
Linux FTW

Red Squirrel

No Lifer
So I was setting up win2k on my parents' old PC so I can give it to my sister as her PC totally crapped out. I went to copy her hard drive contents and it just told me it was corrupted right when I tried to open it. It did not even try.

I decided to boot up with Ubuntu to see what would happen, I mounted the drive, it gave me a warning about some corruption, but that it fixed it, and mounted it anyway.

The files are copying now. :awe: Go Linux!

Faster to copy through the Linux command line anyway. Windows copying is so slow, and if there's one single error it craps out and stops.
 
Yeah, for whatever reason when Windows has a drive with NTFS corruption, even if it's not C drive, it lags and chops. A 3rd party OS can read it though... done this many times.
 
Yep it was SUPER laggy. It just froze all explorer. I was not actively trying as I was just working on other stuff so I just let it be, and eventually the error came up. Linux fixed the error and mounted it in about a second. 😛 Pretty bad when Linux can deal with NTFS better than the OS designed for it can. haha
 
To be fair, we're comparing a modern Linux with a decade old OS. A decade ago, I would wager to bet that RH4 (or 3!) couldn't have handled it. Also, might be interesting to see what Win7 would have done with it.

At any rate, I too use Linux Live CDs to do all sorts of rescuing of Windows machines and am also often surprised at how much better Linux can be at this stuff.
 
To be fair, we're comparing a modern Linux with a decade old OS. A decade ago, I would wager to bet that RH4 (or 3!) couldn't have handled it. Also, might be interesting to see what Win7 would have done with it.

At any rate, I too use Linux Live CDs to do all sorts of rescuing of Windows machines and am also often surprised at how much better Linux can be at this stuff.

This, you're comparing a 10 year old operating system to a modern operating system. Not saying Linux isn't great for these things but is it really surprising given what you're comparing it to?

Furthermore, there are good CLI copying tools in Windows that are fast and have flags to skip on errors. Look into robocopy/xcopy.
 
To be fair, we're comparing a modern Linux with a decade old OS. A decade ago, I would wager to bet that RH4 (or 3!) couldn't have handled it. Also, might be interesting to see what Win7 would have done with it.

At any rate, I too use Linux Live CDs to do all sorts of rescuing of Windows machines and am also often surprised at how much better Linux can be at this stuff.

Actually I'd still bet that the Linux NTFS driver from the same timeframe would still mount and read the filesystem better than the Windows driver. For some reason the Windows driver has always been extremely intolerant to filesystem corruption and declared volumes RAW when the filesystem was mostly fine.

Furthermore, there are good CLI copying tools in Windows that are fast and have flags to skip on errors. Look into robocopy/xcopy.

But you still have to get the volume mounted first which can range from difficult to impossible in situations like this.
 
Actually I'd still bet that the Linux NTFS driver from the same timeframe would still mount and read the filesystem better than the Windows driver. For some reason the Windows driver has always been extremely intolerant to filesystem corruption and declared volumes RAW when the filesystem was mostly fine.



But you still have to get the volume mounted first which can range from difficult to impossible in situations like this.

Yeah, I meant in terms of general CLI file copying, there are better options than Windows' cp.
 
My experience is that when the NTFS tables get corrupt or a key part of the disk goes corrupt and can't be read properly, there's little recourse on the NTFS side without those tables being rewritten.

The reason Linux can often read the file system is because it's already running and doesn't have to rely on those low-lying boot sectors to read its kernel startup instructions. I'm sure I've dumbed down all the steps in the process....

I was able to resize NTFS a few years ago with gparted and through a few utilities actually rewrite the tables in NTFS to display the new numbers. This allowed me to free up space on the drive for a Linux partition without losing my (now smaller) XP partition. I probably wouldn't do it again, but it was definitely a learning experience. With the right tools, you can repair the tables and move on.
 
The reason Linux can often read the file system is because it's already running and doesn't have to rely on those low-lying boot sectors to read its kernel startup instructions. I'm sure I've dumbed down all the steps in the process....

Or completely gotten them wrong. The kernel "startup instructions" are only on an NTFS volume in so much as they're in the boot.ini and registry which may be on an NTFS volume. The boot record in any partition contains nothing filesystem specific, it's only a few bytes and is just dumb code that tells the CPU where to go to run the next stage, i.e. NTLDR, GRUB stage2, etc.

And AFAICT the OP is talking about a data drive so booting is in no way related to Windows' inability to mount the volume.

The NTFS driver is extremely intolerant to any damage to a filesystem and will refuse to even mount it at the slightest sign of a problem. MS probably considers this a feature since they haven't fixed it in the past decade or so.
 
It's been awhile since I've looked into any of this but a few years ago I did some filesystem forensics work and NTFS can be pretty damn resilient to damage as I believe it stores a copy of the meta/information about geometry at the very end of the partition as well that can be used to rebuild broken integrity. This was for a forensic data investigation using specialized software however. It's interesting that NTFS is written rather well but Windows does such a shite job of handling it.
 
It's been awhile since I've looked into any of this but a few years ago I did some filesystem forensics work and NTFS can be pretty damn resilient to damage as I believe it stores a copy of the meta/information about geometry at the very end of the partition as well that can be used to rebuild broken integrity. This was for a forensic data investigation using specialized software however. It's interesting that NTFS is written rather well but Windows does such a shite job of handling it.

I'm pretty sure that NTFS, like most other decent offerings from MS, was bought from another company and then expanded on by MS. I'm also pretty sure that the redundant partition information stored at the end of the disk is only used to facilitate the conversion to a dynamic disk. But without being able to actually see the NTFS.sys source it's impossible to know for sure.
 
I'm pretty sure that NTFS, like most other decent offerings from MS, was bought from another company and then expanded on by MS. I'm also pretty sure that the redundant partition information stored at the end of the disk is only used to facilitate the conversion to a dynamic disk. But without being able to actually see the NTFS.sys source it's impossible to know for sure.

You may be right, we were able to recover/rebuild an NTFS volume in an exercise where a white collar crime type user tried to format his drive as he was being raided (the sample drive had the first chunk of it completely corrupted) and we used the info at the end of the drive to fix it enough to recover data from it. This was years ago though so the details are fuzzy 🙂
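The recovery described in the posts above relies on NTFS keeping a backup copy of its boot sector in the last sector of the partition. The following is an added example, not part of the original thread: it reads the volume geometry from the primary boot sector and falls back to the backup when the start of the partition has been wiped. It assumes a raw image of one partition (not a whole disk), 512-byte sectors and the backup in the partition's final sector; the function names and the sample image are constructed for illustration.

```python
import struct

SECTOR = 512  # assumption: 512-byte sectors

def parse_ntfs_boot_sector(sec):
    """Return geometry from an NTFS boot sector, or None if it does not validate."""
    if len(sec) < SECTOR or sec[3:11] != b"NTFS    " or sec[510:512] != b"\x55\xaa":
        return None
    bps, spc = struct.unpack_from("<HB", sec, 0x0B)   # bytes/sector, sectors/cluster
    total, mft_lcn, mirr_lcn = struct.unpack_from("<QQQ", sec, 0x28)
    if bps not in (512, 1024, 2048, 4096) or spc == 0:
        return None
    cluster = bps * spc
    return {"bytes_per_sector": bps, "sectors_per_cluster": spc,
            "total_sectors": total,
            "mft_offset": mft_lcn * cluster,        # byte offset of $MFT
            "mftmirr_offset": mirr_lcn * cluster}   # byte offset of $MFTMirr

def recover_geometry(image):
    """Try the primary boot sector first, then the backup in the last sector."""
    for source, sec in (("primary", image[:SECTOR]), ("backup", image[-SECTOR:])):
        geo = parse_ntfs_boot_sector(sec)
        if geo:
            # Sanity check: the volume is one sector smaller than the partition,
            # leaving the final sector for the backup boot sector.
            geo["size_matches"] = (
                (geo["total_sectors"] + 1) * geo["bytes_per_sector"] == len(image))
            return source, geo
    return "none", None

def build_sample_image(total_sectors=2047, wipe_start=True):
    """Constructed test data: a 1 MiB partition image holding only boot sectors."""
    bs = bytearray(SECTOR)
    bs[0:3] = b"\xeb\x52\x90"                 # jump instruction
    bs[3:11] = b"NTFS    "                    # OEM ID
    struct.pack_into("<HB", bs, 0x0B, 512, 8)
    struct.pack_into("<QQQ", bs, 0x28, total_sectors, 4, 128)
    bs[510:512] = b"\x55\xaa"                 # end-of-sector marker
    image = bytearray(SECTOR * (total_sectors + 1))
    image[:SECTOR] = bs
    image[-SECTOR:] = bs                      # backup copy in the last sector
    if wipe_start:                            # simulate an interrupted format
        image[:SECTOR * 16] = bytes(SECTOR * 16)
    return bytes(image)

if __name__ == "__main__":
    print(recover_geometry(build_sample_image()))
```

On real evidence, run this against a read-only image of the partition rather than the original drive.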
 
Enemy raid!!!!
Do the police hire contractors for computer forensics? How does that work anyways. I love doing investigations in IT. Unfortunately in corporate it's to get somebody fired for a minor offence.
 
Enemy raid!!!!
Do the police hire contractors for computer forensics? How does that work anyways. I love doing investigations in IT. Unfortunately in corporate it's to get somebody fired for a minor offence.

I almost did it for a career.

No, the police typically have their own employees for computer crimes but their case log is so backed up beyond belief that it could take years for anything to happen. Depending on the severity of the crime (let's say for example the criminals were sharing inappropriate pictures of minors online) it gets kicked up to the federal level for investigation. If it's a matter of national security it gets bumped to the secret service or NSA.

I spoke at length with representatives from each of those departments about their computer crime departments. If you do something bad enough you will get processed pretty quickly, but generic white collar computer crime type stuff can take forever to prosecute and most local police departments don't handle the investigations properly (extremely rigid as far as rules) so the perp's lawyers easily destroy any case they might have actually had because local cops don't have the resources or training to do a proper investigation. The general public's awareness of computer crime is such a black box that the feds actually spend most of their time learning how to appear in court and present facts to juries than they actually do learning how to investigate the crimes themselves. In crimes that involve juries it's almost impossible to explain these very detailed computer concepts without them getting confused. (think about trying to explain hidden partitions and encryption to your grandmother).
 