Skip to main content

KHE

Notes on Data Rescue

Kenneth H. East [view page source]

Random notes on recovering a failed/failing hard drive.

Tools

Gnu ddrescue is a data recovery dd. It creates a logfile. You can run it multiple times; when doing this, it consults the logfile and only reads what it couldn't read earlier. Any new data obtained is added to the output of previous runs. The algorithm it uses in trying to read all the data from a dying disk is pretty sophisticated.

http://www.gnu.org/software/ddrescue/manual/ddrescue_manual.html

dd_rescue is a modified dd that continues to copy, even after encountering errors and that can read the drive either forwards or backwards. It is optimized for getting data off of a failing drive that is emitting errors -- something that dd can't do. There is a macports version.

http://www.garloff.de/kurt/linux/ddrescue

Clonezilla

http://clonezilla.org/clonezilla-live.php

Bare metal backup like Acronis, Ghost, etc. Also good for recovery.

EaseUS

http://www.easeus.com/resource/windows-ntfs-recovery.htm

Free ?? (really??) NTFS partition recovery software?

Partition Find and Mount

http://findandmount.com/

Free, looks very interesting. Won't write to disk (can't damage it).

hddscan

http://hddscan.com

Free, gets SMART and IDE data from drive. Reads geometry. Performs surface tests.

Process

Image the Drive

If a drive is going bad, the very first thing that should be done is to make an image of it. All recovery efforts should be made against this new image -- not the original disk. This guards against accidental data loss on the original disk. Depending upon how the drive is failing, you might only be able to read it once or twice before it totally craps out. If you are trying to perform recovery on the original disk, you'll be out of luck if it fails totally. Also, every time the bad disk is used, you run the risk of losing additional data. Finally, it's easy to make a mistake during the recovery process. If you are experimenting on your bad disk, operator error might accidentally wipe out data that could have otherwise been recovered. So, make an image. The Gnu ddrescue appears to be the most recommended way to make an image.

Using the macports ddrescue took approximately 3 days to image a 2GB drive. So, be patient.

Use the image that you create with ddrescue for all further work -- preserve your original drive image and don't mess with it.

Fix the Filesystem

If the filesystem is damaged, you can try repairing it with testdisk. It seems like testdisk can only do fairly simple repairs to the filesystem. If it can't take care of your problem, then the next step is to use software designed specifically for the filesystem you need to fix.

For Windows, the chkdsk program that comes with the OS is what I have used. There are other superior programs, but all that I've seen cost $75+, and I have never tried them.

For Linux, there is e2fsck. I am sure there are others, but this is the only one I'm aware of.

If you are able to successfully repair the filesystem, then you can just mount it and copy its contents wherever you wish -- mission accomplished. If you are not so fortunate, keep reading.

Recover Lost Files

If you could not repair the filesystem, or if it appears that files were lost during the repair, you will need to use tools that work outside of the filesystem to recover files.

TestDisk

http://www.cgsecurity.org/wiki/TestDisk

This does all sorts of things, including recovering previously deleted files. It will preserve the directory/file hierarchy.

Photorec

http://www.cgsecurity.org/wiki/PhotoRec

If the filesystem has been hopelessly damaged, you can try photorec. It searches the disk contents for magic numbers and recovers as many files as possible. It recovers 300+ file types.

The downside is that it knows nothing of directory structures. Therefore, all recovered files are in a flat hierarchy, regardless of how they were originally structured. Also, the original file names are lost; the recovered file names are meaningless. There are some tools to help organize the recovered files (e.g., directories by date from EXIF data in photos), but it is still a chore. However, if the alternative is no recovered files, I think most will gladly undertake the sorting/organizing task, as opposed to an empty disk.

Here is the wiki page on organization techniques: http://www.cgsecurity.org/wiki/After_Using_PhotoRec