All times are UTC - 5 hours [ DST ]




Post new topic Reply to topic  [ 14 posts ] 
Author Message
 Post subject: 4GB of 2TB hdd is overwritten, how to recover the rest
PostPosted: January 23rd, 2021, 9:05 
Offline

Joined: December 18th, 2019, 6:21
Posts: 24
Hi

A friend has accidentally formatted an 2TB Seagate external drive with Rufus when trying to create a Windows installation USB.

I don't know the original filesystem (maybe NTFS or exFAT?)

Rufus overwritten the original partition table and created an 32GB FAT32 partition.

The new partition has 4GB Windows installation files written in it.

I guess rest of the disk is untouched.

What is the best approach/ best software for recovering files out of it? Recuva, R-studio, testdisk...?

I'm creating an image right now, will start recovery tomorrow.

Thanks


Top
 Profile  
 
 Post subject: Re: 4GB of 2TB hdd is overwritten, how to recover the rest
PostPosted: January 23rd, 2021, 10:22 
Offline

Joined: May 9th, 2017, 11:33
Posts: 140
Partition Table is gone. So you won't recover any data with structure as it was before.

You can use any data recovery software to scan in raw recovery mode targeting specific file types.


Top
 Profile  
 
 Post subject: Re: 4GB of 2TB hdd is overwritten, how to recover the rest
PostPosted: January 23rd, 2021, 10:45 
Offline

Joined: December 18th, 2019, 6:21
Posts: 24
Oh, shoot. I guess it has Autodesk files etc. but no idea what else. I'll see if the owner can give more precise description.


Top
 Profile  
 
 Post subject: Re: 4GB of 2TB hdd is overwritten, how to recover the rest
PostPosted: January 23rd, 2021, 15:22 
Offline
User avatar

Joined: September 8th, 2009, 18:21
Posts: 15461
Location: Australia
Can you show us the Partitions window in DMDE?

https://dmde.com/

_________________
A backup a day keeps DR away.


Top
 Profile  
 
 Post subject: Re: 4GB of 2TB hdd is overwritten, how to recover the rest
PostPosted: January 24th, 2021, 4:13 
Offline

Joined: December 18th, 2019, 6:21
Posts: 24
fzabkar wrote:
Can you show us the Partitions window in DMDE?


Attachment:
1.PNG
1.PNG [ 40.05 KiB | Viewed 27148 times ]


Attachment:
2.PNG
2.PNG [ 27.56 KiB | Viewed 27148 times ]


Top
 Profile  
 
 Post subject: Re: 4GB of 2TB hdd is overwritten, how to recover the rest
PostPosted: January 24th, 2021, 13:29 
Offline
User avatar

Joined: September 8th, 2009, 18:21
Posts: 15461
Location: Australia
As expected, the $MFT has been overwritten. I think that a raw recovery will be your only option (as already stated), most likely without original file names.

_________________
A backup a day keeps DR away.


Top
 Profile  
 
 Post subject: Re: 4GB of 2TB hdd is overwritten, how to recover the rest
PostPosted: January 24th, 2021, 16:01 
Offline
User avatar

Joined: May 13th, 2019, 7:50
Posts: 907
Location: Nederland
fzabkar wrote:
As expected, the $MFT has been overwritten. I think that a raw recovery will be your only option (as already stated), most likely without original file names.


I have never checked this, but I do not know how much of MFT DMDE actually examines. What I do know is you may have a lucky break. If I for example look at the NTFS partition on my internal drive MFT is fragmented and a huge portion is out of this 4 GB danger zone. MFT holds about 1 million files which is roughly 1 GB. In my case overwriting 4 GB of start drive would still allow me to recover 60% of files using file system meta data.

_________________
Joep - http://www.disktuna.com - video & photo repair & recovery service


Top
 Profile  
 
 Post subject: Re: 4GB of 2TB hdd is overwritten, how to recover the rest
PostPosted: January 24th, 2021, 19:23 
Offline

Joined: December 18th, 2019, 6:21
Posts: 24
I'll see what will come out of it. This is an external drive so I guess there's a slim chance of fragmentation as the files were probably written in one (or two) go.

Which software handles this overwritten MFT scenario best? Getdataback, R-studio or DMDE?


Top
 Profile  
 
 Post subject: Re: 4GB of 2TB hdd is overwritten, how to recover the rest
PostPosted: January 24th, 2021, 22:10 
Offline
User avatar

Joined: September 8th, 2009, 18:21
Posts: 15461
Location: Australia
atuovu wrote:
Which software handles this overwritten MFT scenario best? Getdataback, R-studio or DMDE?

I have no personal experience, but there is a DR pro at reddit who consistently claims that Getdataback is the better tool in such cases, even though his primary tool appears to be R-Studio. Just saying ...

_________________
A backup a day keeps DR away.


Top
 Profile  
 
 Post subject: Re: 4GB of 2TB hdd is overwritten, how to recover the rest
PostPosted: January 25th, 2021, 3:59 
Offline

Joined: December 18th, 2019, 6:21
Posts: 24
Cool, thanks. I plan to try demo of both of them when I have the time.


