Scrounge-ntfs

From Notes_Wiki
Revision as of 10:31, 23 June 2013 by Saurabh (talk | contribs) (Created page with "<yambe:breadcrumb>Recovery_tools|Recovery tools</yambe:breadcrumb> =Recovering corrupted or deleted files from NTFS partitions using scrounge-ntfs= To recover corrupted or de...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

<yambe:breadcrumb>Recovery_tools|Recovery tools</yambe:breadcrumb>

Recovering corrupted or deleted files from NTFS partitions using scrounge-ntfs

To recover corrupted or deleted files from NTFS partition one should have space to store the recovered files. Hence if you are trying to recover files from 1TB drive then there should be 1TB free space in the folder where recovered files would be restored. Further to help with recovering it would be good to have Backtrack-5 RL3 or later so that many tools necessary for recovery are already available.

Steps for recovering corrupted or deleted files from NTFS parititions using Backtrack-5 RL3 or higher are:

  1. First the entire partitions should be available as a device. Now if the case is of deleted files then one can directly point to partition of hard-disk or external USB drive for recovery. But if the case is of corrupted hard-disk or external USB disk then first the entire disk data needs to be copied as a raw file. Normal dd command will not be helpful in this case it would give I/O error and quit when dd tries to read from bad sectors. Hence 'ddrescue' command is required to create a raw file where ddrescue will appropriately write zeros when the input sectors cannot be read.
    Example invocation of ddrescue command is
    ddrescue /dev/sdb usb_image.iso ddrescue.log
  2. Now if the image was created using dd then rescue tool requires it to be accessible as a device and not as a normal filesystem file. Also the requirement of having lot of free space for keeping recovered files is still present excluding the space occupied by raw file image. To create a device from a filesystem file use 'kpartx'. Now kpartx does not comes by default with Backtrack-5 so it should be installed using
    sudo apt-get update
    sudo apt-get install kpartx
    Once kpartx is installed use it to create device for a file using
    kpartx -va filename
    The name of device file is typically /dev/loop0 etc. The name of partition devices are typically /dev/mapper/loop0p0, /dev/mapper/loop0p1, etc.
  3. By this step one should have a uncorrupted (non bad sector) based device which can be read without I/O error by recovery program. Uncorrupted here means that originally unreadable bytes have been set to zero. Also one should have a recovery folder with enough free space to store all recovered files.
  4. Now use 'scrounge-ntfs' to get information about partition. The command is
    scrounge-ntfs -l
    This prints information which includes Start sector, End sector, Cluster size, MFT offset
  5. Now to recover files from given device to a recovery folder using parameters obtained above use:
    scroung-ntfs -m <MFT offset> -c <Cluster size> -o <recovery_folder> <start-sector> <end-sector>


<yambe:breadcrumb>Recovery_tools|Recovery tools</yambe:breadcrumb>