My disk (to be more precise: the partition of interest) is perfectly recoverable by the top recovery tools (R-Studio and DMDE).
Since I read through your master thesis and liked it I wanted to test RecuperaBit on that disk/partition. To my disappointment it didn't work as expected. I would say it didn't work at all.
I boot live Caine 13.0. RecuperaBit v1.1.1 already present there. But since it's not the latest version, I downloaded v1.1.6 from GitHub and ran it using Python.
caine@caine:~/Downloads/RecuperaBit-master$ sudo python ./main.py -s ../PHD_Data3_recuperabit.savefile -o ../PHD_Data3/ /dev/sdc6
___ ___ _ _
| _ \___ __ _ _ _ __ ___ _ _ __ _| _ |_) |_
| / -_) _| || | '_ \/ -_) '_/ _` | _ \ | _|
|_|_\___\__|\_,_| .__/\___|_| \__,_|___/_|\__|
|_| v1.1.6
(c) 2014-2021, Andrea Lazzarotto <andrea.lazzarotto@gmail.com>
Released under the GPLv3
INFO:root:Checking if results already exist.
INFO:root:Unable to open save file.
INFO:root:Results will be saved to ../PHD_Data3_recuperabit.savefile
Type [Enter] to start the analysis or "exit" / "quit" / "q" to quit:
INFO:root:Analysis started! This is going to take time...
INFO:root:Found NTFS boot sector at sector 0
INFO:root:Found NTFS index record at sector 16
INFO:root:Found NTFS index record at sector 24
INFO:root:Found NTFS index record at sector 40
WARNING:root:Cannot read sector(s). Filling with 0x00. Offset: 568 Size: 1 Bsize: 512
INFO:root:First scan completed
INFO:root:Saving results to ../PHD_Data3_recuperabit.savefile
INFO:root:Parsing MFT entries
INFO:root:Parsing INDX records
INFO:root:Reading boot sectors
INFO:root:Finding partition geometry
INFO:root:0 partitions found.
Write command ("help" for details):
> recoverable
Write command ("help" for details):
> allparts
Write command ("help" for details):
>
caine@caine:~/Downloads/RecuperaBit-master$ sudo python ./main.py -s ../PHD_recuperabit.savefile -o ../PHD/ /dev/sdc
___ ___ _ _
| _ \___ __ _ _ _ __ ___ _ _ __ _| _ |_) |_
| / -_) _| || | '_ \/ -_) '_/ _` | _ \ | _|
|_|_\___\__|\_,_| .__/\___|_| \__,_|___/_|\__|
|_| v1.1.6
(c) 2014-2021, Andrea Lazzarotto <andrea.lazzarotto@gmail.com>
Released under the GPLv3
INFO:root:Checking if results already exist.
INFO:root:Unable to open save file.
INFO:root:Results will be saved to ../PHD_recuperabit.savefile
Type [Enter] to start the analysis or "exit" / "quit" / "q" to quit:
INFO:root:Analysis started! This is going to take time...
WARNING:root:Cannot read sector(s). Filling with 0x00. Offset: 31519712 Size: 1 Bsize: 512
INFO:root:First scan completed
INFO:root:Saving results to ../PHD_recuperabit.savefile
INFO:root:Parsing MFT entries
INFO:root:Parsing INDX records
INFO:root:Reading boot sectors
DEBUG:root:Dropping bogus NTFS partition with MFT position 24887144 generated by MFT mirror of partition at offset 24881982
DEBUG:root:Dropping bogus NTFS partition with MFT position 24252740 generated by MFT mirror of partition at offset 24247578
DEBUG:root:Dropping bogus NTFS partition with MFT position 15617324 generated by MFT mirror of partition at offset 15612162
DEBUG:root:Dropping bogus NTFS partition with MFT position 1432912 generated by MFT mirror of partition at offset 1427750
INFO:root:Finding partition geometry
INFO:root:Finalizing MFT reconstruction of partition at offset 24881982
INFO:root:Adding extra attributes from $ATTRIBUTE_LIST
INFO:root:Adding ghost entries from $INDEX_ALLOCATION
INFO:root:Finalizing MFT reconstruction of partition at offset 24247578
INFO:root:Adding extra attributes from $ATTRIBUTE_LIST
INFO:root:Adding ghost entries from $INDEX_ALLOCATION
INFO:root:Finalizing MFT reconstruction of partition at offset 15612162
INFO:root:Adding extra attributes from $ATTRIBUTE_LIST
INFO:root:Adding ghost entries from $INDEX_ALLOCATION
INFO:root:Finalizing MFT reconstruction of partition at offset 1427750
INFO:root:Adding extra attributes from $ATTRIBUTE_LIST
INFO:root:Adding ghost entries from $INDEX_ALLOCATION
INFO:root:MFT for partition at offset 24881982 is fragmented. Trying to merge 2 parts...
