HDD Data Recovery with start of disk over written

Discussion:

Neil Henwood

2011-11-06 04:44:33 UTC

Hi All

After being a read only member of this list for a while, I seem to have
got myself into a bit of a jam and need some assistance to see if I can
get it sorted out.

Issue is that I was writing an ISO to a USB drive, but instead of
writing to the 4GB USB drive, I wrote to the first 500Mb odd of the
750Gb USB HDD that was at the next drive letter. (f & g are very close
on the keyboard.) The 750Gb drive is (was) formatted as NTFS.

I'm sure that there will be a way to get the data past the written ISO
back, but I cannot figure it out as yet.

I have tried to use ddrescue to create a ISO of the overwritten drive
(less the over ridden part) to another drive, but am unable to read it.
Most likely the way I am trying to mount the image.

Is any body able to point me in the right direction of how I can recover
the remaining data on this HDD. I'm not concerned if I use windows or
linux to do the recovery.

Thanks all in advance.

Regards

Neil

_______________________________________________
NZLUG mailing list ***@linux.net.nz
http://www.linux.net.nz/cgi-bin/mailman/listinfo/nzlug

Clark Mills

2011-11-06 05:50:12 UTC

Permalink

Hi Neil.

I used something a while ago, this I think:

http://www.lnx4n6.be/

but it I recall rightly most of your data will be grouped toward the
beginning of the disk, and that's where you clobbered. Depends on your
partitioning as well...

Create a file image dd seek-ing past the ISO image and collecting the
remainder of the disk.
Then aim the forensics disk at your remainder file.

HTH, good luck & cheers... Clark

Post by Neil Henwood
...
Is any body able to point me in the right direction of how I can
recover the remaining data on this HDD. I'm not concerned if I use
windows or linux to do the recovery.

_______________________________________________
NZLUG mailing list ***@linux.net.nz
http://www.linux.net.nz/cgi-bin/mailman/listinfo/nzlug

Clark Mills

2011-11-08 02:28:05 UTC

Permalink

Hi Neil.

Actually, you should get most of your data back (less filenames).
I misread 500GB written on a 750GB disk.
500MB is bugger all on a 750GB disk.
Apologies, I should have read the question properly. :)

Cheers... Clark

Post by Clark Mills
but it I recall rightly most of your data will be grouped toward the
beginning of the disk, and that's where you clobbered. Depends on
your partitioning as well...

_______________________________________________
NZLUG mailing list ***@linux.net.nz
http://www.linux.net.nz/cgi-bin/mailman/listinfo/nzlug

Shiv Manas

2011-11-06 21:33:55 UTC

Permalink

Hi Neil,

TestDisk can (attempt to) restore deleted partitions, but it might not be
able to, if your NTFS metadata was located in the first 500MB. However,
another tool included in the package - PhotoRec - can recover data from
raw/damaged file-systems. Don't be fooled by the name - it can recognize
around 400 file-formats!

If you're looking for a commercial program, I've had good results with
R-Studio in the past. (Available on both Windows and Linux)

HTH

- Shiv
_______________________________________________
NZLUG mailing list ***@linux.net.nz
http://www.linux.net.nz/cgi-bin/mailman/listinfo/nzlug

Elroy

2011-11-09 08:40:45 UTC

Permalink

Had some experience with this in the past - also look into:

Scalpel

Foremost

And others here:

http://www.noah.org/wiki/Forensics,_Undelete,_and_Data_Recovery

G/L!

Elroy.

Post by Neil Henwood
Hi All
After being a read only member of this list for a while, I seem to have
got myself into a bit of a jam and need some assistance to see if I can
get it sorted out.
Issue is that I was writing an ISO to a USB drive, but instead of
writing to the 4GB USB drive, I wrote to the first 500Mb odd of the
750Gb USB HDD that was at the next drive letter. (f & g are very close
on the keyboard.) The 750Gb drive is (was) formatted as NTFS.
I'm sure that there will be a way to get the data past the written ISO
back, but I cannot figure it out as yet.
I have tried to use ddrescue to create a ISO of the overwritten drive
(less the over ridden part) to another drive, but am unable to read it.
Most likely the way I am trying to mount the image.
Is any body able to point me in the right direction of how I can recover
the remaining data on this HDD. I'm not concerned if I use windows or
linux to do the recovery.
Thanks all in advance.
Regards
Neil
_______________________________________________
http://www.linux.net.nz/cgi-bin/mailman/listinfo/nzlug

