Trying to recover a NTFS corrupt partition
Super User Asked by abiyi on December 8, 2020
I’m stucked with the fixing of a NTFS partition, which I kind of recovered from the MFT backup using TestDisk 7.2-WIP on Windows 7, even so the partition recovered is corrupted.
Applying on Debian Linux the instructions of https://www.andreafortuna.org/dfir/how-to-extract-data-and-timeline-from-master-file-table-on-ntfs-filesystem/ to analyze the Master File Table (with analyzeMFT.py) I can get the partition layout of the hard drive:
debian:~# mmls /dev/sdc
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors
Slot Start End Length Description
000: Meta 0000000000 0000000000 0000000001 Primary Table (#0)
001: ------- 0000000000 0000016063 0000016064 Unallocated
002: Meta 0000000063 0976773119 0976773057 Win95 Extended (0x0f)
003: Meta 0000000063 0000000063 0000000001 Extended Table (#1)
004: 001:000 0000016064 0976768064 0976752001 NTFS / exFAT (0x07)
005: ------- 0976768065 0976773167 0000005103 Unallocated
I’m interested in the NTFS / exFAT (0x07) partition, starting in the offset of 16064
But instead of displaying the content of that inode, it shows an error:
debian:~# icat -o 16064 /dev/sdc 0 > mft.raw
Cannot determine file system type
Specifying the file system is futile…
debian:~# icat -f ntfs -o 16064 /dev/sdc 0 > mft.raw
Invalid magic value (Not a NTFS file system (magic))
… not even as a RAW filesystem:
debian:~# icat -f raw -o 16064 /dev/sdc 0 > mft.raw
Function/Feature not supported (Illegal analysis method for raw data )
Even fdisk says it’s a NTFS filesystem:
debian:~# fdisk -l /dev/sdc
Disk /dev/sdc: 465.8 GiB, 500107862016 bytes, 976773168 sectors
Disk model: 00LPVX-22V0TT0
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0xa5eb893d
Device Boot Start End Sectors Size Id Type
/dev/sdc1 63 976773119 976773057 465.8G f W95 Ext'd (LBA)
/dev/sdc5 16064 976768064 976752001 465.8G 7 HPFS/NTFS/exFAT
ntfsfix finally provides some insight into the problem:
debian:~# ntfsfix /dev/sdc5
Mounting volume... NTFS signature is missing.
FAILED
Attempting to correct errors... NTFS signature is missing.
FAILED
Failed to startup volume: Invalid argument
NTFS signature is missing.
Trying the alternate boot sector
Unrecoverable error
Volume is corrupt. You should run chkdsk.
But I was twice wrong, chkdsk can’t even work with the filesystem, it says it’s a RAW filesystem:
C:Windowssystem32>chkdsk d: /f
The type of the file system is RAW.
CHKDSK is not available for RAW drives.
The question is: How to set the filesystem type as NTFS without formatting the partition?
Add your own answers!
Ask a Question
Get help from others!
Recent Answers
- Peter Machado on Why fry rice before boiling?
- Joshua Engel on Why fry rice before boiling?
- Lex on Does Google Analytics track 404 page responses as valid page views?
- Jon Church on Why fry rice before boiling?
- haakon.io on Why fry rice before boiling?
Recent Questions
- How can I transform graph image into a tikzpicture LaTeX code?
- How Do I Get The Ifruit App Off Of Gta 5 / Grand Theft Auto 5
- Iv’e designed a space elevator using a series of lasers. do you know anybody i could submit the designs too that could manufacture the concept and put it to use
- Need help finding a book. Female OP protagonist, magic
- Why is the WWF pending games (“Your turn”) area replaced w/ a column of “Bonus & Reward”gift boxes?