Recover a single NTFS partition

[ennui93]

I generated an image of a single partition containing an NTFS filesystem rather than a whole disk.

Is it possible to modify RecuperaBit's restore command or create another command to assume the data in the image file is a single partition?

I have already run a scan and captured the results in a save file. I also have access to the original drive from where the image was taken, so capturing any values/sizes from the original partition table to be used as parameters to RecuperaBit is possible.

[Lazza]

You can run RecuperaBit on a whole drive, a partition, even a single MFT entry (not very useful in the last case, but you would still get some information from parsing it) and it will work as it is now. 😄

If you are thinking about merging leftovers from previous partitions that happen to be found on the same spot as the current one, this is not a good idea. Even if you can avoid every possible clash on identifiers (very unlikely) you would still get an output which is wrong, because you'd end up with files from several partitions merged into a single one.

Many commercial tools actually make assumptions like this and they get it wrong.

[ennui93]

Thanks @Lazza. Then I think RecuperaBit is unable to recover the data from this particular image in that case. RecuperaBit finds a great number of NTFS index records, but still finishes with "0 partitions found."

See the gist below for the full console output I achieved when running with the latest code from master ( ba4ebf6 ). If you have any suggestions about how to proceed with recovering the data from this drive/image, I'd be much obliged if you could share them.

https://gist.github.com/anonymous/1fec6528e66dc800106d37f8798c9959

[Lazza]

Do you know maybe the NTFS version of the partition you are analyzing? Was it created before Windows XP? Very old NTFS drives didn't include ids in their MFT entries.

[Lazza]

Closing this because no more information has been provided.

[ennui93]

Just as a follow-up, I took a closer look at this image file and found large sections of zeroes, which I assume is where the source device was unable to elicit any data. I was unable to determine the NTFS version as the sections where I understood the MFT and secondary MFT to be located were also zeroed out, though anecdotally this was originally a Windows 7 installation that was later upgraded to Windows 10. In the end, I was unfortunately forced to abandon my attempts at recovering the filesystem structure and resorted to recovering data from the image based upon file signature heuristics (via PhotoRec).

[Lazza]

I've looked again at your output and saw that it only found some index records, but absolutely no file records. Yes, probably the whole MFT got destroyed. That's a pretty bad situation.