无法从Windows，Mas OSX或Linux访问损坏的NTFS文件夹 [英] Corrupt NTFS folder not accessible from either Windows, Mas OSX or Linux

问题描述

我有一个外部的2TB硬盘，包含GoPro和Sony Handycam的大量视频文件以及其他备份的内容。最近，当试图从我的Mac备份（通过OSXFUSE使用一些黑客，以允许写入NTFS文件系统，一直工作到现在为止）我发现我的一个文件夹丢失了一些文件夹。我删除了外部的高清，并尝试从Ubuntu恢复它，但在Ubuntu中，我得到的内容甚至更少的知名度。请参阅下面的截图。这两个紫色的文件夹不再作为文件夹，他们的名字已经缩短，他们应该阅读Navimag渡轮和索尼Hanicam（Handycam的错字）。

在我看来，信息是因为可用空间没有变化。

到目前为止，我已经尝试了以下内容：

pre $> sudo ntfsfix / dev / sda1


以下输出

 挂载量... OK 
 $ MFT和$ MFTMirr的处理已成功完成。 
检查备用引导扇区...确定
 NTFS卷的版本是3.1。 
 NTFS分区/ dev / sda1已成功处理。 
  

和

  sudo testdisk / dev / sda1 
  

使用 testdisk 我使用快速搜索函数在 analyze 之后加上深入搜索但都返回结构：好的。

上的软件建议网站。这些是特别针对严重损坏的驱动器，他们包括：

• DMDE （商业版，适用于Windows，但有Linux的控制台版本）
com /rel =nofollow noreferrer> Restorer Ultimate （适用于Windows和OS X的商业版本） RecuperaBit （开放源代码，基于Python）：它在Linux上确实运行，但它已经在Windows上进行了很多测试...就像一次 。它也应该在OS X上运行。

基于我的（有偏见的）意见和我的测试结果 RecuperaBit是最好的一个用于与磁盘表示严重损坏。你的是有点损坏，但我想就如何恢复两个特定的文件夹提供简要指导。

恢复这两个目录

首先，在磁盘上运行RecuperaBit。我强烈建议在一个比特流拷贝上运行它，但是它不会写任何东西，所以你可以尝试直接在设备上运行：

  mkdir / media / user / External / recovered_files 
 cd [recuperabit的完整路径] 
 pypy main.py / dev / sdb -o / media / user / External / recovered_files -s /media/user/External/savefile.save 
  

这里我假设 / dev / sdb 是损坏的驱动器，并且要将文件保存在 / media / user / External 上的另一个驱动器中。如果您直接在块设备上运行该工具，我认为您需要 sudo 。

扫描过程需要很长时间（高枕无忧，2TB是很多！），但是如果你第二次运行这个工具，结果会被保存到 savefile.save 。键入 recoverable 来找出需要恢复的分区的标识符。标识符由RecuperaBit给出，并不反映分区表。

假设它是＃2 ，保存一个CSV内容转储：

  csv 2 contents.csv 
  

程序将打印保存文件的路径。用LibreOffice打开它，找到要恢复的文件夹的ID。例如，根目录的id为 5 ，但是如果你只丢失两个目录，你可能不想获得所有文件的副本。

b
$ b

假设破损的目录有id 124 。回到RecuperaBit并输入：

 恢复2 124 
  

其中＃2 仍然是分区标识符。它将列出正在恢复的文件。你可以导航到输出目录，并检查你想要的是否在那里。如果不是，请重试：您可能选择了错误的标识符。

I have an external 2TB hard drive with a large number of video files from GoPro and a Sony Handycam as well as other backed up content. Recently while attempting to backup from my Mac (using a bit of a hack via OSXFUSE to allow writing to a NTFS filesystem which had been working for me up until now) I found one of my folders to be missing some folders. I removed the external HD and tried to recover it from Ubuntu, but in Ubuntu I get even less visibility of the content. See the screenshot below. The 2 folders coloured purple no longer act as folders and their names have been shortened, they should read 'Navimag Ferry' and 'Sony Hanicam' (typo from Handycam).

When I run ls -al I get the following

It seems to me that the information is there because the available space has not changed.

