I have one large NTFS partition on an external disk which "doesn't work" any more and I'm trying to recover data from it. When I try to use it (using GNU/Linux) I'm told the partition doesn't contain an NTFS filesystem (e.g. ntfsresize tells me NTFS signature is missing).

Looking at the bytes in the partition, I do find the "tell-tale" starting bytes described in https://en.wikipedia.org/wiki/NTFS (i.e. 0xEB 0x52 0x90 followed by NTFS and 4 spaces), but they're preceded by 4 zero bytes. I also see that the partition's boot sector's usual "end marker" (in the form of 0x55 0xAA) is shifted by 4 bytes (i.e. those 2 bytes are at offset 514 instead of 510).

Any idea what might cause such a situation (it's not my disk, and from what I understand it's been used mostly with Windows, though it's possible it's been used from a GNU/Linux Ubuntu system as well)?

I'm thinking of "unshifting" the partition's header, but I'm not sure how far this shifting has gone: obviously it affects at least the first 516 bytes (i.e. at least all the first sector and part of the second sector), but I don't know how to determine if it went further and if so how far.

I unshifted the bytes of the first sector (i.e. removed the "spurious" 4 zero bytes at the beginning and wrote the resulting 512 bytes in the first sector, thus leaving the bytes 512-516 as "obviously wrong"), which does get me ever so slightly further, but now I get the error

ntfs_mst_post_read_fixup_warn: magic: 0x04510000  size: 1024   usa_ofs: 18758  usa_count: 17739: Invalid argument
Record 0 has no FILE magic (0x4510000)
Failed to load $MFT: Input/output error
Failed to mount '/dev/sdb1': Input/output error

What should I normally expect to find in the bytes 512-1024? Or alternatively, where could I find this information?

Stefan
  • Well, if the whole partition is shifted by 4 bytes then you should shift back all of it, but you should work on a copy anyway so you could simply generate a disk image and then drop the first 4 bytes. After that, see here: https://askubuntu.com/a/776317/271 – Andrea Lazzarotto Jun 18 '17 at 00:36
  • I'm pretty sure the whole partition isn't shifted by 4 bytes. Not sure why the beginning is, that's actually a big part of the question. – Stefan Jun 18 '17 at 15:57
  • Then you would need to see why the first record of the MFT entry doesn't have the `FILE` magic value (which is also 4 bytes long). Still you could run RecuperaBit on the image and see if it finds any MFT entries. If they are found then the partition is aligned, but if they are not found then most likely it's not. – Andrea Lazzarotto Jun 18 '17 at 15:59
  • @AndreaLazzarotto: Hmm... what *is* the "FILE magic value"? [ Maybe it does have it, but shifted by 4 bytes, still. ] – Stefan Jun 18 '17 at 18:59
  • It's the signature of each MFT entry. Please see Table 3.2 here (page 16): https://www.scribd.com/doc/309337813/RecuperaBit-Forensic-File-System-Reconstruction-Given-Partially-Corrupted-Metadata – Andrea Lazzarotto Jun 18 '17 at 19:59
  • Any news on this? – Andrea Lazzarotto Jun 21 '17 at 15:51
  • @AndreaLazzarotto: Thank you for your help. That document is exactly what I needed. But it looks like the breakage was more serious than what I can muster: I couldn't find any FILE (or BAAD) magic value, I also tried replacing the 4 shifted bytes by "FILE", and I looked around but the nearby spots had values that did not make sense compared to what your document indicated. I gave up and went back to the last backup instead :-( – Stefan Jun 23 '17 at 17:02

0 Answers
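The checks the question and comments walk through (is the boot sector displaced, does the displacement continue into the MFT, what does a FILE record header look like when read 4 bytes off) can be scripted. The following is an added example, not code from the question or from ntfs-3g or RecuperaBit. It uses only the Python standard library, builds a constructed miniature NTFS-like image in memory rather than reading a real disk, and relies on the standard NTFS boot-sector layout: jump bytes 0xEB 0x52 0x90, OEM ID "NTFS    " at offset 3, bytes per sector at 0x0B, sectors per cluster at 0x0D, the $MFT cluster number at 0x30, the MFT record size code at 0x40, and 0x55 0xAA at offset 510. MFT records start with "FILE" (or "BAAD"), followed by the u16 update sequence offset and count. `decode_record_header` returns those three fields in the same form libntfs-3g's `ntfs_mst_post_read_fixup_warn` message prints them (little-endian u32 magic, then two little-endian u16 values); for a FILE record read 4 bytes early, usa_ofs comes out as 18758 because the u16 at offset 4 then holds the ASCII bytes 'F','I'. The function and variable names are my own, and the 4096-byte cluster and 1024-byte record sizes are assumptions chosen for the sample.

```python
import struct

SECTOR = 512
NTFS_JUMP = b"\xEB\x52\x90"        # jump instruction at the start of an NTFS boot sector
NTFS_OEM = b"NTFS    "             # OEM ID at offset 3
BOOT_END_MARKER = b"\x55\xAA"      # at offset 510
MFT_MAGICS = (b"FILE", b"BAAD")    # valid MFT record signatures


def build_sample_volume(boot_shift=0, data_shift=0):
    """Constructed sample, not a real image: one NTFS boot sector, zero padding up
    to cluster 1 (byte 4096) and two 1024-byte MFT records there.
    boot_shift prepends that many zero bytes in front of the boot sector only (the
    layout described in the question); data_shift prepends them in front of the
    MFT area as well (a whole-volume shift)."""
    bs = bytearray(SECTOR)
    bs[0:3] = NTFS_JUMP
    bs[3:11] = NTFS_OEM
    struct.pack_into("<H", bs, 0x0B, SECTOR)   # bytes per sector
    bs[0x0D] = 8                               # sectors per cluster -> 4096-byte clusters
    bs[0x15] = 0xF8                            # media descriptor
    struct.pack_into("<Q", bs, 0x28, 24)       # total sectors of this toy volume
    struct.pack_into("<Q", bs, 0x30, 1)        # $MFT starts at cluster 1
    struct.pack_into("<Q", bs, 0x38, 2)        # $MFTMirr at cluster 2 (not populated here)
    bs[0x40] = 0xF6                            # record size code: -10 -> 2**10 bytes
    bs[0x1FE:0x200] = BOOT_END_MARKER

    image = bytearray(boot_shift) + bs
    image.extend(bytes(4096 - len(image)))     # pad to cluster 1
    image.extend(bytes(data_shift))
    for _ in range(2):
        rec = bytearray(1024)
        rec[0:4] = b"FILE"
        struct.pack_into("<HH", rec, 4, 48, 3)  # usa_ofs=48, usa_count=3 for a 1024-byte record
        image.extend(rec)
    return bytes(image)


def find_boot_shift(image, window=2 * SECTOR):
    """Locate the NTFS boot sector within the first `window` bytes. Returns its
    displacement from offset 0 (0 for a healthy volume), or None if the jump+OEM
    signature or the 0x55AA marker at shift+510 is missing."""
    pos = image.find(NTFS_JUMP + NTFS_OEM, 0, window)
    if pos < 0 or image[pos + 0x1FE:pos + 0x200] != BOOT_END_MARKER:
        return None
    return pos


def parse_bpb(image, shift):
    """Read the BIOS parameter block fields needed to locate $MFT from the boot
    sector that starts at `shift`."""
    bs = image[shift:shift + SECTOR]
    bytes_per_sector, = struct.unpack_from("<H", bs, 0x0B)
    sectors_per_cluster = bs[0x0D]
    mft_cluster, = struct.unpack_from("<Q", bs, 0x30)
    code, = struct.unpack_from("<b", bs, 0x40)
    cluster_size = bytes_per_sector * sectors_per_cluster
    # A negative code n means the record size is 2**(-n) bytes, not n clusters.
    record_size = (1 << -code) if code < 0 else code * cluster_size
    return {"cluster_size": cluster_size,
            "mft_offset": mft_cluster * cluster_size,
            "record_size": record_size}


def decode_record_header(record):
    """(magic, usa_ofs, usa_count) as ntfs-3g formats them in its warning:
    little-endian u32 at offset 0, u16 at offset 4, u16 at offset 6."""
    return struct.unpack_from("<IHH", record, 0)


def probe_mft(image, shift):
    """Using the BPB found at `shift`, test the first MFT record for a valid magic
    at its nominal offset and at nominal offset + shift. A hit only on the shifted
    position means the displacement extends beyond the boot sector."""
    off = parse_bpb(image, shift)["mft_offset"]
    return {"aligned": image[off:off + 4] in MFT_MAGICS,
            "shifted": image[off + shift:off + shift + 4] in MFT_MAGICS}


def scan_mft_magics(image, start=SECTOR, record_size=1024):
    """The check suggested in the comments, done by hand: find every FILE/BAAD
    signature after the boot sector and report (offset, offset % record_size).
    A residue of 0 means the record sits where a healthy MFT would put it."""
    hits = []
    for magic in MFT_MAGICS:
        pos = image.find(magic, start)
        while pos >= 0:
            hits.append((pos, pos % record_size))
            pos = image.find(magic, pos + 1)
    return sorted(hits)


def rewrite_boot_sector(image, shift):
    """What the question's 'unshift' did: copy the 512 bytes found at `shift` back
    to offset 0 and leave everything else (including the stale tail) as it was.
    Operates on an in-memory copy; on real media, work on a disk image."""
    fixed = bytearray(image)
    fixed[0:SECTOR] = image[shift:shift + SECTOR]
    return bytes(fixed)


if __name__ == "__main__":
    for boot_shift, data_shift in ((0, 0), (4, 0), (4, 4)):
        img = build_sample_volume(boot_shift, data_shift)
        s = find_boot_shift(img)
        print(f"boot_shift={boot_shift} data_shift={data_shift}: boot sector at +{s}, "
              f"MFT probe {probe_mft(img, s)}, magics {scan_mft_magics(img)}")
```

To apply this to a real partition, read the first few MiB of a disk image (for example one made with `ddrescue`) into `image` and call `find_boot_shift`, `probe_mft` and `scan_mft_magics` on that; `scan_mft_magics` should be restricted to a window around the computed `mft_offset` on a large image, since a plain `find` over a whole volume is slow and will also hit the string "FILE" inside file contents. Whatever it reports, the boot-sector and MFT offsets only tell you where the signatures are, not why they moved; the rewrite step is only safe on a copy.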