DEBUG:root:Merging partition with MFT offset 24881966 into Partition (NTFS, 3.01 MB, 14 files, Recoverable, Offset: 24881982, Offset (b): 12739574784, Sec/Clus: 1, MFT offset: 24884040, MFT mirror offset: 24887144) (fragmented MFT)
INFO:root:MFT for partition at offset 24247578 is fragmented. Trying to merge 2 parts...
DEBUG:root:Merging partition with MFT offset 24247562 into Partition (NTFS, 3.01 MB, 14 files, Recoverable, Offset: 24247578, Offset (b): 12414759936, Sec/Clus: 1, MFT offset: 24249636, MFT mirror offset: 24252740) (fragmented MFT)
INFO:root:MFT for partition at offset 15612162 is fragmented. Trying to merge 2 parts...
DEBUG:root:Merging partition with MFT offset 15612146 into Partition (NTFS, 3.01 MB, 14 files, Recoverable, Offset: 15612162, Offset (b): 7993426944, Sec/Clus: 1, MFT offset: 15614220, MFT mirror offset: 15617324) (fragmented MFT)
INFO:root:MFT for partition at offset 1427750 is fragmented. Trying to merge 2 parts...
DEBUG:root:Merging partition with MFT offset 1427734 into Partition (NTFS, 3.01 MB, 14 files, Recoverable, Offset: 1427750, Offset (b): 731008000, Sec/Clus: 1, MFT offset: 1429808, MFT mirror offset: 1432912) (fragmented MFT)
INFO:root:6 partitions found.
Write command ("help" for details):
> recoverable
Partition #0 -> Partition (NTFS, 3.01 MB, 19 files, Recoverable, Offset: 24881982, Offset (b): 12739574784, Sec/Clus: 1, MFT offset: 24884040, MFT mirror offset: 24887144)
Partition #1 -> Partition (NTFS, 3.01 MB, 19 files, Recoverable, Offset: 24247578, Offset (b): 12414759936, Sec/Clus: 1, MFT offset: 24249636, MFT mirror offset: 24252740)
Partition #4 -> Partition (NTFS, 3.01 MB, 19 files, Recoverable, Offset: 15612162, Offset (b): 7993426944, Sec/Clus: 1, MFT offset: 15614220, MFT mirror offset: 15617324)
Partition #5 -> Partition (NTFS, 3.01 MB, 19 files, Recoverable, Offset: 1427750, Offset (b): 731008000, Sec/Clus: 1, MFT offset: 1429808, MFT mirror offset: 1432912)
Write command ("help" for details):
> allparts
Partition #0 -> Partition (NTFS, 3.01 MB, 19 files, Recoverable, Offset: 24881982, Offset (b): 12739574784, Sec/Clus: 1, MFT offset: 24884040, MFT mirror offset: 24887144)
Partition #1 -> Partition (NTFS, 3.01 MB, 19 files, Recoverable, Offset: 24247578, Offset (b): 12414759936, Sec/Clus: 1, MFT offset: 24249636, MFT mirror offset: 24252740)
Partition #2 -> Partition (NTFS, ??? b, 3 files, Offset: None, Offset (b): None, Sec/Clus: None, MFT offset: 5865486, MFT mirror offset: None)
Partition #3 -> Partition (NTFS, ??? b, 3 files, Offset: None, Offset (b): None, Sec/Clus: None, MFT offset: 7495230, MFT mirror offset: None)
Partition #4 -> Partition (NTFS, 3.01 MB, 19 files, Recoverable, Offset: 15612162, Offset (b): 7993426944, Sec/Clus: 1, MFT offset: 15614220, MFT mirror offset: 15617324)
