Re: [vox-tech] data recovery via linux
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [vox-tech] data recovery via linux
BTW, all standard disclaimers apply... But that goes without saying for
every advice we give on this list, right? =P
On Thu, 20 May 2004, Mark K. Kim wrote:
> If you know what the partition should look like (i.e., One primary
> partition that tapes up the entire hard drive), you can recreate it using
> a non-destructive partitioning utility and get the data back. That's
> assuming the actual partition itself is intact. I've done this using
> `fdisk` under Linux to recover a partition, but each partitioning utility
> is a little different, so using a partitioning utility to recover a
> partition that wasn't originally used to create it could be a problem.
> In my situation, the original partition *was* created using `fdisk` so
> recreating it using `fdisk` didn't cause any problem.
> Another option is to figure out where NTFS partition starts, then mount it
> under Linux. Linux can do this without the partition table, as long as you
> can tell it where the NTFS starts. This is a little dirty process but
> it's doable. What's more, this is a good option because it's
> non-destructive -- even if it turns out the method doesn't work, it
> doesn't require writing to the hard drive so it won't damage the hard
> drive as long as you don't accidentally write to it. Here are the steps:
> 1. Make sure you're using a Linux that has a NTFS reading capability.
> 2. Figure out what the NTFS's partition header looks like.
> 3. Find out where the NTFS paritition begins on the damaged
> hard drive.
> 4. Mount it using `mount /dev/hdX /mnt -o offset=<offset>`, where
> <offset> is where the NTFS partition begins.
> 5. Copy over any data you need.
> I'll let you figure out #1. #2 is the most complex part, and if you can't
> find the information on the Internet, you can find it out yourself like
> A. Get a hard drive with an accessible NTFS partition.
> B. Check its partition table to see where the NTFS partition starts.
> C. Grab the first few bytes from the beginning of the partition.
> That's the NTFS partition header (probably.)
> Then in #3, you need to figure out where the NTFS header begins. You'll
> probably need to write a small program that walks through /dev/hdX and
> find out where the header is.
> #4 and #5 are self-explanatory.
> I hope that makes sense.
> If all else fails, you can run `strings /dev/hdX | less` to get some text
> data. Though much of it won't be contiguous, it's an option nonetheless.
> Good luck!
> On Thu, 20 May 2004, dylan wrote:
> > Hi!
> > recently we had a mysterious problem at work:
> > yesterday afternoon i used one of our win2k machines to do some regular
> > stuff. in the morning the machine was off. when powered up it acted like
> > there was no operating system installed. the dept. IT people took the hard
> > drive to their office and ran some diagnostics on it... they said that the
> > hard drives appears to be 'empty' to their tools.
> > the disk is a 20Gb NTFS formatted drive, that has been at about 95% capacity
> > for the last 5 months. i wonder if running at 95% capacity could have lead
> > to fragmentation of the partition mac... i picked up this crazy idea reading
> > a recent slashdot article:
> > http://apple.slashdot.org/article.pl?sid=04/05/19/1531236&mode=thread&tid=17
> > 9&tid=182&tid=185&tid=190
> > so- i am wondering what the best plan of attack at recovering some of the
> > files from the drive via unix/linux tools.
> > 1. is there any way to get data off of a drive that has a hosed partition
> > table?
> > 2. if so, would it be possible to get non-text type files off?
> > any ideas/comments/etc would be greatly appreciated!
> > thanks!
> > Dylan
> > _______________________________________________
> > vox-tech mailing list
> > firstname.lastname@example.org
> > http://lists.lugod.org/mailman/listinfo/vox-tech
> Mark K. Kim
> AIM: markus kimius
> Homepage: http://www.cbreak.org/
> Xanga: http://www.xanga.com/vindaci
> Friendster: http://www.friendster.com/user.jsp?id=13046
> PGP key fingerprint: 7324 BACA 53AD E504 A76E 5167 6822 94F0 F298 5DCE
> PGP key available on the homepage
> vox-tech mailing list
Mark K. Kim
AIM: markus kimius
PGP key fingerprint: 7324 BACA 53AD E504 A76E 5167 6822 94F0 F298 5DCE
PGP key available on the homepage
vox-tech mailing list