Recovering an entire partition that has been somewhat formatted (I seriously messed up an external HD’s filesystem)

command linedata-recoveryexternal-diskpartitionunix

I have an embarrassing but very urgent problem. A friend of mine asked me to set up their new external HD for both Time Machine and file storage, and to transfer over files from their old HD. I started to partition the new drive using Disk Utility, but the partition option was greyed out. The entire disk was formatted as exFat, so I thought to reformat it as HFS+. I began to do so with diskUtil: diskUtil erasedisk hfs+ External /dev/disk2 (Note: this is on a Macbook Pro running El Capitan)

However, I mistyped. The new drive was not disk2, it was disk3–I had started to erase the old disk instead, which has important data in it. I realized my problem in an instant and ^C'd my way out of there, but the damage was done. Here's the sitch:

Terminal output says:

Starting erase on disk2
Unmounting disk
diskutil:interrupted
$ diskUtil list
...
/dev/disk2 (external, physical):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *1.0 TB     disk2
   1:                        EFI EFI                     209.7 MB   disk2s1
   2:                  Apple_HFS                         999.8 GB   disk2s2

As you can see, OSX recognizes the drive as GPT and the partition as HFS+. However, the drive will not show up in Finder.
Windows (10) recognizes that I have an external HD plugged in, but nothing shows under "Volumes" when I view its device in Device Manager.
Linux (Arch) recognizes the drive and the partition, just like OSX. I tried running ntfsfix, but to no avail. (It gave me a warning that said something about being unable to fix it and to try using chkdsk).
I am not 100% certain what the state of this HD was before I half-formatted it. It was first used and formatted on a cheap Windows laptop when Vista was the newest Windows OS, so I would think that it was NTFS on an MBR scheme before I violated it. (Perhaps I'm wrong and someone knows better, but that's what I'm led to believe).

Anyways, here I am. I need to recover about 700GB of data, perhaps NTFS/MBR, on a drive that thinks it's HFS+/GPT. All of the data has got to be there, more or less at least, but I need help accessing it. If you have any insight or knowledge that could help me out, I would truly appreciate it.

(Lastly, I've downloaded and installed some data recovery software from Easeus. It's running a "scan" on the drive, and I suspect it'll fix my problem if I dish over $90 or so. This is just a last resort, though. I'd really rather not have this headache become an expensive one, and since it's picking a lot of data, I know there's gotta be a way to solve this with some elbow grease.)

Best Answer

You should be able to restore at least the boundaries of the old NTFS volume:

Windows (like OS X) uses some default partition schemes to partition and format a disk.

An MBR/NTFS disk usually has an MBR in the first block (block0). The first partition usually starts at the 1 MB boundary (that's block2048) with a special block - the NTFS Boot Sector - and ends with a special block. Both blocks start with EB 52 90 4E 54 46 53 20 (hex) or ∂RENTFS(x20). The last 4096 blocks (2 MiB) are empty space usually.

Depending on how much was written while creating ("erasing") the new main HFS+ volume (usually about 120 - 160 MB after the process finished) the success of a data recovery may vary.

Detach any external drive except the broken one!

To recover the old NTFS volume boundaries you have to delete the GUID partition table and restore an MBR partition scheme:

To remove the GUIDpt, first open Terminal.app and get an overview (below I assume the disk identifier of the falsely formatted disk is disk2):

diskutil list
sudo gpt -r show disk2

The result is similar to the one below (your total size - here 1953525760 blocks and the main volume - here 1952853936 blocks - may differ slightly):

         0          1         PMBR
         1          1         Pri GPT header
         2         32         Pri GPT table
        34          6         
        40     409600      1  GPT part - C12A7328-F81F-11D2-BA4B-00A0C93EC93B
    409640 1952853936      2  GPT part - 48465300-0000-11AA-AA11-00306543ECAC
1953263576     262151         
1953525727         32         Sec GPT table
1953525759          1         Sec GPT header

Remove the GUIDpt:

diskutil umountDisk disk2
sudo gpt destroy disk2 
dd if=/dev/zero of=/dev/disk2 bs=512 count=1

Search the disk for the string ∂RENTFS(x20) in the last sectors of the disk:

hexdump -s 930g /dev/rdisk2  | grep "eb 52 90 4e 54 46 53 20"

-s: Skip offset bytes from the beginning of the input. The size is KiB/MiB/GiB. In my example the disk has a size of 931.51 GiB, so I searched the last 1.51 Gib only.

