Thursday, 21 May 2015 00:00

Data recovery from HDD containing bad sectors using Linux

Several introductory words.

Despite the persistent opposition of some manufacturers “of tiny software”, Linux occupies more and more desktops day by day. The average user has been warned many times against getting acquainted with the yellow-heeled Tux: they said that Linux is an OS for “red-eyed programmers” (and that is true – Linux is a remarkable free platform for software developers, with a number of development tools), that Linux is solely a server OS (and yes, it is – Linux has shown itself wonderfully on heavy-duty web servers as well as primitive routers), and so on and so forth.

Moreover, thanks to the efforts of thousands of enthusiasts supported by hardware and software giants (IBM alone is worth a lot), the penguin has consolidated its grip on desktops as an office workstation, a game machine and an ‘out-of-the-box’ multimedia centre. This trend makes me happy. But what can Linux contribute in such a specific area as data recovery from faulty HDDs? I asked myself this question and decided to share what I eventually came up with.

Putting all the small things aside, I set Linux a very complicated and non-trivial task: salvaging data from a Samsung 200 Gb drive riddled with bad sectors (containing user-friendly Microsoft Windows XP) with standard Linux tools only. The customer’s requirement: to copy ‘only 2 folders from disk D’. Current symptoms according to the customer: Windows doesn’t boot, the HDD is slow and nothing happens – black screen. All attempts to connect it to another working machine lead to a 20 min boot time for Windows while it tries to get any response from the HDD and mount it automatically. As a result, the HDD becomes visible, Explorer shows only one partition of unknown size and ‘smart’ Windows suggests formatting it ‘in a friendly manner’; after a tight freeze, PartitionMagic shows 1 partition painted in yellow, with some kind of error and a size of 400 Gb.

And now, as tradition has it, the disclaimer. The author shall not be responsible if you, using superuser rights, easily wipe out your own or somebody else’s data without any chance of recovery. The author shall not be responsible if you don’t have sufficient experience and have mistakenly assessed the condition of your own or somebody else’s storage device, which led to an HSA crash, surface scratches, a burnt controller board etc. The author shall not be responsible for any financial damages caused by your personal negligence. And as a normal human being, of course, you will weigh all the pros and cons and only then resort to the algorithm below. Good luck!

So let’s get started my friends!

We have an IBM-compatible computer with an AMD Sempron 2800+ processor, installed in a Gigabyte GA-K8NE motherboard with nForce4-4x. The computer has a pre-installed, not user-friendly, manually localized Slackware-10.2 (kernel 2.4.32). Additional programs installed: ddrescue, dd_rescue, testdisk and, just in case, the ntfsprogs and ntfs-3g packages. Let’s make a deal that we won’t boot into any X and will try to do even without mc :) (if you wish).

A little note. If you don’t have Linux installed on an HDD or you don’t want to install it, use the Slackware-based (sic!) LiveCD RIPLinux-2.9 (kernel 2.6.21). It already has all the programs we need pre-installed: ddrescue, dd_rescue, testdisk.

So let’s apply a professional approach to this problem. A professional approach implies that first of all we copy the troublesome HDD to a working one, and from that point on we carry out all further work on the working drive to avoid glitches and freezing. Take a drive from the shelf (purchase it in a shop, borrow it from friends); it should have the same capacity as the troublesome one or more. By coincidence we have a 500 Gb WD with a SATA interface. Carry out all necessary preparations to start the work. Even though the recipient disk is clean, it is good manners to wipe it with dd before copying. For fast wiping set the block size to not less than 16 sectors of the device, i.e. 16*512B=8KB. More is admissible too.

root@rozik3:~# dd if=/dev/zero of=/dev/sda bs=8K

The process of wiping a 500 Gb drive will take around 2 hours. During that time you can go out and have a cigarette, play chess with your PC or go to one of the Linux-devoted forums to flame :) .

By periodically running killall -SIGUSR1 dd as root on a second terminal we can watch the wiping progress on the first one.

8034929+0 entries read
8034929+0 entries written
copied 65822138368 bytes (66 GB), 832,959 seconds, 79,0 MB/s
52809917+0 entries read
52809917+0 entries written
copied 432618840064 bytes (433 GB), 6286,23 seconds, 68,8 MB/s
#As it was expected, by the end of the disk the writing speed slows down
dd: entry `/dev/sda': No space left on device
61048324+0 entries read
61048323+0 entries written
copied 500107862016 bytes (500 GB), 7750,36 seconds, 64,5 MB/s

That is wonderful. Shut down the computer to connect the faulty drive. Turn it on again. The BIOS immediately threw a phrase or two about the troublesome drive’s SMART, like: back up and throw this device out of the window :) Yep, that’s what we need :) If even a dumb motherboard doesn’t like the SMART data, let us assess the situation as it is.


root@rozik3:~# smartctl -i -A /dev/hdc

smartctl version 5.36 [i486-slackware-linux-gnu] Copyright (C) 2002-6 Bruce Allen
Home page is http://smartmontools.sourceforge.net/

=== START OF INFORMATION SECTION ===
Device Model: SAMSUNG SP2014N
Serial Number: S088J1NL203227
Firmware Version: VC100-33
User Capacity: 200.049.647.616 bytes
Device is: In smartctl database [for details use: -P show]
ATA Version is: 7
ATA Standard is: ATA/ATAPI-7 T13 1532D revision 4a
Local Time is: Tue Sep 18 00:12:19 2007 EEST
SMART support is: Available - device has SMART capability.
SMART support is: Enabled

=== START OF READ SMART DATA SECTION ===
SMART Attributes Data Structure revision number: 16
Vendor Specific SMART Attributes with Thresholds:
ID# ATTRIBUTE_NAME FLAG VALUE WORST THRESH TYPE UPDATED WHEN_FAILED RAW_VALUE
1 Raw_Read_Error_Rate 0x000f 253 099 051 Pre-fail Always - 0
3 Spin_Up_Time 0x0007 038 033 025 Pre-fail Always - 12800
4 Start_Stop_Count 0x0032 100 100 000 Old_age Always - 272
5 Reallocated_Sector_Ct 0x0033 001 001 010 Pre-fail Always FAILING_NOW 32267
7 Seek_Error_Rate 0x000f 253 253 051 Pre-fail Always - 0
8 Seek_Time_Performance 0x0025 253 253 015 Pre-fail Offline - 0
9 Power_On_Half_Minutes 0x0032 097 097 000 Old_age Always - 17476h+42m
10 Spin_Retry_Count 0x0033 253 253 051 Pre-fail Always - 0
11 Calibration_Retry_Count 0x0012 253 002 000 Old_age Always - 0
12 Power_Cycle_Count 0x0032 100 100 000 Old_age Always - 13
190 Unknown_Attribute 0x0022 166 127 000 Old_age Always - 24
194 Temperature_Celsius 0x0022 166 127 000 Old_age Always - 24
195 Hardware_ECC_Recovered 0x001a 100 100 000 Old_age Always - 1228
196 Reallocated_Event_Count 0x0032 001 001 000 Old_age Always - 32267
197 Current_Pending_Sector 0x0012 253 001 000 Old_age Always - 4294935023
198 Offline_Uncorrectable 0x0030 253 001 000 Old_age Offline - 4294935631
199 UDMA_CRC_Error_Count 0x003e 200 200 000 Old_age Always - 0
200 Multi_Zone_Error_Rate 0x000a 253 253 000 Old_age Always - 0
201 Soft_Read_Error_Rate 0x000a 253 089 000 Old_age Always - 0

So we have fluctuating parameters with IDs 1, 197, 198 and 201, telling us that reading is unstable and there are defects, and a failed parameter with ID 5, clearly telling us that the drive has loaded its G-List with tons of bad sectors and filled it with remaps.
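
The same reading of the attribute table can be scripted. The following shell function is an added example, not part of the original article: it reads smartctl -A rows on stdin, marks attributes that have failed their threshold and flags media counters with a non-zero raw value, including raw values that exceed the number of sectors on the device and so cannot be literal sector counts. The function names and the FAIL/WARN labels are assumptions of this example; the sample rows are copied from the output above.

```shell
#!/bin/sh
# Added example (not from the original article): triage of smartctl -A rows.
# Usage: smart_triage TOTAL_SECTORS   (attribute table on stdin)
#   FAIL  WHEN_FAILED is set, or normalized VALUE <= THRESH (THRESH > 0)
#   WARN  raw counter of a media attribute (5, 196, 197, 198) is non-zero
# A raw value larger than the number of sectors on the device cannot be a
# literal sector count; it is tagged "implausible-raw".
smart_triage() {
    awk -v total="$1" '
    # attribute rows start with a numeric ID and carry at least 10 columns
    $1 ~ /^[0-9]+$/ && NF >= 10 {
        id = $1 + 0; value = $4 + 0; thresh = $6 + 0; raw = $10 + 0
        media = (id == 5 || id == 196 || id == 197 || id == 198)
        note = (media && raw > total) ? " implausible-raw" : ""
        if ($9 != "-" || (thresh > 0 && value <= thresh))
            printf "FAIL %d %s value=%d thresh=%d raw=%s%s\n", \
                   id, $2, value, thresh, $10, note
        else if (media && raw > 0)
            printf "WARN %d %s raw=%s%s\n", id, $2, $10, note
    }'
}

# Sample input: rows copied from the smartctl output shown in the article.
sample_smart() {
    cat <<'EOF'
ID# ATTRIBUTE_NAME FLAG VALUE WORST THRESH TYPE UPDATED WHEN_FAILED RAW_VALUE
1 Raw_Read_Error_Rate 0x000f 253 099 051 Pre-fail Always - 0
5 Reallocated_Sector_Ct 0x0033 001 001 010 Pre-fail Always FAILING_NOW 32267
9 Power_On_Half_Minutes 0x0032 097 097 000 Old_age Always - 17476h+42m
194 Temperature_Celsius 0x0022 166 127 000 Old_age Always - 24
196 Reallocated_Event_Count 0x0032 001 001 000 Old_age Always - 32267
197 Current_Pending_Sector 0x0012 253 001 000 Old_age Always - 4294935023
198 Offline_Uncorrectable 0x0030 253 001 000 Old_age Offline - 4294935631
201 Soft_Read_Error_Rate 0x000a 253 089 000 Old_age Always - 0
EOF
}

# User Capacity is 200049647616 bytes, i.e. 390721968 sectors of 512 bytes.
sample_smart | smart_triage $((200049647616 / 512))
```
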
With the help of fdisk we will keep our bearings in the procedure and make sure that we do not erase or delete anything by mistake :)

root@rozik3:~# fdisk -l

#It is our clean device-recipient and there is nothing on it.
Disk /dev/sda: 500.1 GB, 500107862016 bytes
255 heads, 63 sectors/track, 60801 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

Disk /dev/sda doesn't contain a valid partition table

#This is our faulty drive.
#Instead of a clear logical structure there is a mess – the source of the yellow color in PartitionMagic and the 400 Gb.
Disk /dev/hdc: 200.0 GB, 200049647616 bytes
255 heads, 63 sectors/track, 24321 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

This doesn't look like a partition table
Probably you selected the wrong device.

Device Boot Start End Blocks Id System
/dev/hdc1 ? 13578 119522 850995205 72 Unknown
Partition 1 does not end on cylinder boundary.
/dev/hdc2 ? 45382 79243 271987362 74 Unknown
Partition 2 does not end on cylinder boundary.
/dev/hdc3 ? 10499 10499 0 65 Novell Netware 386
Partition 3 does not end on cylinder boundary.
/dev/hdc4 167628 167631 25817+ 0 Empty
Partition 4 does not end on cylinder boundary.

Partition table entries are not in disk order

#And this is our system drive
Disk /dev/hda: 120.0 GB, 120059362816 bytes
255 heads, 63 sectors/track, 14596 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

Device Boot Start End Blocks Id System
/dev/hda1 1 65 522081 82 Linux swap
/dev/hda2 66 1340 10241437+ 83 Linux
/dev/hda3 * 1341 14468 105450660 7 HPFS/NTFS
/dev/hda4 14469 14596 1028160 c W95 FAT32 (LBA)

We will proceed with our work based on the device file names given by fdisk.

How do we copy? Good question. Linux gurus insistently suggest not reinventing the wheel and using the same dd:

root@rozik3:~# dd if=/dev/hdc of=/dev/sda bs=8K conv=noerror,sync

where bs=8K is for better speed, noerror keeps dd from stopping on errors, and sync pads problematic blocks with zeros to avoid offsets on the recipient drive. Note that with bs=8K a single unreadable sector causes the whole 8K block to be zero-filled.

The testdisk website recommends using ddrescue in two steps:

root@rozik3:~# ddrescue -n /dev/hdc /dev/sda samsung200.log

where -n means do not split problem blocks on the original disk; the session is logged so that successfully copied sectors are not read again on the second pass:

root@rozik3:~# ddrescue -r 1 /dev/hdc /dev/sda samsung200.log

where -r 1 means a single retry of each defective sector while working from the saved log.

Nice programs, right techniques. But, as it became clear subsequently, the 11th Gb of the faulty Samsung had a substantial defect zone where the heads tend to lose the servo markings with a subsequent clicking sound. And if you leave the drive copying overnight, there is every chance of getting only 11 Gb of information and a monotonously clicking body with dead heads. Of course, that doesn’t serve our purpose. That is why we will resort to the much-advertised dd_rescue. It treats the session log in such a way that every start is as if nothing had happened before. However, its reverse copying makes up for its lack of intelligence and automation. Decided! In this case our choice is dd_rescue.

It is a tradition before departing for the Moon :) to read the help for the starship controls :).

root@rozik3:~# dd_rescue -h

dd_rescue Version 1.14, GNU GPL
($Id: dd_rescue.c,v 1.59 2007/08/26 13:42:44 garloff Exp $)
dd_rescue copies data from one file (or block device) to another.
USAGE: dd_rescue [options] infile outfile
Options: -s ipos start position in input file (default=0),
#Start sector in input file (by def.=0)
-S opos start position in output file (def=ipos),
#Start sector in output file (by def.=same as input)
-b softbs block size for copy operation (def=65536),
#block size for copy operation (by def.=64 Kb)
-B hardbs fallback block size in case of errs (def=512),
#block size in case of copying on defects (by def.=512 B)
-e maxerr exit after maxerr errors (def=0=infinite),
#exit after a certain number of errors (by def.=0=no exit)
-m maxxfer maximum amount of data to be transfered (def=0=inf),
#maximum amount of data to copy, after which the program exits (by def.=0=no exit)
-y syncfrq frequency of fsync calls on outfile (def=512*softbs),
#fsync frequency for syncing outfile with infile (a small value slows the operation) (by def.=every 32 MB)
-l logfile name of a file to log errors and summary to (def=""),
#name of a file to log errors and the summary to (useful for analysis) (by def.=no)
-o bbfile name of a file to log bad blocks numbers (def=""),
#name of a file to log bad blocks numbers (useful for analysis) (by def.=no)
-r reverse direction copy (def=forward),
#reverse copying (!!!) (by def.=no, copy forward)
-t truncate output file (def=no),
#clean output file (as does dd) (by def.= no cleaning)
-d/D use O_DIRECT for input/output (def=no),
-w abort on Write errors (def=no),
#abort on write errors (by def.=do not abort)
-a spArse file writing (def=no),
-A Always write blocks, zeroed if err (def=no),
#always write blocks, zeroed if error (useful, if recipient has not been cleaned; slightly slows down copy if errors) (by def.=no write)
-i interactive: ask before overwriting data (def=no),
#interactive mode: ask before overwriting data (by def.=off)
-f force: skip some sanity checks (def=no),
-p preserve: preserve ownership / perms (def=no),
-q quiet operation,
#quiet copying
-v verbose operation,
#detailed copying
-V display version and exit,
#display program version and exit
-h display this help and exit.
#display this help and exit
Note: Sizes may be given in units b(=512), k(=1024), M(=1024^2) or G(1024^3) bytes
This program is useful to rescue data in case of I/O errors, because
it does not necessarily abort or truncate the output.
Having comprehended the above, let’s fly :).
root@rozik3:~# dd_rescue -v -y 1G -l samsung200.log -o samsung200.bb /dev/hdc /dev/sda
# -v – let it report what it does; -y 1G – sync once per Gb, otherwise it slows down a lot; -l, -o – let it log... for history :)
dd_rescue: (info): about to transfer 0.0 kBytes from /dev/hdc to /dev/sda
dd_rescue: (info): blocksizes: soft 65536, hard 512
dd_rescue: (info): starting positions: in 0.0k, out 0.0k
dd_rescue: (info): Logfile: samsung200.log, Maxerr: 0
dd_rescue: (info): Reverse: no , Trunc: no , interactive: no
dd_rescue: (info): abort on Write errs: no , spArse write: never
dd_rescue: (info): ipos: 2283520.0k, opos: 2283520.0k, xferd: 2283520.0k
errs: 0, errxfer: 0.0k, succxfer: 2283520.0k
+curr.rate: 54010kB/s, avg.rate: 50720kB/s, avg.load: 16.9%
------skip-------
dd_rescue: (info): ipos: 10801400.5k, opos: 10801400.5k, xferd: 10801400.5k
* errs: 449, errxfer: 224.5k, succxfer: 10801176.0k
+curr.rate: 0kB/s, avg.rate: 10586kB/s, avg.load: 3.6%
dd_rescue: (warning): /dev/hdc (10801400.5k): Input/output error!

dd_rescue: (info): ipos: 10801401.0k, opos: 10801401.0k, xferd: 10801401.0k
* errs: 450, errxfer: 225.0k, succxfer: 10801176.0k
+curr.rate: 0kB/s, avg.rate: 10544kB/s, avg.load: 3.6%
dd_rescue: (warning): /dev/hdc (10801401.0k): Input/output error!

dd_rescue: (info): ipos: 10801401.5k, opos: 10801401.5k, xferd: 10801401.5k
* errs: 451, errxfer: 225.5k, succxfer: 10801176.0k
+curr.rate: 0kB/s, avg.rate: 10502kB/s, avg.load: 3.6%
dd_rescue: (warning): /dev/hdc (10801401.5k): Input/output error!

Bad block: 21602803
dd_rescue: (fatal): Caught signal 2 "Interrupt". Exiting!
Summary for /dev/hdc -> /dev/sda:
dd_rescue: (info): ipos: 10801402.0k, opos: 10801402.0k, xferd: 10801402.0k
errs: 452, errxfer: 226.0k, succxfer: 10801176.0k
+curr.rate: 0kB/s, avg.rate: 10461kB/s, avg.load: 3.6%
Here it is! At the 11th Gb the drive grunted vigorously and started clicking even louder than on the previous errors/defects. Ctrl+C – exit. Now let’s copy back to front.
root@rozik3:~# dd_rescue -r -v -y 1G -l samsung200.log -o samsung200.bb /dev/hdc /dev/sda
# -r – reverse; the logs are appended to
dd_rescue: (info): ipos set to the end: 195360984.0k
dd_rescue: (info): about to transfer 0.0 kBytes from /dev/hdc to /dev/sda
dd_rescue: (info): blocksizes: soft 65536, hard 512
dd_rescue: (info): starting positions: in 195360984.0k, out 195360984.0k
dd_rescue: (info): Logfile: samsung200.log, Maxerr: 0
dd_rescue: (info): Reverse: yes, Trunc: no , interactive: no
dd_rescue: (info): abort on Write errs: no , spArse write: never
dd_rescue: (info): ipos: 195225816.0k, opos: 195225816.0k, xferd: 135168.0k
- errs: 0, errxfer: 0.0k, succxfer: 135168.0k
+curr.rate: 14083kB/s, avg.rate: 14083kB/s, avg.load: 4.3%
And it’s time to go to sleep :) . We’ve got it started. Now it will read till the end. Even if the problem zone kicks in again, we will still get the lion’s share of the data. Reverse copying is three times slower than forward copying. It is what it is :) .
------------------------
Morning update: dd_rescue passed through the problem zone with 11 thousand errors and successfully completed the job:
dd_rescue: (info): ipos 7539736.0k promote to large bs again!
dd_rescue: (info): ipos: 216.0k, opos: 216.0k, xferd: 195360768.0k
- errs: 11016, errxfer: 5508.0k, succxfer: 195355260.0k
+curr.rate: 18205kB/s, avg.rate: 6161kB/s, avg.load: 2.3%
Summary for /dev/hdc -> /dev/sda:
dd_rescue: (info): ipos: 0.0k, opos: 0.0k, xferd: 195360984.0k
- errs: 11016, errxfer: 5508.0k, succxfer: 195355476.0k
+curr.rate: 17705kB/s, avg.rate: 6161kB/s, avg.load: 2.3%
Hurray! Shut down the PC and disconnect the faulty drive.
BTW, it would be smart to back up the sector-by-sector copy from the working drive. If you’ve got one more drive, make the backup using the same dd.

Turn on again. Run fdisk once again. Maybe something changed for the better :) ?

root@rozik3:~# fdisk -l

Disk /dev/sda: 500.1 GB, 500107862016 bytes
255 heads, 63 sectors/track, 60801 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

This doesn't look like a partition table
Probably you selected the wrong device.

Device Boot Start End Blocks Id System
/dev/sda1 ? 13578 119522 850995205 72 Unknown
Partition 1 does not end on cylinder boundary.
/dev/sda2 ? 45382 79243 271987362 74 Unknown
Partition 2 does not end on cylinder boundary.
/dev/sda3 ? 10499 10499 0 65 Novell Netware 386
Partition 3 does not end on cylinder boundary.
/dev/sda4 167628 167631 25817+ 0 Empty
Partition 4 does not end on cylinder boundary.

Partition table entries are not in disk order

Disk /dev/hda: 120.0 GB, 120059362816 bytes
255 heads, 63 sectors/track, 14596 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

Device Boot Start End Blocks Id System
/dev/hda1 1 65 522081 82 Linux swap
/dev/hda2 66 1340 10241437+ 83 Linux
/dev/hda3 * 1341 14468 105450660 7 HPFS/NTFS
/dev/hda4 14469 14596 1028160 c W95 FAT32 (LBA)

Everything is as it was before. Even though the MBR contains nothing that looks like the truth, back it up just in case.

root@rozik3:~# dd if=/dev/sda of=samsung200.mbr.old count=1
1+0 entries read
1+0 entries written
copied 512 bytes (512 B), 0,000281 seconds, 1,8 MB/s
Run testdisk. Even though it is a console program, it has an intuitive interface with buttons and menus :).
root@rozik3:~# testdisk
TestDisk 6.3, Data Recovery Utility, March 2006
Christophe GRENIER
http://www.cgsecurity.org
Please wait...
After which a menu with a number of devices pops up:
TestDisk 6.3, Data Recovery Utility, March 2006
Christophe GRENIER
http://www.cgsecurity.org

TestDisk is free software, and
comes with ABSOLUTELY NO WARRANTY.

Select a media (use Arrow keys, then press Enter):
Disk /dev/hda - 120 GB / 111 GiB
Disk /dev/sda - 500 GB / 465 GiB

[Proceed ] [ Quit ]

Note: Disk capacity must be correctly detected for a successful recovery.

If a disk listed above has incorrect size, check HD jumper settings, BIOS
detection, and install the latest OS patches and disk drivers.
Using the keyboard arrows, choose the required device /dev/sda and then press Proceed

TestDisk 6.3, Data Recovery Utility, March 2006
Christophe GRENIER
http://www.cgsecurity.org

Disk /dev/sda - 500 GB / 465 GiB

Please select the partition table type, press Enter when done.
[Intel ] Intel/PC partition
[Mac ] Apple partition map
[None ] Non partioned media
[Sun ] Sun Solaris partition
[XBox ] XBox partition
[Return ] Return to disk selection

Note: Do NOT select 'None' for media with only a single partition. It's very
rare for a drive to be 'Non-partitioned'.

In spite of the fact that we have AMD:), select Intel

TestDisk 6.3, Data Recovery Utility, March 2006
Christophe GRENIER
http://www.cgsecurity.org

Disk /dev/sda - 500 GB / 465 GiB - CHS 60801 255 63

[ Analyse ] Analyse current partition structure and search for lost partitions
[ Advanced ] Filesystem Utils
[ Geometry ] Change disk geometry
[ Options ] Modify options
[ MBR Code ] Write TestDisk MBR code to first sector
[ Delete ] Delete all data in the partition table
[ Quit ] Return to disk selection

Note: Correct disk geometry is required for a successful recovery. 'Analyse'
process may give some warnings if it thinks the logical geometry is mismatched.
Press Analyse
TestDisk 6.3, Data Recovery Utility, March 2006
Christophe GRENIER
http://www.cgsecurity.org

Disk /dev/sda - 500 GB / 465 GiB - CHS 60801 255 63
Current partition structure:
Partition Start End Size in sectors
1 * Sys=72 13577 238 11 119521 238 60 1701990410

Bad relative sector.
2 * Sys=74 45381 70 3 79242 34 29 543974724

Bad relative sector.
3 * NetWare 3.11+ 10498 56 41 10498 56 40 0

Bad relative sector.
Only one partition must be bootable
Space conflict between the following two partitions
1 * Sys=72 13577 238 11 119521 238 60 1701990410
2 * Sys=74 45381 70 3 79242 34 29 543974724

*=Primary bootable P=Primary L=Logical E=Extended D=Deleted

[Proceed ] [ Save ]
Try to locate partition
As a result we observe the same mess as fdisk gave. Press Proceed to try and detect live partitions.
TestDisk 6.3, Data Recovery Utility, March 2006
Christophe GRENIER
http://www.cgsecurity.org

Disk /dev/sda - 500 GB / 465 GiB - CHS 60801 255 63
Partition Start End Size in sectors
* HPFS - NTFS 0 1 1 5182 254 63 83264832 [WIN_XP]
L HPFS - NTFS 5183 1 1 24320 254 63 307451907 [ARCHIVE]

Structure: Ok. Use Up/Down Arrow keys to select partition.
Use Left/Right Arrow keys to CHANGE partition characteristics:
*=Primary bootable P=Primary L=Logical E=Extended D=Deleted
Keys A: add partition, L: load backup, T: change type, P: list files,
Enter: to continue
NTFS, 42 GB / 39 GiB
Press Enter
TestDisk 6.3, Data Recovery Utility, March 2006
Christophe GRENIER
http://www.cgsecurity.org

Disk /dev/sda - 500 GB / 465 GiB - CHS 60801 255 63

Partition Start End Size in sectors
1 * HPFS - NTFS 0 1 1 5182 254 63 83264832 [WIN_XP]
2 E extended LBA 5183 0 1 24320 254 63 307451970
5 L HPFS - NTFS 5183 1 1 24320 254 63 307451907 [ARCHIVE]

[ Quit ] [Search! ] [ Write ] [Extd Part]

Return to main menu

From the surviving boot sectors testdisk detected some partitions. We could have finished here by pressing Write; moreover, according to the customer, the size of the found partitions matches the supposed size of the lost ones. For the sake of our own education, let’s go through the entire chain till the end. Select Search!

TestDisk 6.3, Data Recovery Utility, March 2006
Christophe GRENIER
http://www.cgsecurity.org

Disk /dev/sda - 500 GB / 465 GiB - CHS 60801 255 63
Partition Start End Size in sectors
D HPFS - NTFS 0 1 1 2233 254 63 35889147
D HPFS - NTFS 0 1 1 5182 254 63 83264832 [WIN_XP]
D HPFS - NTFS 0 1 32 5182 254 63 83264801
D HPFS - NTFS 2234 1 1 21371 254 63 307451907 [ARCHIVE]
D HPFS - NTFS 5183 1 1 24320 254 63 307451907 [ARCHIVE]

Structure: Ok. Use Up/Down Arrow keys to select partition.
Use Left/Right Arrow keys to CHANGE partition characteristics:
*=Primary bootable P=Primary L=Logical E=Extended D=Deleted
Keys A: add partition, L: load backup, T: change type, P: list files,
Enter: to continue
NTFS, 42 GB / 39 GiB

Records of some partitions, apparently left over from a previous Windows installation, have been detected. Having thought a little, select the partitions you are interested in with the keyboard arrows and mark them in accordance with the hint below.

TestDisk 6.3, Data Recovery Utility, March 2006
Christophe GRENIER
http://www.cgsecurity.org

Disk /dev/sda - 500 GB / 465 GiB - CHS 60801 255 63
Partition Start End Size in sectors
D HPFS - NTFS 0 1 1 2233 254 63 35889147
* HPFS - NTFS 0 1 1 5182 254 63 83264832 [WIN_XP]
D HPFS - NTFS 0 1 32 5182 254 63 83264801
D HPFS - NTFS 2234 1 1 21371 254 63 307451907 [ARCHIVE]
L HPFS - NTFS 5183 1 1 24320 254 63 307451907 [ARCHIVE]

Structure: Ok. Use Up/Down Arrow keys to select partition.
Use Left/Right Arrow keys to CHANGE partition characteristics:
*=Primary bootable P=Primary L=Logical E=Extended D=Deleted
Keys A: add partition, L: load backup, T: change type, P: list files,
Enter: to continue
NTFS, 157 GB / 146 GiB
Press Enter.
TestDisk 6.3, Data Recovery Utility, March 2006
Christophe GRENIER
http://www.cgsecurity.org

Disk /dev/sda - 500 GB / 465 GiB - CHS 60801 255 63

Partition Start End Size in sectors
1 * HPFS - NTFS 0 1 1 5182 254 63 83264832 [WIN_XP]
2 E extended LBA 5183 0 1 24320 254 63 307451970
5 L HPFS - NTFS 5183 1 1 24320 254 63 307451907 [ARCHIVE]

[ Quit ] [ Write ] [Extd Part]
Write partition structure to disk
Testdisk displayed the partition table structure which we are to write into the MBR. Write!
TestDisk 6.3, Data Recovery Utility, March 2006
Christophe GRENIER
http://www.cgsecurity.org

Write partition table, confirm ? (Y/N)
Asked at the last moment, are we sure? Yes, press Y.
TestDisk 6.3, Data Recovery Utility, March 2006
Christophe GRENIER
http://www.cgsecurity.org

You will have to reboot for the change to take effect.

[Ok]
To make everything work, reboot. Press OK. Go one level up.
TestDisk 6.3, Data Recovery Utility, March 2006
Christophe GRENIER
http://www.cgsecurity.org


Disk /dev/sda - 500 GB / 465 GiB - CHS 60801 255 63

[ Analyse ] Analyse current partition structure and search for lost partitions
[ Advanced ] Filesystem Utils
[ Geometry ] Change disk geometry
[ Options ] Modify options
[ MBR Code ] Write TestDisk MBR code to first sector
[ Delete ] Delete all data in the partition table
[ Quit ] Return to disk selection

Note: Correct disk geometry is required for a successful recovery. 'Analyse'
process may give some warnings if it thinks the logical geometry is mismatched.
Press Quit.
TestDisk 6.3, Data Recovery Utility, March 2006
Christophe GRENIER
http://www.cgsecurity.org

TestDisk is free software, and
comes with ABSOLUTELY NO WARRANTY.

Select a media (use Arrow keys, then press Enter):
Disk /dev/hda - 120 GB / 111 GiB
Disk /dev/sda - 500 GB / 465 GiB

[Proceed ] [ Quit ]

Note: Disk capacity must be correctly detected for a successful recovery.
If a disk listed above has incorrect size, check HD jumper settings, BIOS
detection, and install the latest OS patches and disk drivers.

Quit program
And once again Quit.
TestDisk exited normally.
You have to reboot for the change to take effect.
root@rozik3:~# reboot
Reboot. And again check what you’ve got:
root@rozik3:~# fdisk -l

Disk /dev/sda: 500.1 GB, 500107862016 bytes
255 heads, 63 sectors/track, 60801 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

Device Boot Start End Blocks Id System
/dev/sda1 * 1 2234 17944573+ 7 HPFS/NTFS
/dev/sda2 2235 21372 153725985 f W95 Ext'd (LBA)
/dev/sda5 2235 21372 153725953+ 7 HPFS/NTFS

Disk /dev/hda: 120.0 GB, 120059362816 bytes
255 heads, 63 sectors/track, 14596 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

Device Boot Start End Blocks Id System
/dev/hda1 1 65 522081 82 Linux swap
/dev/hda2 66 1340 10241437+ 83 Linux
/dev/hda3 * 1341 14468 105450660 7 HPFS/NTFS
/dev/hda4 14469 14596 1028160 c W95 FAT32 (LBA)
Looks true. We need /dev/sda5 – it holds the directories required by the customer. Try mounting /dev/sda5, and do not forget that it is a Windows partition, therefore:
root@rozik3:~# mount -o iocharset=koi8-r /dev/sda5 /mnt/hd
No complaints from mount. Our chances go up :)
root@rozik3:~# cd /mnt/hd
root@rozik3:/mnt/hd# ls
Book/ GAMES/ Install/ Office\ 2003/ RECYCLER/ WindowsXP/ Storage\ documents/
Film/ ImageDrive/ Music/ Pictures/ System\ Volume\ Information/ DOCUMENTATION/

Yes!

root@rozik3:/mnt/hd# cp -R DOCUMENTATION /root
root@rozik3:/mnt/hd# cp -R Storage\ documents /root
That’s all folks:) .
Results and afterword.
It was not in vain that we kept the copy logs. Subsequently, when studying the logs, we saw that the lion’s share of errors on the faulty storage media was on the system partition, including a badly damaged MFT. All attempts, for the sake of experiment, to mount or fix /dev/sda1 failed.
root@rozik3:~# mount -o iocharset=koi8-r /dev/sda1 /mnt/hd
mount: wrong fs type, bad option, bad superblock on /dev/sda1,
missing codepage or other error
In some cases useful info is found in syslog - try
dmesg | tail or so

root@rozik3:~# ntfs-3g /dev/sda1 /mnt/hd -o force
Failed to load $MFT: Input/output error
Failed to startup volume: Input/output error
Failed to mount '/dev/sda1': Input/output error
NTFS is inconsistent. Run chkdsk /f on Windows then reboot it TWICE!
The usage of the /f parameter is very IMPORTANT! No modification was
made to NTFS by this software.

root@rozik3:~# ntfsfix /dev/sda1
Mounting volume... Failed to load $MFT : Input/output error
Failed to startup volume : Input/output error
FAILED
Attempting to correct errors... Failed to load $MFT : Input/output error
FAILED
Failed to startup volume : Input/output error

Volume is corrupt. You should run chkdsk.
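
The log study mentioned above can be done with a few lines of shell. The following is an added example, not part of the original article: it assigns the block numbers from the dd_rescue bad-block file (-o samsung200.bb) to partitions. It assumes the file holds one decimal block number per line in 512-byte units, as the "Bad block: 21602803" line suggests, and that both passes appended to it; the partition bounds are computed from the TestDisk CHS rows (255 heads, 63 sectors), and the sample block list is partly constructed.

```shell
#!/bin/sh
# Added example (not from the original article): attribute dd_rescue bad
# blocks to partitions.
# Usage: bb_by_partition PARTS BBFILE
#   PARTS   lines of "name first_sector last_sector" (512-byte sectors)
#   BBFILE  one decimal block number per line (assumed -o file format)
# Prints per area: bad-block count, KiB lost, lowest and highest bad block.
# Blocks listed twice (forward and reverse pass) are counted once.
bb_by_partition() {
    LC_ALL=C awk '
    NR == FNR { name[++n] = $1; lo[n] = $2 + 0; hi[n] = $3 + 0; next }
    $1 ~ /^[0-9]+$/ {
        if (seen[$1]++) next
        b = $1 + 0; where = "outside"
        for (i = 1; i <= n; i++)
            if (b >= lo[i] && b <= hi[i]) { where = name[i]; break }
        if (!(where in cnt)) { order[++m] = where; min[where] = b; max[where] = b }
        cnt[where]++
        if (b < min[where]) min[where] = b
        if (b > max[where]) max[where] = b
    }
    END {
        for (j = 1; j <= m; j++) {
            w = order[j]
            printf "%s bad=%d lost_KiB=%.1f first=%d last=%d\n", \
                   w, cnt[w], cnt[w] / 2, min[w], max[w]
        }
    }' "$1" "$2"
}

# Partition bounds from the TestDisk rows "0 1 1 .. 2233 254 63" (35889147
# sectors) and "2234 1 1 .. 21371 254 63" (307451907 sectors):
# LBA = (cylinder * 255 + head) * 63 + sector - 1.
sample_parts() {
    cat <<'EOF'
sda1 63 35889209
sda5 35889273 343341179
EOF
}

# The first three blocks correspond to the I/O errors logged at 10801400.5k,
# 10801401.0k and 10801401.5k (position in KiB times 2). The rest is
# constructed: two repeats as a second pass would append them, one block
# inside sda5 and one in the gap before sda1.
sample_bb() {
    cat <<'EOF'
21602801
21602802
21602803
35889300
21602803
21602802
40
EOF
}

demo() {
    dir=$(mktemp -d) || return 1
    sample_parts > "$dir/parts"
    sample_bb > "$dir/samsung200.bb"
    bb_by_partition "$dir/parts" "$dir/samsung200.bb"
    rm -rf "$dir"
}

demo
```
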

Using a simple chkdsk in the "most user-friendly OS" restored the validity of the partition and gave access to the majority of files with the remaining user data (system files in such a situation usually get damaged, although they are not of any particular value), even without using third-party proprietary data recovery software.

One should not forget that in this situation the copy programs work via the system drivers of the same IDE host controller with UDMA turned on, which in this situation usually leads to freezes or timeouts of the defective storage media being incorrectly interpreted as errors. This is supported by a comparative copy made with a paid copy program written for DOS, which works directly via the ports of the IDE host controller and uses its own algorithms for copy speed control (including in UDMA modes) and read-out. The paid copy program gave four times fewer errors. On top of that, we know of no Linux primary HDD diagnostics tools able to display a disk map or even a read diagram like MHDD, Victoria and Vivard for DOS. That is why in the case described above we had to rely on the SMART attributes' values and personal experience, making corrections during the data recovery process, which in some cases might be a challenging and risky business.

Nevertheless, I want to point out that, in contrast with a “user-friendly OS” for which it is sometimes difficult to find even paid software, there are quite powerful and smart programs written and developed specifically for Linux. Those are open and free applications able to cope with quite bad physical damage to HDDs, as well as software with fast and wisely developed algorithms for finding primary logical structures that are not at all native to Linux.

We didn’t try to show that Linux rules :) (although we saw what it can do :) ); we wanted to share all these deliberations and the right professional approach to data recovery with a community of like-minded people and show that the meaning of RIP for Linux is not Rest In Peace but Recovery Is Possible!!!


Last modified on Thursday, 21 May 2015 18:11
Data Recovery Expert

Viktor S., Ph.D. (Electrical/Computer Engineering), was hired by DataRecoup, the international data recovery corporation, in 2012. Promoted to Engineering Senior Manager in 2010 and then to his current position, as C.I.O. of DataRecoup, in 2014. Responsible for the management of critical, high-priority RAID data recovery cases and the application of his expert, comprehensive knowledge in database data retrieval. He is also responsible for planning and implementing SEO/SEM and other internet-based marketing strategies. Currently, Viktor S., Ph.D., is focusing on the further development and expansion of DataRecoup’s major internet marketing campaign for their already successful proprietary software application “Data Recovery for Windows” (an application which he developed).
