How to generate a list of files from a list of sectors

bad-sectorsddrescuefile-recoveryfilesystems

I've had a hard disk failure and managed to rescue some data from the disk (1TB) with GNU's ddrescue. The last 800GB of the disk were perfect, no single error, but in the first 200GB there were almost 14000 errors (badblocks) spread across the area. ddrescue creates a logfile that describes where the badblocks are.

ddrescues command line params:

ddrescue /dev/sdb /dev/sdd /mnt/sdc1/sdb.log -r -1 -f -d -v

The logfile looks like this:

#      pos        size  status
0x00000000  0x1C08CE00  +
0x1C08CE00  0x00000200  -
0x1C08D000  0x011E6800  +
0x1D273800  0x00000200  -
0x1D273A00  0x005EC000  +
0x1D85FA00  0x00000200  -
...         ...         ...

The plus (+) means contiguous good space, the minus (-) unreadable space; position and size are in hexadecimal. Striping the lines ending in '+' I have a list whith badblock positions, but I need a way to correlate this badblocks to files on the File System, which is, by the way, NTFS.

I know that I can use something like DiskExplorer to do this manually, but it would be the hell with 14000 sectors. So, there is a more or less automatic and elegant way of doing this ?

Best Answer

Since the huge success of this question, I've been left without answers, if there were any. But I continued researching and found an Microsoft utility that dates 1999, called nfi.exe, part of the OEM Support Tools Phase 3 Service Release 2 for Windows NT 4 and 2000. The utility does exactly what I needed, receives a sector and returns a file. But it does that to individual sectors, so I had to created a script to automate the process. It's a Python (2.7+) script that works this way:

It receives as input an ddrescue log file, parses it, calls nfi.exe for each sector in the file and generates a list with the files in alphabetical order.

>sector_correlator.py -h

usage: sector_correlator.py [-h] [-v] [-n \path\to\nfi.exe] [-V] [-L]
                        logfile nt-device-path output file

Receives a list of sectors and returns a list of files which resides in them.

positional arguments:
  logfile              path to ddrescue's logfile.
  nt-device-path       NT-style path to physical device, like
                       \device\harddisk1\dr1
  output file          filelist output file name

optional arguments:
  -h, --help           show this help message and exit
  -v, --version        show program's version number and exit
  -n \path\to\nfi.exe  nfi.exe's path, if not speciified, assumes's it is in
                       the same path as the script
  -V                   enables verbose mode
  -L                   save nfi.exe's output log to nfi_raw.log

Example:

sector_correlator.py sdb.log \devices\harddisk0\dr0 filelist.txt

Where: sdb.log is ddrescue's log,

\device\harddisk0\dr0 is an NT-style path to the HD (you discover it using an sysinternals tool called WinObj and the Disk Management Utility) WinObj showing physical device list enter image description here

and filelist.txt is the file list you want. It will look like this:

\Documents\Downloads\Evernote_4.5.1.5432.exe
\Documents\Downloads\Programs\Apophysis207SE.exe
\Documents\Downloads\Programs\GetGnuWin32-0.6.21.exe
\Documents\Downloads\Programs\mbam-setup.exe
\Documents\Downloads\Programs\msnbackup133.exe
\Documents\Downloads\Programs\x64Components_v254.exe

The other arguments on the script are optional and are explained when you run it with -h. By default, the script assumes nfi.exe is in the same dir, if not, use -n pathtonfi.exe.

Finally, here is the link to the script: sector_correlator.py

It's very rudimentary and has no error handling, but does the job.

Related Solutions

Ext4 File Recovery – How to Recover/Undelete Files from Ext4 Partition

You may have luck with:

http://extundelete.sourceforge.net/

However, I've never used it.

Warning: typically these days, filesystems don't support undelete. Trying to recover deleted files is an exercise in computer forensics and you're going to be very lucky to get them back. In particular, if you have written any more files to the disk, chances are your deleted files will be gone forever.

Get list of files affected by bad sectors

This question was asked several months ago, I hope you have found a suitable answer in the meantime. Still, here's one that I used with great success recently on a failing 1TB HDD that someone handed out to me in the hope that I could “make him talk”, and recover as much data as possible without paying an arm and a leg for it ! :^p It turns out that I managed to recover a very high percentage of his personal files, on a hard disk drive affected by the infamous click-of-death : only about 125 were corrupted by irrecoverable sectors, which I identified with this method, and since most of those files were duplicated once or more, I could then restore or repair most of them (using DoubleKiller Pro in size-only mode to detect the duplicates – in some instances 2 or 3 normally identical files located in different places had corrupted parts which were different and complimentary so I could regenerate the original using WinHex, that's kinda advanced stuff for a mere “amateur”), so only about 20 files remain partially or totally corrupted. (And I asked only 50€ to do this ! O_o Oh well, it was instructive at least...)

– Recover the original storage unit using ddrescue, with a logfile / mapfile.

ddrescue [options] [input drive or partition] [image file or volume] [logfile]

– Once the recovery is considered finished, as it is almost certainly a NTFS partition, run ddru_ntfsfindbad, included in ddrutility, using the output image or volume and the logfile / mapfile as input. That tool will analyze the logfile / mapfile (now it's called "mapfile", used to be "logfile"), which indicates what areas have not been recovered, and compare it with the informations found in the MFT. It proceeds very quicky (it took 2 minutes to analyze a 919GB partition), and produces a list of the affected files, with the exact size of the error(s). Of course it requires that the MFT has been fully recovered to work properly (it is generally located at the begining of the volume, in my case the first 165GB or so were recovered without errors so it gave reliable results).

ddru_ntfsfindbad [-V] -i [partition offset] [ddrescue output] [ddrescue mapfile]

Excerpt of the list I obtained (edited with TEDNotepad) :

name=./Users/titi/Desktop/Documents/Films/Clones.avi    errors=0006 errorsize=163549184 FILE    inode=4942
name=./Users/titi/Desktop/Documents/Films/Cloud Chasers Les Traqueurs de Tempêtes.avi   errors=0005 errorsize=160069632 FILE    inode=91564
name=./Users/titi/Desktop/Documents/Films/Contagion.avi errors=0003 errorsize=173576192 FILE    inode=3410
name=./Users/titi/Desktop/Documents/Films/Fast and Furious 5.avi    errors=0003 errorsize=163557376 FILE    inode=5076
name=./Users/titi/Desktop/Documents/Films/Green Lantern.avi errors=0003 errorsize=163553280 FILE    inode=13740
name=./Users/titi/Desktop/Documents/Films/Numéro 4.avi  errors=0003 errorsize=163553280 FILE    inode=5252
name=./Users/titi/Desktop/Documents/mes chiens/MapsAppList.targetsize-48.png    errors=0001 errorsize=000551    FILE    inode=301935
name=./Users/titi/Desktop/Documents/mes escargots/Recette d'Escargots à la catalane_files/430(2)    errors=0001 errorsize=035793    FILE    inode=84109
name=./Users/titi/Desktop/Documents/mes escargots/Recette d'Escargots à la catalane_files/430(3)    errors=0002 errorsize=032768    FILE    inode=84118
name=./Users/titi/Desktop/Documents/mes escargots/Recette d'Escargots à la catalane_files/430(5)    errors=0001 errorsize=036864    FILE    inode=84745

Best Answer

Related Solutions

Ext4 File Recovery – How to Recover/Undelete Files from Ext4 Partition

Get list of files affected by bad sectors

Related Question