Recover data from a formatted NTFS partition

February 20, 2010

Shit happens. And you are the one that may make it happen. If you’ve never accidentally formatted a partition, typed a rm -rf ~ or deleted some file that you actually didn’t have to remove, it can happen to some of your friends (if you got idiot friends) or customers (if you got idiot customers).

So here are a few notes about how to recover data from a formatted NTFS partition. I’ve tried several tools which I’ll give a brief opinion about.

  • Do not use any forensics analysis Live distribution. F.I.R.E. (homepage) is abandoned since 2004 and others are not necessary. The best forensics and recovery live distribution is indeed Knoppix (homepage), in which you can easily add any data recovery package with a simple apt-get install.
  • ntfsundelete (part of the ntfsprogs package, homepage) was completely useless, and could not find any deleted data but pagefile.sys.
  • sleuthkit (homepage), with its web GUI Autopsy worked exactly the same as ntfsundelete and was useless the same.
  • foremost (homepage) helped to recover some files, especially Jpeg pictures. Foremost does not re-create any directory structure. Furthermore, it didn’t find any Word document.
  • scalpel (homepage), based on foremost, is a bit better and was able to recover also some of the .doc documents. This tool should only be used is the support is severely compromised, otherwise more efficient tools can do a better work.

The problem with all these tools is that they can recover data from NTFS volumes but do not use any information in the volume. NTFS is a very redundant file system and store a lot of information that can be used to completely recreate the directory structure of a formatted volume, including file and directory names. To find a tool that uses these information, the Open Source option has to be discarded and we have to go for something commercial. My salvation was Runtime Software GetDataBack for NTFS (homepage), a commercial tool for Microsoft Windows that let me recover almost all the data with their original names and directory structure.

Still there are some tricks that may ease your work. The following is only an option of how to use this software which resulted easy for me because I had a ready Windows XP virtual machine running on VirtualBox and the formatted NTFS volume was saved in an image with dd. Here are some useful information for this specific scenario (otherwise, if you don’t have any installed Windows VM and the NTFS volume you want to recover is not saved in an image file, there are probably faster methods):

  • To convert a .img disk image created with dd to a .vdi disk image compatible with VirtualBox, use the command (takes long time):
    VBoxManage convertfromraw -format VDI image.img image.vdi
  • From VirtualBox, right-click on your Windows virtual machine, click Settings, Storage and add the virtual disk.
  • Run Windows, the virtual disk will appear as a normal volume. Install GetDataBack and run the recovery tool on the volume.
  • If you don’t have enough space in the Windows VM to save the restored data, install the guest additions and share a directory between the virtual Windows and your OS (google to find a how to).

If you find any working Open Source NTFS recovery tool or have had other experiences about NTFS data recovery, please leave a comment.

Filed under: data recovery


February 2010
« Jan   Apr »

Recent Posts