1

I used ntfsclone from Ubuntu to copy a bad Windows hard drive to a new one using:

sudo ntfsclone --rescue -f --overwrite /dev/sda1 /dev/sdb1

which produces the following:

WARNING: Can't read sector at 470585344, lost data.

There are only about 70 of these warnings. How could I determine what real files were affected using these numbers?

Zachary Scott

2 Answers

2

To see which file is using a specific sector you can use ntfscluster:

ntfscluster -s 470585344 /dev/sda1

Command and response example:

ntfscluster -s 3904294913 /dev/sdc1

Searching for sector 3904294913
Inode 162 is an extent of inode 38.
Inode 733 is an extent of inode 732.
Inode 896 is an extent of inode 895.
Inode 10746 is an extent of inode 10745.
Inode 100391 is an extent of inode 72466.
Inode 129441 /bd/b3/auto/lib-20151023/lib.7z.076/$DATA
Inode 173802 is an extent of inode 72466.
Inode 201917 is an extent of inode 186579.
Inode 222920 is an extent of inode 185882.
Inode 222921 is an extent of inode 185883.

You also need to go through all the inode numbers:

ntfsinfo -i 129441 /dev/sdc1

Dumping Inode 129441 (0x1f9a1)
Upd. Seq. Array Off.: 48 (0x30)
Upd. Seq. Array Count: 3 (0x3)
Upd. Seq. Number: 2 (0x2)
LogFile Seq. Number: 0xfc2c2b3a
MFT Record Seq. Numb.: 4 (0x4)
Number of Hard Links: 2 (0x2)
Attribute Offset: 56 (0x38)
MFT Record Flags: IN_USE
Bytes Used: 456 (0x1c8) bytes
Bytes Allocated: 1024 (0x400) bytes
Next Attribute Instance: 5 (0x5)
MFT Padding: 00 00

Dumping attribute $STANDARD_INFORMATION (0x10) from mft record 129441 (0x1f9a1)
Resident: Yes
Attribute flags: 0x0000
Attribute instance: 0 (0x0)
Data size: 72 (0x48)
Resident flags: 0x00
File Creation Time: Tue Mar 19 09:16:04 2024 UTC
File Altered Time: Fri Oct 23 04:46:24 2015 UTC
MFT Changed Time: Tue Mar 19 09:16:26 2024 UTC
Last Accessed Time: Tue Mar 19 09:16:04 2024 UTC
File attributes: ARCHIVE (0x00000020)
Maximum versions: 0
Version number: 0
Class ID: 0
User ID: 0 (0x0)
Security ID: 268 (0x10c)
Quota charged: 0 (0x0)
Update Sequence Number: 232050512 (0xdd4cf50)

Dumping attribute $FILE_NAME (0x30) from mft record 129441 (0x1f9a1)
Resident: Yes
Attribute flags: 0x0000
Attribute instance: 2 (0x2)
Data size: 86 (0x56)
Resident flags: 0x01
Parent directory: 129370 (0x1f95a)
File Creation Time: Tue Mar 19 09:16:04 2024 UTC
File Altered Time: Tue Mar 19 09:16:04 2024 UTC
MFT Changed Time: Tue Mar 19 09:16:04 2024 UTC
Last Accessed Time: Tue Mar 19 09:16:04 2024 UTC
Allocated Size: 0 (0x0)
Data Size: 0 (0x0)
Filename Length: 10 (0xa)
File attributes: ARCHIVE (0x00000020)
Namespace: Win32
Filename: 'lib.7z.076'

Dumping attribute $FILE_NAME (0x30) from mft record 129441 (0x1f9a1)
Resident: Yes
Attribute flags: 0x0000
Attribute instance: 3 (0x3)
Data size: 88 (0x58)
Resident flags: 0x01
Parent directory: 129370 (0x1f95a)
File Creation Time: Tue Mar 19 09:16:04 2024 UTC
File Altered Time: Tue Mar 19 09:16:04 2024 UTC
MFT Changed Time: Tue Mar 19 09:16:04 2024 UTC
Last Accessed Time: Tue Mar 19 09:16:04 2024 UTC
Allocated Size: 0 (0x0)
Data Size: 0 (0x0)
Filename Length: 11 (0xb)
File attributes: ARCHIVE (0x00000020)
Namespace: DOS
Filename: 'LIB7Z~1.076'

Dumping attribute $DATA (0x80) from mft record 129441 (0x1f9a1)
Resident: No
Attribute flags: 0x0000
Attribute instance: 4 (0x4)
Compression unit: 0 (0x0)
Data size: 209715200 (0xc800000)
Allocated size: 209715200 (0xc800000)
Initialized size: 209715200 (0xc800000)
End of inode reached

In the output of these commands you can find the file names.

vovan
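With about 70 warnings, the lookup in the answer above is worth scripting. The following is an added example, not part of either answer and not code from the ntfs-3g tools; it assumes the ntfsclone output was saved to a log file and that ntfscluster prints lines in the two shapes shown above. The function names are hypothetical.

```shell
# Print the unique sector numbers from ntfsclone warnings read on stdin.
extract_sectors() {
    sed -n "s/.*Can't read sector at \([0-9][0-9]*\).*/\1/p" | sort -n -u
}

# Turn ntfscluster output (stdin) into tab-separated records:
#   file    <inode>  <path>         line that names a file
#   extent  <inode>  <base inode>   line that only points at a base inode
parse_ntfscluster() {
    awk '
        $1 == "Inode" && $3 == "is" && $5 == "extent" {
            base = $NF; sub(/\.$/, "", base)
            print "extent\t" $2 "\t" base; next
        }
        $1 == "Inode" && $3 ~ /^\// {
            path = $0; sub(/^Inode [0-9]+ /, "", path)   # keeps spaces in names
            print "file\t" $2 "\t" path
        }'
}

# Run ntfscluster for every bad sector in LOG against DEVICE (needs root).
# DEVICE is the partition ntfsclone read from (/dev/sda1 in the question).
# Each output record is prefixed with the sector it belongs to.
map_bad_sectors() {
    mbs_log=$1
    mbs_dev=$2
    extract_sectors < "$mbs_log" | while read -r mbs_sector; do
        ntfscluster -s "$mbs_sector" "$mbs_dev" 2>/dev/null |
            parse_ntfscluster |
            awk -v s="$mbs_sector" '{ print s "\t" $0 }'
    done
}

# Constructed sample input, so the two parsers can be tried without a disk.
demo() {
    printf '%s\n' "WARNING: Can't read sector at 470585344, lost data." \
                  "WARNING: Can't read sector at 470585344, lost data." |
        extract_sectors
    printf '%s\n' 'Searching for sector 3904294913' \
                  'Inode 162 is an extent of inode 38.' \
                  'Inode 129441 /bd/b3/auto/lib-20151023/lib.7z.076/$DATA' |
        parse_ntfscluster
}
```

Called as `map_bad_sectors clone.log /dev/sda1 | sort -u`, this gives one line per sector and inode; `extent` records carry only a base inode number, which still has to be looked up with `ntfsinfo -i` as the answer describes.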
1

On the hunt for the opposite, file to sector address resolution if you will, I came across your question. On a Windows box, using nfi.exe found in the Windows 2000 OEM toolkit: see http://forums.seagate.com/t5/Barracuda-XT-Barracuda-Barracuda/Tip-How-to-determine-which-file-occupies-a-particular-sector/td-p/35567

brandeded