I have an dd image of a partition that once had a Windows 10 NTFS filesystem and then got accidentally formatted (or so I assume) and now has a pretty empty NTFS with only an empty Windows directory on it.
Is it possible to recover at least some files by scanning the binary dump for Magic Bytes?
I tried testdisk, foremost and some other tools without finding any file so I'm wondering if NTFS somehow works that different than FAT or ext where the contents can be found even if the filesystem is not readable any more.
dd'ed a lot of zeros. easy test: if this imagegzips to basically nothing, you can give up.testdisk's sister program:PhotoRec.photorec. Inphotorecthere are options for a) selecting ntfs as the underlying system and b) searching by magic bytes. you just need to runphotorecas sudo. Unless you went through some serious effort actively erasing your partition, you will virtually always come up with something. I have formatted partitions, put new OSes on them, then re-filled them up 90% of the way ( per OS diskspace managers) and could still pull out files from when the previous OS was on them. Even ifphotoreccomes up empty, your data may still be recoverable.