Hello,
I am trying to read the content of an NTFS partition created by Win XP.
The disk belongs to a friend, and its Windows XP (on a Packard Bell
computer) has crashed and can no longer boot (MBR broken, I guess...).
The Packard Bell Support told him to reinstall Windows (using a diskette
and their master CDROM). Because this procedure would erase all the data
on the disk, my friend asked me to try to recover the content. The disk
was correctly detected by the reinstall program, and the DOS fdisk could
also see the disk.
I don't know much about Windows recovery (I abandoned M$ several years
ago to use Linux), so I first tried to plug the disk into an NT box at
work. No success: the disk could be mounted, its directory structure
could be browsed, but the files' content was corrupt: when I tried to
open any file, no system read error was reported, but the content was
obviously wrong (binary data in boot.ini, etc...). A colleague told me
it was because of ACL protection: the content of a disk could only be
read by a Windows whose SID was the same as the one that created the
partition. So I tried to plug the disk into a Linux box, which ignores the
ACL, to see what was wrong.
With Linux, I have exactly the same problem: the partition can be
mounted, I can see the directory structure, but many files are corrupt.
Some files seem to be OK though, for example Explorer.exe:
[root@app1 WINDOWS]# file explorer.exe
explorer.exe: MS-DOS executable (EXE), OS/2 or MS Windows
Is the disk completely broken? Is there a chance the files' content was
"encrypted" by Windows XP (my friend, who is a computer newbie, told me
he did not install anything)? I understand my questions are a bit
naive, but since I am not a Windows expert, I'm a bit lost with this
disk and partition...
The Linux kernel is a 2.4.19 with the latest NTFS patch:
Aug 7 14:02:27 app1 kernel: NTFS driver 2.0.23b [Flags: R/O DEBUG MODULE].
Aug 7 14:02:37 app1 kernel: NTFS volume version 3.1.
NOTE: The content of the corrupt files always seems to begin with the
same byte pattern: several 0x00, then at offset 0x64 the string " run
in DOS mode.". Sometimes the 0x00 are replaced by 0x01.
You will find attached the debug output of the ntfs module, an
example of a corrupt file, and the MBR of the disk.
Thanks in advance for your help and expertise.
--
Frederic Garzon <ga...@fr...>
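
A triage check for the byte pattern reported in the NOTE above, as an added example that is not part of the original message: it walks a read-only mounted tree and separates files matching that pattern from files that still start with a plausible `MZ` header. The function names, the sample files and the reading that every byte before offset 0x64 is 0x00 or 0x01 are assumptions.

```python
import os
import tempfile

MARKER = b" run in DOS mode."   # string the post reports at offset 0x64
MARKER_OFFSET = 0x64
FILL_BYTES = {0x00, 0x01}       # filler values the post reports before the marker

def classify(path):
    """Return 'pattern', 'mz', 'other' or 'unreadable' for one file."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(MARKER_OFFSET + len(MARKER))
    except OSError:
        return "unreadable"
    prefix = head[:MARKER_OFFSET]
    # Assumption: every byte before 0x64 is filler (0x00 or 0x01).
    if (len(prefix) == MARKER_OFFSET and set(prefix) <= FILL_BYTES
            and head[MARKER_OFFSET:] == MARKER):
        return "pattern"
    if head[:2] == b"MZ":
        return "mz"  # plausible DOS/PE header, like explorer.exe in the post
    return "other"

def scan(root):
    """Walk a mounted tree and map relative path -> classification."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            results[os.path.relpath(full, root)] = classify(full)
    return results

def build_sample_tree(root):
    """Write constructed sample files (not data from the original disk)."""
    samples = {
        "boot.ini": b"\x00" * MARKER_OFFSET + MARKER + b"\r\n$",
        "notes.txt": b"\x01" * MARKER_OFFSET + MARKER,
        "explorer.exe": b"MZ\x90\x00" + b"\x00" * 0x60 + MARKER,
        "readme.txt": b"plain text",
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel, status in sorted(scan(tmp).items()):
            print(f"{status:10} {rel}")
```

Run against the mount point of the read-only volume, `scan()` gives a per-file list that can be compared between the two machines used to read the disk.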