This site was designed by Bootpolish.net
© Bootpolish.net, All rights reserved
home » howto » recover data from a hard disk
This is how I recovered data from an NTFS partitioned hard disk, I am not a recovery expert, and it would irresponsible of me to recommend that you follow these instructions. I include some References at the end of this page; which may be of more use.
You need access to a hard drive that is able to support large files. I started with fat32 and came a cropper when it hit 4gb. I replaced that with an NFS share on my desktop PC and it worked beautifully. Mount it ready for action.
I will assume that the destination drive has been mounted at /mnt/destination
Ensure that the source (broken) drive is not mounted (it shouldn't be unless you mounted it).
You need to find out the id of the source drive. This will be listed under /dev and if it's your primary drive will probably be /dev/sda or /dev/hda. If you're not confident, do not proceed.
Note for historical (and hysterical) reasons, the package is named gddrescue in Debian and Ubuntu.
$ sudo aptitude install gddrescue $ man ddrescue
Replace "/dev/sda" for actual source drive, and "/mnt/destination" for action destination drive.
$ sudo ddrescue -n /dev/sda /mnt/destination/recovered.img /mnt/destination/recovered.log
The "-n" should run faster as it will skip over the errors (although it seemed just as slow to me).
Data recovered is not a fast process, and it will probably take a few days. The great thing about ddrescue is that you can abort at any time and recommence from where you left off. You can also skip forward by adding the switch "-i" followed by the number bytes into the disk, e.g. to start from 10gb:
$ sudo ddrescue -n -i 10000000000 /dev/sda /mnt/destination/recovered.img /mnt/destination/recovered.log
My tip is to keep aborting (Ctrl+C) and skip forward until you pass the area of the disk which is causing problems. Then, once the bulk of the drive has been recovered you can go back to the sections you skipped, or just move onto the second pass (see next section).
ddrescue will not replace data already recovered, so you can do this safely.
This time replacing the -n with "-r 1" or perhaps "-r 3" to try more than once to recover the data.
$ sudo ddrescue -r 1 /dev/sda /mnt/destination/recovered.img /mnt/destination/recovered.log
You don't want to mess up your hard earned image - so copy it and work on the copy.
On the destination PC, install sleuthkit:
$ sudo aptitude install sleuthkit $ man mmls
Simply
$ sudo mmls copy.img
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors
Slot Start End Length Description
00: ----- 0000000000 0000000000 0000000001 Primary Table (#0)
01: ----- 0000000001 0000000062 0000000062 Unallocated
02: 00:00 0000000063 0117195119 0117195057 NTFS (0x07)
03: ----- 0117195120 0117210239 0000015120 Unallocated
This shows several partitions. In this example, we want to mount the NTFS partition starting at block 63. To calculate the number of bytes, multiply by 512:
63 x 512 = 32256
For a DOS partition:
$ sudo mount -o loop,offset=16384 copy.img mountpoint
For an NTFS partition:
$ sudo aptitude install ntfs-3g $ sudo mount -t ntfs-3g -o ro,force,loop,offset=32256 copy.img mountpoint
If it won't mount, then the NTFS partition is probably corrupted (not surprisingly). Try installing testdisk and then running:
$ testdisk copy.img
drwxr-xr-x 30 root root 4096 2009-01-08 18:04 . drwxrwxrwx 5 root root 4096 2009-01-08 18:03 .. -rw-r--r-- 1 root root 888832 2009-01-08 18:15 audit.txt drwxr-xr-- 2 root root 12288 2009-01-08 18:15 avi drwxr-xr-- 2 root root 12288 2009-01-08 18:15 bmp drwxr-xr-- 2 root root 69632 2009-01-08 18:15 dll drwxr-xr-- 2 root root 4096 2009-01-08 18:10 doc drwxr-xr-- 2 root root 20480 2009-01-08 18:15 exe drwxr-xr-- 2 root root 139264 2009-01-08 18:15 gif drwxr-xr-- 2 root root 20480 2009-01-08 18:15 htm drwxr-xr-- 2 root root 4096 2009-01-08 18:13 jar drwxr-xr-- 2 root root 135168 2009-01-08 18:15 jpg drwxr-xr-- 2 root root 4096 2009-01-08 18:04 mbd drwxr-xr-- 2 root root 4096 2009-01-08 18:15 mov drwxr-xr-- 2 root root 4096 2009-01-08 18:04 mpg drwxr-xr-- 2 root root 4096 2009-01-08 18:14 ole drwxr-xr-- 2 root root 4096 2009-01-08 18:14 pdf drwxr-xr-- 2 root root 57344 2009-01-08 18:15 png drwxr-xr-- 2 root root 4096 2009-01-08 18:04 ppt drwxr-xr-- 2 root root 4096 2009-01-08 18:14 rar drwxr-xr-- 2 root root 4096 2009-01-08 18:04 rif drwxr-xr-- 2 root root 4096 2009-01-08 18:04 sdw drwxr-xr-- 2 root root 4096 2009-01-08 18:04 sx drwxr-xr-- 2 root root 4096 2009-01-08 18:04 sxc drwxr-xr-- 2 root root 4096 2009-01-08 18:04 sxi drwxr-xr-- 2 root root 4096 2009-01-08 18:04 sxw drwxr-xr-- 2 root root 4096 2009-01-08 18:04 vis drwxr-xr-- 2 root root 12288 2009-01-08 18:15 wav drwxr-xr-- 2 root root 4096 2009-01-08 18:15 wmv drwxr-xr-- 2 root root 4096 2009-01-08 18:13 xls drwxr-xr-- 2 root root 4096 2009-01-08 18:14 zip
If it still won't mount, then the general advice seems to be to copy the image to clean hardware and use a Windows recovery disk to boot. Failing that, all is not lost, there are a number of tools that will search disk images for files. I played with photorec, but whilst it recovered loads of cached images from IE, it failed to recover more than a handful of proper photos. Foremost on the other hand seemed to be more successful.
$ foremost -i copy.img -o output-folder
With luck this will give you a folder that looks like the one to the right.
This site was designed by Bootpolish.net
© Bootpolish.net, All rights reserved