The result is e8e0bffe00 eb 52 90 4e 54 46 53 20 20 20 20 00 02 08 00 00 with e8e0bffe00 being the offset in hex. Converted with a hex2dec service this means an offset of 1000203091456 (dividing this by 512, the result is equal to block 1953521663).

Since this block is the last one in the previous volume you can determine the old volume size: 1953521663 (last block) - 2048 (probable start block) + 1 (counting starts with 0). The result has to be divisible by 8!

You may also check the first blocks of the disk with:

hexdump /dev/rdisk2  | grep "eb 52 90 4e 54 46 53 20"

You should get at least one line like this: 800 eb 52 90 4e 54 46 53 20 20 20 20 00 02 08 00 00. This is the NTFS Boot Sector at block 2048 - the 1 MB boundary - since these blocks are usually not erased by Disk Utility. Enter ctrlC to stop hexdump.

Now having the first block and the last block of the NTFS volume you should be able to restore the old MBR partition with fdisk:

fdisk -e /dev/disk2
Would you like to initialize the partition table? [y] y
fdisk:*1> auto dos
fdisk:*1> edit 1
     Starting       Ending
#: id  cyl  hd sec -  cyl  hd sec [     start -       size]
------------------------------------------------------------------------
*1: 0C    0   1   1 - 1023 254  63 [        63 - 1953525697] Win95 FAT32L
Partition id ('0' to disable)  [0 - FF]: [C] (? for help) 07
Do you wish to edit in CHS mode? [n] n
Partition offset [0 - 1953525760]: [63] 2048 #probable start of the NTFS volume
Partition size [1 - 1953523712]: [1953523712] 1953519616 #use the probable size of YOUR NTFS volume found previously here.
fdisk:*1> write
Writing MBR at offset 0.
fdisk: 1> q

Now you may be lucky and the NTFS volume just pops up or you have to use a data recovery tool.

Related Solutions

MacOS – Resetting MBR on iMac

Boot from an install DVD or USB key (If you have one).

From the first installer page choose Disk Utility from the Tools menu.

Check to see if it finds your partition.

Verify/Repair it.

Then, from Tools, choose Startup Disk, and see if you can set your system partition.

If you don't have an install DVD or USB key there are plenty of instructions around on how to do it.

iPartition can change partition schemes without wiping the disk if it comes to that. It's a great tool to have, I've used it a lot for various disk activities over the years, with Linux, Windows, and OSX partitions.

You need a GUID disk to boot OSX normally, not sure how you had it working with an MBR. Disk Utility will normally tell you what you have and how to correct it, if it can.

Long story short - make sure you back up your disk, you're probably going to be reformatting it.

I think I messed up the Fusion Drive on the 1TB iMac (with BootCamp)

Theoretically everything is fine with your Fusion Drive. Fusion Drives look like this. Disk0 is your SSD with 121 GB and disk1 is your HDD with ~1 TB (~1.121 TB summed up).

The larger parts of your SSD (disk0s2) and your HDD (disk1s2) are pooled to a CoreStorage LVG (Fusion Drive: disk3) with a size of 967.8 GB. The rest is reserved for EFIs, a Recovery HD (alltogether ~1.3 GB) and your old Windows partition - now probably free space (~152 GB).

The logical volume 'Macintosh HD' (967.8 GB) spans disk0s2 and disk1s2. This is the first 'Macintosh HD' in picture 1. The volume 'Macintosh HD' - it's the one visible on the desktop - should ideally also have about 967.8 GB. This is the second 'Macintosh HD' in picture 1.
In fact it has only 852.67 GB (see picture 3).

