turtletimer
asked on
Undelete old NTFS data...
I had some old music that I created on a hard drive. It's not really that important to me, but I'd like to try and get it back. It was sitting in my closet for 3 years and I need a drive for a web server dev box, so I used it.
Now I want to try and recover any of it. The linux install I did on it was small and not much writing occured to the drive besides the initial install. It is formatted as ext3 now.
Is there any program that is bootable and could try and find old ntfs stuff in there? Is everything that was NTFS definatley gone now that I formatted it as ext3?
Like I said it's not important, but I'd like to try. Give me anything you got...
Now I want to try and recover any of it. The linux install I did on it was small and not much writing occured to the drive besides the initial install. It is formatted as ext3 now.
Is there any program that is bootable and could try and find old ntfs stuff in there? Is everything that was NTFS definatley gone now that I formatted it as ext3?
Like I said it's not important, but I'd like to try. Give me anything you got...
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Lee W, MVP
I disagree. When I've formatted Extx file systems, I've not seen them do anything destructive to the data. I'm not saying you'll definitely get the data back, but if it's recoverable without extreme measures, I think ontrack will recover it.
ntfsundelete - recovers deleted files from an NTFS volume.
As I understand turtletimer has no NTFS partition(s) anymore.
Am I wrong?
nedvis
As I understand turtletimer has no NTFS partition(s) anymore.
Am I wrong?
nedvis
> As I understand turtletimer has no NTFS partition(s) anymore.
He more than likely still has NTFS file system structures on his disk. I am not sure if ntfsundelete requires that partition be otherwise intact, as I've never used it before, but it is feasible to search for these structures and recover the data.
He more than likely still has NTFS file system structures on his disk. I am not sure if ntfsundelete requires that partition be otherwise intact, as I've never used it before, but it is feasible to search for these structures and recover the data.
ASKER
The whole partition has been formatted to ext3...
What do you guys think?
What do you guys think?
The type of file system does not really matter. None completely overwrite every sector of the disk (and I would guess that none even have an option for doing so). They only overwrite what they need.
Ok, I had to check the man pages. If use "-c -c" with mke2fs/mkfs.ext3/etc. it'll destroy all the data, but who does that?
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
What's with this Ontrack? Have a look at their page (http://www.ontrack.com/easyrecoveryprofessional/) for system requirements:
"
Operating Systems
* Windows® 98SE & Windows Me
* Windows® 2000, Windows NT® & Windows XP
File Repair capabilities for:
* Microsoft Outlook 97, 2000, XP and 2003 (PST & OST)
* Microsoft Outlook Express 5.0, 5.01, 5.5 and v6.0 (DBX)
* Microsoft® Word (DOC)
* Microsoft® Excel (XLS)
* Microsoft® Access Database (MDB)
* Microsoft® PowerPoint® (PPT)
* Zip archive files (ZIP)
"
You don't run windoze and want to recover mp3s. What do you want to achieve with Ontrack?
ntfsundelete isn't any better:
"
Miracles
ntfsundelete cannot perform the impossible.
When a file is deleted the MFT Record is marked as not in use and the bitmap representing the disk usage is updated. If the power isn’t turned off immediately, the free space, where the file used to live, may become overwritten. Worse, the MFT Record may be reused for another file. If this happens it is impossible to tell where the file was on disk.
Even if all the clusters of a file are not in use, there is no guarantee that they haven’t been overwritten by some short-lived file.
"
You don't even have the Master File Table. Besides, I seriously doubt if it can accept an ext3 disk as an argument.
Regards,
ram_einstein
"
Operating Systems
* Windows® 98SE & Windows Me
* Windows® 2000, Windows NT® & Windows XP
File Repair capabilities for:
* Microsoft Outlook 97, 2000, XP and 2003 (PST & OST)
* Microsoft Outlook Express 5.0, 5.01, 5.5 and v6.0 (DBX)
* Microsoft® Word (DOC)
* Microsoft® Excel (XLS)
* Microsoft® Access Database (MDB)
* Microsoft® PowerPoint® (PPT)
* Zip archive files (ZIP)
"
You don't run windoze and want to recover mp3s. What do you want to achieve with Ontrack?
ntfsundelete isn't any better:
"
Miracles
ntfsundelete cannot perform the impossible.
