NTFS format (mkfs) -- which areas of the disk get overwritten?

I accidentally ran mkfs.ntfs -Q /dev/sda (instead of /dev/sda6) on a 2Tb external HDD. Luckily, there's a 1G unused partition at the beginning, and also plenty of space at the end:

Device     Boot      Start        End    Sectors  Size Id Type
/dev/sda1             2048    2099199    2097152    1G  b W95 FAT32
/dev/sda2  *       2099200 3739256831 3737157632  1.8T  7 HPFS/NTFS/exFAT
/dev/sda4       3739256832 3907029166  167772335   80G  5 Extended
/dev/sda5       3739258880 3751841791   12582912    6G 83 Linux
/dev/sda6       3751843840 3907029166  155185327   74G  7 HPFS/NTFS/exFAT

Is /dev/sda2 safe? Or does mkfs.ntfs write metadata in the middle of the target space, in which case I guess any file could be corrupted without so much as a warning?

1 Answer

Is /dev/sda2 safe?

In general: no. Keep reading to learn why I think so.


Example procedure

My 2TB HDD is of the size 2000398934016 bytes. The goal is to investigate what mkfs.ntfs -Q would do to a device of this size.

I create a sparse file of this exact size:

$ # the filesystem must support sparse files
$ truncate -s 2000398934016 fakesda

ls -ls confirms the whole file is sparse:

$ ls -ls fakesda
0 -rw-r--r-- 1 kamil kamil 2000398934016 Oct 31 18:48 fakesda

(the first 0 tells this). But also sparsemap (which will be useful later) does:

$ sparsemap fakesda
HOLE 2000398934016

I could do mkfs.ntfs -FQ fakesda, but then mkfs.ntfs would assume the sector size is 512 bytes. In this example let's assume my disk uses 4096 bytes as its logical sector size. In such a case I think I can use the --sector-size option of mkfs.ntfs (see man 8 mkfs.ntfs). But to be sure what mkfs.ntfs -Q alone would do to my disk, I decide to create a loop device from fakesda:

$ sudo losetup -f --show --sector-size 4096 fakesda
/dev/loop0

sparsemap tells me fakesda is still completely sparse. I run mkfs.ntfs -Q on the loop device:

$ sudo mkfs.ntfs -Q /dev/loop0

I destroy the loop device and sync just in case:

$ sudo losetup -d /dev/loop0
$ sync

How sparse is the file now?

$ sparsemap fakesda
DATA 12288
HOLE 4096
DATA 110592
HOLE 250049753088
DATA 61460480
HOLE 750088122368
DATA 67125248
HOLE 1000132341760
DATA 4096

See sparsemap -h to learn how to interpret this:

The file is interpreted as a sequence of data and holes, for example given a file with 8192 bytes of data followed by a 4096 byte hole followed by 8192 bytes of data the output of sparsemap would be:

DATA 8192
HOLE 4096
DATA 8192

In my result each DATA line denotes a fragment affected by mkfs.ntfs. I can see mkfs.ntfs does write something in the middle of the target space.

Finally I remove the file with rm fakesda.


Your specific case

You can do your own tests using the exact size (and sector size) of your disk and the same mkfs.ntfs you used. This way you will probably be able to identify affected fragments accurately and to tell which partitions (which old filesystems) they belong to. Mapping the fragments to particular files or metadata in your old filesystems may not be easy and it's a different issue.

The partition table you posted tells me the sector size is 512 bytes in your case. I think you can use mkfs.ntfs -FQ fakesda without playing with losetup. My example deliberately uses a different sector size; this way the answer is more general.


Doubt

If mkfs.ntfs -Q writes zeros to some part of the file it operates on, and if it's smart enough to achieve this by sparsifying the file, then my procedure won't detect this. Frankly I don't know if the tool does it. If it does then you need something more than my procedure to find all the affected fragments.

This imperfection of the procedure does not change the conclusion: the filesystem in your /dev/sda2 may have been partially overwritten.

I note mkfs.ntfs without -Q actually writes zeros without sparsifying the file; in fact it desparsifies the whole file. I tested this with files way smaller than 2TB, but still. I can only suspect mkfs.ntfs -Q is similar and never sparsifies the file.


Notes

  • My testbed: Debian GNU/Linux 10.

  • My mkfs.ntfs -V prints mkntfs v2017.3.23AR.3 (libntfs-3g).

  • I installed sparsemap by

    sudo apt-get install python3-pip
    sudo pip3 install sparseutils
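
The mapping step suggested under "Your specific case", as an added example that is not part of the original answer: it converts sparsemap output into byte ranges and intersects them with the partition table from the question. The sample input is the answer's own output from its 4096-byte-sector run, used only for illustration; the function names are this example's own.

```python
SECTOR = 512  # logical sector size implied by the partition table in the question
# Partition table from the question: (name, first sector, last sector inclusive).
PARTITIONS = [
    ("/dev/sda1", 2048, 2099199),
    ("/dev/sda2", 2099200, 3739256831),
    ("/dev/sda4", 3739256832, 3907029166),  # extended container of sda5/sda6
    ("/dev/sda5", 3739258880, 3751841791),
    ("/dev/sda6", 3751843840, 3907029166),
]

# Sample input: the sparsemap output shown in the answer (4096-byte-sector run).
SPARSEMAP = """\
DATA 12288
HOLE 4096
DATA 110592
HOLE 250049753088
DATA 61460480
HOLE 750088122368
DATA 67125248
HOLE 1000132341760
DATA 4096
"""

def data_extents(text):
    """Convert DATA/HOLE length lines into (start, end) byte ranges of DATA, end exclusive."""
    offset, extents = 0, []
    for line in filter(str.strip, text.splitlines()):  # skip blank lines
        kind, length = line.split()
        if kind not in ("DATA", "HOLE"):
            raise ValueError(f"unexpected sparsemap line: {line!r}")
        if kind == "DATA":
            extents.append((offset, offset + int(length)))
        offset += int(length)
    return extents

def overlaps(extents, partitions=PARTITIONS, sector=SECTOR):
    """Pair each DATA extent with [(partition, overlapping bytes), ...]."""
    report = []
    for start, end in extents:
        sizes = ((name, min(end, (last + 1) * sector) - max(start, first * sector))
                 for name, first, last in partitions)
        report.append(((start, end), [(p, n) for p, n in sizes if n > 0]))
    return report

if __name__ == "__main__":
    for (start, end), hits in overlaps(data_extents(SPARSEMAP)):
        where = ", ".join(f"{p}: {n} bytes" for p, n in hits) or "outside every partition"
        print(f"bytes {start}..{end - 1}  {where}")
```

For a real assessment, replace SPARSEMAP with the output of a test run made with the disk's actual size and sector size.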