So far I have tried the following:

sudo ntfsfix /dev/sda1

Which gives the following output

Mounting volume... OK
Processing of $MFT and $MFTMirr completed successfully.
Checking the alternate boot sector... OK
NTFS volume version is 3.1.
NTFS partition /dev/sda1 was processed successfully.

and

sudo testdisk /dev/sda1

Using testdisk I used the quick search function in analyse followed by the deeper search but both returned Structure: Ok.

Additionally I used the undelete function but could not find the missing files or folders.

It seems to me that the link between the data and the directory structure is missing, but I am unsure how I can get this link back.

Any ideas??

Thanks,

Stu.

解决方案

Small disclaimer / introduction

I am the author of a MSc thesis related to forensic NTFS reconstruction when metadata is partially damaged and the creator of RecuperaBit, an open source software I will mention later in this answer.

What (likely) happened

The 2 folders coloured purple no longer act as folders and their names have been shortened

NTFS file records (called MFT entries) contain some crucial elements:

• Flags → Some bits describing the file. In particular, one bit corresponds to the "Is this a folder?" question and another to "Is this deleted or still allocated?".
• $FILE_NAME attribute(s) → Each file has one or more file names, because NTFS is compatible with DOS 8.3 names.
• $STANDARD_INFORMATION attribute → This contains MAC (modification, access, creation) times and a bit more.

Moreover, each directory contains one $INDEX_ROOT and possibly several $INDEX_ALLOCATION attributes listing the children names (but not the MAC times).

From your output, it seems to me that the MFT entries of those two directories have been lost. You still see them as elements inside camera uploads because they are found in one of the index attributes, but when the system tries to read the records to show you the dates, it fails.

The NTFS driver works as any other "normal" OS utility to access a file system: it goes top-down. Break a node and you lose any sub-tree (the contents of those directories, basically).

Here's where advanced data recovery software can help.

Recovering the files

Since this is a programming related website, I will briefly explain how you would program a software that is able to read a NTFS partition where some MFT entries are missing:

• Scan the whole drive, attempting to parse any pair of sectors starting with FILE as a valid MFT entry (I am simplifying a bit here)
• Build a tree bottom up by doing this for any node:
  • Read the id of the parent node
  • If you have a node with said id, link the child to the parent
  • Otherwise, create a Folder_<id> directory under Lost Files and link the child to it
• Read the $DATA attributes of each file you want to recover and copy them somewhere else

For more details related to the algorithmic techniques for file system reconstruction, check out my thesis linked above.

Tools you can try

I have mentioned a few programs in this answer on the Software Recommendations website. Those were specifically targeted to heavily damaged drives, and they included:

• DMDE (commercial, for Windows but has a console version for Linux)
• Restorer Ultimate (commercial, for Windows and OS X)
• RecuperaBit (open source, Python-based): It runs for sure on Linux but it has been fainly tested on Windows... like once. It should run on OS X as well.

Based on both my (biased) opinion and my test results RecuperaBit is the best one with disks showing severe damage. Yours is slightly damaged, nevertheless I would like to provide a brief guidance on how to recover two specific folders.

Recovering those two directories

First of all, run RecuperaBit on the disk. I would strongly suggest running it on a bitstream copy, but it does not write anything to it, so you might try to run it directly on the device:

mkdir /media/user/External/recovered_files
cd [full path of recuperabit]
pypy main.py /dev/sdb -o /media/user/External/recovered_files -s /media/user/External/savefile.save

Here I assume /dev/sdb is the damaged drive and you want to save the files in another drive mounted on /media/user/External. If you run the tool on the block device directly, I think you'll need sudo.

The scanning process will take a long time (sit back and relax, 2TB are a lot!), however the results are saved to savefile.save should you run the tool a second time. Type recoverable to find out the identifier of the partition you need to restore. The identifier is given by RecuperaBit and does not reflect the partition table.

Assuming it is #2, save a CSV dump of the contents:

csv 2 contents.csv

The program will print the path of the saved file. Open it with LibreOffice and find the id of the folder(s) you want to restore. For example, the root directory would have id 5, but you probably don't want to get a copy of all files if you miss only two directories.

Let's say the broken directory has id 124. Go back to RecuperaBit and type:

restore 2 124

Where #2 is still the partition identifier. It will list the files it is recovering. You can navigate to the output directory and check if what you want is there. If it is not, try again: you might have chosen the wrong identifier.

这篇关于无法从Windows，Mas OSX或Linux访问损坏的NTFS文件夹的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！