Comments (12)
Lazza
commented on August 23, 2024
I have to ask you the same question as here:
Do you know maybe the NTFS version of the partition you are analyzing? Was it created before Windows XP? Very old NTFS drives didn't include ids in their MFT entries.
from recuperabit.
wziard
commented on August 23, 2024
I'll have to ask the owner of the borked drive. I'd guess the drive was formatted in windows XP, but it could have been windows 2000.
Also, I'd expect the partition to be listed under 'other' if it's not detected as ntfs? After all the partition table is still ok? Or do I misunderstand how it's supposed to work?
from recuperabit.
Lazza
commented on August 23, 2024
it could have been windows 2000
NTFS up to version 3.0 (corresponding to Windows 2000) didn't include the identifier in file records. So when file records are scanned it is impossible to distinguish them and figure out how they should be divided.
While one could (in the lucky case of a working partition table) put them "all together" in one partition, the issue would still be of figuring out exactly where the MFT starts (so you must have the first records there as well) and if it is fragmented. You would also need to avoid using records from a previously formatted/old file system.
Otherwise you would end up with a "heap" of random files smashed together which is not a very forensic approach. Actually using wild guesses to rebuild the file system doesn't seem a reasonable solution if one wants to ensure that the extracted information is correct.
Also, you must assign an id to each entry otherwise the directory tree reconstruction cannot work.
I'd expect the partition to be listed under 'other' if it's not detected as ntfs? After all the partition table is still ok?
The partition table is not used at all. RecuperaBit only supports NTFS reconstruction so any other file system type is ignored. You may want to check out the slides for further information.
Going back to your original point: if it is at least NTFS 3.1 then it is a bug (so please let me know). If it is an older NTFS version then unfortunately you cannot reconstruct it with this approach. You may want to use other tools such as Restorer Ultimate Pro, but keep in mind the accuracy might not be excellent.
from recuperabit.
rockofclay
commented on August 23, 2024
I seem to be having a similar problem, but it was a windows 7 partition.
EDIT:
I get the same output. No partitions found, but it has found records. I have also tried allparts and had no partitions returned.
from recuperabit.
Lazza
commented on August 23, 2024
@rockofclay please can you show the output?
from recuperabit.
rockofclay
commented on August 23, 2024
RecuperaBit 1.0
Copyright 2014-2017, Andrea Lazzarotto <[email protected]>
Released under the GPLv3
INFO:root:Checking if results already exist.
INFO:root:Unable to open save file.
INFO:root:Results will be saved to /disk1/savethis
Type [Enter] to start the analysis or "exit" / "quit" / "q" to quit: INFO:root:Found NTFS file record at sector 295931
INFO:root:Found NTFS file record at sector 435761
INFO:root:Found NTFS file record at sector 444465
INFO:root:Found NTFS file record at sector 445766
INFO:root:Found NTFS file record at sector 449585
INFO:root:Found NTFS file record at sector 451142
INFO:root:Found NTFS file record at sector 452608
INFO:root:Found NTFS file record at sector 2691409
INFO:root:Found NTFS file record at sector 61265911
INFO:root:Found NTFS file record at sector 740568827
INFO:root:Found NTFS file record at sector 740589301
INFO:root:Found NTFS file record at sector 740589326
INFO:root:Found NTFS file record at sector 740600135
INFO:root:Found NTFS file record at sector 740617460
INFO:root:Found NTFS file record at sector 740617579
INFO:root:Found NTFS file record at sector 740691649
INFO:root:Found NTFS file record at sector 740712916
INFO:root:Found NTFS file record at sector 740820622
INFO:root:Found NTFS file record at sector 740988329
INFO:root:Found NTFS file record at sector 740988537
INFO:root:Found NTFS file record at sector 740989678
INFO:root:Found NTFS file record at sector 744819475
