

[Attached screenshot]

Then I ran Wizard - Partition Recovery Wizard - I don't know if this is some kind of formatting... It definitely didn't take hours - I think it is the first or second case.

I didn't perform reading/copying "key" sectors - don't know how.

There are only Zeroes on sector 22661691. The symbols begin at sector 138270720.

[Attached screenshot]


Wait a minute.

It is possible that originally you made a (huge) Extended partition and created two logical volumes in it? :unsure:

That would explain how you managed to delete BOTH volumes from XP disk Management, and also the reason why in the posted screenshot of Minitool Partition Wizard the "lost" partition is seen as "logical".

What we need to find is the $MFT of the volume that you had as H:.

A "normal" NTFS partition sized above 5 or 6 Gb has its $MFT on cluster 786432 and the default cluster size for a NTFS partition of that size should be 8 sectors.

So, the $MFT should not be before 786432*8=6291456 sectors starting from the beginning of the volume.

Here the problem seems to be that we don't know for sure where the volume exactly began.

Try the following:

  1. in HxD, go to sector 6291456 of the disk
  2. once there Search->Find "search for=FILE0 Datatype=Text-string Search direction=Forward"

It may take a long time for the search to find a hit (if any).

Alternatively, as it might be faster/better, do the following:

  1. get DMDE from here: http://dmde.com/
  2. extract it to a directory
  3. run dmde
  4. Select the PhysicalDisk 3
  5. click on the button "NTFS search"
  6. leave the scan areas settings "start sector" at 0
  7. change the "end sector" by using the cursor to something around 20 Gb (jot down the exact sector number)
  8. click on Search
  9. post a screenshot of results (if any)
  10. if no results are found, re-run the search by selecting "Range", this time use as "start sector" what you had before as "end sector" and limit the "end sector" to 40 Gb
  11. if no result repeat up to 60 Gb and then up to 80 Gb (I don't think there can be anything of use beyond this range)

jaclaz


I mounted this HDD many months ago and I don't remember - I guess it is possible.

From HxD I saw that there are symbols from sector 77453312 to 93916713 and from 138270720 to 3907024064 and also in the first sector.

ntfsscan.log.txt

[Four attached screenshots]


Good. :)

So DMDE found two possible NTFS volumes:

NTFS 0 which has 4412 entries in the $MFT and that supposedly starts at sector 16373760

NTFS 1 which has 5 entries in the $MFT and that supposedly starts at sector 16370298

The sector 16373760 corresponds to CHS 1019/55/61 and is correctly "Mb" aligned, as 7995*1048576/512=16373760

The sector 16370298 corresponds to CHS 1019/1/1 (which is the data currently in the MBR) and is correctly "cylinder" aligned.

It seems like originally the Disk has been partitioned/formatted under an OS (or with a tool) that aligns to Mb and that (for whatever reason) the tool you used cannot recognize such partitioning scheme and defaulted to a "cylinder aligned" values.

If this is the case, if in DMDE you select the NTFS0 volume and press the "Open Volume" button, and in the window that opens you click on the [+] besides "Root", you should be able to see most if not all the files you had before.

If you click on "Metadata" and click on the line that starts with $AttrDef, on the right panel you should see the $MFT entry and its creation date (see if it "sounds" like the right one for the period when the disk was originally formatted).

If you double click on the $MFT entry in the right top pane, in the lower one you should see the actual LBA of the $MFT and a hex view of it.

See the attached screenshot of an "example" volume.

Does this happen?

What do you find instead?

jaclaz

[Attached screenshot]

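The checks discussed in the thread up to this point can be scripted read-only against a disk image, shown here as an added example that is not part of the original posts and not how DMDE or TestDisk work internally. It finds NTFS boot sectors, derives the absolute $MFT sector from the boot sector's cluster fields, counts the FILE records found there, and classifies the alignment of the start sector. The 255/63 geometry, the 1024-byte record size, the names `find_ntfs` and `demo_image`, and the sample image itself are assumptions constructed for this example.

```python
import io, struct

SECTOR, HEADS, SPT = 512, 255, 63   # 512-byte sectors; assumed legacy 255/63 geometry

def lba_to_chs(lba):   # absolute sector -> (cylinder, head, sector)
    cyl, rem = divmod(lba, HEADS * SPT)
    head, sec = divmod(rem, SPT)
    return cyl, head, sec + 1

def alignment(lba):    # 1 MiB boundary, start of a CHS track, or neither
    if lba % (1024 * 1024 // SECTOR) == 0:
        return "MiB"
    return "cylinder" if lba_to_chs(lba)[2] == 1 else "none"

def parse_boot(sec):
    """Return (sectors_per_cluster, mft_lcn) for an NTFS boot sector, else None."""
    if len(sec) < SECTOR or sec[3:11] != b"NTFS    " or sec[510:512] != b"\x55\xaa":
        return None
    # 0x0B bytes/sector (2), 0x0D sectors/cluster (1), 34 bytes skipped, 0x30 $MFT LCN (8)
    bps, spc, mft_lcn = struct.unpack_from("<HB34xQ", sec, 0x0B)
    return (spc, mft_lcn) if bps == SECTOR and spc else None

def find_ntfs(f, first, last):
    """Read-only scan of sectors first..last; one dict per NTFS boot sector found."""
    hits = []
    for lba in range(first, last + 1):
        f.seek(lba * SECTOR)
        boot = parse_boot(f.read(SECTOR))
        if boot is None:
            continue
        mft, records = lba + boot[1] * boot[0], 0   # volume start + LCN * cluster size
        while True:                                 # count consecutive 1024-byte FILE records
            f.seek((mft + 2 * records) * SECTOR)
            if f.read(4) != b"FILE":
                break
            records += 1
        hits.append({"start": lba, "chs": lba_to_chs(lba), "align": alignment(lba),
                     "mft": mft, "records": records})
    return hits

def demo_image():
    """Constructed sample: small image with NTFS boot sectors at LBA 63 and 2048."""
    img = bytearray(2200 * SECTOR)
    for start, nrec in ((63, 1), (2048, 3)):
        base = start * SECTOR
        img[base + 3:base + 11], img[base + 510:base + 512] = b"NTFS    ", b"\x55\xaa"
        struct.pack_into("<HB34xQ", img, base + 0x0B, SECTOR, 8, 4)   # $MFT at cluster 4
        for i in range(nrec):
            struct.pack_into("4s", img, (start + 4 * 8 + 2 * i) * SECTOR, b"FILE")
    return io.BytesIO(bytes(img))
```

On a real image, pass a file opened with `open(path, "rb")` and keep `first`/`last` to a bounded range, as the posts do with the DMDE scan areas. A candidate whose $MFT location holds many FILE records is the more plausible original volume than one holding only a handful.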

Yes - when I initially mounted this HDD, I used the tool(Acronis I think) recommended from WD to align the partition from 512 b to 4 k - I use 32 bit OS.

I don't see anything on NTFS0.

On NTFS1 $Root I see only RECYCLER and System Volume information. In the Metadata I see 14-oct-2010 - the date I bought the HDD.

[Two attached screenshots]

In NTFS1 $MFT I see this:

[Attached screenshot]


Sorry but now I can't upload another screenshot - "You can upload up to Uploading is not allowed of files (Max. single file size: 100MB)" - don't know why.

In $Noname02 I can't see anything under MetaData and $Root. Instead in $Noname01 I see what I uploaded already.


Yes, there is a "max size" of the attachments.

You can upload the screenshots to a free hosting service, like -as an example - zshare:

http://www2.zshares.net/

If you compare the screenshot you posted:

http://www.msfn.org/board/uploads/post-384634-0-60686200-1385318959.jpg

with this snippet of the DMDE Help:

Indicators - volume diagnostic indicators (indicate correspondent structure presence):

  • T – partition table;
  • E – table entry;
  • B – volume boot sector;
  • C – boot sector copy;
  • F – MFT(0) for NTFS or Root for FAT (is being tested on FAT volume opening);
  • f – MFTMirr(0) for NTFS;
  • x – structure is absent or damaged;
  • – structure is not tested.

Red color indicates errors in the partitioning.

and based on your previous screenshot here:

http://www.msfn.org/board/uploads/post-384634-0-91885300-1385309565.jpg

you will see how everything confirms that the "good" volume is the one starting on 16373760, it is possible that you (or DMDE) are doing *something* that currently prevents the correct parsing of that volume data.

Maybe you should try closing and restarting DMDE, then do a new scan, starting from fresh.

When you get to this screenshot:

http://www.msfn.org/board/uploads/post-384634-0-91885300-1385309565.jpg

if you select the "NTFS0" it should open the "right" data.

It is possible that something has been modified by your previous attempts with partition wizard or by the built-in Windows tools, but I doubt it, in any case there is "enough" to attempt a filesystem based recovery.

(i.e. it is worth the time to make a dd-like copy of the disk as is)

In DMDE re-open the Physical disk, then go to "Tools"-> Copy Sectors, click on Partition button, on the dialog that opens click on the PhysicalDisk listing and click OK (this will auto-compile the fields Start Sector and End Sector in the "Source" part of the dialog), choose in the "Target" part a file.

Be VERY careful to choose a drive with enough space!

The resulting file will be a 1:1 copy of the disk, so it will be 2 Tb in size!

Consider that it will take several hours to make the copy and if - for whatever reasons - either the source or the target disk tend to heat up, it would be a good idea to add something to keep them cool, like a small fan.

jaclaz