In the second picture the logical volume 'Macintosh HD' is the first listed in black, the volume 'Macintosh HD' is the second listed in black, the other two 'Macintosh HD's listed in grey are the parts of your SSD and HDD dedicated to the logical volume 'Macintosh HD'.

In my opinion something went wrong after deleting various partitions with the Bootcamp Assistant/Disk Utility or in Windows.

Preparation:

Detach any external drive (especially your external Time Machine backup drive)
Restart to Internet Recovery Mode by pressing alt cmd R at startup.
The prerequisites are the latest firmware update installed, either ethernet or WLAN (WPA/WPA2) and a router with DHCP activated.
On a 50 Mbps-line it takes about 4 min (presenting a small animated globe) to boot into a recovery netboot image which usually is loaded from an apple/akamai server.

I recommend ethernet because it's more reliable. If you are restricted to WIFI and the boot process fails, just restart your Mac until you succeed booting.

Alternatively you may start from a bootable installer thumb drive (preferably Mavericks or Yosemite) or a thumb drive containing a full system (preferably Mavericks or Yosemite).

Now you may either repair CoreStorage or rebuild your Fusion Drive:

'Repair CoreStorage' (not recommended):

First i would try to check the volume 'Macintosh HD' with Disk Utility. If the volume is corrupted consider a reinstall of Mac OS X.
If the volume is ok quit Disk Utility
Open Terminal and enter diskutil unmountDisk /dev/LVIdentifier and both diskutil unmountDisk /dev/DiskContainingApple_CoreStorageIdentifier
In your case: first diskutil unmountDisk /dev/disk3 then diskutil unmountDisk /dev/disk0 and diskutil unmountDisk /dev/disk1
remove the EFI NO NAME partition with gpt remove -i IndexNumberOfEFINoName DiskIdentifier:
gpt remove -i 4 disk1
Remount the CoreStorage disks and then the Logical Volume:
In your case: first diskutil mountDisk /dev/disk0 and diskutil mountDisk /dev/disk1 and then diskutil mount /dev/disk3.

enter gpt -r -vvv show /dev/diskIdentfierOfApple_CoreStorage to get infos of your HDD CoreStorage disk.
In your case: gpt -r -vvv show /dev/disk1
It should look like this:

-bash-3.2# gpt -r -vvv show /dev/disk1
gpt show: /dev/disk1: mediasize=1000204886016; sectorsize=512;         blocks=1953525168
gpt show: /dev/disk1: PMBR at sector 0
gpt show: /dev/disk1: Pri GPT at sector 1
gpt show: /dev/disk1: GPT partition: type=C12A7328-F81F-11D2-BA4B-00A0C93EC93B, start=40, size=409600
gpt show: /dev/disk1: GPT partition: type=53746F72-6167-11AA-AA11-00306543ECAC, start=409640, size=1671210848
gpt show: /dev/disk1: GPT partition: type=426F6F74-0000-11AA-AA11-00306543ECAC, start=1671620488, size=1269760
gpt show: /dev/disk1: Sec GPT at sector 1953525167                               
     start          size  index contents                                        
         0             1        PMBR                                            
         1             1        Pri GPT header                                  
         2            32        Pri GPT table                                   
        34             6
        40        409600      1 GPT part - C12A7328-F81F-11D2-BA4B-00A0C93EC93B
    409640    1671210848      2 GPT part - 53746F72-6167-11AA-AA11-00306543ECAC
1671620488       1269760      3 GPT part - 426F6F74-0000-11AA-AA11-00306543ECAC
1672890248     280634887
1953525135            32        Sec GPT table
1953525167             1        Sec GPT header

