TestDisk Step by Step

TestDisk Step By Step - CGSecurity
19/10/15, 9:07 AM
TestDisk Step By Step
This recovery example guides you through TestDisk step by step to recover a missing
partition and repair a corrupted one. After reading this tutorial, you should be ready to
recover your own data. Translations of this TestDisk manual to other languages are
welcome.
Example problem
We have a 36GB hard disk containing 3 partitions. Unfortunately;
the boot sector of the primary NTFS partition has been damaged, and
a logical NTFS partition has been accidentally deleted.
This recovery example guides you through TestDisk, step by step, to recover these
'lost' partitions by:
rewriting the corrupted NTFS boot sector, and
recovering the accidentally deleted logical NTFS partition.
Recovery of a FAT32 partition (instead of an NTFS partition) can be accomplished by
following exactly the same steps. Other recovery examples are also available. For
Information about FAT12, FAT16, ext2/ext3, HFS+, ReiserFS and other partition types,
read Running the TestDisk Program.
One condition:
TestDisk must be executed with Administrator privileges.
Important points for using TestDisk:
To navigate in TestDisk, use the Arrow and PageUp/PageDown keys.
To proceed, confirm your choice(s) with the Enter key.
To return to a previous display or quit TestDisk, use the q (Quit) key.
To save modifications under TestDisk, you must confirm them with the y (Yes)
and/or Enter keys, and
To actually write partition data to the MBR, you must choose the "Write"
selection and press the Enter key.
http://www.cgsecurity.org/wiki/TestDisk_Step_By_Step
Page 1 of 13
19/10/15, 9:07 AM
Symptoms
If this hard disk's primary partition contained an operating system, it would most likely
no longer boot up - due to its corrupted boot sector. If the hard disk was a secondary
(data) drive or you can connect the drive to another computer in its secondary channel
(usually where a CD/DVD drive is connected), the following symptoms would be
observed:
1. Windows Explorer or Disk Manager displays the first primary partition as raw
(unformatted) and Windows prompts: The drive is not formatted, do you want
to format it now?
[You should never do so without knowing why!]

2. A logical partition is missing. In Windows Explorer, that logical drive is no longer
available. The Windows Disk Management Console now displays only
"unallocated space" where this logical partition had been located.
Running TestDisk executable

If TestDisk is not yet installed, it can be downloaded from TestDisk Download. Extract
the files from the archive including the sub-directories.
To recover a lost partition or repair the filesystem from a hard disk, USB key, Smart
Card, etc., you need enough rights to access a physical device.
Under DOS, run TestDisk.exe
Under Windows, start TestDisk (ie testdisk-6.13/testdisk_win.exe) from an
account in the Administrator group. Under Vista, right-click testdisk_win.exe and
then "Run as administrator" to launch TestDisk.
Under Unix/Linux/BSD, you need to be root to run TestDisk (ie. sudo testdisk6.13/testdisk_static)
Under MacOSX, if you are not root, TestDisk (ie testdisk-6.13/testdisk) will
restart itself using sudo after confirmation on your part.
Under OS/2, TestDisk doesn't handle a physical device, only a disk image.
Sorry.
To recover partition from a media image or repair a filesystem image, run
testdisk image.dd
to work from a raw disk image
testdisk image.E01
to recover files from an Encase EWF image
testdisk 'image.???'
if the Encase image is split into several files.
Page 2 of 13
19/10/15, 9:07 AM
To repair a filesystem not listed by TestDisk, run testdisk device, i.e.

testdisk /dev/mapper/truecrypt0
or testdisk /dev/loop0 to repair the NTFS or
FAT32 boot sector files from a TrueCrypt partition. The same method works with
filesystem encrypted with cryptsetup/dm-crypt/LUKS.
testdisk /dev/md0 to repair a filesystem on top of a Linux RAID device.
Log creation
Choose Create to instruct Testdisk to create a log file containing technical

information and messages, unless you have a reason to append data to the log or
you execute TestDisk from read only media and must create the log elsewhere.
Choose None if you do not want messages and details of the process to be
written into a log file (useful if for example Testdisk was started from a read-only
location).
Press Enter to proceed.
Disk selection
All hard drives should be detected and listed with the correct size by TestDisk:
Page 3 of 13
19/10/15, 9:07 AM
Use up/down arrow keys to select your hard drive with the lost partition/s.
Press Enter to Proceed.
If available, use raw device /dev/rdisk* instead of /dev/disk* for faster data transfer.
Partition table type selection

TestDisk displays the partition table types.
Select the partition table type - usually the default value is the correct one as
Page 4 of 13
19/10/15, 9:07 AM
TestDisk auto-detects the partition table type.

