bug-ddrescue

Re: Trying to rescue data from a failed NTFS HD


From: Martin Bittermann
Subject: Re: Trying to rescue data from a failed NTFS HD
Date: Sun, 27 Feb 2022 19:18:31 +0100
User-agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:91.0) Gecko/20100101 Thunderbird/91.6.1

Hello Quentin,

I hope your data rescue is going well.
Perhaps I can help with some suggestions to speed it up.

From your ddrescue output I can see that

* The average read rate is low, about 1 MB/sec
* ddrescue skips a lot over slow areas (non-trimmed: 10327 MB)

In such cases I find it helpful to limit the operation of ddrescue to
the most important sectors.
This is possible with the feature called 'Domain Mapfiles'.
From the ddrescue manual:

-m file
--domain-mapfile=file
    Restrict the rescue domain to the blocks marked as finished in the
    mapfile file. This is useful for merging partially recovered
    images of backups, or if the destination drive fails during the
    rescue. Use '-' as file to read the domain mapfile from standard
    input. Specialized tools like ddrutility or partclone can produce
    a domain mapfile listing all the used blocks in a partition,
    making the rescue more efficient.

To use a domain mapfile, you would simply interrupt the rescue, then
invoke ddrescue again with the additional parameter '-m domainfile',
like e.g.

% sudo ddrescue -n -b4096 -m /home/quentin/ntfs/ddrescue_part2_dom \
    /dev/sde \
    /home/quentin/nfs/data/forensic/ntfs_data.img \
    /home/quentin/ntfs/ddrescue_data

Here I have prepared a domain mapfile that excludes your first partition
(48GB) which is not important to you:

# Rescue Domain mapfile for partition 2
# Command line:
# current_pos  current_status
0x00000000     +
#      pos        size  status
0x00000000  0x00100000  +
0x00100000  0x0C35000000  ?
0x0C35100000  0x01C58C016000  +

This is of course of limited use, for all we know ddrescue might have
already copied the whole first partition.

To gain a better overview of the rescue status, you could use my program
ddrescueview, which visualizes ddrescue mapfiles.
See https://sourceforge.net/projects/ddrescueview/
There is a Debian package as well, but it has not yet been updated to
the latest version.
For usage with ddrescue 1.24 and later, I recommend you use the latest
version 0.4.5.

So after trying out the domain mapfile above, stop ddrescue again and
let's continue to reduce the rescue domain.
As the manual says, we can use ddrutility or partclone to create a
domain mapfile which includes only the used space on one partition.
The emptier your partition, the more useful ;-)
I've always used ddrutility when dealing with NTFS. It is a collection
of tools to supplement ddrescue.
See https://sourceforge.net/projects/ddrutility/
Especially read the whole manual section about ddru_ntfsbitmap.
Now you would run (in a separate directory, because ddru_ntfsbitmap
creates a bunch of files in the working directory)

% ddru_ntfsbitmap /dev/sde /home/quentin/ntfs/ddrescue_part2_dom_usedspace \
    -m /home/quentin/ntfs/ddrescue_part2_dom_mft -i 52429848576 -o "-n -b4096"

Now ddru_ntfsbitmap will invoke ddrescue a few times to recover the MBR,
MFT header and volume bitmap.
With some luck, this should yield two domain mapfiles which you can use
with your main rescue:

/home/quentin/ntfs/ddrescue_part2_dom_mft
->  marks only the clusters which hold the Master File Table, i.e. the
    most essential file system index. Start with this one and let it
    finish.

/home/quentin/ntfs/ddrescue_part2_dom_usedspace
->  marks all space occupied by files, folders, metafiles according to
    the volume bitmap. After the MFT is rescued successfully, use this
    domain.

Now it all depends on whether your disk plays nice...
I'm just assuming the best case scenario (Not much used space, HDD
copies all data in domain eventually).

The next logical thing to do is:
try to scrap some files from the .img ? (how ?)
In the best case scenario, ddrescue has already copied all essential
filesystem structures (not only the MFT) such that the image,
or more precisely: the partition inside the image, is mountable with
ntfs-3g (as you already tried, but please read-only):

% sudo losetup -P -r /dev/loop0 /home/quentin/nfs/data/forensic/ntfs_data.img
% sudo mkdir /mnt/ntfs_data
% sudo mount -o ro /dev/loop0p2 /mnt/ntfs_data

However, Linux is very picky. It won't mount a defective NTFS volume,
not even read-only.

That means you will most likely need to
a) prior to mounting, repair the filesystem on a COPY of your rescue
image (using ntfsfix or chkdsk) -or-
b) prior to mounting, repair the filesystem in your image while
diverting the changes done by ntfsfix to a buffer (using xmount) -or-
c) do not mount the image, but use a file recovery software on the image
and restore your files (testdisk or others)

I hope this helps with your rescue.

Best regards,
Martin
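
Added example (not part of Martin's message, nor code from ddrescue or ddrutility): a small Python script that intersects a rescue mapfile with a domain mapfile and totals the bytes per status inside the domain. DOMAIN holds the block lines of the domain mapfile from the message; RESCUE is a constructed sample, and the function names are this example's own.

```python
# Added example: bytes per ddrescue status inside a rescue domain.
# DOMAIN is the mapfile quoted in the message; RESCUE is constructed sample data.
DOMAIN = """\
# current_pos  current_status
0x00000000     +
#      pos        size  status
0x00000000  0x00100000  +
0x00100000  0x0C35000000  ?
0x0C35100000  0x01C58C016000  +
"""
RESCUE = """\
# current_pos  current_status  current_pass
0x0C75100000     ?               1
#      pos        size  status
0x00000000  0x0C35100000  +
0x0C35100000  0x40000000  +
0x0C75100000  0x10000000  *
0x0C85100000  0x01C53C016000  ?
"""

def parse_blocks(text):
    """Return [(pos, size, status)] from ddrescue mapfile text."""
    rows = [ln.split() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]
    # rows[0] is the status line (current_pos, current_status[, current_pass])
    return [(int(p, 0), int(s, 0), st) for p, s, st in rows[1:]]

def domain_status(domain_text, rescue_text):
    """Sum rescue-mapfile bytes per status inside the domain's '+' blocks."""
    rescue = parse_blocks(rescue_text)
    totals = {}
    for dpos, dsize, dstatus in parse_blocks(domain_text):
        if dstatus != "+":
            continue  # only blocks marked finished belong to the domain
        covered = 0
        for rpos, rsize, rstatus in rescue:
            overlap = min(dpos + dsize, rpos + rsize) - max(dpos, rpos)
            if overlap > 0:
                totals[rstatus] = totals.get(rstatus, 0) + overlap
                covered += overlap
        if covered < dsize:  # assumption: areas missing from the rescue mapfile count as non-tried
            totals["?"] = totals.get("?", 0) + dsize - covered
    return totals

if __name__ == "__main__":
    for status, nbytes in sorted(domain_status(DOMAIN, RESCUE).items()):
        print(f"{status}  {nbytes / 2**20:12.1f} MiB")
```

In the sample, the 48 GB already finished in the first partition adds nothing to the '+' total, because only the first 1 MiB and partition 2 lie inside the domain.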



