Recovering data from an almost dead hard drive - Blog

Posted: Tuesday, June 21, 2016 by Tyler Durden

Last weekend, my cousin handed me a hard disk drive which was malfunctioning and needed data recovery. Just for my future reference (and in case it helps anyone else in the same situation), I've documented my process below.
Hardware:
  • 80 GB Maxtor hard disk drive, IDE, in a generic IDE->USB enclosure
Symptoms:
  • When the USB cable is plugged into a Windows machine, the hard drive begins making loud clicking noises.  The access (busy) LED lights up and stays lit for ~45 seconds until the read or write attempt times out or otherwise fails.
  • Windows cannot recognize the drive.  It shows up in Disk Management, but with no partitions.
Failed recovery attempts:
  • Booting the computer with Clonezilla and attempting to image the drive fails
  • Booting up in Parted Magic, gparted gets stuck trying to read the partition information (access LED turns on solid; drive begins clicking)
  • Spinrite sees the disk and can read from it, albeit very slowly (~1 MB/sec).  Left to run on a level 2 repair operation, it comes upon a bad sector and gets stuck (access LED turns on solid; drive begins clicking; Spinrite freezes)
Diagnosis:
  • At this point, I knew the drive had bad sectors.  The data is still there, but I needed to image the drive while skipping over the bad sectors.
Successful recovery process:
  • Booted up the computer with SystemRescueCd.  Hard drive attached while booting
  • Figure out where the drives are connected
  • $ fdisk -l
  • Drive to store recovered data is on /dev/sdb1, while malfunctioning drive has several partitions -- /dev/sdc1, /dev/sdc5, /dev/sdc3
  • Mounted a partition on the recovery drive (/dev/sdb1) that's formatted to exFAT
  • $ mkdir /mnt/recovery
  • $ mount /dev/sdb1 /mnt/recovery
  • Made a folder on the recovery drive to store images
  • $ mkdir /mnt/recovery/recovered
  • $ cd /mnt/recovery/recovered
  • Used ddrescue to attempt recovery of each partition
  • $ ddrescue -d /dev/sdc1 sdc1.img sdc1.log
  • $ ddrescue -d /dev/sdc5 sdc5.img sdc5.log
  • $ ddrescue -d /dev/sdc3 sdc3.img sdc3.log
  • Process takes a few hours.  It will get stuck trying to read bad sectors, but will skip over them after some time.
  • For sectors where it really gets stuck, hit Ctrl+C to abort
  • Skip over that section (e.g. the 6 GB mark) and continue recovery
  • $ ddrescue -d -i6G /dev/sdc3 sdc3.img sdc3.log
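  • Go back to the skipped section and rerun ddrescue without -i, but with a sane timeout (3 minutes).  The log file records what has already been copied, so only the areas still missing are retried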
  • $ ddrescue -d -T3m /dev/sdc3 sdc3.img sdc3.log
  • ddrescue should have a pretty good image now.  Attempt to mount the image read-only (it's NTFS; the mount point name /mnt/image is arbitrary)...
  • $ mkdir /mnt/image
  • $ mount -t ntfs -o ro,loop sdc1.img /mnt/image
  • ... results in an error.  First clusters are probably corrupt.  Unmount everything and power down the machine
  • Boot into Windows with the drive containing the recovered images.  Install ImDisk, which allows corrupt disk images to be mounted
  • Mount the image using ImDisk (I mounted it to drive R:).  Run chkdsk /f on the image
  • > chkdsk /f r:
  • chkdsk manages to fix the MFT, volume bitmap, and other structural metadata.  Open up the drive to see if it works
  • > r:
  • > dir
  • Success! Repeat process on the other two images.  Then copy the data out using any method
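
The third argument passed to ddrescue above (sdc1.log, sdc3.log) is its mapfile, which records the status of every byte range of the source. The following is an added example, not part of the original post: it parses a mapfile, totals the bytes per status, and lists the ranges that are still unrecovered. The sample mapfile is constructed and the function names are illustrative.

```python
# Added example: summarize a GNU ddrescue mapfile (e.g. sdc3.log). SAMPLE is constructed.
STATUS = {"?": "non-tried", "*": "non-trimmed", "/": "non-scraped",
          "-": "bad-sector", "+": "rescued"}

SAMPLE = """\
# current_pos  current_status  current_pass
0x190000000     ?               1
#      pos        size  status
0x00000000   0x180000000  +
0x180000000  0x00008000   -
0x180008000  0x00008000   *
0x180010000  0x0FFF0000   +
0x190000000  0x70000000   ?
"""

def parse_mapfile(text):
    """Return the data blocks as (pos, size, status_char) tuples."""
    rows = [ln.split() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]
    blocks = []
    for fields in rows[1:]:  # rows[0] is the current-position line, not a block
        if len(fields) != 3 or fields[2] not in STATUS:
            raise ValueError(f"unexpected mapfile line: {fields}")
        blocks.append((int(fields[0], 0), int(fields[1], 0), fields[2]))
    return blocks

def summarize(blocks):
    """Total bytes per status name."""
    totals = {}
    for _pos, size, status in blocks:
        totals[STATUS[status]] = totals.get(STATUS[status], 0) + size
    return totals

def unrecovered(blocks):
    """Merge adjacent blocks that are not '+' into (start, end) byte ranges."""
    ranges = []
    for pos, size, status in blocks:
        if status == "+":
            continue
        if ranges and ranges[-1][1] == pos:
            ranges[-1] = (ranges[-1][0], pos + size)
        else:
            ranges.append((pos, pos + size))
    return ranges

if __name__ == "__main__":
    print(summarize(parse_mapfile(SAMPLE)))
    print([(hex(a), hex(b)) for a, b in unrecovered(parse_mapfile(SAMPLE))])
```

Run against a real mapfile by passing the file's contents to `parse_mapfile`; the unrecovered ranges show how much of the image chkdsk will be working around.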
