disk image backup/recovery

I’m wondering if there are any disk gurus out there who could shed some light on a “situation” I encountered a few days ago concerning the subject of image backup/recovery software, disk partitioning, and NTFS file systems.

If you’re still reading, here’s the story:

The desktop computer I use at home has an 80GB drive partitioned into 20GB C: and 60GB E: partitions.

The C: partition contains my OS (XP Pro SP3) and a critical subset of my installed apps.

The E: partition is my workspace, and also contains some installed apps.

Prior to installing a large statistical analysis app for evaluation, I made an image backup of C: using Macrium Reflect Free version 4.2.2952.0, which I have been using successfully for quite some time.

I installed the statistical analysis app, worked with it for a bit, then decided to remove it.

To remove it, I used the C: image I had made. (This is my preferred method for completely and cleanly “un-installing” an app I am evaluating.)

Foolishly (I was in a hurry and grabbed the wrong CD) I used a Live CD from a more recent version of Macrium to do the recovery. Instead of just copying the C: image back to the C: partition (as I have done successfully so many times in the past with the older LiveCD), this newer LiveCD copied the backup image to the C: partition and did something to the E: partition.

Partition editing software shows that the E: partition is still there, and it still has the exact same clusters allocated to it. Also, physical disk sector software shows that my data is still there. However, Windows can’t seem to find the NTFS file system on that partition, so I can’t access the files.

Fortunately, I have a backup of all the critical files on the E: drive. But it is not a complete image backup, so there will be some manual labor involved to re-construct it.

Many years ago (more than I care to think about) I used to understand how disks were laid out. But I’ve forgotten most of it, and haven’t kept up with the changes.

So, finally, here are my questions:

  • Does anyone have a guess concerning what Macrium might have done to make the NTFS file system on the E: partition invisible to Windows?

  • Is it remotely possible that all I need to do is set a flag somewhere to magically make it re-appear?

I can’t imagine why Macrium would go to the trouble of erasing the file system, and leave the partition and data intact.

What about the MBR? If that got corrupted, it might make Windows unable to see your partition, even though it still exists on the disk.

The C: partition is fine. The machine boots normally, and all the files are there, and Windows can read them.

Oh, gotcha. Makes sense now. I’m not sure what to do, though. Best of luck to you.

You can try booting into a Linux LiveCD and seeing if you can copy the files from there. If you can, copy them over to either the C: Drive or to an external. You can then use GParted (under the same Linux LiveCD) to dynamically repartition your main drive.

I don’t know how much experience you have with Linux (I would imagine more than me) but I’ve had good experience with loading up Mint onto a USB drive using UNetbootin and going from there.

The E: partition is the 2nd partition on Disk1.

Linux does not display sda2 (2nd partition on Disk1) because it too doesn’t see the file system on that partition (see screenshots).

I ran the following apps, with the following results:

MBR Wizard

  • file system NTFS
  • shows correct allocated sectors

cfdisk

  • file system NTFS
  • shows correct partition size

GParted

  • file system unknown
  • shows correct allocated sectors

WinHex

  • file system unknown
  • shows correct sector count
  • shows that there is data in the partition (log entry that I made the day of the “crash”)
  • shows that sector 0 of E: partition has been zeroed out

nfi

  • “volume does not contain a file system”

EaseUS Partition Master

  • says “unformatted”
  • shows correct allocated sectors

Disk Investigator

  • clueless

Bottom line: MBR Wizard and cfdisk both say there’s a file system in the E: partition, but that’s probably just because it says so in the partition table. The other apps appear to be actually looking for the file system in the partition, and not finding it, because Macrium apparently destroyed it for some inscrutable reason.

See screenshots here:

http://ether.comeze.com/FRC/77133/

Well now…that is interesting.

I can’t say I have any more ideas up my sleeve that you haven’t already done 10 times over. That’s an interesting problem, that’s for sure.

Sorry I couldn’t have been of more help, sir. Best of luck to you though.

I am wildly speculating here, so smack me back if you know better.

It looks like the first several bytes of E:\ were erased. If you only could reconstruct that h200 bytes of data, the drive should resurrect, right? Well, might come back, anyway.

Any chance to find another drive, format it about the same way, and copy those bytes over to E:? Or research what it should have in there and recreate it?

Someone, somewhere, can recover data that’s been written over once. Investigate that for data recovery. Maybe that’s too CIA for us mere mortals though.

Or call it a day, recreate what you can, and let it fade as a bad memory. No pun intended.

The entire first sector (512 bytes) of the E: partition has been zeroed out.

I don’t know enough about NTFS to determine if that’s the extent of the damage (if so it might even be possible to reconstruct it).

It still puzzles me why Macrium would go out of its way to make the file system inaccessible, but leave the data and partition intact.

For the time being, I’m just leaving the E: partition as-is and using the 2 other internal SATA drives in the machine for workspace and backup.
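
The split seen in the tool results above (tools that report the partition-table type versus tools that probe the partition's first sector) can be reproduced with a read-only check. This is an added example, not part of the original thread: it parses an MBR, classifies each partition's first sector, and also looks at the partition's last sector, where NTFS on NT 4.0 and later keeps a backup copy of the boot sector (a general NTFS property the thread does not mention). The disk image and all function names are constructed for illustration.

```python
import struct

SECTOR = 512

def parse_mbr(mbr):
    """Return (type_byte, start_lba, sector_count) for each used MBR slot."""
    if mbr[510:512] != b"\x55\xaa":
        raise ValueError("no MBR signature")
    parts = []
    for i in range(4):
        entry = mbr[446 + 16 * i : 462 + 16 * i]
        start, count = struct.unpack_from("<II", entry, 8)
        if entry[4] and count:  # byte 4 is the partition type (0x07 = NTFS/HPFS)
            parts.append((entry[4], start, count))
    return parts

def classify(sector):
    """Describe what a would-be boot sector actually contains."""
    if len(sector) != SECTOR:
        return "missing"  # partition extends past the end of the image
    if not any(sector):
        return "zeroed"
    if sector[3:11] == b"NTFS    " and sector[510:512] == b"\x55\xaa":
        return "ntfs"  # OEM ID at offset 3 plus the 55 AA end marker
    return "unknown"

def survey(image):
    """Compare each partition's table type with its first and last sector."""
    report = []
    for ptype, start, count in parse_mbr(image[:SECTOR]):
        first = image[start * SECTOR : (start + 1) * SECTOR]
        last = image[(start + count - 1) * SECTOR : (start + count) * SECTOR]
        report.append({"type": hex(ptype), "start": start, "sectors": count,
                       "boot": classify(first), "backup": classify(last)})
    return report

def build_sample():
    """Constructed 64-sector image: two type-0x07 partitions, second damaged."""
    boot = bytearray(SECTOR)
    boot[3:11] = b"NTFS    "
    boot[510:512] = b"\x55\xaa"
    img = bytearray(64 * SECTOR)
    for slot, (start, count) in enumerate([(1, 20), (21, 40)]):
        struct.pack_into("<B3xB3xII", img, 446 + 16 * slot, 0, 0x07, start, count)
        img[start * SECTOR : (start + 1) * SECTOR] = boot
        img[(start + count - 1) * SECTOR : (start + count) * SECTOR] = boot
    img[510:512] = b"\x55\xaa"
    img[21 * SECTOR : 22 * SECTOR] = bytes(SECTOR)  # zero sector 0 of partition 2
    return bytes(img)
```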