INFO:root:Found NTFS file record at sector 744830935
INFO:root:Found NTFS file record at sector 744831023
INFO:root:Found NTFS file record at sector 749008167
INFO:root:Found NTFS file record at sector 749032334
INFO:root:Found NTFS file record at sector 749091343
INFO:root:Found NTFS file record at sector 749117630
INFO:root:Found NTFS file record at sector 753146261
INFO:root:Found NTFS file record at sector 753147001
INFO:root:Found NTFS file record at sector 753147009
INFO:root:Found NTFS file record at sector 753148345
INFO:root:Found NTFS file record at sector 753148353
INFO:root:Found NTFS file record at sector 753149577
INFO:root:Found NTFS file record at sector 753149947
INFO:root:Found NTFS file record at sector 753152053
INFO:root:Found NTFS file record at sector 753152761
INFO:root:Found NTFS file record at sector 753152769
INFO:root:Found NTFS file record at sector 753153226
INFO:root:Found NTFS file record at sector 753154321
INFO:root:Found NTFS file record at sector 753155347
INFO:root:Found NTFS file record at sector 753157038
INFO:root:Found NTFS file record at sector 753159792
INFO:root:Found NTFS file record at sector 753161088
INFO:root:Found NTFS file record at sector 753161667
INFO:root:Found NTFS file record at sector 757338281
INFO:root:Found NTFS file record at sector 757389216
INFO:root:Found NTFS file record at sector 757389232
INFO:root:Found NTFS file record at sector 757389360
INFO:root:Found NTFS file record at sector 757394521
INFO:root:Found NTFS file record at sector 757411057
INFO:root:Found NTFS file record at sector 757777729
INFO:root:Found NTFS file record at sector 761702311
INFO:root:Found NTFS file record at sector 769963583
INFO:root:First scan completed
INFO:root:Saving results to /disk1/savethis
INFO:root:Parsing MFT entries
INFO:root:Parsing INDX records
INFO:root:Reading boot sectors
INFO:root:Finding partition geometry
INFO:root:0 partitions found.
from recuperabit.
Lazza
commented on August 23, 2024
It would be really interesting to see those records at a lower level. Could you send me a dump of a few of them via email?
from recuperabit.
jtlz2
commented on August 23, 2024
@Lazza I am trying to run this on a dd_rescue output of a failing Apple_HFS drive but get 0 partitions found too... Where to start?
from recuperabit.
Lazza
commented on August 23, 2024
a failing Apple_HFS
Why? 😮 HFS has nothing to do with NTFS.
from recuperabit.
rockofclay
commented on August 23, 2024
I'm currently running the script again. What did you want me to do to dump the records?
from recuperabit.
Lazza
commented on August 23, 2024
Please open the disk image with wxHexEditor (or another tool that can handle huge files) and extract a couple of megabytes starting from:
INFO:root:Found NTFS file record at sector 435761
Sector 435761 starts at byte 223109632. You will see that the first characters are FILE. Then send me an email with the extracted dump. Thank you!
from recuperabit.
Lazza
commented on August 23, 2024
I am going to close this as it was not possible to reproduce and was (probably) due to a old, unsupported NTFS version.
from recuperabit.
Related Issues (20)
- Removed HOT 1
- Gave me an error after typing "tree" and exited HOT 5
- How to use with windows HOT 1
- Windows exe ? HOT 7
- Recover RAW SSD. HOT 10
- Recoverable partition but only restores a few files. HOT 5
- Add a command to savefile once scan has ended.
- A better tree command HOT 2
- Function best_name crashes while sorting entries HOT 2
- RecursionError: maximum recursion depth exceeded HOT 2
- Traceback when using saved scan file. HOT 1
- Unicode in filenames makes the program crash HOT 2
- Cannot restore non-resident $DATA attribute(s) HOT 4
- CSV export should include the full path of files
- Different partition #s generated for save file vs. rescan of drive image HOT 1
- Doesn't work for my disk HOT 3
- Unbound Local Error HOT 1
- Adding simple test image files
- recover breaks when custom properties appear as nodes HOT 1
- I don't understand HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from recuperabit.