Sunday, September 24, 2017

backup - From bad sector to "damaged file" - did it for Linux/ext3, can I do it for Windows/NTFS?



When a SMART check on a disk reports a bad sector, it is important to be able to identify the file that has the bad sector - and restore it from backups. Below, I show how I did this for my Linux/ext3 VMWARE server - but does anyone know if this can be done for Windows/NTFS?



Here's how I did it for Linux/ext3: I first asked the drive to do a hardware surface scan (below the OS level, with the on-drive SMART circuits):




vserver:~# smartctl -t long /dev/sdc


I looked at the results:



vserver:~# smartctl -a /dev/sdc
...
196 Reallocated_Event_Count 0x0032   100   100   000    Old_age   Always       -       1
197 Current_Pending_Sector  0x0012   100   100   000    Old_age   Always       -       9
...

Num  Test_Description    Status                  Remaining  LifeTime(hours)  LBA_of_first_error
# 1  Extended offline    Completed: read failure       90%     27679         591363172


So, one sector was already marked bad, 9 were marked for replacing from the "staging" sector space. More importantly, the first logical block address (LBA) that is unreadable, was 591363172.



I found the partition (and the offset inside it) that this number "translated" to:



vserver:~# fdisk -lu /dev/sdc
Device Boot      Start         End      Blocks   Id  System

/dev/sdc1           32   976773119   488386544   83  Linux


The partition started at sector 32. So, the bad sector was...



vserver:~# bc -l
591363172-32+1
591363141



...at an offset of 591363141 sectors from the beginning of the partition.



Now I could find which file was "hosed":



vserver:~# tune2fs -l /dev/sdc1 | grep Block\ size
Block size:               4096


The block size of this EXT3 filesystem was 4096 bytes, so the bad sector destroyed this block in the filesystem:




vserver:~# bc -l
591363141*512/4096
73920392.62500000000000000000


And the block number (73920392) corresponded into this file:



vserver:~# debugfs
debugfs 1.41.3 (12-Oct-2008)
debugfs:  open /dev/sdc1

testb 73920392
debugfs:  testb 73920392
Block 73920392 marked in use
debugfs:  icheck 73920392
Block           Inode number
73920392        18472967
debugfs:  ncheck 18472967
Inode           Pathname
18472967        /path/to/filewithbadsector



And I restored that file from my backups.



Is there an equivalent procedure I can follow for Windows/NTFS?


Answer



I know you have an NTFS FS, and run windows on that FS.
I don't know if you "could" boot a live Linux to work on that driver or not.



If you can boot Linux from CD or USB,
you can use ntfsprogs. look at - 




ntfscluster 

ntfsinfo


I believe ntfscluster tell you what file a particular cluster stores. I hope this puts you in the right direction.


-

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)

linux - How to SSH to ec2 instance in VPC private subnet via NAT server

I have created a VPC in aws with a public subnet and a private subnet. The private subnet does not have direct access to external network. S...