尝试恢复 NTFS 损坏分区

tag-icon tag-icon linux partitioning ntfs filesystem-corruption
尝试恢复 NTFS 损坏分区

我被困在修复 NTFS 分区的问题中,我使用 MFT 备份恢复了它TestDisk 7.2-WIP在 Windows 7 上,即使如此,恢复的分区也已损坏。

在此处输入图片描述

在此处输入图片描述

在 Debian Linux 上应用说明 https://www.andreafortuna.org/dfir/how-to-extract-data-and-timeline-from-master-file-table-on-ntfs-filesystem/分析主文件表(和分析MFT.py)我可以获得硬盘的分区布局:

debian:~# mmls /dev/sdc
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000016063   0000016064   Unallocated
002:  Meta      0000000063   0976773119   0976773057   Win95 Extended (0x0f)
003:  Meta      0000000063   0000000063   0000000001   Extended Table (#1)
004:  001:000   0000016064   0976768064   0976752001   NTFS / exFAT (0x07)
005:  -------   0976768065   0976773167   0000005103   Unallocated

我感兴趣的是NTFS / exFAT (0x07)分区,从偏移量开始16064 但是它并没有显示该 inode 的内容,而是显示一个错误:

debian:~# icat -o 16064 /dev/sdc 0 > mft.raw
Cannot determine file system type

指定文件系统是徒劳的......

debian:~# icat -f ntfs -o 16064 /dev/sdc 0 > mft.raw
Invalid magic value (Not a NTFS file system (magic))

...甚至不是生的文件系统:

debian:~# icat -f raw -o 16064 /dev/sdc 0 > mft.raw
Function/Feature not supported (Illegal analysis method for raw data )

甚至磁盘管理说这是一个NTFS文件系统:

debian:~# fdisk -l /dev/sdc
Disk /dev/sdc: 465.8 GiB, 500107862016 bytes, 976773168 sectors
Disk model: 00LPVX-22V0TT0  
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0xa5eb893d

Device     Boot Start       End   Sectors   Size Id Type
/dev/sdc1          63 976773119 976773057 465.8G  f W95 Ext'd (LBA)
/dev/sdc5       16064 976768064 976752001 465.8G  7 HPFS/NTFS/exFAT

ntfs修复最后对问题提供了一些见解:

debian:~# ntfsfix /dev/sdc5
Mounting volume... NTFS signature is missing.
FAILED
Attempting to correct errors... NTFS signature is missing.
FAILED
Failed to startup volume: Invalid argument
NTFS signature is missing.
Trying the alternate boot sector
Unrecoverable error
Volume is corrupt. You should run chkdsk.

但我错了两次,校验甚至无法使用文件系统,它说这是一个生的文件系统:

C:\Windows\system32>chkdsk d: /f
The type of the file system is RAW. 
CHKDSK is not available for RAW drives.

问题是:如何在不格式化分区的情况下将文件系统类型设置为 NTFS?

相关内容