l i n u x - u s e r s - g r o u p - o f - d a v i s
Next Meeting:
July 7: Social gathering
Next Installfest:
Latest News:
Jun. 14: June LUGOD meeting cancelled
Page last updated:
2004 May 23 19:18

The following is an archive of a post made to our 'vox-tech mailing list' by one of its subscribers.

Report this post as spam:

(Enter your email address)
Re: [vox-tech] data recovery via linux
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [vox-tech] data recovery via linux

If you know what the partition should look like (i.e., One primary
partition that tapes up the entire hard drive), you can recreate it using
a non-destructive partitioning utility and get the data back.  That's
assuming the actual partition itself is intact.  I've done this using
`fdisk` under Linux to recover a partition, but each partitioning utility
is a little different, so using a partitioning utility to recover a
partition that wasn't originally used to create it could be a problem.
In my situation, the original partition *was* created using `fdisk` so
recreating it using `fdisk` didn't cause any problem.

Another option is to figure out where NTFS partition starts, then mount it
under Linux. Linux can do this without the partition table, as long as you
can tell it where the NTFS starts.  This is a little dirty process but
it's doable.  What's more, this is a good option because it's
non-destructive -- even if it turns out the method doesn't work, it
doesn't require writing to the hard drive so it won't damage the hard
drive as long as you don't accidentally write to it.  Here are the steps:

   1. Make sure you're using a Linux that has a NTFS reading capability.

   2. Figure out what the NTFS's partition header looks like.

   3. Find out where the NTFS paritition begins on the damaged
      hard drive.

   4. Mount it using `mount /dev/hdX /mnt -o offset=<offset>`, where
      <offset> is where the NTFS partition begins.

   5. Copy over any data you need.

I'll let you figure out #1.  #2 is the most complex part, and if you can't
find the information on the Internet, you can find it out yourself like

   A. Get a hard drive with an accessible NTFS partition.

   B. Check its partition table to see where the NTFS partition starts.

   C. Grab the first few bytes from the beginning of the partition.
      That's the NTFS partition header (probably.)

Then in #3, you need to figure out where the NTFS header begins.  You'll
probably need to write a small program that walks through /dev/hdX and
find out where the header is.

#4 and #5 are self-explanatory.

I hope that makes sense.

If all else fails, you can run `strings /dev/hdX | less` to get some text
data.  Though much of it won't be contiguous, it's an option nonetheless.
Good luck!


On Thu, 20 May 2004, dylan wrote:

> Hi!
> recently we had a mysterious problem at work:
> yesterday afternoon i used one of our win2k machines to do some regular
> stuff. in the morning the machine was off. when powered up it acted like
> there was no operating system installed. the dept. IT people took the hard
> drive to their office and ran some diagnostics on it... they said that the
> hard drives appears to be 'empty' to their tools.
> the disk is a 20Gb NTFS formatted drive, that has been at about 95% capacity
> for the last 5 months. i wonder if running at 95% capacity could have lead
> to fragmentation of the partition mac... i picked up this crazy idea reading
> a recent slashdot article:
> http://apple.slashdot.org/article.pl?sid=04/05/19/1531236&mode=thread&tid=17
> 9&tid=182&tid=185&tid=190
> so- i am wondering what the best plan of attack at recovering some of the
> files from the drive via unix/linux tools.
> 1. is there any way to get data off of a drive that has a hosed partition
> table?
> 2. if so, would it be possible to get non-text type files off?
> any ideas/comments/etc would be greatly appreciated!
> thanks!
> Dylan
> _______________________________________________
> vox-tech mailing list
> vox-tech@lists.lugod.org
> http://lists.lugod.org/mailman/listinfo/vox-tech

Mark K. Kim
AIM: markus kimius
Homepage: http://www.cbreak.org/
Xanga: http://www.xanga.com/vindaci
Friendster: http://www.friendster.com/user.jsp?id=13046
PGP key fingerprint: 7324 BACA 53AD E504 A76E  5167 6822 94F0 F298 5DCE
PGP key available on the homepage
vox-tech mailing list

LUGOD Group on LinkedIn
Sign up for LUGOD event announcements
Your email address:
LUGOD Group on Facebook
'Like' LUGOD on Facebook:

Hosting provided by:
Sunset Systems
Sunset Systems offers preconfigured Linux systems, remote system administration and custom software development.

LUGOD: Linux Users' Group of Davis
PO Box 2082, Davis, CA 95617
Contact Us

LUGOD is a 501(c)7 non-profit organization
based in Davis, California
and serving the Sacramento area.
"Linux" is a trademark of Linus Torvalds.

Sponsored in part by:
O'Reilly and Associates
For numerous book donations.