Top
 Profile  
 
 Post subject: Re: 4GB of 2TB hdd is overwritten, how to recover the rest
PostPosted: February 1st, 2021, 8:50 
Offline

Joined: December 18th, 2019, 6:21
Posts: 24
Status update:

GetDataBack didn't find anything (only NTFS special$ files).

Also tried raw file recovery with R-Studio. Scanned for 3 days and only found ~2-3 GB worth of mpg, jpg and pdf files. Some of them were legit but most of them useless. Scan abrubtly ended due to an unrelated BSOD and I didn't restart the scan afterwards.


Top
 Profile  
 
 Post subject: Re: 4GB of 2TB hdd is overwritten, how to recover the rest
PostPosted: February 1st, 2021, 9:15 
Offline
User avatar

Joined: May 13th, 2019, 7:50
Posts: 907
Location: Nederland
RAW scans typically result in many false positives. 2 - 3 GB, how full was drive, how much data is expected?

GetDataBack, what version did you use? Assuming Pro, what file systems were detected, what level did you select?

Alternatively try ReclaiMe (long scan), UFS, ZAR (zero assumption recovery). Note that the latter will not show you RAW results unlike the first 2. However it's pretty good coming up with a file system assuming meta data is actually detected.

If you settle for RAW or if it's only option, PhotoRec is free and supports many file types, not just photos.

_________________
Joep - http://www.disktuna.com - video & photo repair & recovery service


Top
 Profile  
 
 Post subject: Re: 4GB of 2TB hdd is overwritten, how to recover the rest
PostPosted: February 2nd, 2021, 19:08 
Offline

Joined: December 18th, 2019, 6:21
Posts: 24
Arch Stanton wrote:
RAW scans typically result in many false positives. 2 - 3 GB, how full was drive, how much data is expected?

GetDataBack, what version did you use? Assuming Pro, what file systems were detected, what level did you select?

Alternatively try ReclaiMe (long scan), UFS, ZAR (zero assumption recovery). Note that the latter will not show you RAW results unlike the first 2. However it's pretty good coming up with a file system assuming meta data is actually detected.

If you settle for RAW or if it's only option, PhotoRec is free and supports many file types, not just photos.


Unfortunately I've no idea how much data was in the drive.

Used the latest version of getdataback (simple?) on 4-star mode. found 2TB NTFS but it was useless as stated.

I'll try the programs you mentioned.


Top
 Profile  
 
 Post subject: Re: 4GB of 2TB hdd is overwritten, how to recover the rest
PostPosted: June 11th, 2021, 6:21 
Offline

Joined: June 11th, 2021, 5:23
Posts: 2
Location: Las Vegas
atuovu wrote:
Unfortunately I've no idea how much data was in the drive.

Used the latest version of getdataback (simple?) on 4-star mode. found 2TB NTFS but it was useless as stated.

I'll try the programs you mentioned.


Being a CAD geek myself, I can tell you your most valuable tool here will be information from the customer. Namely, the specific use case for the machine.
For instance, If you can narrow its use down to professional CAD work, as performed in an office, as opposed to a mix of professional CAD as well as personal CAD and the myriad of other personal uses, then I would say the customer is probably mostly interested in recovering work in the form of CAD files (almost always stored on a network drive or in the user's own folders) and possibly daily work reports or other critical documents that play a central role in much of the industry in which CAD work is performed.
The file-types differ quite greatly depending on which Autodesk software is primarily being used.
For AutoCAD, these would include (but are not limited to) DWG and DXF for the main form of the work being done, and to supplement the recovery of these, there are a number of automatically saved back-up copies of these that are typically stored in the user's temp folder or in a specifically configured folder.
There will be no end to the set of possible file types that you'd need to recover going only on a general presence of Autodesk files. It is likely that your customer is not a CAD person themselves, but getting them to obtain as much information from the person who used the machine would be your only real hope for success. This is due to the enormous number of files that are included with any Autodesk software that have the same file types as those created by the software itself.
The customer may just want a small folder that contains 5 dwg files from the user's desktop, but without the master file table, your software will be endlessly trying to carve out thousands of DWG files. But if the user could confirm whether they used, for example, the option to save DWGs in contiguous form, or that they routinely performed full de-fragmentation of their CAD files or the whole disk, then carving will have much better success.
If they were doing professional work without a network drive for completed work, back-up, collaboration, etc.. then you may also be looking for PDFs, PNGs, cached outlook emails, etc.
Regardless of whether the CAD files represent professional or personal work, if the user is a developer, they could also have any number of scripts, or possibly custom plugins developed on the machine that would be just as valuable to them as the related drawings.

Lastly, to re-iterate Arch's point, if the 2 TB drive happened to have more than a million files in its MFT, then Windows will have allocated an extension to the MFT residing well past the 4GB zone. ZAR is a good choice for creating a list of many possible locations for the MFT. If you find any that show a large portion saved in the upper areas of the disk, try recovering a few complex files using the most promising MFT instances, and see if any of them result in significantly more complete or working files.


Top
 Profile  
 
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 14 posts ] 

All times are UTC - 5 hours [ DST ]


Who is online

Users browsing this forum: No registered users and 37 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB © 2000, 2002, 2005, 2007 phpBB Group