The free space on your HDD has 280634887 blocks. Please calculate the biggest block number dividable through 8. That's 280634880 blocks (á 512 bytes) which equals 143685058560 B or ~143.7 GB. Add the size of your HDD CoreStorage Physical Volume (852666400768 B) The result is 143685058560 B + 852666400768 B = 996351459328 B
Resize your HDD CoreStorage physical volume with diskutil cs resizeDisk HDDPVUUID newsize
In your case: diskutil cs resizeDisk 93892BE8-2B7F-4ABD-A4C3-984495DCD98D 996351459328b
Calculate the maximal size of your CoreStorage Logical Volume in diskutil cs list: (size disk0s2) + (size disk1s2) In your case that's 120988852224 B + 996351459328 B = 1117340311552 B. That should be the size of your refreshed Logical Volume Group.
Resize your Logical Volume with diskutil cs resizeVolume LVUUID LVGSize-128 MB In your case that's diskutil cs resizeVolume D237FFDC-7DA4-41D7-AC13-4CC7E5E8C0A0 1117212311552b. If you get an error (There is not enough free space...) choose a smaller size like 1117148311552b.
Quit Terminal and open Disk Utility.
Check your expanded CoreStorage Volume for errors.
Quit Disk Utility, choose your CS volume as startup disk and restart your Mac

'Rebuild Fusion Drive' (recommended if you have a Time Machine backup)

Booted to Internet Recovery Mode open Utilities → Terminal in the menubar and enter:
diskutil cs list to get the CoreStorage listing.
Copy the Logical Volume UUID, it's the fifth listed.
Now delete the Logical Volume with diskutil cs deleteVolume LVUUID.
In your case: diskutil cs deleteVolume D237FFDC-7DA4-41D7-AC13-4CC7E5E8C0A0.
Copy the Logical Volume Group UUID, it's the first listed in the listing of diskutil cs list.
Then delete the Logical Volume Group with diskutil cs delete LVGUUID.
In your case: diskutil cs delete 1EFE58BC-3613-44C4-86EE-D816F3B66E3E
Enter exit and quit 'Terminal'
Open 'Disk Utility'. Enter 'Ignore' if you are asked to fix the drives.
Choose your SSD and partition it: 1 Partition Mac OS X Extended (Journaled), hit the Options button and choose GUID Partiton table and hit OK and Apply.
Please check that the size is ~121 GB

Example:
Choose your HDD and partition it: 1 Partition Mac OS X Extended (Journaled), hit the Options button and choose GUID Partiton table and hit OK and Apply.
Please check that the size is ~1 TB

Example:
Quit Disk Utility and open Terminal
Enter diskutil list

Example (your disk identifiers and sizes are different of course: Your volume SSD probably has the Identifier disk0s2 and the size 121 GB and your volume HDD probably has the Identifier disk1s2 and the size 1.0 TB):
Enter diskutil cs create "Name" IdentifierSSD IdentifierHDD
In your case probably diskutil cs create "Macintosh HD" disk0s2 disk1s2.

Copy the resulting LVGUUID

Example:
Enter diskutil cs CreateVolume LVGUUID jhfs+ "Macintosh HD" 100%.

Example:
Enter diskutil cs list
Check the size of your Logical Volume. It should have the size ~1.121 TB

Example:
Quit Terminal
Open 'Disk Utility' and check your newly created volume for errors
Quit 'Disk Utility'
Attach your external Time Machine backup drive or check this answer if you use NAS or another network share.
Open 'Restore from Time Machine Backup'
Choose the appropriate Time Machine backup and restore your system
Reboot to your restored system.
Unmount and detach your Time Machine backup drive
Open 'Terminal' and enter 'diskutil list'
Check if your 'Recovery HD' is listed.
If your 'Recovery HD' is missing, usually reinstalling your current system with the latest available system installer (e.g. 'Install OS X Mavericks (10.9.5)' if Mavericks is currently installed) will recreate it without loosing any data. AFAIK Recovery Partition Creator 3.8 will NOT create a Recovery HD on CoreStorage volumes.
After reinstalling the system with the latest available system installer open App Store and install the latest security fixes.

Best Answer

Related Solutions

MacOS – Resetting MBR on iMac

I think I messed up the Fusion Drive on the 1TB iMac (with BootCamp)

Related Question