Partition #5 -> Partition (NTFS, 3.01 MB, 19 files, Recoverable, Offset: 1427750, Offset (b): 731008000, Sec/Clus: 1, MFT offset: 1429808, MFT mirror offset: 1432912)
Write command ("help" for details):
>
See all the found partitions have same size and files? That's bullshit! Actual layout is:
root@caine:/home/caine# fdisk -l /dev/sdc
Disk /dev/sdc: 931,51 GiB, 1000204886016 bytes, 1953525168 sectors
Disk model: Silicon-Power
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 4096 bytes
I/O size (minimum/optimal): 4096 bytes / 4096 bytes
Disklabel type: dos
Disk identifier: 0x8eb658a1
Device Boot Start End Sectors Size Id Type
/dev/sdc1 * 75497472 314572799 239075328 114G c W95 FAT32 (LBA)
/dev/sdc2 314572800 314638335 65536 32M ef EFI (FAT-12/16/32)
/dev/sdc3 356515777 1953521663 1597005887 761,5G f W95 Ext'd (LBA)
/dev/sdc5 356515840 1352660991 996145152 475G 7 HPFS/NTFS/exFAT
/dev/sdc6 1352663040 1751119871 398456832 190G 7 HPFS/NTFS/exFAT
Partition 3 does not start on physical sector boundary.
root@caine:/home/caine#
root@caine:/home/caine# file -s /dev/sdc6
/dev/sdc6: DOS/MBR boot sector, code offset 0x52+2, OEM-ID "NTFS ", sectors/cluster 8, Media descriptor 0xf8, sectors/track 63, heads 255, hidden sectors 63, dos < 4.0 BootSector (0x80), FAT (1Y bit by descriptor); NTFS, sectors/track 63, sectors 398456824, $MFT start cluster 2286, $MFTMirror start cluster 4, bytes/RecordSegment 2^(-1*246), clusters/index block 1, serial number 01d741ab62d63ee0; contains bootstrap NTLDR
root@caine:/home/caine#
root@caine:/home/caine# hexdump -C -s 0 -n 512 -v /dev/sdc6
00000000 eb 52 90 4e 54 46 53 20 20 20 20 00 02 08 00 00 |.R.NTFS .....|
00000010 00 00 00 00 00 f8 00 00 3f 00 ff 00 3f 00 00 00 |........?...?...|
00000020 00 00 00 00 80 00 80 00 f8 f7 bf 17 00 00 00 00 |................|
00000030 ee 08 00 00 00 00 00 00 04 00 00 00 00 00 00 00 |................|
00000040 f6 00 00 00 01 00 00 00 e0 3e d6 62 ab 41 d7 01 |.........>.b.A..|
00000050 00 00 00 00 fa 33 c0 8e d0 bc 00 7c fb b8 c0 07 |.....3.....|....|
00000060 8e d8 e8 16 00 b8 00 0d 8e c0 33 db c6 06 0e 00 |..........3.....|
00000070 10 e8 53 00 68 00 0d 68 6a 02 cb 8a 16 24 00 b4 |..S.h..hj....$..|
00000080 08 cd 13 73 05 b9 ff ff 8a f1 66 0f b6 c6 40 66 |...s......f...@f|
00000090 0f b6 d1 80 e2 3f f7 e2 86 cd c0 ed 06 41 66 0f |.....?.......Af.|
000000a0 b7 c9 66 f7 e1 66 a3 20 00 c3 b4 41 bb aa 55 8a |..f..f. ...A..U.|
000000b0 16 24 00 cd 13 72 0f 81 fb 55 aa 75 09 f6 c1 01 |.$...r...U.u....|
000000c0 74 04 fe 06 14 00 c3 66 60 1e 06 66 a1 10 00 66 |t......f`..f...f|
000000d0 03 06 1c 00 66 3b 06 20 00 0f 82 3a 00 1e 66 6a |....f;. ...:..fj|
