Disaster recovery

David

Morning gurus,

Have had a sleepless weekend. My uncle had me look at his PC on Friday
evening: this had a 200Gb HDD, plus a 20Gb drive for backup. The 200Gb
disk was partitioned into five drives - a 5Gb C:; then D:, E; F: all 40Gb,
lastly G: (approx) 85Gb (all FAT32). The D: drive held My Documents
containing (amongst other things) all the digital photos from his recent
12mth trek around Aust in a camper van. Until recently My Documents were
being backed up to the separate 20Gb drive, but recently the PC had stopped
recognising this drive - hence bringing it to me to investigate.

It turned out the 20Gb backup drive had failed - no power to the drive, even
when I took it out and tried it in another machine. Oh well, c'est la vie.
He was running Win98SE on the machine and he also asked me to upgrade the
machine to Win XP while I was at it. This I did, was running smoothly for
an hour or so while I was setting up the software etc. Then for no readily
apparent reason, the machine flashed up a BSOD (so quick I didn't get to see
what it said) and rebooted.

When the machine restarted, it couldn't boot from the C: partition. I
booted using Partition Magic's Rescue floppies and all partitions were
present on the 200Gb drive, though the C: drive was reporting "too many
errors". Took the 200Gb drive out, put it in another machine as a slave,
found all the partitions/data alive and well, just corruption on C: drive
(folder names were just gobbledegook). Phew! Just rebuild the C drive and
we're back in business, I thought.

Then I booted from a Win98SE setup disk and ran FDISK with the aim of
deleting and recreating the C partition - chose "View Partition Information"
and that was it - Fdisk reported there were no partitions set up on the
200Gb drive. About this stage I started to panic - don't forget the backup
drive is also RIP. Thought it best to leave it to a professional at this
point.

Next morning I took it to the local computer shop. The guy there plugged
the 200Gb drive in as a slave on one of his machines (WinXP Pro). Windows
took ages to boot up, and when it finally started, it went into the chkdsk
screen. It then reported that it was correcting crosslinked clusters at
cluster 1, 2, 3... It was up to about cluster 40,000 before we decided I
would go home and he would call me when it was finished booting. He assured
me that this process wasn't making physical changes to the drive and if the
data had been intact before, it would be after (but I wasn't convinced by
this).

So - where I'm up to now is that I fear all the data on the 200Gb drive may
have been overwritten at the computer shop (though I'm not sure), and I know
the 20Gb backup drive is dead - so I fear I've lost all my uncle's photos.
(And suffice to say for complicated family reasons, this is one family
relationship I can't afford to stuff up!)

The small saving grace is that he has gone to Qld for three weeks so I have
three weeks to come up with a solution. Any recommendations here - or
should I start saving to pay the five-figure bill the data recovery people
in Syd or Melb are going to hit me with?

Thanks if you can help,

David

PS (I'm in Canberra, Aust, if anyone can recommend a good local disaster
recovery specialist.)
 
R. McCarty

That's the one flaw in many recovery procedures. Chkdsk can and will
fix errors, but in the process lose data. It should be every technician's
process to image a drive before attempting repairs. I've seen this happen
time and time again. Of course when you're in the cascading failure mode
you tend to get nervous and make even more mistakes. Also, using any
magnetic based media as a backup is risky (As you've found out).

What you describe doesn't sound promising. I would save the 20-Gig
backup disk. It might be the best candidate for professional recovery.
What you describe with cluster errors probably means the drive's contents
are lost in recovery modules.

It still might be fixable, but chances are low and costs may be very high.
I wouldn't do anything with the 20-Gig until you exhaust every course
of action for the 200 Gig.
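
The image-before-repair step described in the post above, as an added sketch that is not part of the original post: it copies a source read-only into an image, zero-fills and records sectors that cannot be read, and hashes the image so recovery attempts can run against verified copies. The function names, the 64-sector chunk size and the `FlakyDisk` stand-in are assumptions for illustration.

```python
import hashlib
import io

SECTOR = 512

def read_exact(src, offset, length):
    """Read exactly `length` bytes at `offset`, or return None if the read fails."""
    try:
        src.seek(offset)
        data = src.read(length)
    except OSError:
        return None
    return data if len(data) == length else None

def image_source(src, dst, total_bytes, chunk_sectors=64):
    """Copy total_bytes from src to dst; src is only ever read, never written.

    Reads in large chunks and falls back to single sectors when a chunk fails,
    so one bad sector costs 512 bytes rather than the whole chunk.
    Returns (sha256 hex digest of the image, list of unreadable sector numbers).
    """
    digest = hashlib.sha256()
    bad = []
    offset = 0
    while offset < total_bytes:
        want = min(chunk_sectors * SECTOR, total_bytes - offset)
        data = read_exact(src, offset, want)
        if data is None:                      # retry the chunk sector by sector
            pieces = []
            for pos in range(offset, offset + want, SECTOR):
                n = min(SECTOR, offset + want - pos)
                piece = read_exact(src, pos, n)
                if piece is None:
                    bad.append(pos // SECTOR)
                    piece = b"\x00" * n       # filler keeps later offsets aligned
                pieces.append(piece)
            data = b"".join(pieces)
        dst.write(data)
        digest.update(data)
        offset += want
    return digest.hexdigest(), bad

class FlakyDisk(io.BytesIO):
    """Constructed stand-in for a failing drive: reads touching bad sectors raise."""
    def __init__(self, data, bad_sectors):
        super().__init__(data)
        self.bad_sectors = set(bad_sectors)

    def read(self, size=-1):
        first = self.tell() // SECTOR
        last = (self.tell() + size - 1) // SECTOR
        if self.bad_sectors & set(range(first, last + 1)):
            raise OSError("constructed read error")
        return super().read(size)

def demo():
    disk = bytes(range(256)) * 2 * 200        # 200 sectors of constructed data
    src = FlakyDisk(disk, bad_sectors={70, 131})
    dst = io.BytesIO()
    sha, bad = image_source(src, dst, len(disk))
    return sha, bad, dst.getvalue(), disk

if __name__ == "__main__":
    sha, bad, image, _ = demo()
    print("image sha256:", sha)
    print("unreadable sectors:", bad)
```

On a real system `src` would be the raw device opened with mode `"rb"`, and every repair or recovery tool would then be pointed at a copy of the image rather than at the drive.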
 
Richard Urban

It may already be too late for the 200 gig drive if the tech doesn't/didn't
know what he was doing.

--
Regards,

Richard Urban

If you knew as much as you thought you know,
You would realize that you don't know what you thought you knew!
 
Rod Speed

> Have had a sleepless weekend. My uncle had me look at his PC on Friday
> evening: this had a 200Gb HDD, plus a 20Gb drive for backup. The 200Gb
> disk was partitioned into five drives - a 5Gb C:; then D:, E; F: all 40Gb,
> lastly G: (approx) 85Gb (all FAT32). The D: drive held My Documents
> containing (amongst other things) all the digital photos from his recent
> 12mth trek around Aust in a camper van. Until recently My Documents
> were being backed up to the separate 20Gb drive, but recently the PC
> had stopped recognising this drive - hence bringing it to me to investigate.
> It turned out the 20Gb backup drive had failed - no power to the drive,
> even when I took it out and tried it in another machine. Oh well, c'est la
> vie.
> He was running Win98SE on the machine and he also asked me to upgrade
> the machine to Win XP while I was at it. This I did, was running smoothly
> for an hour or so while I was setting up the software etc. Then for no
> readily apparent reason, the machine flashed up a BSOD (so quick
> I didn't get to see what it said) and rebooted.
> When the machine restarted, it couldn't boot from the C: partition.

Whoops, not good when its just had the 20G drive die.

The power supply may be going bad and is killing drives.

> I booted using Partition Magic's Rescue floppies and all partitions
> were present on the 200Gb drive, though the C: drive was reporting
> "too many errors". Took the 200Gb drive out, put it in another
> machine as a slave, found all the partitions/data alive and well,
> just corruption on C: drive (folder names were just gobbledegook).
> Phew! Just rebuild the C drive and we're back in business, I thought.

You should have paused at this point given that the 20G drive had died too.

> Then I booted from a Win98SE setup disk and ran FDISK with the aim of
> deleting and recreating the C partition - chose "View Partition Information"
> and that was it - Fdisk reported there were no partitions set up on the
> 200Gb drive. About this stage I started to panic - don't forget the backup
> drive is also RIP. Thought it best to leave it to a professional at this
> point.

Wise, tho that fella doesnt look like he knows much.

> Next morning I took it to the local computer shop. The guy there plugged
> the 200Gb drive in as a slave on one of his machines (WinXP Pro). Windows
> took ages to boot up, and when it finally started, it went into the chkdsk
> screen. It then reported that it was correcting crosslinked clusters at
> cluster 1, 2, 3... It was up to about cluster 40,000 before we decided I
> would go home and he would call me when it was finished booting. He assured
> me that this process wasn't making physical changes to the drive and if the
> data had been intact before, it would be after (but I wasn't convinced by
> this).

Yeah, the last thing he should have done was allow chkdsk to run on that drive.

> So - where I'm up to now is that I fear all the data on the 200Gb drive
> may have been overwritten at the computer shop (though I'm not sure),

Yeah, very likely.

> and I know the 20Gb backup drive is dead - so I fear I've lost all my uncle's
> photos.

It may still be possible to get some of them back.

> (And suffice to say for complicated family reasons,
> this is one family relationship I can't afford to stuff up!)
> The small saving grace is that he has gone to Qld for three
> weeks so I have three weeks to come up with a solution.
> Any recommendations here - or should I start saving to pay the five-figure
> bill the data recovery people in Syd or Melb are going to hit me with?

And they may not be able to do all that much now with the 200G drive.
They should be able to get the data off the 20G drive tho, but that may
well be rather older data by now. Better than nothing tho.

What should have been done is to run the hard drive
manufacturer's diagnostic run on the drive to see if the
drive is dying or if the data structures had just got scrambled.

If the drive is dying, a forensic clone should have been done on
the drive while it isnt dead and recovery attempted on the clone.

If there is no evidence that the drive is dying, a sector
image should have been made of the drive and then
something like Easy Recovery Pro should have been
used on the drive. And if that didnt get back all of what
was missing, the sector image could have been restored
and other recovery software tried on the drive.

I'd still go that route now, tho chkdsk may well have
very comprehensively ****ed the data over now.

There are some recovery programs that can scan the drive
looking for file headers and identify which files were pixs etc,
but the prospects arent great with 40G partitions because
they can only recover files that arent fragmented at all and
a 40G partition is quite likely to be significantly fragmented.

> Thanks if you can help,

Get a compass and grovel furiously in the general direction of Mecca |-)
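
Header-based carving as described near the end of the post above, as an added sketch that is not part of the original post: it scans a raw image for JPEG start and end markers and shows, on a constructed image, that a contiguous file comes back intact while a file split by another file's cluster does not. The 4 KB cluster size, the marker-only heuristic and all sample data are assumptions.

```python
import hashlib

SOI = b"\xff\xd8\xff"   # JPEG start-of-image marker plus first byte of the next marker
EOI = b"\xff\xd9"       # JPEG end-of-image marker
CLUSTER = 4096          # assumed cluster size for the constructed image

def carve_jpegs(image, cluster=CLUSTER, max_size=20 * 1024 * 1024):
    """Return (offset, bytes) for every candidate JPEG found in a raw image.

    Files start on cluster boundaries, so only those offsets are tested for
    the header. With no FAT to follow, the carver has to assume the file
    occupies consecutive clusters up to the first end marker.
    """
    found = []
    for start in range(0, len(image), cluster):
        if image[start:start + 3] != SOI:
            continue
        end = image.find(EOI, start + 3, start + max_size)
        if end != -1:
            found.append((start, image[start:end + 2]))
    return found

def fake_jpeg(seed, size):
    """Constructed JPEG-like blob: real markers, filler body with no 0xFF bytes."""
    body = bytes((seed + i * 7) % 251 for i in range(size - 6))
    return SOI + b"\xe0" + body + EOI

def pad(data, cluster=CLUSTER):
    """Pad to a whole number of clusters, as slack space does on disk."""
    return data + b"\x00" * (-len(data) % cluster)

def build_image():
    a = fake_jpeg(1, 10000)        # three clusters, stored contiguously
    b = fake_jpeg(2, 10000)        # three clusters, split after the first one
    other = b"\x11" * CLUSTER      # a cluster belonging to some other file
    pb = pad(b)
    image = pad(a) + pb[:CLUSTER] + other + pb[CLUSTER:]
    return image, a, b

def demo():
    """Carve the constructed image and report which files came back bit-exact."""
    image, a, b = build_image()
    carved = carve_jpegs(image)
    digest = lambda d: hashlib.sha256(d).hexdigest()
    return [(off, digest(data) == digest(orig))
            for (off, data), orig in zip(carved, (a, b))]

if __name__ == "__main__":
    for offset, intact in demo():
        print(f"candidate at byte {offset}: {'intact' if intact else 'corrupted'}")
```

The second candidate is longer than the original file because the foreign cluster was carved along with it, which is why carved files need to be checked rather than trusted.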
 
NoStop

From his spyware and virus infected Windoze box, David had this to say:
> Morning gurus,
>
> Have had a sleepless weekend. My uncle had me look at his PC on Friday
> evening: this had a 200Gb HDD, plus a 20Gb drive for backup. The 200Gb
> disk was partitioned into five drives - a 5Gb C:; then D:, E; F: all 40Gb,
> lastly G: (approx) 85Gb (all FAT32). The D: drive held My Documents
> containing (amongst other things) all the digital photos from his recent
> 12mth trek around Aust in a camper van. Until recently My Documents were
> being backed up to the separate 20Gb drive, but recently the PC had
> stopped recognising this drive - hence bringing it to me to investigate.
>
> It turned out the 20Gb backup drive had failed - no power to the drive,
> even when I took it out and tried it in another machine. Oh well, c'est la
> vie. He was running Win98SE on the machine and he also asked me to upgrade
> the machine to Win XP while I was at it. This I did, was running smoothly
> for an hour or so while I was setting up the software etc. Then for no
> readily apparent reason, the machine flashed up a BSOD (so quick I didn't
> get to see what it said) and rebooted.
>
> When the machine restarted, it couldn't boot from the C: partition. I
> booted using Partition Magic's Rescue floppies and all partitions were
> present on the 200Gb drive, though the C: drive was reporting "too many
> errors". Took the 200Gb drive out, put it in another machine as a slave,
> found all the partitions/data alive and well, just corruption on C: drive
> (folder names were just gobbledegook). Phew! Just rebuild the C drive
> and we're back in business, I thought.
>
> Then I booted from a Win98SE setup disk and ran FDISK with the aim of
> deleting and recreating the C partition - chose "View Partition
> Information" and that was it - Fdisk reported there were no partitions set
> up on the 200Gb drive. About this stage I started to panic - don't forget
> the backup drive is also RIP. Thought it best to leave it to a
> professional at this point.
>
> Next morning I took it to the local computer shop. The guy there plugged
> the 200Gb drive in as a slave on one of his machines (WinXP Pro). Windows
> took ages to boot up, and when it finally started, it went into the chkdsk
> screen. It then reported that it was correcting crosslinked clusters at
> cluster 1, 2, 3... It was up to about cluster 40,000 before we decided I
> would go home and he would call me when it was finished booting. He
> assured me that this process wasn't making physical changes to the drive
> and if the data had been intact before, it would be after (but I wasn't
> convinced by this).
>
> So - where I'm up to now is that I fear all the data on the 200Gb drive
> may have been overwritten at the computer shop (though I'm not sure), and
> I know the 20Gb backup drive is dead - so I fear I've lost all my uncle's
> photos. (And suffice to say for complicated family reasons, this is one
> family relationship I can't afford to stuff up!)
>
> The small saving grace is that he has gone to Qld for three weeks so I
> have three weeks to come up with a solution. Any recommendations here - or
> should I start saving to pay the five-figure bill the data recovery people
> in Syd or Melb are going to hit me with?
>
> Thanks if you can help,
>
> David
>
> PS (I'm in Canberra, Aust, if anyone can recommend a good local disaster
> recovery specialist.)

Reading through what you've done, I suspect the problem is related to the
size of that hard drive. XP - unless it has been patched with SP1 or SP2 -
doesn't know how to handle hard drives larger than 137GB.

You probably attempted to install XP without the patches on this hard
drive's C drive and XP being the braindead OS it is famous for, just puked
and corrupted your C partition.

More than likely the other partitions are still OK. Hopefully that is the
case. If this is correct then you might still be able to get at that data
on the D drive.

More than likely the tech who's running chkdsk on Drive C won't get very far
in repairing that partition, but he'll probably not be destroying anything
on D drive. :)

I suggest that you get XP slipstreamed to at least SP1 and try installing XP
again on the C partition when you get the hard drive back. Then if you have
success, you should be able to go into drive management and get at your D
drive and the data there.

Another thing you can try to do if the above fails, is get a copy of the
Knoppix iso and burn Knoppix. This will create what is known as a Live
Linux CD. It'll allow you to boot up Knoppix Linux from the CD and then get
access to the partitions on your hard drive. (hopefully). You can find this
iso here ...

http://www.knoppix.org/

You'll want to download the iso, do a test on the iso to make sure it is all
there ...

http://theopencd.sunsite.dk/md5.php

Then burn a CD from the iso file you downloaded using something like Nero
that knows how to burn a CD from an image file (iso).

Best of luck! I'm sure that one way or another you'll get that data back.
 
geoff

it was running after the upgrade to XP ?

boot from the xp CD and run repair

when you could see all the partitions when installed as a
slave you should have backed up the data then. did you put
it back onto that machine after the win98 boot disks failed?

good luck

Geoff
 
Jeff Richards

If he allowed SCANDISK to 'repair' the drive when it was still faulty then
the data is almost certainly gone. He should know better. The proper
procedure is to install it as slave (so that there is minimal risk of
anything trying to write to it) and copy the data off (assuming it's
accessible). Then work out what the fault is and what's needed to fix it.

If SCANDISK has restricted itself to the primary partition the rest may be
recoverable, using partition repair utilities. But you need to first
properly diagnose exactly what the problem is - where the disk does or
doesn't work, what data is still intact, what the exact partition
information is, and whether it can be restored (it usually can, if the data
hasn't been altered).
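
One way to record "what the exact partition information is" without writing to the disk, as an added sketch that is not part of the original post: it decodes the MBR partition table and follows the extended-partition chain that holds logical drives, reading sectors through a read-only callback. The function names and the sample sectors are constructed for illustration; the layout assumed is one primary partition plus logical drives, as in the disk described in this thread.

```python
import struct

SECTOR = 512
EXTENDED = {0x05, 0x0F, 0x85}      # partition types that mark an extended container
ENTRY = "<B3xB3xII"                # status, CHS (skipped), type, CHS (skipped), LBA, count

def read_table(sector):
    """Decode the four 16-byte entries of an MBR or EBR sector."""
    if sector[510:512] != b"\x55\xaa":
        raise ValueError("missing 55AA boot signature")
    entries = []
    for i in range(4):
        boot, ptype, lba, count = struct.unpack_from(ENTRY, sector, 446 + 16 * i)
        if ptype != 0:
            entries.append({"boot": boot == 0x80, "type": ptype,
                            "lba": lba, "sectors": count})
    return entries

def list_partitions(read_sector):
    """Return primary and logical partitions with absolute start LBAs.

    read_sector(lba) must return 512 bytes; nothing is ever written.
    """
    parts = []
    for e in read_table(read_sector(0)):
        if e["type"] not in EXTENDED:
            parts.append(dict(e, kind="primary"))
            continue
        base = e["lba"]                    # start of the extended partition
        ebr, seen = base, set()
        while ebr not in seen:             # guard against a looping, corrupt chain
            seen.add(ebr)
            nxt = None
            for le in read_table(read_sector(ebr)):
                if le["type"] in EXTENDED:
                    nxt = base + le["lba"]     # link is relative to the extended start
                else:                          # data entry is relative to this EBR
                    parts.append(dict(le, lba=ebr + le["lba"], kind="logical"))
            if nxt is None:
                break
            ebr = nxt
    return parts

def sector_reader(path):
    """read_sector callback for an image file, opened read-only on every call."""
    def read_sector(lba):
        with open(path, "rb") as f:
            f.seek(lba * SECTOR)
            return f.read(SECTOR)
    return read_sector

def make_sector(entries):
    """Build a constructed MBR/EBR sector from (type, lba, sectors) tuples."""
    s = bytearray(SECTOR)
    for i, (ptype, lba, count) in enumerate(entries):
        struct.pack_into(ENTRY, s, 446 + 16 * i, 0, ptype, lba, count)
    s[510:512] = b"\x55\xaa"
    return bytes(s)

def demo():
    sectors = {                                        # constructed sample layout
        0:    make_sector([(0x0C, 63, 1000), (0x0F, 2000, 5000)]),
        2000: make_sector([(0x0C, 63, 900), (0x05, 1000, 1000)]),
        3000: make_sector([(0x0C, 63, 900)]),
    }
    parts = list_partitions(lambda lba: sectors[lba])
    return [(p["kind"], p["type"], p["lba"], p["sectors"]) for p in parts]

if __name__ == "__main__":
    for row in demo():
        print(row)
```

Running it against an image with `list_partitions(sector_reader(path))` gives a record of the table that can be compared with what FDISK or a partition utility reports before anything is changed.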
 
Black Adder

R. McCarty said:
> That's the one flaw in many recovery procedures. Chkdsk can and will
> fix errors, but in the process lose data. It should be every technician's
> process to image a drive before attempting repairs.

Oh yeah, We've all got spare 200GB Hard Drives lying around the workshop.
We have a little disclaimer that says that we try everything in our power
not to lose data, and that we're not responsible for any data loss. It is
the responsibility of the consumer to protect their data. (or something to
that effect).

I'd stick the hard drive inside a USB2 case and try to read the drive that way.
That way you can hotplug it without windows wanting to scan it for errors.
I would then use some data recovery software such as "file restorer 2000
professional". 8/10 times this works for me providing the drive doesn't
have too much physical damage. Otherwise you stick your head between your
legs and Kiss your Arse goodbye

> I've seen this happen
 
Victor Bien

David said:
> Morning gurus,
>
> Have had a sleepless weekend. My uncle had me look at his PC on Friday
> evening: this had a 200Gb HDD, plus a 20Gb drive for backup. The 200Gb
> disk was partitioned into five drives - a 5Gb C:; then D:, E; F: all 40Gb,
> lastly G: (approx) 85Gb (all FAT32). The D: drive held My Documents
> containing (amongst other things) all the digital photos from his recent
> 12mth trek around Aust in a camper van. Until recently My Documents were
> being backed up to the separate 20Gb drive, but recently the PC had stopped
> recognising this drive - hence bringing it to me to investigate.
>
> It turned out the 20Gb backup drive had failed - no power to the drive, even
> when I took it out and tried it in another machine. Oh well, c'est la vie.
> He was running Win98SE on the machine and he also asked me to upgrade the
> machine to Win XP while I was at it. This I did, was running smoothly for
> an hour or so while I was setting up the software etc. Then for no readily
> apparent reason, the machine flashed up a BSOD (so quick I didn't get to see
> what it said) and rebooted.

[big cuts...]

> Next morning I took it to the local computer shop. The guy there plugged
> the 200Gb drive in as a slave on one of his machines (WinXP Pro). Windows

That was a bad mistake. He should have used Ghost or DiskCopy etc.
to get a copy of the critical data before linking it up to Windoze!

> took ages to boot up, and when it finally started, it went into the chkdsk
> screen. It then reported that it was correcting crosslinked clusters at
> cluster 1, 2, 3... It was up to about cluster 40,000 before we decided I
> would go home and he would call me when it was finished booting. He assured
> me that this process wasn't making physical changes to the drive and if the
> data had been intact before, it would be after (but I wasn't convinced by
> this).
>
> So - where I'm up to now is that I fear all the data on the 200Gb drive may
> have been overwritten at the computer shop (though I'm not sure), and I know
> the 20Gb backup drive is dead - so I fear I've lost all my uncle's photos.
> (And suffice to say for complicated family reasons, this is one family
> relationship I can't afford to stuff up!)

4 figure sum, not 5. Try Forensic Data based in Darlinghurst 9368 1699
or http://www.forensicdata.com.au/

A client of mine's disk failed - head crashed even and Forensic got
all of the data back. Cost was about $1200 but that was for a small
disk. They have a surcharge for larger disks but it was only
$80/partition or disk that I recollect.
 
Rod Speed

> Oh yeah, We've all got spare 200GB Hard Drives lying around the workshop.

If he hasnt got what the image can be written to, he should have refused the
job.

> We have a little disclaimer that says that we try everything in our power not
> to lose data, and that we're not responsible for any data loss. It is the
> responsibility of the consumer to protect their data. (or something to that
> effect).

Taint gunna save your bacon in that particular situation where that
fool was stupid enough to claim that he could RECOVER the data.

> I'd stick the hard drive inside a USB2 case and try read the drive that way.
> That way you can hotplug it without windows wanting to scan it for errors.

That aint the only way to avoid it doing that.

> I would then use some data recovery software such as "file restorer 2000
> professional".

Only a fool does that without imaging it first
when its known to have irreplaceable data on it.

> 8/10 times this works for me providing the drive doesn't have too much
> physical damage. Otherwise you stick your head between your legs and Kiss
> your Arse goodbye

Plenty of more viable approaches than that.
 
Richard Urban

> Oh yeah, We've all got spare 200GB Hard Drives lying around the workshop.
> We have a little disclaimer that says that we try everything in our power
> not to lose data, and that we're not responsible for any data loss. It is
> the responsibility of the consumer to protect their data. (or something
> to that effect).

A competent technician, in it to make money will! For instance: I have 8-10
extra drives on the shelf constantly, along with 4-6 boxed M/B's, a few new
400W plus power supplies, 3-5 retail boxed AMD CPU's, and an assortment of
about 50 sticks of various types of RAM (some used - some new). Also 2 each
(unopened) of WinXP Home (Full Install) and WinXP Professional (Upgrade).

I almost forgot my 3 Seagate external USB 2.0 hard drives from 120 gig up
(used specifically to image customers hard drives - before I attempt repairs
that may cause data loss). And my stock is a bit down right now. I am
waiting for an order to arrive shortly.

There is a vast difference between a technician and a hobbyist.

--
Regards,

Richard Urban

If you knew as much as you thought you know,
You would realize that you don't know what you thought you knew!
 
Leythos

> A competent technician, in it to make money will! For instance: I have 8-10
> extra drives on the shelf constantly, along with 4-6 boxed M/B's, a few new
> 400W plus power supplies, 3-5 retail boxed AMD CPU's, and an assortment of
> about 50 sticks of various types of RAM (some used - some new). Also 2 each
> (unopened) of WinXP Home (Full Install) and WinXP Professional (Upgrade).
>
> I almost forgot my 3 Seagate external USB 2.0 hard drives from 120 gig up
> (used specifically to image customers hard drives - before I attempt repairs
> that may cause data loss). And my stock is a bit down right now. I am
> waiting for an order to arrive shortly.
>
> There is a vast difference between a technician and a hobbyist.

Actually, a technician would have a partner agreement with MS and own
the Action Pack and an MSDN Universal subscription.

I have 7 servers in test state at all times, a bunch of public IP's, a
couple firewall appliances, 10+ NAT routers, about 15 workstations up
and running at any time, but I don't carry any spare parts as I can get
them locally from a vendor at OEM cost in under 1 hour. Now, I do have a
ton of parts, but nothing I would sell as new to customers.
 
Richard Urban

In another 6 months to a year, I will have to do something. But I do like
having a smattering of new items I can sell, and install on the spot.

--
Regards,

Richard Urban

If you knew as much as you thought you know,
You would realize that you don't know what you thought you knew!
 
Brian

One of the software programs that may help you is Acronis RecoveryExpert. It
claims that it can completely recover deleted partitions. If your computer
becomes unbootable from a system crash or virus attack, Acronis
RecoveryExpert will help you recover all your critical system areas and
undelete partitions - making your PC bootable again. Then there is Ontrack
EasyRecovery Professional. I have personally used it. In my opinion it is
one of the best for mass recovery of deleted files and directories.

Brian
 
_RR

> Then there is Ontrack
> EasyRecovery Professional. I have personally used it. In my opinion it is
> one of the best for mass recovery of deleted files and directories.
>
> Brian

I'm not a big fan of OnTrack, but their ERP program is effective, if
not intuitive. I've used a few different recovery programs with
clients' machines, and ontrack has done as well as any.

The key, of course, is not letting ANYTHING touch that partition
before the recovery starts. This includes chkdsk or any other program
that will write data.

Have a problem with a drive with crucial data on it? Power it down
right away and think a while about how to solve it. Avoiding that
initial desperate impulse may save your data.

If you turn ERP or another data recovery program loose, keep in mind
that it needs a separate partition to write to. It is not going to
write your data back to the damaged partition.
 
Richard Urban

Please note that the recovery partition/drive must be equal to, or exceed,
the size necessary to store the recovered data.

--
Regards,

Richard Urban

If you knew as much as you thought you know,
You would realize that you don't know what you thought you knew!
 
Harry

_RR said:
> I'm not a big fan of OnTrack, but their ERP program is effective, if
> not intuitive. I've used a few different recovery programs with
> clients' machines, and ontrack has done as well as any.
>
> The key, of course, is not letting ANYTHING touch that partition
> before the recovery starts. This includes chkdsk or any other program
> that will write data.
>
> Have a problem with a drive with crucial data on it? Power it down
> right away and think a while about how to solve it. Avoiding that
> initial desperate impulse may save your data.
>
> If you turn ERP or another data recovery program loose, keep in mind
> that it needs a separate partition to write to. It is not going to
> write your data back to the damaged partition.

A simple solution to that is to format the partition first. Then use
Runtime's GetDataBack for NTFS or Fat32 to retrieve the contents of the
drive. I have done this many times with great success. As long as the
hard drive is seen in the bios this software will retrieve the data stored
on the disk.
 