When a file is deleted the MFT Record is marked as not in use and the bitmap representing the disk usage is updated. If the power isn’t turned off immediately, the free space, where the file used to live, may become overwritten. Worse, the MFT Record may be reused for another file. If this happens it is impossible to tell where the file was on disk.
Even if all the clusters of a file are not in use, there is no guarantee that they haven’t been overwritten by some short-lived file.
"
You don't even have the Master File Table. Besides, I seriously doubt if it can accept an ext3 disk as an argument.
Regards,
ram_einstein
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
This is a superb scenario, and technically interesting - I'd welcome information from anyone else as to the exact workings or internal knowledge of these pieces of software. Process carried out was as follows:
1. Install NTFS partition with Windows 2K professional on old 8GB drive. - Had this lying around.
2. Delete partition, and replace it with single ext3 / partition and installed puppy linux (Deliberately a small distribution)
3. Took image using R-Drive Image 3.0.
4. Drive inserted in test setup. Tried recovery.
I can't get ntfsundelete to work at all in this case, as it is no longer an ntfs file system - I'd welcome anyone else's solution to this, because even after changing the partition table back, it still didn't recognise the partition correctly. I'm wondering if the swap (500MB - deliberately at the end of the drive) is confusing it?
GetDataBack works (but you have to change the partition to be an ntfs one again otherwise it refuses to run on the partition - another write!...but I can get it to work.), but only appears to work if the first block of the file concerned still exists. If the first block of the file is gone, then none of the file is recovered. File recovery from first block seems to continue until a block is missing. Therefore potentially useful.
Zero Assumption Recovery will recover block chains after a missing block, and will also recover old versions of the same file. A little overkill in that you might end up checking 4-5 copies of a file with the same name in order to find the 'best' one (or most up to date). Had to delete the partition table in order to get this software to behave sensibly. I.e, it takes longer and more work to carry out the recovery, but in my opinion does a more thorough job. Most interestingly, after deleting the partition tables completely, on recovery, it decided that there must have been 2 partitions and did a complete recovery of the puppy linux, and also shed loads of Windows 2K files. Worth noting that the original drive had been in production use for a fair amount of time. Ignoring the puppy linux files, I've got a lot more files recovered with this, but there are loads of 'duplicates', but for some text based files I've got partial recovery where GetDataBack recovered nothing.
Final thoughts are that the individual is trying to recover MP3 files, which they probably only want if they are complete? In which case, GetDataBack is probably the best option if it works at all, followed by ZAR.
HTH:)
1. Install NTFS partition with Windows 2K professional on old 8GB drive. - Had this lying around.
2. Delete partition, and replace it with single ext3 / partition and installed puppy linux (Deliberately a small distribution)
3. Took image using R-Drive Image 3.0.
4. Drive inserted in test setup. Tried recovery.
I can't get ntfsundelete to work at all in this case, as it is no longer an ntfs file system - I'd welcome anyone else's solution to this, because even after changing the partition table back, it still didn't recognise the partition correctly. I'm wondering if the swap (500MB - deliberately at the end of the drive) is confusing it?
GetDataBack works (but you have to change the partition to be an ntfs one again otherwise it refuses to run on the partition - another write!...but I can get it to work.), but only appears to work if the first block of the file concerned still exists. If the first block of the file is gone, then none of the file is recovered. File recovery from first block seems to continue until a block is missing. Therefore potentially useful.
Zero Assumption Recovery will recover block chains after a missing block, and will also recover old versions of the same file. A little overkill in that you might end up checking 4-5 copies of a file with the same name in order to find the 'best' one (or most up to date). Had to delete the partition table in order to get this software to behave sensibly. I.e, it takes longer and more work to carry out the recovery, but in my opinion does a more thorough job. Most interestingly, after deleting the partition tables completely, on recovery, it decided that there must have been 2 partitions and did a complete recovery of the puppy linux, and also shed loads of Windows 2K files. Worth noting that the original drive had been in production use for a fair amount of time. Ignoring the puppy linux files, I've got a lot more files recovered with this, but there are loads of 'duplicates', but for some text based files I've got partial recovery where GetDataBack recovered nothing.
Final thoughts are that the individual is trying to recover MP3 files, which they probably only want if they are complete? In which case, GetDataBack is probably the best option if it works at all, followed by ZAR.
HTH:)
If you want the full number of files recovered statistics, you'll have to wait until tomorrow!.....:).....but the above information gives the idea.