Recuperabit doesn't find any partitions, while the partition table is still intact.

[wziard]

I have a disk image with a corrupted ntfs filesystem. The partition table is still intact. RecuperaBit prints a lot of messages about finding file entries. and then it prints 0 partitions found

The allparts command does not return anything.

The partition table of the disk is still intact, so I would expect RecuperaBit to find the partition (and maybe tell me it's not recoverable)

Output follows:

INFO:root:Found NTFS boot sector at sector 63
INFO:root:Found NTFS file record at sector 3993093
INFO:root:Found NTFS file record at sector 83242008
INFO:root:Found NTFS file record at sector 219609705
INFO:root:Found NTFS file record at sector 220144489
INFO:root:Found NTFS file record at sector 221549529
INFO:root:Found NTFS file record at sector 221679915
INFO:root:Found NTFS file record at sector 221960169
INFO:root:Found NTFS file record at sector 221960174
INFO:root:Found NTFS file record at sector 221960215
INFO:root:Found NTFS file record at sector 222270425
INFO:root:Found NTFS file record at sector 224799858
INFO:root:Found NTFS file record at sector 225427456
INFO:root:Found NTFS file record at sector 227972838
INFO:root:Found NTFS file record at sector 228109772
INFO:root:Found NTFS file record at sector 231214086
INFO:root:Found NTFS file record at sector 231284524
INFO:root:Found NTFS file record at sector 232242528
INFO:root:Found NTFS file record at sector 233857004
INFO:root:Found NTFS file record at sector 233868102
INFO:root:Found NTFS file record at sector 234851360
INFO:root:Found NTFS file record at sector 238046962
INFO:root:Found NTFS file record at sector 239385901
INFO:root:Found NTFS file record at sector 239405609
INFO:root:Found NTFS file record at sector 239405614
INFO:root:Found NTFS file record at sector 239405655
INFO:root:Found NTFS file record at sector 239985879
INFO:root:Found NTFS file record at sector 244553198
INFO:root:Found NTFS file record at sector 314520764
INFO:root:Found NTFS file record at sector 314522048
INFO:root:Found NTFS file record at sector 314536382
INFO:root:Found NTFS file record at sector 328078905
INFO:root:Found NTFS file record at sector 328083705
INFO:root:Found NTFS file record at sector 328085991
INFO:root:Found NTFS file record at sector 328288313
INFO:root:Found NTFS file record at sector 328293145
INFO:root:Found NTFS file record at sector 429865600
INFO:root:Found NTFS file record at sector 431426292
INFO:root:Found NTFS file record at sector 432091151
INFO:root:Found NTFS file record at sector 432146680
INFO:root:Found NTFS file record at sector 432166419
INFO:root:Found NTFS file record at sector 432191859
INFO:root:Found NTFS file record at sector 432495584
INFO:root:Found NTFS file record at sector 432876948
INFO:root:Found NTFS file record at sector 433034720
INFO:root:Found NTFS file record at sector 433495444
INFO:root:Found NTFS file record at sector 433536591
INFO:root:Found NTFS file record at sector 433593368
INFO:root:Found NTFS file record at sector 433654771
INFO:root:Found NTFS file record at sector 434802697
INFO:root:Found NTFS file record at sector 434802702
INFO:root:Found NTFS file record at sector 434802743
INFO:root:Found NTFS boot sector at sector 625137344
INFO:root:First scan completed
INFO:root:Parsing MFT entries
INFO:root:Parsing INDX records
INFO:root:Reading boot sectors
INFO:root:Finding partition geometry
INFO:root:0 partitions found.

[Lazza]

I have to ask you the same question as here:

Do you know maybe the NTFS version of the partition you are analyzing? Was it created before Windows XP? Very old NTFS drives didn't include ids in their MFT entries.

[wziard]

I'll have to ask the owner of the borked drive. I'd guess the drive was formatted in windows XP, but it could have been windows 2000.

Also, I'd expect the partition to be listed under 'other' if it's not detected as ntfs? After all the partition table is still ok? Or do I misunderstand how it's supposed to work?

[Lazza]

it could have been windows 2000

NTFS up to version 3.0 (corresponding to Windows 2000) didn't include the identifier in file records. So when file records are scanned it is impossible to distinguish them and figure out how they should be divided.

While one could (in the lucky case of a working partition table) put them "all together" in one partition, the issue would still be of figuring out exactly where the MFT starts (so you must have the first records there as well) and if it is fragmented. You would also need to avoid using records from a previously formatted/old file system.

Otherwise you would end up with a "heap" of random files smashed together which is not a very forensic approach. Actually using wild guesses to rebuild the file system doesn't seem a reasonable solution if one wants to ensure that the extracted information is correct.

Also, you must assign an id to each entry otherwise the directory tree reconstruction cannot work.

I'd expect the partition to be listed under 'other' if it's not detected as ntfs? After all the partition table is still ok?

The partition table is not used at all. RecuperaBit only supports NTFS reconstruction so any other file system type is ignored. You may want to check out the slides for further information.

