A Windows XP help forum. PCbanter


Recover HDD



 
 
  #46  
Old May 31st 17, 01:08 AM posted to alt.comp.os.windows-10
Brian Gregory
external usenet poster
 
Posts: 648
Default Recover HDD

On 27/05/2017 08:48, Lucifer Morningstar wrote:
What about running chkdsk /f on it?

On what the OS sees as a RAW unformatted partition?

It'd be a neat trick if you could.

Also chkdsk /f is known to be a bad idea if you value your data.
It values getting the disk back to a consistent state above keeping all
your data.

--

Brian Gregory (in the UK).
To email me please remove all the letter vee from my email address.
  #47  
Old June 13th 17, 01:12 AM posted to alt.comp.os.windows-10
Peter Jason
external usenet poster
 
Posts: 2,310
Default Recover HDD

On Sat, 27 May 2017 15:33:45 +1000, Peter Jason wrote:

I accidentally pulled the data plug of an online (non system) HDD, and
now the Disk Management shows it to be "1863.01GB RAW Healthy (Primary
Partition)"
and it wants me to format it before proceeding.

Can I do this Formatting as it wants and will this get me back the HDD
data?
PJ


Hi, I have attempted a recovery from the RAW partitions using the
"easeUS" file-recovery software and this produced a large number of
"SWF" files which I have recovered to another HDD.

How do I open these "SWF" files?
  #48  
Old June 13th 17, 02:01 AM posted to alt.comp.os.windows-10
Ant[_2_]
external usenet poster
 
Posts: 554
Default Recover HDD

Peter Jason wrote:
On Sat, 27 May 2017 15:33:45 +1000, Peter Jason wrote:


I accidentally pulled the data plug of an online (non system) HDD, and
now the Disk Management shows it to be "1863.01GB RAW Healthy (Primary
Partition)"
and it wants me to format it before proceeding.

Can I do this Formatting as it wants and will this get me back the HDD
data?
PJ


Hi, I have attempted a recovery from the RAW partitions using the
"easeUS" file-recovery software and this produced a large number of
"SWF" files which I have recovered to another HDD.


How do I open these "SWF" files?


https://en.wikipedia.org/wiki/SWF
--
Quote of the Week: "Ladies and gentlemen, hoboes and tramps... Crosseyed
Mosquitoes and bow-legged ants... I've come to tell you the story..."
--Bob Holman
Note: A fixed width font (Courier, Monospace, etc.) is required to see this signature correctly.
/\___/\ Ant(Dude) @ http://antfarm.home.dhs.org (Personal Web Site)
/ /\ /\ \ Ant's Quality Foraged Links: http://aqfl.net
| |o o| |
\ _ / Please nuke ANT if replying by e-mail privately. If credit-
( ) ing, then please kindly use Ant nickname and AQFL URL/link.
  #50  
Old June 13th 17, 03:37 AM posted to alt.comp.os.windows-10
Paul[_32_]
external usenet poster
 
Posts: 11,873
Default Recover HDD

Peter Jason wrote:
On Sat, 27 May 2017 15:33:45 +1000, Peter Jason wrote:

I accidentally pulled the data plug of an online (non system) HDD, and
now the Disk Management shows it to be "1863.01GB RAW Healthy (Primary
Partition)"
and it wants me to format it before proceeding.

Can I do this Formatting as it wants and will this get me back the HDD
data?
PJ


Hi, I have attempted a recovery from the RAW partitions using the
"easeUS" file-recovery software and this produced a large number of
"SWF" files which I have recovered to another HDD.

How do I open these "SWF" files?


And were there SWF files on the disk in the first place ?

If that wasn't the case, then you got a boatload of "garbage"
from the recovery attempt.

Using a scavenger is absolutely the last choice in data
recovery. If the disk is *perfectly* defragmented, the
results could be good. If the disk white areas were
swept with "sdelete" just before the failure, again,
the recovery operation could return spectacularly
good results. But nobody does that much housekeeping
on data drives, to make the operation of a scavenger
easy. When a scavenger is called for, the disk is in
the usual mess, and so 100,000 files that aren't really
there, get recovered.

*******

If the disk was full of JPG files, you would expect to find
JPG files in the output. And so on.

I don't know if you tried TestDisk or not. The last
time I tried to use that, the interface was just about
impossible to work with.

It would really really help your situation, if you
could regenerate the necessary partition table first.
In my opinion, running a file scavenger on a big volume,
the output is just too much to deal with manually, and
likely has a large "noise" content. TestDisk may report
many discouraging things, but if there really isn't an MBR
on there anyway, you might not have much to lose.

What you *must* do, is if restoring what might be an MBR
or MBR+GPT partition table, *don't* let the Windows OS
see it, until you're reasonably sure the partition pointers
are valid. If you have partitions that overlap one another,
the partitions can be destroyed instantly. (Unless you made
a sector level backup for emergencies of course.)

I was hoping by now, you'd have a chance to run this. It would
help if the partition could be found first though. I don't
know if this is capable of rebuilding a partition table.
The source code for this program, was bought by a third party,
and you will also see pictures of the windows interface of
this program, on some German site. This release included
support for NTFS, and one poster in the WinXP group got back
all data from an NTFS partition with it. That's the only feedback
I've had, about whether it can recover anything.

http://web.archive.org/web/200701010...rescue19d.html

driverescue19d.zip 1,007,764 bytes
MD5SUM = 63b7e1e8b1701593d5f52c7927d01558

Paul
  #51  
Old June 13th 17, 03:51 AM posted to alt.comp.os.windows-10
Paul[_32_]
external usenet poster
 
Posts: 11,873
Default Recover HDD

Peter Jason wrote:
On Mon, 12 Jun 2017 20:01:04 -0500, (Ant) wrote:

Peter Jason wrote:
On Sat, 27 May 2017 15:33:45 +1000, Peter Jason wrote:
I accidentally pulled the data plug of an online (non system) HDD, and
now the Disk Management shows it to be "1863.01GB RAW Healthy (Primary
Partition)"
and it wants me to format it before proceeding.

Can I do this Formatting as it wants and will this get me back the HDD
data?
PJ
Hi, I have attempted a recovery from the RAW partitions using the
"easeUS" file-recovery software and this produced a large number of
"SWF" files which I have recovered to another HDD.
How do I open these "SWF" files?

https://en.wikipedia.org/wiki/SWF

I tried all that with no luck.


The most immediate way to look at the disk, is with HxD.

https://mh-nexus.de/en/hxd/

HxD does a wonderful job, of examining individual files.
It even works via drag and drop.

However, for this exercise, it has a separate menu
for opening hard drives at the block level. You can then
scroll down through the sectors and look at stuff.

Do you see a sector with "NTFS" in the first 63 sectors or so ?
As that tells you, you had an old MSDOS partition setup, with the
data aligned on 63 sector boundaries.

The NTFS partition could also be at offset 1048576 bytes.
Which is 2048 sectors. If the disk was prepared in Windows 7,
then the first partition could begin there, and you'd see
the sector with the letters "NTFS" in it, on that portion
of the disk.

If you made the 2TB disk a GPT disk, then you'd have an MBR,
and you'd have a 128MB GPT partition table to "step over". There
really is no incentive at all, to be making 2TB drives into GPT.
Only hapless Dell/HP/Acer type companies do that, to make
data recovery "a lot less fun". I don't really think your
disk was GPT, unless you set out, long ago, to shoot
yourself in the foot. GPT is unavoidable for 3TB or larger
disks, so then you'd have an excuse for using it.

In a relatively short time, you could step out to offset 63
and offset 2048, and note whether the first sector of an
NTFS partition was present.

TestDisk automates that search, but it's going to take a long
time to process the entire disk. And the irritating interface
on the TestDisk program, means long long delays if you foul
up your button pushing. If you knew for certain the disk had
a certain alignment (all partitions on 1MB boundaries), the
older versions of TestDisk could search a bit faster. At one time,
there was an option to (effectively) search on cylinder boundaries
and an option to search on megabyte boundaries. It's possible the
last version of TestDisk, is searching on both strides at the
same time (slowing things down). Once the search stride is
too small, the time taken amounts to the time to read the
entire hard drive (which could be hours).

You haven't told us yet, whether there was only one partition
on this data disk. If there was only one partition, you
could "fake" a partitioning exercise on a new disk of the
exact same size, and use the MBR table generated as a
template for recovery. That's if you didn't want to put up
with the TestDisk interface.

Paul


  #52  
Old June 13th 17, 07:45 AM posted to alt.comp.os.windows-10
Jürgen Meyer
external usenet poster
 
Posts: 21
Default Recover HDD

On Mon, 12 Jun 2017 20:01:04 -0500, "Ant" posted:

Peter Jason wrote:
On Sat, 27 May 2017 15:33:45 +1000, Peter Jason wrote:


I accidentally pulled the data plug of an online (non system) HDD, and
now the Disk Management shows it to be "1863.01GB RAW Healthy (Primary
Partition)"
and it wants me to format it before proceeding.

Can I do this Formatting as it wants and will this get me back the HDD
data?
PJ


Hi, I have attempted a recovery from the RAW partitions using the
"easeUS" file-recovery software and this produced a large number of
"SWF" files which I have recovered to another HDD.


How do I open these "SWF" files?


https://en.wikipedia.org/wiki/SWF


O no,
The SWF-Files of EaseUS have nothing to do with Adobe.
Sometimes the same extensions are used in different programs.
In EaseUS, SWF-files are lost fragments of a file
You could try to open those files with a text editor or better, a hex editor.
But this normally will not help you.

Best way:
Contact the support
https://www.easeus.com/support/contact.htm

rgds
Juergen
  #53  
Old June 13th 17, 08:49 AM posted to alt.comp.os.windows-10
Paul[_32_]
external usenet poster
 
Posts: 11,873
Default Recover HDD

Jürgen Meyer wrote:
On Mon, 12 Jun 2017 20:01:04 -0500, "Ant" posted:

Peter Jason wrote:
On Sat, 27 May 2017 15:33:45 +1000, Peter Jason wrote:
I accidentally pulled the data plug of an online (non system) HDD, and
now the Disk Management shows it to be "1863.01GB RAW Healthy (Primary
Partition)"
and it wants me to format it before proceeding.

Can I do this Formatting as it wants and will this get me back the HDD
data?
PJ
Hi, I have attempted a recovery from the RAW partitions using the
"easeUS" file-recovery software and this produced a large number of
"SWF" files which I have recovered to another HDD.
How do I open these "SWF" files?

https://en.wikipedia.org/wiki/SWF


O no,
The SWF-Files of EaseUS have nothing to do with Adobe.
Sometimes the same extensions are used in different programs.
In EaseUS, SWF-files are lost fragments of a file
You could try to open those files with a text editor or better, a hex editor.
But this normally will not help you.

Best way:
Contact the support
https://www.easeus.com/support/contact.htm

rgds
Juergen


Is there really any point ?

https://superuser.com/questions/4325...-are-corrupted

*******

The SWF files are probably everything after the 2GB "free" point is reached...

https://www.easeus.com/datarecoveryw...y-software.htm

                  Data Recovery Wizard   Data Recovery Wizard   Data Recovery Wizard
                  Free                   Pro $69.95             Pro+WinPE $99.90
                  --------------------   --------------------   --------------------
Amount of data    2GB                    As many as you want    As many as you want
you can recover

*******

The names of some competitors are given here

http://www.pcworld.com/article/23268...e_edition.html

R-Studio ( http://www.r-studio.com/ )
Ontrack's EasyRecovery Professional (One year license - https://www.krollontrack.com/product...very-software/ )
Active @ File Recovery ( http://www.file-recovery.com/download.htm )

HTH,
Paul
  #54  
Old June 13th 17, 05:31 PM posted to alt.comp.os.windows-10
Jürgen Meyer
external usenet poster
 
Posts: 21
Default Recover HDD



The SWF files are probably everything after the 2GB "free" point is reached...

No, you will also find those files in the Professional version.


The names of some competitors are given here

http://www.pcworld.com/article/23268...e_edition.html

R-Studio ( http://www.r-studio.com/ )
Ontrack's EasyRecovery Professional (One year license - https://www.krollontrack.com/product...very-software/ )
Active @ File Recovery ( http://www.file-recovery.com/download.htm )

HTH,
Paul


I have tested a lot of recovery programs in the last years.
Forget Ontrack
Very expensive and with the worst results.
Nearly every freeware is better.
In my opinion, EaseUS is the best of all

You also may try
https://www.piriform.com/recuva

But whatever you use, don't expect to recover all files.

Jürgen
  #55  
Old June 13th 17, 11:41 PM posted to alt.comp.os.windows-10
Peter Jason
external usenet poster
 
Posts: 2,310
Default Recover HDD

On Mon, 12 Jun 2017 22:37:11 -0400, Paul
wrote:

Peter Jason wrote:
On Sat, 27 May 2017 15:33:45 +1000, Peter Jason wrote:

I accidentally pulled the data plug of an online (non system) HDD, and
now the Disk Management shows it to be "1863.01GB RAW Healthy (Primary
Partition)"
and it wants me to format it before proceeding.

Can I do this Formatting as it wants and will this get me back the HDD
data?
PJ


Hi, I have attempted a recovery from the RAW partitions using the
"easeUS" file-recovery software and this produced a large number of
"SWF" files which I have recovered to another HDD.

How do I open these "SWF" files?


And were there SWF files on the disk in the first place ?

If that wasn't the case, then you got a boatload of "garbage"
from the recovery attempt.

Using a scavenger is absolutely the last choice in data
recovery. If the disk is *perfectly* defragmented, the
results could be good. If the disk white areas were
swept with "sdelete" just before the failure, again,
the recovery operation could return spectacularly
good results. But nobody does that much housekeeping
on data drives, to make the operation of a scavenger
easy. When a scavenger is called for, the disk is in
the usual mess, and so 100,000 files that aren't really
there, get recovered.

*******

If the disk was full of JPG files, you would expect to find
JPG files in the output. And so on.

I don't know if you tried TestDisk or not. The last
time I tried to use that, the interface was just about
impossible to work with.

It would really really help your situation, if you
could regenerate the necessary partition table first.
In my opinion, running a file scavenger on a big volume,
the output is just too much to deal with manually, and
likely has a large "noise" content. TestDisk may report
many discouraging things, but if there really isn't an MBR
on there anyway, you might not have much to lose.

What you *must* do, is if restoring what might be an MBR
or MBR+GPT partition table, *don't* let the Windows OS
see it, until you're reasonably sure the partition pointers
are valid. If you have partitions that overlap one another,
the partitions can be destroyed instantly. (Unless you made
a sector level backup for emergencies of course.)

I was hoping by now, you'd have a chance to run this. It would
help if the partition could be found first though. I don't
know if this is capable of rebuilding a partition table.
The source code for this program, was bought by a third party,
and you will also see pictures of the windows interface of
this program, on some German site. This release included
support for NTFS, and one poster in the WinXP group got back
all data from an NTFS partition with it. That's the only feedback
I've had, about whether it can recover anything.

http://web.archive.org/web/200701010...rescue19d.html

driverescue19d.zip 1,007,764 bytes
MD5SUM = 63b7e1e8b1701593d5f52c7927d01558

Paul


Thank you for your advice. But all this is beyond me, so I plan to
just reformat and install the off-site backup I have, which isn't too
old and so I'll lose very little.
As a further complication, the drive in question was Bitlockered.
  #56  
Old June 14th 17, 06:01 AM posted to alt.comp.os.windows-10
Paul[_32_]
external usenet poster
 
Posts: 11,873
Default Recover HDD

Peter Jason wrote:


Thank you for your advice. But all this is beyond me, so I plan to
just reformat and install the off-site backup I have, which isn't too
old and so I'll lose very little.
As a further complication, the drive in question was Bitlockered.


That's an important detail.

Bitlocker should have a recovery procedure, and a decryption key
of some sort (for emergencies). Now, this company wants to sell
you a tool. Whereas for you, the idea would be, to understand how
the BitLocker encryption is applied, and undo the encryption first,
before applying CHKDSK or TestDisk or whatever.

https://www.m3datarecovery.com/bitlo...raw-drive.html

Notice in that example, the product doesn't "crack" the encryption.
You offer the key, and somehow, it's able to convert the disk image
to plaintext, to be stored on a second drive. It's at that point,
you could be applying your favorite tools to recover data from
an (un-encrypted) disc.

System Reserved (unencrypted, to allow boot)
C: (can be encrypted)

D: (can be encrypted - this is your disk, with a single partition)

So at the very least, some sort of step like that is required,
before you can use "regular" data recovery.

Paul
  #57  
Old June 14th 17, 10:40 AM posted to alt.comp.os.windows-10
Paul[_32_]
external usenet poster
 
Posts: 11,873
Default Recover HDD

Peter Jason wrote:

As a further complication, the drive in question was Bitlockered.


https://support.microsoft.com/en-ca/...ws-server-2008

repair-bde.exe

The idea (apparently), is that program allows recovery of a volume
to a second volume. Now, if the broken drive shows "RAW", I don't
know how a user is supposed to specify the "C:" source volume.

repair-bde C: D: -rp 111111-222222-[...] -lf F:\log.txt

*******

OK, in this example, the author of the article makes "New Simple Volume"
but does *not* format it. You are given the warning that the size of the
partition must match the original size. And it won't always be possible
to guess at that, if for example, the drive had multiple partitions.
The simplest case, would be a data drive where one partition filled the
whole thing. And the 2TB sized drive would encourage best practice of
using MSDOS partitioning. If you had an even larger drive, with GPT
partitioning, I wonder what the odds would be of getting the partition
sized properly for this to work.

https://www.normanbauer.com/2013/07/...led-partition/

So the claim of that author is, it can be fixed. But it almost
looks like a person would need a snapshot of the MBR and/or GPT
partition table, to have a shot at recovery.

And to be clear, the recovery doesn't take care of every possible
outcome. Your data is put somewhere for you, but it still
might need further recovery effort.

Paul





  #58  
Old June 15th 17, 10:03 PM posted to alt.comp.os.windows-10
Paul[_32_]
external usenet poster
 
Posts: 11,873
Default Recover HDD

Peter Jason wrote:
On Mon, 12 Jun 2017 22:37:11 -0400, Paul
wrote:

Peter Jason wrote:
On Sat, 27 May 2017 15:33:45 +1000, Peter Jason wrote:

I accidentally pulled the data plug of an online (non system) HDD, and
now the Disk Management shows it to be "1863.01GB RAW Healthy (Primary
Partition)"
and it wants me to format it before proceeding.

Can I do this Formatting as it wants and will this get me back the HDD
data?
PJ
Hi, I have attempted a recovery from the RAW partitions using the
"easeUS" file-recovery software and this produced a large number of
"SWF" files which I have recovered to another HDD.

How do I open these "SWF" files?

And were there SWF files on the disk in the first place ?

If that wasn't the case, then you got a boatload of "garbage"
from the recovery attempt.
Using a scavenger is absolutely the last choice in data
recovery. If the disk is *perfectly* defragmented, the
results could be good. If the disk white areas were
swept with "sdelete" just before the failure, again,
the recovery operation could return spectacularly
good results. But nobody does that much housekeeping
on data drives, to make the operation of a scavenger
easy. When a scavenger is called for, the disk is in
the usual mess, and so 100,000 files that aren't really
there, get recovered.

*******

If the disk was full of JPG files, you would expect to find
JPG files in the output. And so on.

I don't know if you tried TestDisk or not. The last
time I tried to use that, the interface was just about
impossible to work with.

It would really really help your situation, if you
could regenerate the necessary partition table first.
In my opinion, running a file scavenger on a big volume,
the output is just too much to deal with manually, and
likely has a large "noise" content. TestDisk may report
many discouraging things, but if there really isn't an MBR
on there anyway, you might not have much to lose.

What you *must* do, is if restoring what might be an MBR
or MBR+GPT partition table, *don't* let the Windows OS
see it, until you're reasonably sure the partition pointers
are valid. If you have partitions that overlap one another,
the partitions can be destroyed instantly. (Unless you made
a sector level backup for emergencies of course.)

I was hoping by now, you'd have a chance to run this. It would
help if the partition could be found first though. I don't
know if this is capable of rebuilding a partition table.
The source code for this program, was bought by a third party,
and you will also see pictures of the windows interface of
this program, on some German site. This release included
support for NTFS, and one poster in the WinXP group got back
all data from an NTFS partition with it. That's the only feedback
I've had, about whether it can recover anything.

http://web.archive.org/web/200701010...rescue19d.html

driverescue19d.zip 1,007,764 bytes
MD5SUM = 63b7e1e8b1701593d5f52c7927d01558

Paul


Thank you for your advice. But all this is beyond me, so I plan to
just reformat and install the off-site backup I have, which isn't too
old and so I'll lose very little.
As a further complication, the drive in question was Bitlockered.


I don't know if you've moved on or not.

I've been doing some more experimenting :-)

*******

First off, there are two important sectors on that disk drive.

1) MBR - it points to the four primary partitions.
   - if I zero this sector out, Disk Management says "Unallocated"
     But that's not your symptom.

2) VBR - Volume Boot Sector (aka file system header sector)
   This is the first sector of your (lost) data partition.
   The letters "NTFS" are replaced with "-FVE-FS-"
   when the partition is encrypted by Bitlocker.
   - Yours is a data disk, so it isn't going to boot :-)
   - Bitlocker writes critical metadata in here.
     Disk Management labels a drive letter (like E: ) as "Bitlocker"
     based on reading that sector.
   - if I zero this sector out, Disk Management says E: is "RAW"
     and that matches your symptoms.

This shows my broken Bitlocker volume, holding 1.6GB
of PDF files. Oh no! What will I do ?

https://s3.postimg.org/ylr2qb1fn/broken_bitlocker.gif

Well, I found this article earlier today. It discusses
how BitLocker works.

http://jessekornblum.com/publications/di09.pdf

The interesting thing is, the metadata is recorded in
the partition *three* times. There are at least
three instances of "-FVE-FS-" in the 20GB partition.
I used HxD.exe to find them.

Next, I did this. E: is the RAW partition. F: is my
data recovery disk drive, which has a partition slightly
bigger than E: . That's because, when I do the recovery,
it converts the whole partition (which would be 2TB in
your case, minus about 3MB or so).

When you make a BitLocker volume, the interface offers
an option to print out the recovery key. This is the
key for my Virtual Machine install of Windows 10, with the
throwaway setup inside.

repair-bde E: F:\rec.img -rp 271986-441892-336908-617188-588115-234861-172282-276210 -force -lf F:\log.txt

What that command does, is take the raw partition E, and store
it as a pile of decrypted sectors, as "rec.img". The rec.img file
will be 2TB in size. So the F: volume has to be big enough
(i.e. a bit bigger than 2TB).

The "-rp" is for that recovery key, consisting of eight
groups of six digits.

The -force handles dismounting of E: if it is mounted.
Now, in my case, E: is RAW so that should not be possible.
You want to close Disk Management and close the File Explorer
window, and maybe then it wouldn't need that option. But
since the option isn't hurting anything, I threw it in
anyway.

The -lf specifies a log file. But the log that is dumped
into the *Administrator* Command Prompt window is slightly
more detailed. So really, the "-lf F:\log.txt" isn't
worth the typing effort. The log.txt should have matched
all the lines that got dumped on the screen.

When the program starts, it should "notice" the first sector
was destroyed. It then scans for the other two metadata blocks.
They were located at around 1GB and 2GB of my 20GB partition perhaps.
I didn't write down the exact addresses.

Once it found the metadata block, it would then decrypt some
keys it can use for the recovery. That string of numbers
by itself, won't decrypt the volume. It's the combination
of that info, and at least one metadata block that makes it work.

OK, so I wait a few minutes for the repair-bde to complete,
and ship the 20GB file over to this PC. I use 7ZIP to open
rec.img (as 7ZIP can now open a disk drive sector-by-sector image)
and this is what I see.

https://s17.postimg.org/4j4klmgfj/re...es_visible.gif

If I double click the PDF10 folder, all my PDF files
are in there, and if I double-click them, Acrobat opens
and I can read them. Using the "Extract" button in 7ZIP, and
extracting to (yet-another) disk drive, I can get all my
files back.

So your tools needed a

1) administrator command prompt window
2) lots of disk drives (because yours is 2TB)

The command can also do

repair-bde E: F: .....

but I don't know what that means exactly - does F: have to be
exactly the same size as E: ? I think it means all the sectors
in F: will be overwritten by decrypted sectors from E: , so my
guess is they would have to be exactly the same. Creating
F:\rec.img (where F: is now *bigger* than E: ), wastes extra
hours of your time, but means not having to verify the
size involved. If you had two identical 2TB drives, the
sizes on at least some of them are exactly the same. So just
by chance, you might end up with an F: which is exact. I use
PTEDIT32.exe to display the MBR contents, but perhaps you
can find some other tool to verify that E: on the broken
drive is the same size as F: on the recovery drive.

So anyway, I did an experiment that kinda has the same
symptoms as yours. If more sectors got blasted than
just the first sector of E: then some serious CHKDSK
may be required. In which case doing it this way,
would prepare you for your CHKDSK attempt on F:

(Prepare F: to be *exactly* the same size as E: )

In an administrator command prompt, do this, but use your
own value of recovery key...

repair-bde E: F: -rp 271986-441892-336908-617188-588115-234861-172282-276210 -force

(reboot so F: can be discovered again)

chkdsk F: --- is it broken ???

chkdsk /f F: --- attempt a fix.

If you want to go with the 7ZIP method, there will be
the extra delay associated with extracting the files
after the attempted recovery. If the partition is
damaged, then 7ZIP won't be able to display the files.
And other tools we've discussed previously, could
also be used on F: since F: contains the decrypted
NTFS file system.

HTH,
Paul
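
The two manual checks described in this thread (looking for a volume boot sector at sector 63 or 2048, and hunting for the surviving "-FVE-FS-" copies once the first sector is gone) can be scripted against a sector-level image opened read-only. This is an added example, not code from any poster: the function names, the constructed sample image and the assumption that a metadata copy starts with the signature at byte 0 of a sector are all illustrative.

```python
"""Read-only probe for NTFS / BitLocker sector signatures in a disk image."""
import io
from typing import Dict, List, Optional, Tuple

SECTOR = 512
NTFS_SIG = b"NTFS    "   # OEM ID of an NTFS volume boot sector (byte offset 3)
FVE_SIG = b"-FVE-FS-"    # takes the place of "NTFS" on a BitLocker volume


def classify_sector(sector: bytes) -> Optional[str]:
    """Name the structure a sector looks like, or None if nothing matches."""
    if sector[3:11] == NTFS_SIG:
        return "NTFS boot sector"
    if sector[3:11] == FVE_SIG:
        return "BitLocker volume header"
    # Assumption: a metadata copy carries the signature at byte 0 of a sector.
    if sector[0:8] == FVE_SIG:
        return "BitLocker metadata block"
    return None


def probe_known_starts(dev, starts=(63, 2048)) -> Dict[int, Optional[str]]:
    """Check the usual first-partition sectors: 63 (old layout) and 2048 (1 MiB)."""
    found = {}
    for lba in starts:
        dev.seek(lba * SECTOR)
        found[lba] = classify_sector(dev.read(SECTOR))
    return found


def scan_signatures(dev, stride=1, max_sectors=None) -> List[Tuple[int, str]]:
    """Walk the image every `stride` sectors and list (sector, kind) hits.

    stride=1 looks at every sector, which is what finds metadata copies.
    stride=2048 only looks at 1 MiB boundaries: fast, but it only finds
    volume headers of partitions aligned that way.
    """
    hits = []
    lba = 0
    while max_sectors is None or lba < max_sectors:
        dev.seek(lba * SECTOR)
        sector = dev.read(SECTOR)
        if len(sector) < SECTOR:        # end of image
            break
        kind = classify_sector(sector)
        if kind:
            hits.append((lba, kind))
        lba += stride
    return hits


def build_sample_image(vbr_intact: bool) -> io.BytesIO:
    """Constructed 4 MiB test image: one partition at sector 2048 holding
    three metadata copies. vbr_intact=False zeroes the first sector of the
    partition, the state that makes Disk Management report RAW."""
    total_sectors, part_start = 8192, 2048
    image = bytearray(total_sectors * SECTOR)
    if vbr_intact:
        off = part_start * SECTOR
        image[off + 3:off + 11] = FVE_SIG
    for rel in (1000, 3000, 5000):      # constructed positions, not real ones
        off = (part_start + rel) * SECTOR
        image[off:off + 8] = FVE_SIG
    return io.BytesIO(bytes(image))


if __name__ == "__main__":
    damaged = build_sample_image(vbr_intact=False)
    print("known starts:", probe_known_starts(damaged))
    for lba, kind in scan_signatures(damaged):
        print(f"sector {lba} (byte offset {lba * SECTOR}): {kind}")
```

To use it on real data, pass a file object from `open(path, "rb")` on a sector-level image of the drive instead of the constructed sample.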
  #59  
Old June 15th 17, 11:35 PM posted to alt.comp.os.windows-10
Peter Jason
external usenet poster
 
Posts: 2,310
Default Recover HDD

On Thu, 15 Jun 2017 17:03:06 -0400, Paul
wrote:

Peter Jason wrote:
On Mon, 12 Jun 2017 22:37:11 -0400, Paul
wrote:

Peter Jason wrote:
On Sat, 27 May 2017 15:33:45 +1000, Peter Jason wrote:

I accidentally pulled the data plug of an online (non system) HDD, and
now the Disk Management shows it to be "1863.01GB RAW Healthy (Primary
Partition)"
and it wants me to format it before proceeding.

Can I do this Formatting as it wants and will this get me back the HDD
data?
PJ
Hi, I have attempted a recovery from the RAW partitions using the
"easeUS" file-recovery software and this produced a large number of
"SWF" files which I have recovered to another HDD.

How do I open these "SWF" files?
And were there SWF files on the disk in the first place ?

If that wasn't the case, then you got a boatload of "garbage"
from the recovery attempt.
Using a scavenger is absolutely the last choice in data
recovery. If the disk is *perfectly* defragmented, the
results could be good. If the disk white areas were
swept with "sdelete" just before the failure, again,
the recovery operation could return spectacularly
good results. But nobody does that much housekeeping
on data drives, to make the operation of a scavenger
easy. When a scavenger is called for, the disk is in
the usual mess, and so 100,000 files that aren't really
there, get recovered.

*******

If the disk was full of JPG files, you would expect to find
JPG files in the output. And so on.

I don't know if you tried TestDisk or not. The last
time I tried to use that, the interface was just about
impossible to work with.

It would really really help your situation, if you
could regenerate the necessary partition table first.
In my opinion, running a file scavenger on a big volume,
the output is just too much to deal with manually, and
likely has a large "noise" content. TestDisk may report
many discouraging things, but if there really isn't an MBR
on there anyway, you might not have much to lose.

What you *must* do, is if restoring what might be an MBR
or MBR+GPT partition table, *don't* let the Windows OS
see it, until you're reasonably sure the partition pointers
are valid. If you have partitions that overlap one another,
the partitions can be destroyed instantly. (Unless you made
a sector level backup for emergencies of course.)

I was hoping by now, you'd have a chance to run this. It would
help if the partition could be found first though. I don't
know if this is capable of rebuilding a partition table.
The source code for this program, was bought by a third party,
and you will also see pictures of the windows interface of
this program, on some German site. This release included
support for NTFS, and one poster in the WinXP group got back
all data from an NTFS partition with it. That's the only feedback
I've had, about whether it can recover anything.

http://web.archive.org/web/200701010...rescue19d.html

driverescue19d.zip 1,007,764 bytes
MD5SUM = 63b7e1e8b1701593d5f52c7927d01558

Paul


Thank you for your advice. But all this is beyond me, so I plan to
just reformat and install the off-site backup I have, which isn't too
old and so I'll lose very little.
As a further complication, the drive in question was Bitlockered.


I don't know if you've moved on or not.

I've been doing some more experimenting :-)

*******

First off, there are two important sectors on that disk drive.

1) MBR - it points to the four primary partitions.
   - if I zero this sector out, Disk Management says "Unallocated"
     But that's not your symptom.

2) VBR - Volume Boot Sector (aka file system header sector)
   This is the first sector of your (lost) data partition.
   The letters "NTFS" are replaced with "-FVE-FS-"
   when the partition is encrypted by Bitlocker.
   - Yours is a data disk, so it isn't going to boot :-)
   - Bitlocker writes critical metadata in here.
     Disk Management labels a drive letter (like E: ) as "Bitlocker"
     based on reading that sector.
   - if I zero this sector out, Disk Management says E: is "RAW"
     and that matches your symptoms.

This shows my broken Bitlocker volume, holding 1.6GB
of PDF files. Oh no! What will I do ?

https://s3.postimg.org/ylr2qb1fn/broken_bitlocker.gif

Well, I found this article earlier today. It discusses
how BitLocker works.

http://jessekornblum.com/publications/di09.pdf

The interesting thing is, the metadata is recorded in
the partition *three* times. There are at least
three instances of "-FVE-FS-" in the 20GB partition.
I used HxD.exe to find them.

Next, I did this. E: is the RAW partition. F: is my
data recovery disk drive, which has a partition slightly
bigger than E: . That's because, when I do the recovery,
it converts the whole partition (which would be 2TB in
your case, minus about 3MB or so).

When you make a BitLocker volume, the interface offers
an option to print out the recovery key. This is the
key for my Virtual Machine install of Windows 10, with the
throwaway setup inside.

repair-bde E: F:\rec.img -rp 271986-441892-336908-617188-588115-234861-172282-276210 -force -lf F:\log.txt

What that command does, is take the raw partition E, and store
it as a pile of decrypted sectors, as "rec.img". The rec.img file
will be 2TB in size. So the F: volume has to be big enough
(i.e. a bit bigger than 2TB).

The "-rp" is for that recovery key, consisting of eight
groups of six digits.

The -force handles dismounting of E: if it is mounted.
Now, in my case, E: is RAW so that should not be possible.
You want to close Disk Management and close the File Explorer
window, and maybe then it wouldn't need that option. But
since the option isn't hurting anything, I threw it in
anyway.

The -lf specifies a log file. But the log that is dumped
into the *Administrator* Command Prompt window is slightly
more detailed. So really, the "-lf F:\log.txt" isn't
worth the typing effort. The log.txt should have matched
all the lines that got dumped on the screen.

When the program starts, it should "notice" the first sector
was destroyed. It then scans for the other two metadata blocks.
They were located at around 1GB and 2GB of my 20GB partition perhaps.
I didn't write down the exact addresses.

Once it found the metadata block, it would then decrypt some
keys it can use for the recovery. That string of numbers
by itself, won't decrypt the volume. It's the combination
of that info, and at least one metadata block that makes it work.

OK, so I wait a few minutes for the repair-bde to complete,
and ship the 20GB file over to this PC. I use 7ZIP to open
rec.img (as 7ZIP can now open a disk drive sector-by-sector image)
and this is what I see.

https://s17.postimg.org/4j4klmgfj/re...es_visible.gif

If I double click the PDF10 folder, all my PDF files
are in there, and if I double-click them, Acrobat opens
and I can read them. Using the "Extract" button in 7ZIP, and
extracting to (yet-another) disk drive, I can get all my
files back.

So your tools needed a

1) administrator command prompt window
2) lots of disk drives (because yours is 2TB)

The command can also do

repair-bde E: F: .....

but I don't know what that means exactly - does F: have to be
exactly the same size as E: ? I think it means all the sectors
in F: will be overwritten by decrypted sectors from E: , so my
guess is they would have to be exactly the same. Creating
F:\rec.img (where F: is now *bigger* than E: ), wastes extra
hours of your time, but means not having to verify the
size involved. If you had two identical 2TB drives, the
sizes on at least some of them are exactly the same. So just
by chance, you might end up with an F: which is exact. I use
PTEDIT32.exe to display the MBR contents, but perhaps you
can find some other tool to verify that E: on the broken
drive is the same size as F: on the recovery drive.

So anyway, I did an experiment that kinda has the same
symptoms as yours. If more sectors got blasted than
just the first sector of E: then some serious CHKDSK
may be required. In which case doing it this way,
would prepare you for your CHKDSK attempt on F:

(Prepare F: to be *exactly* the same size as E: )

In an administrator command prompt, do this, but use your
own value of recovery key...

repair-bde E: F: -rp 271986-441892-336908-617188-588115-234861-172282-276210 -force

(reboot so F: can be discovered again)

chkdsk F: --- is it broken ???

chkdsk /f F: --- attempt a fix.

If you want to go with the 7ZIP method, there will be
the extra delay associated with extracting the files
after the attempted recovery. If the partition is
damaged, then 7ZIP won't be able to display the files.
And other tools we've discussed previously, could
also be used on F: since F: contains the decrypted
NTFS file system.

HTH,
Paul
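
Added example (not part of Paul's post, and not code from any tool named in the thread): a read-only Python check of a partition image that reports whether the first sector still carries the "-FVE-FS-" or "NTFS" marker and lists the sectors that begin with "-FVE-FS-", which is the search the post did by hand in HxD. It assumes 512-byte sectors, the marker at bytes 3..10 of the first sector, and metadata blocks that start on a sector boundary; the sample image is constructed.

```python
import io

SECTOR = 512            # assumed logical sector size
FVE_SIG = b"-FVE-FS-"   # signature named in the post
NTFS_SIG = b"NTFS    "  # OEM ID of a plain NTFS boot sector


def classify_vbr(sector0):
    """Classify a partition's first sector by its OEM ID (bytes 3..10)."""
    oem = sector0[3:11]
    if oem == FVE_SIG:
        return "bitlocker"
    if oem == NTFS_SIG:
        return "ntfs"
    return "zeroed" if not any(sector0) else "unknown"


def find_fve_blocks(stream, chunk_sectors=2048):
    """Return byte offsets of sectors that start with the FVE signature."""
    hits, offset = [], 0
    while True:
        chunk = stream.read(SECTOR * chunk_sectors)
        if not chunk:
            return hits
        for i in range(0, len(chunk), SECTOR):
            if chunk[i:i + len(FVE_SIG)] == FVE_SIG:
                hits.append(offset + i)
        offset += len(chunk)


def assess(stream):
    """Return (vbr_state, metadata_offsets, vbr_lost_but_metadata_present)."""
    vbr = classify_vbr(stream.read(SECTOR))
    stream.seek(0)
    blocks = find_fve_blocks(stream)
    return vbr, blocks, vbr != "bitlocker" and bool(blocks)


def build_sample_image():
    """Constructed 64-sector image: zeroed first sector, three signature sectors."""
    img = bytearray(SECTOR * 64)
    for sector in (8, 24, 40):  # constructed positions, not real BitLocker offsets
        img[sector * SECTOR:sector * SECTOR + len(FVE_SIG)] = FVE_SIG
    return bytes(img)


if __name__ == "__main__":
    state, offsets, flag = assess(io.BytesIO(build_sample_image()))
    print(f"first sector: {state}; FVE signature at byte offsets {offsets}")
    print("first sector lost, metadata copies present:", flag)
```

To check a saved image of the RAW partition instead of the sample, pass a file opened with open(path, "rb") to assess(); the script only reads.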


Thank you for all your efforts Paul but I have reformatted the disk
and will do the backup later. The backup is quite recent, so not all
is lost. However I did an image of the RAW partition(s) and I will
keep this - just in case. I have saved all your advice.
Peter
 



