Hard Drive Recovery 101
I get asked to do an occasional data recovery. I was going to make a user-friendly post, but that was taking too much effort. Consider these notes for myself that I want to be able to access easily. Thus, the beginning will be much more verbose and user-friendly, then it will get terse and RTFM. Also, I’m not an expert on this, thus you should consider this sketchy advice.
Of course, you are trying to save money by doing it yourself, but simply running power through the drive (which we will be doing) presents some risk of making things worse. The operations we will be doing will be ‘non-destructive’ in the sense that we won’t be doing so-called write operations (where we explicitly tell the computer to make changes to the hard drive). However, if there is an electrical problem in the drive or metal is touching metal in a place that it isn’t supposed to be, simply turning the drive on can cause things to be worse. If you hear a screeching or scratching noise come from the drive, you are likely in this situation. There are ways to deal with this yourself (e.g. the freezer method), but they are not very likely to work.
Last but not least, I have not dealt with recovery on any flash devices. I’m not sure how much this advice applies in that situation.
- a) Backup your data. b) Restore from your backups. c) Done. You didn’t do a), did you? Well, this is why we are here, isn’t it.
- How much would you pay to have this data back? If it is 4 or more digits, you may just want to send the drive to a professional recovery firm. You know, the people who have a clean room and laboratory for doing this stuff rather than a room full of dusty (non-computer) books, a desk made of scrap wood and telephone books, and no computer equipment younger than 4 years old. Get the point? I’m not a pro. Take this advice with that in mind.
- Make a copy of the hard drive. Once this is done, we can work on the copy and not worry about messing up the original data. Making a copy of the copy is not a bad idea. This is NOT a copy and paste operation. I’m not sure if the best way of doing this is even possible under Windows. Never fear, though. Just download Ubuntu, burn it to disc, and boot it up. We don’t need to install it, just run it in ‘live’ mode. If you are using Apple/OSX, this step can also be done with MacPorts. Technically, you can also install in Cygwin on Windows, but I find installing Cygwin more difficult than just grabbing the Ubuntu live CD, so we are going down that path.
- Enable universe in Ubuntu’s repository and update the package database
- Install GNU’s ddrescue (sudo apt-get install gddrescue). Note, this is not the same thing as the original dd_rescue (ddrescue in apt) or dd_rhelp. GNU’s ddrescue is like dd_rescue + dd_rhelp, only written in C instead of the sh frontend that dd_rhelp gives you.
- Figure out which hard drive is the one you want to recover and the one you want to write the copy to. cfdisk and file will be your friends in this area. (Amusingly, it turns out fdisk (which I’ve always used) should be avoided, from the fdisk man page: “fdisk is a buggy program that does fuzzy things - usually it happens to produce reasonable results. Its single advantage is that it has some support for BSD disk labels and other non-DOS partition tables. Avoid it if you can.”). From now on, assume hda is the troubled device, and that the current directory is a folder on a drive that has the capacity equal to or greater than hda.
- In your workspace, make a copy of the partition table (cfdisk -P t /dev/hda > hda.part). This will come in handy. I have seen this return nonsense results in OSX. Don’t know why, but it is actually less important there (continue reading for why).
- Now copy that device entirely. Copying the full device, instead of the desired partitions, has its advantages; ease of use of the resulting images is NOT one of them: sudo ddrescue /dev/hda hda.bin hda.log
- Grab coffee, tea, sleep, TV, a movie, study, whatever. If the drive is not too big and in reasonable shape, this may only take an hour or so. If there are issues, this can take 10, 12 hours to complete. If there are lots of issues, it may never finish. See that third argument? If we keep that file around, ddrescue can pick up where it left off. Just ^C to kill it if you need to shut things down, then restart the operation the same way you started it to pick up where the logfile left you.
- We now have a full, bit-for-bit copy of the troublesome disk at hda.bin. Unplug the troublesome disk, as it should no longer be necessary and we want to preserve its state as much as possible. In OSX, mounting this thing is annoying, except it’s not (just double click it, and wait a while, Finder will eventually mount it. I like my control though.). There may be losetup in OSX, but I know there isn’t a loop option for mount. I’ll take the losetup route in hopes that it is more compatible. Look at the partition table (you made a copy at 3.4, right?). Look for the start sector of the partition you want to mount. Multiply that number times the sector size (USUALLY 512, but really, I do not know of a reliable way of discovering the sector size! input here is desired) and use this for the -o option for losetup. Assuming 62 for the start sector of the first partition: sudo losetup /dev/loop0 hda.bin -o 31744. /dev/loop0 is now equivalent to what /dev/hda1 would have been. Mount it as usual: sudo mount /dev/loop0 /mnt/hda1. Copy your files. If there is no corruption you are done. Mounting readonly is not a bad idea (-o ro).
- Missing partitions. I have seen some seriously messed up partitions. Sometimes someone will reinstall Windows with a drive > 137GB plugged in, and all of a sudden, it doesn’t show up right because pre-sometime, WinXP did not recognize such drives and rewrote the partition table. There are lots of utilities from the likes of Acronis and Partition Magic for repairing partition tables. I have never seen them do something that the (free) gpart couldn’t do. No, not gparted, gpart (the trouble with having 14000 pieces of software available to you at a moment’s notice is that naming collisions occur). To run this on the full disk image, do the losetup without the -o option, and it will behave like /dev/hda instead of /dev/hda1. Gpart is potentially destructive. Working on a copy of a copy of a disk image is not a bad idea. For such a copy, cp is fine.
- Corrupt files, corrupt file system. Again, working on a copy of a copy of a disk image may be preferable here. If the latter is suspected, fsck and related utilities are probably your best friends, though not close to 100% reliable. Photorec and testdisk are good tools for recovering corrupted files. More utilities in this area are listed below. If those are exhausted, you may be edging for the paid software realm. I have seen Ontrack’s Easy Recovery (Windows only?) software work quite well on a corrupted file system. However, at the time I was using it, it was my first step for data recovery. In retrospect, I am 95% confident that gpart would have done the job, in much less time than it took me. Consider this the only semi-recommendation for non-free software in this document.
- Drive not recognized by BIOS? First, see 2). If you still want to try this yourself, you are in cross-your-fingers territory. When here, the idea is to get the drive in a state to accomplish 3) as quickly as possible before the drive completely bites the dust (if it hasn’t already). Ideas here are to give the drive a good thwap on the side to try to unjam the heads (if they are jammed). Another idea is to put it in a ziplock in the freezer for a few hours. The ziplock is to keep out moisture, the freezer is to contract the metal parts so there is less rubbing (you know the ring around the pipe, changes in temperature cause it to get stuck). The freezer method is often used to get rid of the scratching noise which is usually the heads rubbing against the platter. The corollary to this is that as the drive heats up, the problem will return. If you have a peltier around, it might help keep the temperature down, though do something about the moisture! Have spare drives around (strongly preferable of the same manufacturer, even better, the same model)? Try swapping out the daughter cards. I’ve seen people double boil their drive (for the opposite of the freezer effect), though I would not do this. Twist it back and forth real fast to get the platters spinning before applying power is another method. The list goes on. The more desperate you get, the more wacky things you might try. Prayer goes here. Again, once the drive is recognized by your system, proceed to 3) as quickly as possible.
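
The offset arithmetic from the mounting step (start sector times sector size), as an added example that is not part of the original post: it reads the MBR partition table straight out of the image and builds read-only losetup command lines from it. The function names, the 512-byte default sector size, the loop device numbering and the constructed one-partition test image are assumptions of this example.

```python
import struct
import tempfile

def mbr_partitions(image_path, sector_size=512):
    """Parse the four primary MBR entries of a raw disk image such as hda.bin.

    sector_size=512 is an assumption; on Linux, `blockdev --getss /dev/hda`
    run against the original drive reports the logical sector size.
    Logical partitions inside an extended partition and GPT disks are not walked.
    """
    with open(image_path, "rb") as f:
        mbr = f.read(512)
    if len(mbr) < 512 or mbr[510:512] != b"\x55\xaa":
        raise ValueError("no 0x55AA boot signature in sector 0")
    parts = []
    for i in range(4):
        entry = mbr[446 + 16 * i:462 + 16 * i]   # 16-byte table entry
        ptype = entry[4]                          # partition type byte
        start, count = struct.unpack_from("<II", entry, 8)  # LBA start, length
        if ptype == 0 or count == 0:
            continue  # unused slot
        parts.append({"number": i + 1, "type": ptype, "start_sector": start,
                      "offset": start * sector_size,
                      "size": count * sector_size})
    return parts

def losetup_commands(image_path, sector_size=512):
    """One read-only loop device per partition, limited to the partition's size."""
    return ["sudo losetup -r -o {} --sizelimit {} /dev/loop{} {}".format(
                p["offset"], p["size"], p["number"] - 1, image_path)
            for p in mbr_partitions(image_path, sector_size)]

def make_sample_image():
    """Constructed test data: an MBR with one type-0x07 entry starting at sector 62."""
    mbr = bytearray(512)
    mbr[446:462] = struct.pack("<B3sB3sII", 0x80, b"\0\0\0", 0x07,
                               b"\0\0\0", 62, 2048)
    mbr[510:512] = b"\x55\xaa"
    f = tempfile.NamedTemporaryFile(suffix=".bin", delete=False)
    f.write(bytes(mbr))
    f.close()
    return f.name

if __name__ == "__main__":
    for cmd in losetup_commands(make_sample_image()):
        print(cmd)
```

Run against the real image, `mbr_partitions("hda.bin")` gives the same start sectors that the saved hda.part lists, and it raises an error rather than guessing when sector 0 carries no valid partition table.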
Hopefully by now, your data is recovered. If not, Google and 2) are always options. If so, the next step is post-mortem analysis and prevention. Besides doing 1) so we don’t have to suffer the adrenaline rush and severe depression this situation caused us in the first place (really, I’ve seen some bad situations. Once, I saved a TA’s 6 years worth of doctoral research after the school’s computer people told him to spend 10-15k on a professional recovery with less than a 30% chance of success. I accomplished this in less than an hour plus network transfer time. The bum never paid me and gave me bad marks after I rejected his offer for a date to the theatre. Hopefully he at least learned the backup lesson.). The drive may be dying (S.M.A.R.T. analysis can give us an idea of drive failure potential, though it predicts only about 50% of failures). If you are using a desktop or other machine without a battery backup, you may want to consider investing in a UPS. These things will effectively give you a clean power source, less subject to the fluctuations in the main power lines that can be so common and so harmful to computer equipment and file systems. If you are confident in the drive’s health you can delete the partitions, repartition, and copy the files back from the mounted image. If you are confident of the image’s and drive’s health at this point, you can even copy the image straight back (dd if=hda.bin of=/dev/hda). This gets you your partitions back for free.
This entire document assumes you want a substantial portion of the drive recovered. If there are only 1 or two files on it, you may be able to get by with a simple cp of the various files if you can manage to mount the file system. I have seen different OS’s refuse and accept drives that others would refuse to mount; so this may be possible even if it didn’t work on your machine. Nevertheless, I prefer ddrescue due to the error checking it does for me.
All programs mentioned in this document, except those by Acronis, Partition Magic, and Ontrack, are freely available and in apt on my Debian system.
Documents that may be helpful, including some more utilities not mentioned above:
- man pages for: gpart, cfdisk, sfdisk, ddrescue, losetup
- ddrescue on OSX
- recover deleted files with lsof (Linux, OS X?) - requires quick action!
- file recovery from linux.com
- foremost - Forensics application to recover data
- e2undel - Undelete utility for the ext2 file system (ext3 is less likely to work, I think)
- magicrescue - recovers files by looking for magic bytes
- mondo - powerful disaster recovery suite
- scrounge-ntfs - Data recovery program for NTFS filesystems
- testdisk - Partition scanner and disk recovery tool (includes photorec)
- vdmfec - recover lost blocks using Forward Error Correction


May 7th, 2008 at 09:48 -0500
You are the man!