---

Going back to your original point: if it is at least NTFS 3.1 then it is a bug (so please let me know). If it is an older NTFS version then unfortunately you cannot reconstruct it with this approach. You may want to use other tools such as Restorer Ultimate Pro, but keep in mind the accuracy might not be excellent.

[rockofclay]

I seem to be having a similar problem, but it was a windows 7 partition.

EDIT:

I get the same output. No partitions found, but it has found records. I have also tried allparts and had no partitions returned.

[Lazza]

@rockofclay please can you show the output?

[rockofclay]

RecuperaBit 1.0
Copyright 2014-2017, Andrea Lazzarotto <andrea.lazzarotto@gmail.com>
Released under the GPLv3

INFO:root:Checking if results already exist.
INFO:root:Unable to open save file.
INFO:root:Results will be saved to /disk1/savethis
Type [Enter] to start the analysis or "exit" / "quit" / "q" to quit: INFO:root:Found NTFS file record at sector 295931
INFO:root:Found NTFS file record at sector 435761
INFO:root:Found NTFS file record at sector 444465
INFO:root:Found NTFS file record at sector 445766
INFO:root:Found NTFS file record at sector 449585
INFO:root:Found NTFS file record at sector 451142
INFO:root:Found NTFS file record at sector 452608
INFO:root:Found NTFS file record at sector 2691409
INFO:root:Found NTFS file record at sector 61265911
INFO:root:Found NTFS file record at sector 740568827
INFO:root:Found NTFS file record at sector 740589301
INFO:root:Found NTFS file record at sector 740589326
INFO:root:Found NTFS file record at sector 740600135
INFO:root:Found NTFS file record at sector 740617460
INFO:root:Found NTFS file record at sector 740617579
INFO:root:Found NTFS file record at sector 740691649
INFO:root:Found NTFS file record at sector 740712916
INFO:root:Found NTFS file record at sector 740820622
INFO:root:Found NTFS file record at sector 740988329
INFO:root:Found NTFS file record at sector 740988537
INFO:root:Found NTFS file record at sector 740989678
INFO:root:Found NTFS file record at sector 744819475
INFO:root:Found NTFS file record at sector 744830935
INFO:root:Found NTFS file record at sector 744831023
INFO:root:Found NTFS file record at sector 749008167
INFO:root:Found NTFS file record at sector 749032334
INFO:root:Found NTFS file record at sector 749091343
INFO:root:Found NTFS file record at sector 749117630
INFO:root:Found NTFS file record at sector 753146261
INFO:root:Found NTFS file record at sector 753147001
INFO:root:Found NTFS file record at sector 753147009
INFO:root:Found NTFS file record at sector 753148345
INFO:root:Found NTFS file record at sector 753148353
INFO:root:Found NTFS file record at sector 753149577
INFO:root:Found NTFS file record at sector 753149947
INFO:root:Found NTFS file record at sector 753152053
INFO:root:Found NTFS file record at sector 753152761
INFO:root:Found NTFS file record at sector 753152769
INFO:root:Found NTFS file record at sector 753153226
INFO:root:Found NTFS file record at sector 753154321
INFO:root:Found NTFS file record at sector 753155347
INFO:root:Found NTFS file record at sector 753157038
INFO:root:Found NTFS file record at sector 753159792
INFO:root:Found NTFS file record at sector 753161088
INFO:root:Found NTFS file record at sector 753161667
INFO:root:Found NTFS file record at sector 757338281
INFO:root:Found NTFS file record at sector 757389216
INFO:root:Found NTFS file record at sector 757389232
INFO:root:Found NTFS file record at sector 757389360
INFO:root:Found NTFS file record at sector 757394521
INFO:root:Found NTFS file record at sector 757411057
INFO:root:Found NTFS file record at sector 757777729
INFO:root:Found NTFS file record at sector 761702311
INFO:root:Found NTFS file record at sector 769963583
INFO:root:First scan completed
INFO:root:Saving results to /disk1/savethis
INFO:root:Parsing MFT entries
INFO:root:Parsing INDX records
INFO:root:Reading boot sectors
INFO:root:Finding partition geometry
INFO:root:0 partitions found.

[Lazza]

It would be really interesting to see those records at a lower level. Could you send me a dump of a few of them via email?

[jtlz2]

@Lazza I am trying to run this on a dd_rescue output of a failing Apple_HFS drive but get 0 partitions found too... Where to start?

[Lazza]

a failing Apple_HFS

Why? 😮 HFS has nothing to do with NTFS.

[rockofclay]

I'm currently running the script again. What did you want me to do to dump the records?

[Lazza]

Please open the disk image with wxHexEditor (or another tool that can handle huge files) and extract a couple of megabytes starting from:

INFO:root:Found NTFS file record at sector 435761

Sector 435761 starts at byte 223109632. You will see that the first characters are FILE. Then send me an email with the extracted dump. Thank you!

[Lazza]

I am going to close this as it was not possible to reproduce and was (probably) due to a old, unsupported NTFS version.