Tools for hard drive diagnostics, repair, and data recovery

4GB of 2TB hdd is overwritten, how to recover the rest

January 23rd, 2021, 9:05

Hi

A friend has accidentally formatted a 2TB Seagate external drive with Rufus when trying to create a Windows installation USB.

I don't know the original filesystem (maybe NTFS or exFAT?)

Rufus has overwritten the original partition table and created a 32GB FAT32 partition.

The new partition has 4GB Windows installation files written in it.

I guess rest of the disk is untouched.

What is the best approach / best software for recovering files out of it? Recuva, R-Studio, TestDisk...?

I'm creating an image right now, will start recovery tomorrow.

Thanks

Re: 4GB of 2TB hdd is overwritten, how to recover the rest

January 23rd, 2021, 10:22

Partition Table is gone. So you won't recover any data with structure as it was before.

You can use any data recovery software to scan in raw recovery mode targeting specific file types.

Re: 4GB of 2TB hdd is overwritten, how to recover the rest

January 23rd, 2021, 10:45

Oh, shoot. I guess it has Autodesk files etc. but no idea what else. I'll see if the owner can give more precise description.

Re: 4GB of 2TB hdd is overwritten, how to recover the rest

January 23rd, 2021, 15:22

Can you show us the Partitions window in DMDE?

https://dmde.com/

Re: 4GB of 2TB hdd is overwritten, how to recover the rest

January 24th, 2021, 4:13

fzabkar wrote: Can you show us the Partitions window in DMDE?


[Attached images: 1.PNG, 2.PNG]

Re: 4GB of 2TB hdd is overwritten, how to recover the rest

January 24th, 2021, 13:29

As expected, the $MFT has been overwritten. I think that a raw recovery will be your only option (as already stated), most likely without original file names.

Re: 4GB of 2TB hdd is overwritten, how to recover the rest

January 24th, 2021, 16:01

fzabkar wrote: As expected, the $MFT has been overwritten. I think that a raw recovery will be your only option (as already stated), most likely without original file names.


I have never checked this, but I do not know how much of the MFT DMDE actually examines. What I do know is you may have a lucky break. If I, for example, look at the NTFS partition on my internal drive, the MFT is fragmented and a huge portion is out of this 4 GB danger zone. The MFT holds about 1 million files, which is roughly 1 GB. In my case, overwriting 4 GB at the start of the drive would still allow me to recover 60% of files using file system metadata.

Re: 4GB of 2TB hdd is overwritten, how to recover the rest

January 24th, 2021, 19:23

I'll see what will come out of it. This is an external drive so I guess there's a slim chance of fragmentation as the files were probably written in one (or two) go.

Which software handles this overwritten MFT scenario best? GetDataBack, R-Studio or DMDE?

Re: 4GB of 2TB hdd is overwritten, how to recover the rest

January 24th, 2021, 22:10

atuovu wrote: Which software handles this overwritten MFT scenario best? GetDataBack, R-Studio or DMDE?

I have no personal experience, but there is a DR pro at reddit who consistently claims that GetDataBack is the better tool in such cases, even though his primary tool appears to be R-Studio. Just saying ...

Re: 4GB of 2TB hdd is overwritten, how to recover the rest

January 25th, 2021, 3:59

Cool, thanks. I plan to try the demo of both of them when I have the time.

Re: 4GB of 2TB hdd is overwritten, how to recover the rest

February 1st, 2021, 8:50

Status update:

GetDataBack didn't find anything (only NTFS special$ files).

Also tried raw file recovery with R-Studio. Scanned for 3 days and only found ~2-3 GB worth of mpg, jpg and pdf files. Some of them were legit but most of them useless. The scan abruptly ended due to an unrelated BSOD and I didn't restart the scan afterwards.

Re: 4GB of 2TB hdd is overwritten, how to recover the rest

February 1st, 2021, 9:15

RAW scans typically result in many false positives. 2 - 3 GB, how full was the drive, how much data is expected?

GetDataBack, what version did you use? Assuming Pro, what file systems were detected, what level did you select?

Alternatively try ReclaiMe (long scan), UFS, ZAR (zero assumption recovery). Note that the latter will not show you RAW results unlike the first 2. However, it's pretty good at coming up with a file system assuming metadata is actually detected.

If you settle for RAW or if it's the only option, PhotoRec is free and supports many file types, not just photos.

Re: 4GB of 2TB hdd is overwritten, how to recover the rest

February 2nd, 2021, 19:08

Arch Stanton wrote: RAW scans typically result in many false positives. 2 - 3 GB, how full was the drive, how much data is expected?

GetDataBack, what version did you use? Assuming Pro, what file systems were detected, what level did you select?

Alternatively try ReclaiMe (long scan), UFS, ZAR (zero assumption recovery). Note that the latter will not show you RAW results unlike the first 2. However, it's pretty good at coming up with a file system assuming metadata is actually detected.

If you settle for RAW or if it's the only option, PhotoRec is free and supports many file types, not just photos.


Unfortunately I've no idea how much data was on the drive.

Used the latest version of GetDataBack (Simple?) in 4-star mode. Found a 2TB NTFS but it was useless as stated.

I'll try the programs you mentioned.

Re: 4GB of 2TB hdd is overwritten, how to recover the rest

June 11th, 2021, 6:21

atuovu wrote: Unfortunately I've no idea how much data was on the drive.

Used the latest version of GetDataBack (Simple?) in 4-star mode. Found a 2TB NTFS but it was useless as stated.

I'll try the programs you mentioned.


Being a CAD geek myself, I can tell you your most valuable tool here will be information from the customer. Namely, the specific use case for the machine.
For instance, if you can narrow its use down to professional CAD work, as performed in an office, as opposed to a mix of professional CAD as well as personal CAD and the myriad of other personal uses, then I would say the customer is probably mostly interested in recovering work in the form of CAD files (almost always stored on a network drive or in the user's own folders) and possibly daily work reports or other critical documents that play a central role in much of the industry in which CAD work is performed.
The file-types differ quite greatly depending on which Autodesk software is primarily being used.
For AutoCAD, these would include (but are not limited to) DWG and DXF for the main form of the work being done, and to supplement the recovery of these, there are a number of automatically saved back-up copies of these that are typically stored in the user's temp folder or in a specifically configured folder.
There will be no end to the set of possible file types that you'd need to recover going only on a general presence of Autodesk files. It is likely that your customer is not a CAD person themselves, but getting them to obtain as much information as possible from the person who used the machine would be your only real hope for success. This is due to the enormous number of files that are included with any Autodesk software that have the same file types as those created by the software itself.
The customer may just want a small folder that contains 5 dwg files from the user's desktop, but without the master file table, your software will be endlessly trying to carve out thousands of DWG files. But if the user could confirm whether they used, for example, the option to save DWGs in contiguous form, or that they routinely performed full de-fragmentation of their CAD files or the whole disk, then carving will have much better success.
If they were doing professional work without a network drive for completed work, back-up, collaboration, etc., then you may also be looking for PDFs, PNGs, cached Outlook emails, etc.
Regardless of whether the CAD files represent professional or personal work, if the user is a developer, they could also have any number of scripts, or possibly custom plugins developed on the machine that would be just as valuable to them as the related drawings.

Lastly, to re-iterate Arch's point, if the 2 TB drive happened to have more than a million files in its MFT, then Windows will have allocated an extension to the MFT residing well past the 4GB zone. ZAR is a good choice for creating a list of many possible locations for the MFT. If you find any that show a large portion saved in the upper areas of the disk, try recovering a few complex files using the most promising MFT instances, and see if any of them result in significantly more complete or working files.
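
Added example (not part of the thread, and not code from any of the tools named in it): a sketch of how one could check a disk image for NTFS FILE records that survive beyond the overwritten zone and group them into candidate MFT fragments. It assumes 1024-byte records with the NTFS 3.1 header layout; the function names are hypothetical and the sample image is constructed and scaled down.

```python
import io, struct

RECORD_SIZE = 1024  # assumed FILE record size (the common NTFS default)
HDR = struct.Struct("<4sHHQHHHHIIQHHI")  # 0x30-byte header; record no. at 0x2C (NTFS 3.1+)

def parse_file_record(buf):
    """Return (record_no, in_use) for a plausible NTFS FILE record, else None."""
    (sig, usa_off, usa_cnt, _lsn, _seq, _links, attr_off, flags,
     used, alloc, _base, _next_id, _pad, record_no) = HDR.unpack_from(buf)
    # Header sanity checks weed out stray "FILE" strings (raw-scan false positives).
    ok = sig == b"FILE" and alloc == RECORD_SIZE and attr_off <= used <= alloc
    ok = ok and usa_cnt == alloc // 512 + 1 and usa_off + 2 * usa_cnt <= attr_off
    return (record_no, bool(flags & 0x01)) if ok else None

def scan_surviving_mft(stream, skip_bytes):
    """Walk the image sector by sector, starting past the overwritten zone."""
    hits, offset = [], skip_bytes
    while True:
        stream.seek(offset)
        buf = stream.read(RECORD_SIZE)
        if len(buf) < RECORD_SIZE:
            return hits
        rec = parse_file_record(buf)
        if rec:
            hits.append((offset, *rec))
        offset += RECORD_SIZE if rec else 512

def mft_fragments(hits):
    """Merge back-to-back records into runs of [start_offset, first_record_no, count]."""
    runs = []
    for off, rec_no, _ in hits:
        if runs and runs[-1][0] + runs[-1][2] * RECORD_SIZE == off:
            runs[-1][2] += 1
        else:
            runs.append([off, rec_no, 1])
    return runs

def make_record(record_no, in_use=True):
    """Constructed sample data: a bare FILE record header padded to RECORD_SIZE."""
    hdr = HDR.pack(b"FILE", 0x30, 3, 0, 1, 1, 0x38, int(in_use),
                   0x40, RECORD_SIZE, 0, 0, 0, record_no)
    return hdr.ljust(RECORD_SIZE, b"\0")

def build_sample_image():
    """Constructed image: a 4 KiB junk zone stands in for the overwritten 4 GB."""
    img = b"\xAA" * 4096 + b"\0" * 512 + b"".join(map(make_record, (100, 101, 102)))
    img += b"FILE not a record".ljust(1536, b"\0")  # stray signature, must be rejected
    return io.BytesIO(img + make_record(200) + make_record(201, in_use=False))
```

On a real image, open the file in binary mode and pass the size of the overwritten region as `skip_bytes`; the one-sector-at-a-time reads are kept for clarity and would be slow on a 2TB image.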