An Introduction to Data Recovery
(Copyright © 2003, 2008, 2011, 2015 by Daniel B. Sedory)
[ Note:
The author is available for performing Data Recovery operations
( if no data is recovered, then no charge; except for a
reasonably agreed upon travel/consulting fee ). If you can no longer boot up your OS, or access any of its partitions, and there is no internal physical damage, the author can usually recover most if not all of your data; and may even be able to return your drive to the exact state it was in before the problem arose! The chances of that happening decrease greatly each time you power-up the drive to try something else! (Click here to read about some examples from which your data can be recovered.) However,
if the problem turns out to have been caused by physical
damage (there can be internal damage that you would never be able
to see!), then the author (or you) will have to make arrangements with
a Data Recovery company that has a clean-room, expert technicians
and the necessary equipment (at a much higher fee); see below
for more info on such procedures. ]
Hardware Problems, or Physical Damage to the Hard Disk?
First, you must realize that no software program can repair physical damage to your hard disk.
[ Note: HDDs
today use built-in software that can cover-up the fact that you've even
had some damage by automatically noting where a number of 'faulty reads' have
occurred and removing access to that part of the disk for any future writes
( while relocating the missing sector space to an unused
portion of the drive set aside for such problems! ). The only thing the
user might notice is that one of their files or programs has become defective
or will no longer execute! To quote Steve Gibson, the author of SpinRite
(http://grc.com/):
That unused portion
of a drive set aside for these "variations" in its surface is
certainly not limitless (although it has expanded since their costs have been
greatly reduced over the years). If too many sectors become damaged (usually
during a single incident), then the drive's controller won't be able to handle
the damage on its own. Eventually the user or the OS itself will run a program
such as MS-SCANDISK which will definitely inform you about all the bad
sectors it has found; in essence it's doing the same thing that the drive
itself may have done earlier: marking sectors as bad and not allowing you to
ever write to them again. ]
However, if your hard drive's disk platter(s) are not spinning,
it might simply be due to an electrical problem with the drive's power connectors
or the computer's motherboard (connectors or components). Likewise, an inaccessible
drive may simply be due to a faulty connection of the data cable. You should
check the connections first, and then you could always try connecting the drive
to a known good computer to help determine the actual problem [But first, make
sure the drive cannot 'boot up' in the other computer by setting it to boot
up from a floppy, CD or DVD drive and placing bootable media in them (or by connecting
it to a Secondary drive cable instead; most Pentium-class or later computers
will have a Secondary cable connected to the CD drive). If you don't do this,
the differences in the Motherboards and/or hardware attachments are sure to
cause all sorts of problems for any Windows OS trying to boot up on a different
machine than the one it was installed on!].
Chances are your Motherboard is not where the fault lies, though.
Non-spinning disks are normally caused by a motor failure or a disk-controller card failure. A 'crash'
of one or more heads against the disk platter(s) might be severe enough
to cause physical damage to an arm mechanism, but this type of damage
has become rare for modern disk drives, which have gone through many design improvements.
Still, do not drop one from a shelf onto a concrete floor and expect
it to work as if nothing ever happened!
Sometimes a particle of foreign matter gets stuck between a head
and platter until it cuts into the very thin surface of media coating
on the platter. In such cases,
some of your data will always be unrecoverable since it was literally
removed from the disk! (See Bad Sectors below for suggestions
on how to proceed.)
When a drive can no longer be accessed due to Physical Damage,
an expensive procedure in a 'clean room' by trained technicians may:
1) Be able to recover all or most of your data (if they only need
to replace a dead motor and another motor is available [however,
I'm not sure if any Data Recovery labs even practice this procedure;
the storing of spare parts or trying to obtain them from various HDD manufacturers
isn't something they're likely to be interested in] ), or:
2) Possibly recover some to most of your data when the cause is damaged heads,
which likely caused damage to the media at the same time; but
there are never any guarantees that any of your data will be recovered
when this happens! Consider the following statement by a leading expert
in Data Recovery, Nicholas Majors (of Data Recovery Labs) which should give
you an idea of how difficult it is (in time, costs, expertise and technical
limits) to undertake such a process (and perform it correctly):
Despite claims to the contrary, technology does not exist to remove the platters (without extensive control measures) from one device and read them back with another machine.
At the time of manufacture, control signals (servo information) are written to every drive after it has been assembled. Any attempt to recreate or read back these signals once the exact alignment and relative positioning of the platters and the head stack have been altered is virtually impossible.
Commercial data recovery companies (including ourselves) have invested heavily into research to overcome some of these problems. At Data Recovery Labs, we have been successful in many forms of platter transplants - but in every case - the removal of the disks must be done with exacting measurements to maintain the positioning in relation to the spindle that they are mounted on. If the platters are removed - without strict engineering methodologies - the surfaces are useless for data recovery purposes.
Industry sales reps routinely boast of removing platters and reading them in another drive and often allude to mysterious capabilities, but when specifically questioned on their success with physically removed platters they claim that each case is different and must be handled on a one by one basis. If pressed for examples of successful platter removal and recovery, they will usually claim it's a matter of not wanting to violate company confidentiality or reveal trade secrets. [Ed. note: That's often just a lie!]
[ "Data Removal and Erasure from Hard Disk Drives." Copyright(c)1992-1998 Nicholas Majors & Data Recovery Labs. Toronto, Ontario, Canada. ]
At a cost that far exceeds the price of a new hard disk, the home PC user almost never chooses this option!
If the drive is no longer under warranty and you believe that a company's MINIMUM FEE for initiating or recovering your data is reasonable, you might feel like trying to find out if they could actually do it... although you had better "read the fine print" on all paperwork before giving/sending your drive to even a reputable company! Hindsight for how to deal with any future problems is about all that most home users are left with for a 'dead drive.' The best approach, of course, is this: Always back up your files to a separate drive (or two) and have your most precious (irreplaceable) data on at least two separate copies (if you use floppy, CD or DVD media, make sure you have multiple copies in separate locations)! [Unfortunately, I've heard horror stories, such as a grad student who had his whole thesis on only one Zip-disk and it failed! What a waste!]
What should you do about 'Bad Sectors'?
Hard disks can have 'bad sectors' (called 'bad clusters' when
the OS uses a FAT file system) which are physical defects that make it impossible
for certain sectors to retain any data. Although a drive crash often
creates many 'bad sectors,' there may be other causes which result
in the inability to read data from your drive.
As soon as you become aware of 'bad sectors,' you should immediately
copy all important data that has not already been backed up to a good
disk! If you suspect that a drive will not boot due to 'bad sectors' at the
beginning of the drive (which make either the Master Boot Record or Operating
System Boot sectors impossible to read), you should try accessing the drive
from a Boot Disk or, better yet, from another drive on which you can back up
any important data as soon as access is gained to the target drive. It
may also be possible for you to use a low-level 'drive copy' program* which can copy all of the data that can be read (sector-by-sector)
from the faulty drive to a known good drive for later analysis by a recovery
specialist.
Note that physical defects (bad sectors or clusters)
tend to multiply, sometimes rapidly; they do not go away.
_____________
* There are some commercial programs for making sector-by-sector image files of hard
disks, but don't consider using one unless it can
be set to automatically skip over 'bad sectors' and continue
copying the rest of the drive (most drive copy programs will quit with an error
message under these circumstances, because they were only created to make what
should be perfect copies of the data, not for data recovery purposes).
[ If you are familiar with the Linux / UNIX command 'dd' then you
might know about its 'conv=noerror' switch which forces it to continue
copying data even if it encounters many read errors! However, the 'noerror'
keyword is not always functional under some versions of dd (for example,
the author of the 'tomsrtbt' Linux root boot diskette
told me it wouldn't work with his 2.0.103 version), so most likely you'll need
to use a full install of Linux or some other *nix,
or have a static version of dd on another floppy.
The DCFL (DoD Computer Forensics Lab) has a version of 'dd'
called an "Enhanced Forensic DD" so I'd expect that downloading and
compiling their source code on your own Linux/UNIX box should ensure that the
'noerror' keyword performs as expected; but I haven't done so.
Testing 'dd' with a damaged floppy diskette
I'd suggest that you first test any 'dd' program using a damaged floppy diskette
before trying to copy a damaged hard drive. You
could create such a floppy by first filling a 3.5 inch floppy with data, then forcibly
holding open its 'shutter' and, at the shutter edge closest to the center of the disk
(about 2/3 of the way into its contents), either very carefully scraping
a small portion of the media's exposed surface (making sure to wipe away any excess
particles), or rubbing a small spot with a chemical solvent (perhaps 70% alcohol
on a cloth) until you notice the oxide layer has come off. [Never do this at the
outer edge, or the whole disk may become unreadable!]
To copy a damaged target drive to a known good drive (or file) under Linux,
you would first need to identify both the input device (the if)
and output device or file (the of) and of course make sure there is
at least as much empty space on the output drive as the size of your
damaged data drive. I recommend setting the block size (bs)
to the standard 512 bytes. In the case of our damaged 'test floppy' diskette,
place the diskette in your fd0 drive and enter this command from a directory
of your choice:
dd if=/dev/fd0 of=ddtest.bin bs=512 conv=noerror
then check the size of the file 'ddtest.bin' against the expected size of an undamaged
floppy diskette. I haven't done this myself, so I don't know how the "in
and out record" sizes should appear on your display screen.
If your 'dd' functions as expected with this diskette, then it should be able
to copy a hard drive with damaged sectors.
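The skip-and-continue copy described above, as an added example in Python (not from the original page and not the code of any 'dd' version): it images a device sector by sector, writes zeros for each unreadable sector so that every later sector keeps its offset (the effect of adding dd's 'sync' keyword to 'noerror'), and returns the bad sector numbers. The FaultyDisk class, the pad option and the 8-sector sample are constructed for the demonstration.

```python
import io

SECTOR = 512  # the block size the page recommends (bs=512)


def image_with_skips(src, dst, total_sectors, sector_size=SECTOR, pad=True):
    """Copy src to dst one sector at a time, continuing past read errors.

    With pad=True an unreadable sector is written as zeros, so the image has
    the full device size and sector N still sits at offset N * sector_size.
    With pad=False unreadable sectors are dropped and the image comes out short.
    Returns the list of sector numbers that could not be read.
    """
    bad = []
    for lba in range(total_sectors):
        try:
            src.seek(lba * sector_size)
            data = src.read(sector_size)
            ok = len(data) == sector_size  # a short read is treated as a failure
        except OSError:
            data, ok = b"", False
        if not ok:
            bad.append(lba)
        if ok or pad:
            dst.write(data.ljust(sector_size, b"\x00"))
    return bad


class FaultyDisk(io.BytesIO):
    """Constructed test device: a read that starts in a 'bad' sector fails."""

    def __init__(self, data, bad_sectors, sector_size=SECTOR):
        super().__init__(data)
        self.bad_sectors = set(bad_sectors)
        self.sector_size = sector_size

    def read(self, size=-1):
        if self.tell() // self.sector_size in self.bad_sectors:
            raise OSError(5, "Input/output error")
        return super().read(size)


def demo():
    # Constructed 8-sector "diskette": sector n is filled with byte value n + 1.
    sectors = 8
    disk = b"".join(bytes([n + 1]) * SECTOR for n in range(sectors))
    padded, dropped = io.BytesIO(), io.BytesIO()
    bad = image_with_skips(FaultyDisk(disk, {2, 5}), padded, sectors)
    image_with_skips(FaultyDisk(disk, {2, 5}), dropped, sectors, pad=False)
    return bad, padded.getvalue(), dropped.getvalue()


if __name__ == "__main__":
    bad, padded, dropped = demo()
    print("unreadable sectors:", bad)
    print("padded image size: ", len(padded), "bytes")
    print("dropped image size:", len(dropped), "bytes (later data is shifted)")
```

Comparing the image size with the device size, as the text advises, is what tells the two outcomes apart: only the padded image can be examined later with sector numbers that match the original drive.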
For Windows 2000/XP/2003/Vista/2008/7 users:
FAU -- July 2009 (both x86 and 64-bit versions!)
Forensics expert George M. Garner Jr. wrote and compiled a special version of
what he calls the "Forensic Acquisition Utilities"
(based in part on the UnxUtils version of 'dd', http://unxutils.sourceforge.net,
and others) which will run on Win 2000, Win XP or a Microsoft
.Net server. The "conv=noerror"
switch will definitely function correctly with this
program, which contains more options than you would ever need for making a data
recovery image file! It will, however, require you to learn a slightly
different command syntax than that of the standard Linux/UNIX 'dd'. Drive references
are: \\.\PhysicalDriveN where N = the drive number (0, 1, 2, etc.),
or \\.\X: where X = the Logical drive letter; the \\. is used to
refer to the "local machine" as opposed to others in a network. As an example, here's
the command for testing a damaged floppy diskette (as we did above) from a Win2000 DOS-box prompt:
dd if=\\.\A: of=ddtest.bin bs=512 conv=noerror --log=out.txt
where the --log switch allows you to save all the output that
would normally be displayed on the screen to a specified filename (and his program
outputs some very useful data about the drive it is copying!). You can find
his work, which is still in progress (at this time), here:
http://gmgsystemsinc.com/fau/
(The DD binary is included in a large archive with the source code
and MANY other files. To use it, you must extract the 5 files: dd.exe,
getopt.dll, zlibU.dll, md5lib.dll
and md5sum.exe from the archive -- the last 3 files are required because
MD5 sums have been integrated into the program's options.
Your system will also need to have: msvcr70.dll and msvcp70.dll, which
are also included in the distribution if needed.) Here's a copy of two logfiles from tests we've
performed, copying logical partitions to another drive as image files.
If you really need a program to copy a drive with damaged sectors to an image file
or another drive, and know nothing about Linux, this could
be exactly what you need! Make sure to read all of Mr. Garner's web page!]
Lost Data due to Unintentional Disk Writes: from poorly documented or faulty Software, Viruses or Operator Error
If your hard drive does not have a physical problem, then certain software
utility programs and skill may be able to help you recover all
your data, provided you or a virus has not already overwritten all
of the key sectors. (Example: Key sectors for a Microsoft
FAT16/FAT32 partition are either of the FATs (File Allocation Tables)
or the actual data itself; if both FATs are damaged, then forget about
restoring the drive to be exactly as it was, or bootable, even though we may
recover all its data files.)
If all of the indexes (FATs or other data structures; such
as an NTFS partition's $MFT sectors) have been overwritten, then your data will
most likely be recovered in pieces (due to fragmentation); which may or may
not fit together easily. [Frequent defragging may help avoid this.]
Textual data is easier to recover under such circumstances,
but a binary file may never function again since it only takes ONE misplaced
byte to ruin it. [Note: If you ever intend some day to make sure that the data
on your drive can never be read, you may wish to read this related discussion:
How to Permanently Erase all Data on a Hard Disk.]
Although there are a number of utility programs available to help you recover
your data, being successful at it often requires a great deal of specific knowledge
about PCs in general, hard disks, the MBR (Master Boot Record), Partition
Tables, any EBRs (Extended Boot Records; similar to the MBR, but inside
an Extended Partition), BIOS chips, the Operating System's Boot sector(s) and
the File System that's being used.
NOTE: As they say, 'a little knowledge can be dangerous' in this field as in many others. For example, too many people often think that the command "FDISK /MBR" is the 'cure all' for most of their disk drive troubles. The truth is that this will ONLY work if the "code" in the MBR has been corrupted, or was replaced by some code for a different OS (such as the Linux Loader; LILO). FDISK /MBR does *nothing* about incorrect Partition Table data, and in some cases can actually make matters worse! (See our page: FDISK /MBR for more details.)
Apart from knowing what a 'healthy' file system should look like, you need some tools that can
show you what is actually present (or not present!) on the drive in question.
Although definitely not intended as a systematic (or
complete) course on how to do Data Recovery, some of the other pages on this
site may provide just the right kind of information for those adept enough in
learning the technical skills necessary to recover their own data... However,
there's nothing that compares to having actual experience in using a
tool; so if possible, you should have a spare hard disk you can perform tests
on (practice with) over and over again first... Fill it up with a bunch of data on
more than one partition, use FDISK or a disk editor to delete the Partition Table in
the MBR and then see if you can recover the data! [You can begin studying here:
MBR Index page.]
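What such a tool reads from a disk's first sector, as an added example in Python (not from the original page or from any of the tools it names): it separates the MBR's boot code (bytes 0-445) from the four 16-byte Partition Table entries (bytes 446-509) and the 55 AA signature, and reports an empty table, overlapping entries or a GPT protective entry. The build_mbr helper and all sample values are constructed for the demonstration.

```python
import struct

TABLE_OFFSET, ENTRY_SIZE, SIG_OFFSET = 446, 16, 510
# Entry layout: boot flag, CHS start (skipped), type, CHS end (skipped),
# LBA of first sector, number of sectors.
ENTRY = "<B3xB3xII"
TYPES = {0x05: "Extended", 0x06: "FAT16", 0x07: "NTFS/HPFS", 0x0B: "FAT32",
         0x0C: "FAT32 (LBA)", 0x0F: "Extended (LBA)", 0x83: "Linux",
         0xEE: "GPT protective"}


def parse_mbr(sector):
    """Split a 512-byte MBR into boot code, partition table and signature,
    and list anything that does not look healthy."""
    if len(sector) != 512:
        raise ValueError("an MBR is exactly one 512-byte sector")
    parts, findings = [], []
    for i in range(4):
        flag, ptype, start, count = struct.unpack_from(
            ENTRY, sector, TABLE_OFFSET + i * ENTRY_SIZE)
        if ptype == 0:
            continue  # unused slot
        if flag not in (0x00, 0x80):
            findings.append(f"entry {i}: invalid boot flag 0x{flag:02X}")
        parts.append({"slot": i, "active": flag == 0x80, "type": ptype,
                      "name": TYPES.get(ptype, "unknown"),
                      "start": start, "sectors": count})
    if sector[SIG_OFFSET:] != b"\x55\xaa":
        findings.append("missing 55 AA signature")
    if not parts:
        findings.append("partition table is empty")
    if any(p["type"] == 0xEE for p in parts):
        findings.append("protective MBR: the real table is in the GPT")
    ordered = sorted(parts, key=lambda p: p["start"])
    for a, b in zip(ordered, ordered[1:]):
        if a["start"] + a["sectors"] > b["start"]:
            findings.append(f"entries {a['slot']} and {b['slot']} overlap")
    return {"boot_code_present": any(sector[:TABLE_OFFSET]),
            "partitions": parts, "findings": findings}


def build_mbr(entries, boot_code=b"\xfa\x33\xc0\x8e\xd0"):
    """Constructed sample data: assemble an MBR from
    (flag, type, start, count) tuples; boot_code is placeholder bytes."""
    sector = bytearray(512)
    sector[:len(boot_code)] = boot_code
    for i, fields in enumerate(entries):
        struct.pack_into(ENTRY, sector, TABLE_OFFSET + i * ENTRY_SIZE, *fields)
    sector[SIG_OFFSET:] = b"\x55\xaa"
    return bytes(sector)


if __name__ == "__main__":
    healthy = build_mbr([(0x80, 0x0C, 63, 2048000),
                         (0x00, 0x05, 2048063, 1024000)])
    wiped = build_mbr([])  # boot code and signature intact, table zeroed
    for label, mbr in (("healthy", healthy), ("table wiped", wiped)):
        print(label, parse_mbr(mbr))
```

The "table wiped" sample is the practice case the text suggests: boot code and signature are intact, so rewriting the MBR code changes nothing, and recovery depends on finding where the partitions started.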
By working at this 'low level' of operation, it's possible
to recover all of the data from a 1 GB or larger drive running Win 9x
that's been hit by the CIH virus! All you need to do is:
First identify the location of the partition(s) on the disk,
make a new MBR, create a new Boot Record for the first partition, and then copy
the Second FAT (of the FAT32 file system) into the location of the First FAT.
[ If you believe those steps are easy, then you either have experience
in carrying out these procedures, or you're one of those people who "knows
just enough to be dangerous." ]
The KEY POINT I'd like to get across to everyone is this: Although a program
written by someone to fix a number of general problems might correct the
specific issue you're having, if your lost data is truly important to you,
you will only make changes to your disk that you KNOW with a high degree of
certainty (or have assurances from a true expert) will actually recover your data,
rather than desperately trying whatever a well-meaning friend suggests, or you
found advertised on the Net!
[ Warning: Improper use of these programs may result in further data loss! You should learn how to use them on spare drives before ever using them on your critical disks!]
NOTE: Over the next few years (2012-2015), more people will start having issues with GPT/EFI Partitioned hard disks; only GPT partitioning can take full advantage of disks larger than 2 TB (TeraBytes). A disk editor will still be useful (if it can access a drive that large), but many tools that provide detailed information about how disks are partitioned were designed only for Basic MBR partitioned disks, and they are useless in providing GPT (GUID Partition Table) data.
1. Power Quest's Partition Table Editor (PTedit32). Read about and use the link on our Boot Tools page. NOTE: There are many other useful tools listed on this page!
2. Symantec's Norton Disk Editor 2000 (for DOS/Win 9x). This is *not* recommended unless you're dealing with FAT12/16/32 file systems. This editor has many built-in features useful in data recovery that are generally not well known. CAUTION: There are many different versions of this disk editor going back to at least MS-DOS 5.0 (which could 'wreak havoc' on MS-FAT32 file system partitions). Also be aware you MUST know a great deal about the kind of data structures you are trying to recreate when using its "Recovery" tool; you could easily add to the corrupted data, making matters worse. We have some pages on: Using DISKEDIT to Learn about Boot Records, Fats and Directories.
3. PTS-Disk Editor (Free Demo version.) Simpler than Norton's above, but just as helpful in editing MBRs and even easier to use for 'jumping to' specific disk sectors. Good for quickly following the chain of ExtendedMBRs through a drive. Read more about it from the link on my Boot Tools page.
4. Svend Olaf Mikkelsen's Disk Utilities. Not for novices. Very little help. You'll
either know what to do with them, or get frustrated and forget about them!
We often use these to get a 'quick picture' of what someone else's drive looks
like by having them run GETSECT (or the 32-bit version: findpart getsect) and
then receive files via e-mail.
5. TestDisk by Christophe Grenier. Useful in recovering lost partitions or just gathering
information about them. Runs on Linux, BSD or Win9x/DOS,
and Windows 2K/XP/Vista/7 platforms; even two different 64-bit versions!
Recovers Linux, NTFS, FAT and many other file systems! We wrote some of the
documentation for this program and enjoy finding whatever new data it can acquire
about a drive when using its logging and debugging parameters.
Version 6.12 of TestDisk was compiled May 11, 2011. This is a
reliable tool which should be able to help people recover all their data when
they've lost partitions as a result of mistakes made when 'experimenting'
with a new OS or trying to create a dual or multi-booting computer.
Updated: October 9, 2011. (Added notes about 'back up' experiences that can go terribly wrong, 28 June 2008.)