Saturday, January 3rd, 2009 (2009/01/03)
Drew Scott Daniels
Adventures with testdisk
Testdisk seems like a great utility as does its companion PhotoRec. I recently had a single NTFS partition hard drive stop displaying its contents in Windows. When I tried to mount it in Linux, “mount” complained that the $MFT file which holds the metadata about where files are was missing or corrupt. My initial experiments with testdisk showed the same results. The mirrored copy of the MFT seemed to be missing or corrupt too.
To try to restore the MFT file, I wanted to use the beta TestDisk 6.11. I tried the Microsoft Windows version which seems to be Cygwin compiled. I’ve seen many problems with cygwin in the past so I have a bit of a distaste for it. I much prefer when applications are compiled with mingw. I gave it a try anyway, but couldn’t find the MFT recovery section. I later learned it was under Advanced, then Boot.
Since I had trouble with the Windows version, I pulled out an old copy of Knoppix (a Linux LiveCD) and booted to Linux with the startup options:
knoppix 2 noswap
The “2” boots to the command prompt which takes less memory. The noswap option prevents Knoppix from automatically trying to write files to any of the disks for “swap” space (AKA a page file). I later added the option “nodma” to try to make sure that the DMA controller/driver weren’t causing problems with trying to mount or run TestDisk.
Knoppix comes with the testdisk package installed, so I gave it a quick try. I didn’t find the MFT recovery section so I moved on to compiling TestDisk 6.11. I already had the source code so I copied that to /tmp and tried configuring it. Of course, I was missing build dependencies. After a while of playing I remembered I could do an “apt-get build-dep testdisk”, but I needed to update the /etc/apt/sources.list file first so that I didn’t try to pull in a new libc6 (my Knoppix CD was from 2006) or anything else like that. On reflection, I should have added the deb-src line for Debian unstable (sid) after, and done an “apt-get source testdisk”, then copied over the new TestDisk code, then did another round of getting build-deps.
I managed to get it compiled with a simple “./configure;make”, and ran the executable without needing to install the package. I still didn’t find the MFT option.
I rebooted back into Windows as my nagios monitor was of course reporting the host as being down, and my nightly bacula backup was about to start. I decided to treat the MFT issue as an accidentally reformatted partition. I then went to Windows’ TestDisk’s Advanced, Boot options and found the MFT recovery option. The MFT mirror wasn’t available either. So I started the boot recovery option which seems to scan for the MFT. The “Rebuild BS” didn’t seem to help. The MFT file or files seem to have bad magic. I believe bad magic means the “magic numbers”. The magic numbers are a fixed string of bytes which are usually at the beginning of a file. See the “file” utility for more information on “magic”.
So I had no luck finding the MFT. I’m now starting to look at PhotoRec which supports scanning for an interesting variety of files. Unfortunately, I’ll have to find a disk large enough to put all the found data on. I’ll have to sift through the data by hand and look to see if there was anything useful on the drive. I mostly think it was just where I did optical media backups so I’m not too worried, but I think I may have had some more interesting backups there.
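An added example (not part of the original post, and not TestDisk's code) of what a magic check on the MFT looks like: it reads the standard NTFS boot sector fields to find where $MFT and $MFTMirr should start, then tests whether each location begins with the "FILE" record signature. It assumes the boot sector itself is still readable; the function names and the small sample image are constructed for illustration.

```python
import io
import struct

def locate_mft(img):
    """Read the NTFS boot sector and return byte offsets of $MFT and $MFTMirr."""
    img.seek(0)
    bs = img.read(512)
    if len(bs) < 512 or bs[3:11] != b"NTFS    ":
        raise ValueError("boot sector has no NTFS OEM ID")
    # 0x0B: bytes per sector (u16), 0x0D: sectors per cluster (u8)
    bytes_per_sector, sectors_per_cluster = struct.unpack_from("<HB", bs, 0x0B)
    # 0x30: cluster number of $MFT, 0x38: cluster number of $MFTMirr
    mft_lcn, mirr_lcn = struct.unpack_from("<QQ", bs, 0x30)
    cluster = bytes_per_sector * sectors_per_cluster
    if cluster == 0:
        raise ValueError("boot sector geometry is zeroed")
    return {"$MFT": mft_lcn * cluster, "$MFTMirr": mirr_lcn * cluster}

def record_magic(img, offset):
    """Classify the 4-byte signature at the start of an MFT record."""
    img.seek(offset)
    sig = img.read(4)
    if sig == b"FILE":
        return "ok"
    if sig == b"BAAD":  # set when a multi-sector transfer error was detected
        return "marked bad"
    return "bad magic"

def check_volume(img):
    """Report the signature state of the first $MFT and $MFTMirr records."""
    return {name: record_magic(img, off) for name, off in locate_mft(img).items()}

def build_sample(mft_sig=b"FILE", mirr_sig=b"FILE"):
    """Constructed 64 KiB test volume: 4096-byte clusters, $MFT at cluster 4,
    $MFTMirr at cluster 8. Not a complete file system."""
    img = bytearray(64 * 1024)
    img[3:11] = b"NTFS    "
    struct.pack_into("<HB", img, 0x0B, 512, 8)
    struct.pack_into("<QQ", img, 0x30, 4, 8)
    img[4 * 4096:4 * 4096 + 4] = mft_sig
    img[8 * 4096:8 * 4096 + 4] = mirr_sig
    return io.BytesIO(bytes(img))

if __name__ == "__main__":
    # Healthy sample, then one with both signatures wiped.
    print(check_volume(build_sample()))
    print(check_volume(build_sample(b"\0\0\0\0", b"\0\0\0\0")))
```

To try it on real data, pass a read-only file object for an image of the partition, for example check_volume(open("partition.img", "rb")), where partition.img is a hypothetical file name.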
Drew Scott Daniels’ resume: http://www.boxheap.net/ddaniels/resume.html
Originally from: http://www.boxheap.net/ddaniels/notes/20090103.html