Login/Register
Writing your own partition recovery [closed]
Asked Answered
c++cassemblypartitioningdata-recovery
S

1

8

I realise that the question I'm asking isn't a simple "O, that's easy! Do a simple this and that and voilà!" Fact is, without thinking one night I deleted the wrong partition. I tried a few Windows and Linux tools (Partition disk doctor, Easeus, Test disk, etc) but none of them worked. And I think it's because of the way I deleted the partition.

I have written my own boot sector creators / backup tools in C++ before as well as one or two kernels in C and Assembler (albeit fairly useless kernels...) so I think I have sufficient knowledge to at the very least TRY to recover it manually.

My drive was set up as follows:

 Size: 1.82TB
 part0 100MB (redundant windows recovery partition)
 part1 ~1760MB (my data partition)

How I broke it:

In Windows 7, I deleted the first partition. I then extended the second to take up the first's free space, which meant I still had 2 partitions, now acting as one dynamic partition. I rebooted into my Ubuntu OS, and realised I could no longer read it. I rebooted back into Windows, deleted the first partition, then thought, wait...i shouldn't have done that. Needless to say it's dead now.

What I would like is some advice / good links on where to start, what not to do, and what not to expect. I'm hoping that if the journals are still intact I'll be able to recover the drive.

Edit:
This is an NTFS drive. After posting this question, I was wondering: given that I know the approximate location of where my partition was located, is there a way to easily identify the journals? Maybe I can reconstruct some of the other drive / partition info myself and write it to the disk.

Subulate answered 27/9, 2012 at 7:16 Comment(9)
It might help others to tell what FS was there. NTFS? EXT*?Dress
This probably belongs on superuser, I don't see how it's programming related. You are asking for help on manually recovering a partition in this particular case, right?Creole
@Charles, I believe (based on c, c++ and assembly tags) that the OP wants to write an application to recover it.Shela
@AlexeyFrunze It's a NTFS drive.Subulate
@CharlesBailey As SingerOfTheFall suggested, I want to write my own program to do it. I would like to use C++ for the task.Subulate
Have you overwritten the data in the partition? Maybe all that's needed is to restore the original MBR and the partition table?Lotz
@AleksG Maybe..but how would I go about doing that though? My biggest problem rite now is finding sources on doing this programmatically. Every time I google something related to "write your own partition table c++" it returns results of softwares that do this process for you.Subulate
Have a look at ntfs.com site and, specifically at ntfs.com/partition-table.htm article. It may give you what you're after.Lotz
Even though it is a very interesting challenge, I don't think this is a one man task, and if you really care abut that data, you should definitely clone the drive before attempting to run any hardcore low-level stuff on it. On the other hand, perhaps you should at least try to inspect it with something like piriform.com/recuva first and see what it can find.Aleutian
S
1

The first step, I think, is to figure out how exactly those "dynamic partitions" as you call them work in windows 7. From your description, it sounds as if you created a kind of logical volumn from two physical partitions. My guess is that the second partition now contains some kind of header for that volume, which is why recovery tools unfamiliar with that format fail to function.

If you figure out what windows 7 did exactly when you merged the two partitions, you should be able to writen an application which extracts an image of the logical volume.

Or, you could check out NTFS-3G, the FUSE implementation of NTFS at http://www.tuxera.com/community/ntfs-3g-download/. By studying that code, I bet that you can find a way to locate the NTFS filesystem on your borked disk. Once you have that, try extracting everything from the beginning of the filesystem to the end of the disk into an image, and run some ntfs filesystem checker on it. With a little luck, you'll get a moutable filesystem back.

If you're wondering how to access the disk, just open the corresponding device in linux as if it was a regular file. You might need to align your reads to 512 bytes, though (or whatever the sector size of your disk is. 512 and to a lesser extend 4096 are common values), otherwise read() might return an error.

Strohben answered 28/9, 2012 at 8:47 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.