000000e0 00 66 50 06 53 66 68 10 00 01 00 80 3e 14 00 00 |.fP.Sfh.....>...|
000000f0 0f 85 0c 00 e8 b3 ff 80 3e 14 00 00 0f 84 61 00 |........>.....a.|
00000100 b4 42 8a 16 24 00 16 1f 8b f4 cd 13 66 58 5b 07 |.B..$.......fX[.|
00000110 66 58 66 58 1f eb 2d 66 33 d2 66 0f b7 0e 18 00 |fXfX..-f3.f.....|
00000120 66 f7 f1 fe c2 8a ca 66 8b d0 66 c1 ea 10 f7 36 |f......f..f....6|
00000130 1a 00 86 d6 8a 16 24 00 8a e8 c0 e4 06 0a cc b8 |......$.........|
00000140 01 02 cd 13 0f 82 19 00 8c c0 05 20 00 8e c0 66 |........... ...f|
00000150 ff 06 10 00 ff 0e 0e 00 0f 85 6f ff 07 1f 66 61 |..........o...fa|
00000160 c3 a0 f8 01 e8 09 00 a0 fb 01 e8 03 00 fb eb fe |................|
00000170 b4 01 8b f0 ac 3c 00 74 09 b4 0e bb 07 00 cd 10 |.....<.t........|
00000180 eb f2 c3 0d 0a 41 20 64 69 73 6b 20 72 65 61 64 |.....A disk read|
00000190 20 65 72 72 6f 72 20 6f 63 63 75 72 72 65 64 00 | error occurred.|
000001a0 0d 0a 4e 54 4c 44 52 20 69 73 20 6d 69 73 73 69 |..NTLDR is missi|
000001b0 6e 67 00 0d 0a 4e 54 4c 44 52 20 69 73 20 63 6f |ng...NTLDR is co|
000001c0 6d 70 72 65 73 73 65 64 00 0d 0a 50 72 65 73 73 |mpressed...Press|
000001d0 20 43 74 72 6c 2b 41 6c 74 2b 44 65 6c 20 74 6f | Ctrl+Alt+Del to|
000001e0 20 72 65 73 74 61 72 74 0d 0a 00 00 00 00 00 00 | restart........|
000001f0 00 00 00 00 00 00 00 00 83 a0 b3 c9 00 00 55 aa |..............U.|
00000200
root@caine:/home/caine#
My disk (to be more precise: the partition of interest) is perfectly recoverable by the top recovery tools (R-Studio and DMDE).
Since I read through your master thesis and liked it I wanted to test RecuperaBit on that disk/partition. To my disappointment it didn't work as expected. I would say it didn't work at all.
I boot live Caine 13.0. RecuperaBit v1.1.1 already present there. But since it's not the latest version, I downloaded v1.1.6 from GitHub and ran it using Python.
The disk condition:
First I wanted to check only the partition of interest:
Surprised by that result, I ran it for whole disk:
Snip those 'INFO:root:Found NTFS * at sector *'
See all the found partitions have same size and files? That's bullshit! Actual layout is:
Additional info:
First 8K of MFT
Sorry, GitHub didn't allow me to post that much text, so I give you a file instead. As a bonus it's 1M instead of just 8K ;)dd if=/dev/sdc6 bs=4K skip=$((0x8ee)) count=256 of=MFT.ddMFT.dd.zip
First 5 KB of MFT mirror (despite it's just 4K in size :D )
Sorry, GitHub didn't allow me to post that much text, so I give you a file instead. As a bonus it's 8K instead of 5K ;)dd if=/dev/sdc6 bs=4K skip=4 count=2 of=MFT_mirror.ddMFT_mirror.dd.zip
Adding those savefiles just in case you want to take a look:
PHD_Data3_recuperabit.savefile.zip
PHD_recuperabit.savefile.zip