_______________________________________________
NZLUG mailing list ***@linux.net.nz
http://www.linux.net.nz/cgi-bin/mailman/listinfo/nzlug

graham dixon

2011-11-11 07:06:14 UTC

Permalink

________________________________
Hi Neil,
Have a look at Runtime Software's GetDataBack software.
It's not free but not expensive.
I used it a bit in the time when NTFS had not fully replaced FAT32 and a microsoft tool for recovering NTFS file directory after a particular bug attack was often mis-applied to FAT32 systems thereby loosing the root directory data.
It is easy to use and in my experience reliable.
Make sure you get the version that is for NTFS.
It scans the disk to find reconisable file or folder directory blocks then recovers the files listed from there.
It is non destructive on the broken disk so you'll need somewhere else to store the rebuilt directory structures.

cheers
Graham

=======================================
Message: 2
Date: Sun, 06 Nov 2011 17:44:33 +1300
From: Neil Henwood <***@gmail.com>
Subject: [nzlug] HDD Data Recovery with start of disk over written
To: ***@linux.net.nz
Message-ID: <***@gmail.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Hi All

After being a read only member of this list for a while, I seem to have
got myself into a bit of a jam and need some assistance to see if I can
get it sorted out.

Issue is that I was writing an ISO to a USB drive, but instead of
writing to the 4GB USB drive, I wrote to the first 500Mb odd of the
750Gb USB HDD that was at the next drive letter. (f & g are very close
on the keyboard.) The 750Gb drive is (was) formatted as NTFS.

I'm sure that there will be a way to get the data past the written ISO
back, but I cannot figure it out as yet.

I have tried to use ddrescue to create a ISO of the overwritten drive
(less the over ridden part) to another drive, but am unable to read it.
Most likely the way I am trying to mount the image.

Is any body able to point me in the right direction of how I can recover
the remaining data on this HDD. I'm not concerned if I use windows or
linux to do the recovery.

Thanks all in advance.

Regards

Neil

Neil Henwood

2011-11-15 08:59:36 UTC

Permalink

This is what I ended up using in the end.It got most of what I was
expecting back. Have some other directories to look into, but overall was Ok

Post by Neil Henwood
________________________________
Hi Neil,
Have a look at Runtime Software's GetDataBack software.
It's not free but not expensive.
I used it a bit in the time when NTFS had not fully replaced FAT32 and a microsoft tool for recovering NTFS file directory after a particular bug attack was often mis-applied to FAT32 systems thereby loosing the root directory data.
It is easy to use and in my experience reliable.
Make sure you get the version that is for NTFS.
It scans the disk to find reconisable file or folder directory blocks then recovers the files listed from there.
It is non destructive on the broken disk so you'll need somewhere else to store the rebuilt directory structures.
cheers
Graham
=======================================
Message: 2
Date: Sun, 06 Nov 2011 17:44:33 +1300
Subject: [nzlug] HDD Data Recovery with start of disk over written
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Hi All
After being a read only member of this list for a while, I seem to have
got myself into a bit of a jam and need some assistance to see if I can
get it sorted out.
Issue is that I was writing an ISO to a USB drive, but instead of
writing to the 4GB USB drive, I wrote to the first 500Mb odd of the
750Gb USB HDD that was at the next drive letter. (f& g are very close
on the keyboard.) The 750Gb drive is (was) formatted as NTFS.
I'm sure that there will be a way to get the data past the written ISO
back, but I cannot figure it out as yet.
I have tried to use ddrescue to create a ISO of the overwritten drive
(less the over ridden part) to another drive, but am unable to read it.
Most likely the way I am trying to mount the image.
Is any body able to point me in the right direction of how I can recover
the remaining data on this HDD. I'm not concerned if I use windows or
linux to do the recovery.
Thanks all in advance.
Regards
Neil
------------------------------
_______________________________________________
http://www.linux.net.nz/cgi-bin/mailman/listinfo/nzlug

_______________________________________________
NZLUG mailing list ***@linux.net.nz
http://www.linux.net.nz/cgi-bin/mailman/listinfo/nzlug