Press Enter to Proceed.
Current partition table status

TestDisk displays the menus (also see TestDisk Menu Items).
Use the default menu "Analyse" to check your current partition structure and
search for lost partitions.
Confirm at Analyse with Enter to proceed.
Now, your current partition structure is listed. Examine your current partition structure
for missing partitions and errors.
Page 5 of 13
19/10/15, 9:07 AM
The first partition is listed twice which points to a corrupted partition or an invalid
partition table entry.
Invalid NTFS boot points to a faulty NTFS boot sector, so it's a corrupted filesystem.
Only one logical partition (label Partition 2) is available in the extended partition. One
logical partition is missing.
Confirm at Quick Search to proceed.
Quick Search for partitions

During the Quick Search, TestDisk has found two partitions including the missing
logical partition labeled Partition 3.
Page 6 of 13
19/10/15, 9:07 AM
Highlight this partition and press p to list your files (to go back to the previous
display, press q to Quit, Files listed in red are deleted entries).
All directories and data are correctly listed.
Save the partition table or search for more partitions?
When all partitions are available and data correctly listed, you should go to the
menu Write to save the partition structure. The menu Extd Part gives you the
Page 7 of 13
19/10/15, 9:07 AM
opportunity to decide if the extended partition will use all available disk space or
only the required (minimal) space.
Since a partition, the first one, is still missing, highlight the menu Deeper
Search (if not done automatically already) and press Enter to proceed.
A partition is still missing: Deeper Search

Deeper Search will also search for FAT32 backup boot sector, NTFS backup boot
superblock, ext2/ext3 backup superblock to detect more partitions,
After the Deeper Search, the results are displayed as follows:
The first partition "Partition 1" was found by using backup boot sector. In the last line
of your display, you can read the message "NTFS found using backup sector!" and
the size of your partition. The "partition 2" is displayed twice with different size.
Partitions listed as D(eleted) will not be recovered if you let them listed as deleted.
Both partitions are listed with status D for deleted, because they overlap each other.
You need to identify which partition to recover.
Highlight the first partition Partition 2 and press p to list its data.
Press q for Quit to go back to the previous display.
Let this partition Partition 2 with a damaged file system marked as D(deleted).
Highlight the second partition Partition 2 below
Press p to list its files.
Page 8 of 13
19/10/15, 9:07 AM
It works, your files are listed, you have found the correct partition!
Use the left/right arrow to navigate into your folders and watch your files for more
verification
Note: FAT directory listing is limited to 10 clusters - some files may not appear but it
doesn't affect recovery.
Press q for Quit to go back to the previous display.

The available status are Primary, * bootable, Logical and Deleted.
Using the left/right arrow keys, change the status of the selected partition from
D(eleted) to L(ogical). This way you will be able to recover this partition.
Page 9 of 13
19/10/15, 9:07 AM
Hint: read How to recognize primary and logical partitions?

Note: If a partition is listed *(bootable) but if you don't boot from this partition, you can
change it to Primary partition.
Partition table recovery

It's now possible to write the new partition structure.
Note: The extended partition is automatically set. TestDisk recognizes this using the
different partition structure.
Page 10 of 13
19/10/15, 9:07 AM
If all partitions are listed and only in this case, confirm at Write with Enter, y and
OK.
Now, the partitions are registered in the partition table.
NTFS Boot sector recovery

The boot sector of the first partition named Partition 1 is still damaged. It's time to fix
it. The status of the NTFS boot sector is bad and the backup boot sector is valid. Boot
sectors are not identical.
To copy the backup of the boot sector over the boot sector, select Backup BS,
validate with Enter, use y to confirm and next OK.
More information about repairing your boot sector under TestDisk Menu Items. The
following message is displayed:
Page 11 of 13
19/10/15, 9:07 AM
The boot sector and its backup are now both OK and identical: the NTFS boot sector
has been successfully recovered.
Press Enter to quit.
TestDisk displays You have to restart your Computer to access your data so
press Enter a last time and reboot your computer.
Recover deleted files
Page 12 of 13
19/10/15, 9:07 AM
TestDisk can undelete

files and directory from FAT12, FAT16 and FAT32 filesystem,
files from ext2 filesystem,
files from NTFS partition since version 6.11.
If it doesn't work or for other filesystem, try PhotoRec, a signature based file recovery
utility.
Return to TestDisk main page
Page 13 of 13

TestDisk Step by Step - CGSecurity PDF

Uploaded by

Copyright:

Available Formats

TestDisk Step by Step - CGSecurity PDF

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

TestDisk Step by Step - CGSecurity PDF

Uploaded by

Copyright:

Available Formats

TestDisk Step By Step - CGSecurity