I'm recovering data from a failing hard drive using ddrescue. It's a 2TB disk, NTFS filesystem, but only about 200GB or so is actually used, so rescuing it in its entirety would be a big ol' waste of time.

I've rescued enough data from the beginning of the drive to (repair and) read the NTFS file tables and whatnot. I'd like to ddrescue only the parts which actually contain data used by files.

How can I get a list of cluster/sector ranges that files point to?

Kamil Maciorowski
user1655754
  • That's not the way images work, I'm afraid. The software that would function as you want would have to completely readdress the locations of the files in the NTFS metadata, since you are only grabbing a block here or there across the whole volume. In order to preserve the addresses of the NTFS metadata you will need to include the whole volume in the image. – Frank Thomas Mar 02 '23 at 20:29
  • @FrankThomas Not really. There's nothing stopping you (or anyone) making the image file sparse (containing holes). The holes are never actually stored on disk, only the parts containing data are. So it's fairly trivial to create a file that's nominally a petabyte in length on a disk that's ten thousand times smaller, and as long as you don't write more than 100 GiB of data into that file, the OS is not going to complain. – TooTea Mar 03 '23 at 09:02

1 Answer

ddru_ntfsbitmap

It will read in the NTFS bitmap and write out a ddrescue domain file with used blocks marked as finished. Next you should use this file with the -m (--domain-mapfile=) option of ddrescue.

ddru_ntfsbitmap is a utility to extract the bitmap file from a NTFS partition, and then process it and create a domain file to be used with ddrescue. This would allow for only recovering the used portion of the partition, and not spending time reading unused and unneeded data.

(source)

In Debian or Ubuntu it's in the ddrutility package. Ubuntu manual: here.

info ddrutility ddru_ntfsbitmap contains the following example:

The ddru_ntfsbitmap command would be something like:

ddru_ntfsbitmap /dev/sda1 domain_logfile

Your ddrescue command would be something like:

ddrescue -m domain_logfile /dev/sda1 recovered_ntfs_image rescue_logfile

ntfsclone

An alternative to ddru_ntfsbitmap+ddrescue is ntfsclone with its --rescue option. It's a standalone utility, not a prelude to ddrescue.

Kamil Maciorowski
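
To show what "used blocks marked as finished" means in the answer above, here is an added sketch (not code from the answer or from ddrutility) that turns the raw bytes of an NTFS $Bitmap into a ddrescue-style domain mapfile. The function names, the sample bitmap and the 4096-byte cluster size are assumptions made for illustration; offsets are relative to the start of the partition, as with /dev/sda1 in the commands above.

```python
"""Added illustration: NTFS $Bitmap bytes -> ddrescue-style domain mapfile."""


def used_runs(bitmap: bytes, total_clusters: int):
    """Yield (first_cluster, count) for each run of allocated clusters.

    In $Bitmap, bit n (least-significant bit first within each byte) is set
    when cluster n is in use. The file is padded, so the real cluster count
    must be passed in rather than derived from len(bitmap).
    """
    start = None
    for cluster in range(total_clusters):
        in_use = (bitmap[cluster >> 3] >> (cluster & 7)) & 1
        if in_use and start is None:
            start = cluster
        elif not in_use and start is not None:
            yield start, cluster - start
            start = None
    if start is not None:
        yield start, total_clusters - start


def domain_mapfile(bitmap: bytes, total_clusters: int, cluster_size: int) -> str:
    """Render used areas as '+' (finished) and free areas as '?' (non-tried)."""
    lines = ["# Domain mapfile built from an NTFS $Bitmap (added example)",
             "0x00000000     +     1"]  # current_pos, current_status, current_pass
    pos = 0
    for first, count in used_runs(bitmap, total_clusters):
        begin, size = first * cluster_size, count * cluster_size
        if begin > pos:  # free gap before this run
            lines.append(f"0x{pos:08X}  0x{begin - pos:08X}  ?")
        lines.append(f"0x{begin:08X}  0x{size:08X}  +")
        pos = begin + size
    end = total_clusters * cluster_size
    if pos < end:  # trailing free space
        lines.append(f"0x{pos:08X}  0x{end - pos:08X}  ?")
    return "\n".join(lines) + "\n"


# Constructed sample: 24 clusters; clusters 0-3, 16 and 22-23 are in use.
SAMPLE_BITMAP = bytes([0b00001111, 0b00000000, 0b11000001])

if __name__ == "__main__":
    print(domain_mapfile(SAMPLE_BITMAP, 24, 4096), end="")
```

With such a domain file, ddrescue -m restricts the rescue to the areas marked '+', so the free clusters are never read from the failing drive.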