I zeroed out the first 1% of my 2tb storage drive. Wendell, FORGIVE ME

and so here i am!!!

I've stupidly gotten syself into the exact scenario that Wendell damns
at 5:01 . I accidentally 'dd if=/dev/zero of=/dev/sdb bs=4k &&
sync' where sdb... contained my life lolc its a 2tb hdd. i killed the process
after noticing my error. i assume the first 1-2% has been zeroed out. I assume most of the files are still on
there. the drive was NTFS, and was all one partition.

I'm not super savvy with linux but have been slowly learning ad hoc for a year now and its the only OS i care to use anymore. I do know a fair bit of the basics and will be comfortable and able to learn more.

I have tired running photorec but the ETA completion time goes up and up
and up. once it reached 600hrs i cancelled it. It had found a hundred
odd files in the hour that it was running, though.

testdisk is running a deepscan as i type and it will be finshed before i get to bed tonight.

Is there a way to fix my issue with testdisk, so that i won't go insane
sorting through thousands of files to find the right ones (photorec
can't recover dir structure or file name)?

failing that, is there a way to get photorec to finish the job before i
retire?

Please help! I am at your mercy, oh knowledgable ones.

testdisk finished and has popped this out:

TestDisk 7.0, Data Recovery Utility, April 2015
Christophe GRENIER [email protected]

Disk /dev/sdb - 2000 GB / 1863 GiB - CHS 243201 255 63

The harddisk (2000 GB / 1863 GiB) seems too small! (< 3894 GB / 3627 GiB)
Check the harddisk size: HD jumpers settings, BIOS detection...

The following partition can't be recovered:
Partition Start End Size in sectors

FAT16 >32M 295245 222 13 473497 30 6 2863606278

[ Continue ]
1466 GB / 1365 GiB

i press continue:
Disk /dev/sdb - 2000 GB / 1863 GiB - CHS 243201 255 63
Partition Start End Size in sectors
D HPFS - NTFS 0 32 33 243201 45 44 3907024896

D Linux 10497 196 4 12977 237 60 39843840
D Linux 10539 51 9 13019 93 2 39843840
D Linux 10547 124 10 13027 166 3 39843840
D Linux 10548 226 47 13029 13 40 39843840
D Linux 10559 217 27 13040 4 20 39843840
D Linux 10597 214 50 13078 1 43 39843840
D Linux 10599 224 58 13080 11 51 39843840
D Linux 10601 72 32 13081 114 25 39843840

all the 'linux' partitons (where did those come from?) are empty and testdisk suggests the partiton is damaged. The NTFS actually displays the contents of the top level dircetory, as i remember it:

 HPFS - NTFS              0  32 33 243201  45 44 3907024896

Directory /

dr-xr-xr-x 0 0 0 26-Nov-2015 22:36 .
dr-xr-xr-x 0 0 0 26-Nov-2015 22:36 ..
dr-xr-xr-x 0 0 0 16-Aug-2013 00:14 $AVG
dr-xr-xr-x 0 0 0 19-Jan-2015 19:31 $RECYCLE.BIN
dr-xr-xr-x 0 0 0 26-Nov-2014 22:14 1e71adf78e8fed30ce07953a186031
dr-xr-xr-x 0 0 0 13-May-2015 02:16 518a48f63ef9ae306316
dr-xr-xr-x 0 0 0 4-Aug-2013 00:32 ATI Demos

there is more but i have ommited most for brevity

a lot of the original directory structure seems intact. but i have suffered a heavy, heavy blow. the only directory i actually cared about, an old user directory, is missing a lot

-r--r--r-- 0 0 94 26-Nov-2015 23:20 My Documents
my documents isn't even showing as a dircetory.

and the Downloads folder, which is showing as a directory, is only showing a handful of files. I irresponsibly used to save all data that i cared about in either there, or my documents, and these folders were huge.

Is there something more that can be done? everything, from my CV and (only copy of) photo albums to personal projects and evidence of work, has evaporated.

Interestingly, when i did run photorec earlier today, it did manage to save files that were in these folders, so i hanvn't given up hope.

I humbly ask for assistance from the pros, the loss i have suffered feels like having lost a part of the proof of who i am, and have been.

Once you have overwritten a section of a file, you cannot recover it, it's done. However by chance that that file has been stored somewhere else like in RAM, then it may be possible to extract it.

Sorry for your lose but that's how it is, you should really backup your data before you do these (dangerous low level) procedures.

If photorec is reading from the overwritten part of the disk (which would be very illogical if it's overwritten), it could make sense that this process is slow. It would get faster as it reaches areas that are intact, so never assume it'll take ages to do a full scan.
Let it run for a couple of days and sort out the photos afterwards.

Given the kind of mess you're dealing with, personally I'd get in touch with a data recovery firm and ask if they think they can recover the data. If they give a positive answer, I'd ask what they typically quote for a job like this and then decide if the data is worth that kind of money.

P.S. : It's not an OS disk, I hope. If it is, install a temporary OS on another drive so you don't have to actually run anything on the drive you're trying to recover data from.
Oh, and don't recover to the drive itself, always to a different drive. You don't want to write anything to that drive until you have all your files backed up.

When you ctrl c, DD would have told you exactly how many blocks. How many was it? You can recreate the partition table probably but the mft is probably hosed too . There is more than one mft.

You may be able to mount on Linux guessing about the partition table. One big partition on this drive? It's sort of important you create the ability to undo your work. I'd suggest buying a large drive and dding what's left to that drive before practicing surgery.

Hi Wendell, thanks for getting back to me.

The original catastrophe happened a while ago. I have no record of what dd output after i ctrl+c'ed the process. Is there a way i can work this out and how might i put this information to use?

I will follow your advice and clone the disk to my newly purchased backup hdd. Then look into your suggestions for recreating/guessing the partiton table.

Would you be able to suggest some material that i can read which may teach me/guide me through this process?

Again, many thanks.

Use DD to save the partition table (probably all blanks) then let windows make a new partition table. If you just nexted through the wizard originally chances are it pops out the same partition table. After that it's FS repair. Mount for NTFS had an option for using alternative mft iirc

Hi Wendell,

I don't use/have windows. i assume that using mkfs would involve guessing various settings? I will see about commadeering a friends windows and report back. My love to you :D

Thanks again!

dont mkfs, it's the partition table, make you can try to recreate the partition table with gparted or fdisk? that's the thing you'd have to guess in

I havn't had any luck yet. using windows 7 disk manager to 'quick format' the (cloned) drive to a single partition occured, then i went into testdisk to do a recovery of the mtf. from what i have learnt, there is a backup of the mtf at the end of the filesystem, which should be intact as i only wrecked the beginning of the drive.

Testdisk reported 'MFT and MFT mirror are bad. Failed to repair them.'

i assume this meant the partitioning didn't work properly.

If i clone the drive again, is there a way to extract the backup mtf form the unpartitioned drive, and reconstruct the ntfs partiton using the backup mtf?

it seems that test disk could do either of these things seperately, but not together, would it be possible?

well I suppose you can write a program to search for the backup mft then based on that calculate what the parititon layout was so you can re-create the parittion which will then let testdisk do its thing with the backup mft?

One day, i will be capable of this lol. For now i think i'm going to have to pay a lab for a recovery. Thanks for all the help :)

Gilware might be able to help call them