Lazza / RecuperaBit

A tool for forensic file system reconstruction.
GNU General Public License v3.0

Cannot restore non-resident $DATA attribute(s) #114

Closed brainwind-software closed 12 months ago

brainwind-software commented 1 year ago

Today I used dd to write an image to a USB stick. At least that was what I intended. Instead I overwrote 2-3 GB of my 2TB NTFS hard drive :(

I just found RecuperaBit and tried it out. It finds a lot of file records:

...
INFO:root:Found NTFS file record at sector 6963838
INFO:root:Found NTFS file record at sector 6963840
INFO:root:Found NTFS file record at sector 6963842
...

And finds 1 partition:

INFO:root:First scan completed
INFO:root:Parsing MFT entries

INFO:root:Parsing INDX records
INFO:root:Reading boot sectors
INFO:root:Finding partition geometry
INFO:root:1 partitions found.

But using recoverable does not show my partition, instead other does. Now, if I try the restore command, I get these errors for all my files:

INFO:root:Restoring #288677 Root/Steuer/2017/USt_Q1/MCP
ERROR:root:Cannot restore non-resident $DATA attribute(s) for File(#289722, ^^288677^^, MCP-1216-0547.pdf, offset = 6870900 sectors)
ERROR:root:Cannot restore non-resident $DATA attribute(s) for File(#289720, ^^288677^^, MCP-0117-0213.pdf, offset = 6870896 sectors)
ERROR:root:Cannot restore non-resident $DATA attribute(s) for File(#289721, ^^288677^^, MCP-0217-0185.pdf, offset = 6870898 sectors)

and only get a directory with all the files inside, but they are all 0 byte.

Is there still some way to restore my files? Should I try to overwrite the partition table, or use the MFT backup to overwrite the original one, ...?

Lazza commented 1 year ago

> I get these errors for all my files

This is expected, because if the geometry of a partition cannot be detected, then you cannot recover files.

> use the MFT backup to overwrite the original one, ... ?

This should not be needed because RecuperaBit reads the backup as well.

Can you verify if the NTFS partition was using a 4096 sector size? That's not supported. Only 512 is, currently.

brainwind-software commented 1 year ago

> Can you verify if the NTFS partition was using a 4096 sector size? That's not supported. Only 512 is, currently.

Ah ok, I guess that was the problem. I ended up buying a piece of software, but thanks for your reply.

Lazza commented 1 year ago

I am going to mark this as a feature request; supporting the 4096 sector size would be nice. I don't know when I will ever have time to do it, but that's another aspect. 😅

Lazza commented 12 months ago

Actually, to avoid repetition I am closing this as a duplicate of #99. Any discussion on sector size can continue there.
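
The sector size asked about in this thread is recorded in the NTFS boot sector, so it can be read from any surviving copy of that sector. The following is an added example, not part of the thread or of RecuperaBit's own code: the function names are hypothetical and the sample boot sector is constructed, while the field offsets are those of the standard NTFS boot sector layout.

```python
import struct

SUPPORTED_SECTOR_SIZE = 512  # the only size supported, per the maintainer's reply


def parse_ntfs_boot_sector(buf):
    """Return geometry fields of an NTFS boot sector, or None if buf is not one."""
    if len(buf) < 0x48 or buf[3:11] != b"NTFS    ":  # OEM ID at offset 3
        return None
    bytes_per_sector, sectors_per_cluster = struct.unpack_from("<HB", buf, 0x0B)
    total_sectors, mft_lcn, mftmirr_lcn = struct.unpack_from("<QQQ", buf, 0x28)
    (raw,) = struct.unpack_from("<b", buf, 0x40)
    # Negative: record size is 2**(-raw) bytes. Positive: a count of clusters.
    record_size = (1 << -raw) if raw < 0 else raw * bytes_per_sector * sectors_per_cluster
    return {
        "bytes_per_sector": bytes_per_sector,
        "sectors_per_cluster": sectors_per_cluster,
        "total_sectors": total_sectors,
        "mft_cluster": mft_lcn,
        "mftmirr_cluster": mftmirr_lcn,
        "mft_record_size": record_size,
        "supported": bytes_per_sector == SUPPORTED_SECTOR_SIZE,
    }


def find_boot_sectors(image, step=512):
    """Scan a byte buffer for NTFS boot sectors (primary or backup copy)."""
    hits = []
    for offset in range(0, len(image) - 0x48 + 1, step):
        info = parse_ntfs_boot_sector(image[offset:offset + 512])
        if info is not None:
            hits.append((offset, info))
    return hits


def make_sample_boot_sector(bytes_per_sector, record_size_raw):
    """Constructed test input: a minimal boot sector, not taken from a real disk."""
    buf = bytearray(512)
    buf[3:11] = b"NTFS    "
    struct.pack_into("<HB", buf, 0x0B, bytes_per_sector, 8)
    struct.pack_into("<QQQ", buf, 0x28, 1000000, 4, 500000)
    struct.pack_into("<b", buf, 0x40, record_size_raw)
    return bytes(buf)


if __name__ == "__main__":
    image = bytes(4096) + make_sample_boot_sector(4096, -12)
    for offset, info in find_boot_sectors(image):
        print(offset, info)
```

On a real image, pass `find_boot_sectors` a chunk read from the image file opened read-only; a hit with `supported` set to False corresponds to the 4096-byte case discussed above.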