help with PCInspector file recovery


timOleary

My wife's computer couldn't find boot device. I removed the drive and
put into an external USB enclosure. Connected it to my PC. My PC sees
the drive but says it isn't formatted. Got PC Inspector File Recovery
and ran it. It found the physical drive in question and four logical
drives on the physical drive. It calls them noname and the details are
garbled.
I am totally inexperienced at file recovery, but wanted to see what
could be salvaged off this drive.
Suggestions as to how to proceed would be appreciated.
 

R. McCarty

Slowly & C A R E F U L LY.

If you have a separate drive with enough space you'll want to recover the
partitions to it instead of directly to the questionable drive. In operations
like this you usually only get a single chance at doing it properly. I'm not
familiar with the PC Inspector program but most all of them have similar
capabilities. You might want to try a different Recovery Tool and compare
results.
 

Paul

timOleary said:
My wife's computer couldn't find boot device. I removed the drive and
put into an external USB enclosure. Connected it to my PC. My PC sees
the drive but says it isn't formatted. Got PC Inspector File Recovery
and ran it. It found the physical drive in question and four logical
drives on the physical drive. It calls them noname and the details are
garbled.
I am totally inexperienced at file recovery, but wanted to see what
could be salvaged off this drive.
Suggestions as to how to proceed would be appreciated.

This is the order I'd work in, ignoring the wear and tear on the busted drive.
Too much switching on and off, rebooting and the like, may finish off a sick drive.

(I had a drive once, where it was still working, but I knew it was sick.
I was tired and went to bed. I turned on the computer the next day, and
the disk was gone for good. If your disk is like that, then copying the drive
is the priority. Sometimes, you only get a chance to save the contents,
if you don't reboot or power off. In my case, I lost all that data, because
I was too tired to do the minimum.) Anyway...

1) Purchase two spare disks, preferably a little larger than the busted one.

2) While running Windows, use HDTune from HDTune.com (free version 2.55),
and use the error scan. The purpose of the error scan, is to determine
whether the drive is free of CRC errors. If there are errors, then a
slightly different tool is needed.

3) Connect a spare drive. Boot a Knoppix (knopper.net) Linux LiveCD.
This is an OS that runs, without installing anything on the computer.
It is great for maintenance. You can copy the busted drive to the
spare drive, with a command like this. (You have to correlate the
/etc/fstab entries, against the known drives connected to the computer,
to make appropriate names for the drives.)

sudo dd if=/dev/hda of=/dev/hdb

Sudo gives root privileges in Knoppix. "dd" allows copying the sectors
from one disk to the other. The spare disk "hdb", should be the same
size or larger, than the source disk. If the spare disk was USB connected,
it might be /dev/sda. SATA drives also might be /dev/sda.

The purpose of this, is to backup the original busted drive, so if
anything happens later, you have a recovery plan. You can "dd" the
information back to the busted drive later, if that made sense to do.
You might even send the spare disk prepared with "dd" to a data
recovery firm, as there would still be a lot that could be recovered.

"dd" is less stressful for a drive, because it reads sequentially from
end to end. That is unlike regular file backup software, which jiggles
the heads a lot more.

4) If the test in (2) shows errors, then in step (3), you want to use
something called "dd_rescue". This is like "dd", but when it runs into
a CRC error, it substitutes 512 bytes of zeros. That is to allow a
disk to disk copy, to happen in finite time. A badly damaged disk may
take an eternity, if using (3). dd_rescue helps to complete the imaging
effort, without throwing recoverable stuff away. If a sector has a CRC
error, then substituting zeros probably doesn't make things worse.

5) Now you can go back to actual data recovery. Disconnect the first spare
and connect the second. The second spare, is where the recovered data
should go.

6) You can start by looking at the partition table on the busted disk.

ftp://ftp.symantec.com/public/english_us_canada/tools/pq/utilities/

PTEDIT32.zip (Raw number display - CHS and LBA type info, partition types.
              Double click on the partition type field, to get a
              text name for the partition type. There should be
              things like FAT32, NTFS and so on.)
PartInNT.zip (This display looks more like Disk Management type info)

The partition table defines where each partition starts and ends.
The partition type declared, doesn't have to match the actual
file system. (For example, I can try to hide something I'm doing on
my hard drive, by simply changing a byte field in the partition table.)
So from a forensic point of view, the partition table is not the
whole story, but is another piece of evidence to work with. The
start and end of each partition, is the most important part, in
terms of recovering a file system. If the start location was moved
part way into a partition, it would be very hard for a recovery tool
to make sense of what it finds.

On some of the prebuilt machines, there may be a C: drive and a couple
other partitions. One of the partitions could be a recovery partition,
and it could have a weird declaration for partition type. Data recovery
tools are most likely to handle NTFS or FAT32 partitions without a
problem. Recovering the recovery partition might be another issue.
Not all Dell/HP/Gateway/whatever machines do that stuff the same way.

7) Now, when you use your "$39.95 data recovery software", you at least
have an idea what it is talking about, when it tells you what it is
going to recover. The best plan, is for the recovered data to go to
the spare drive. "In-place" repair is more risky, if the recovery tool
makes a mistake. I learned this the hard way, about 20 years ago, when
a recovery tool deleted the only good directory structure. Which is why
I'm an advocate of immediate imaging of the disk.

Some other tools that are free.

"TestDisk" is a tool, which can scan a hard drive, and compute the
partition table. It might be used in cases, where you knew the partition
table was trashed. I don't know if this tool has any other desirable
attributes. I've tested this here, by deleting the third partition
entry on one of my drives, and TestDisk was correctly able to
suggest the appropriate parameters to be written to the partition table.
It takes time for it to scan the entire disk. I've also put back an MBR
with this tool.

http://www.cgsecurity.org/wiki/TestDisk_Step_By_Step

For recovery, I also located a copy of something I thought had disappeared
from the net. This is a data recovery program, which was offered for free,
but the author eventually sold it to a commercial company. The commercial
version (would be renamed), might not bear much resemblance. In any case,
you're welcome to give this a try. I suggested this to someone a while
back (while you could still get it), and they were able to get back some
data from an NTFS partition. (I think I may have scanned this on
VirusTotal, but that doesn't mean too much. Stuff still gets by
all those AV engines.) If you've paid for PC Inspector File Recovery or
any other "$39.95" program, then don't bother with this. This is more
for people who insist on doing stuff for free (like me :) )

http://www.pricelesswarehome.org/WoundedMoon/win32/driverescue19d.html

Another freebie file scavenger, is this one.

http://www.cgsecurity.org/wiki/PhotoRec_Step_By_Step

I don't know if there is much in the way of "in-place" repair for
the actual file and directory structures on the disk. The check disk
utility the OS comes with, is an example of something that does that.
But if the OS says it isn't formatted, maybe the disk checking routine
won't even try to help ?

Paul
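
Added example, not part of the original thread or of any tool named in it: a read-only check of the partition table described in step 6, run against the bytes of a disk image (such as the "dd" copy from step 3) rather than the failing drive. It lists each primary MBR entry's start and end sector and compares the declared type byte with the file system signature actually found at the partition start; the 512-byte sector size, the short type-name table and the constructed sample image are assumptions of this example.

```python
import struct

SECTOR = 512
# Declared MBR type byte -> name (a few common values only)
TYPE_NAMES = {0x07: "NTFS/exFAT", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)",
              0x05: "Extended", 0x0F: "Extended (LBA)", 0x83: "Linux"}

def sniff_filesystem(boot_sector):
    """Guess the file system from signatures in a partition's first sector."""
    if boot_sector[3:11] == b"NTFS    ":
        return "NTFS"
    if boot_sector[82:90] == b"FAT32   ":
        return "FAT32"
    return "unknown"

def read_partitions(image):
    """Parse the four primary MBR entries of a disk image held as bytes."""
    mbr = image[:SECTOR]
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("no 0x55AA signature: partition table missing or damaged")
    found = []
    for slot in range(4):
        entry = mbr[446 + 16 * slot: 462 + 16 * slot]
        ptype = entry[4]
        start_lba, sectors = struct.unpack_from("<II", entry, 8)
        if ptype == 0 or sectors == 0:
            continue  # unused slot
        boot = image[start_lba * SECTOR:(start_lba + 1) * SECTOR]
        found.append({"slot": slot, "type": ptype,
                      "declared": TYPE_NAMES.get(ptype, "type 0x%02X" % ptype),
                      "start_lba": start_lba, "end_lba": start_lba + sectors - 1,
                      "actual": sniff_filesystem(boot)})
    return found

def build_sample_image():
    """Constructed 64-sector image: slot 0 declares NTFS and holds NTFS;
    slot 1 declares Linux (0x83) but holds a FAT32 boot sector."""
    img = bytearray(64 * SECTOR)
    for slot, ptype, start, count in ((0, 0x07, 8, 24), (1, 0x83, 32, 32)):
        struct.pack_into("<B3sB3sII", img, 446 + 16 * slot,
                         0, b"\0\0\0", ptype, b"\0\0\0", start, count)
    img[510:512] = b"\x55\xaa"
    img[8 * SECTOR + 3:8 * SECTOR + 11] = b"NTFS    "
    img[32 * SECTOR + 82:32 * SECTOR + 90] = b"FAT32   "
    return bytes(img)

if __name__ == "__main__":
    for p in read_partitions(build_sample_image()):
        print(p)
```

An entry whose "actual" value is "unknown" or disagrees with "declared" is the case the post describes: the table alone is not the whole story, and the start sector is what a recovery tool depends on.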
 
