The official llllloooooo blog

Wednesday, May 6, 2009

Recovered my mother's corrupt NTFS harddrive

I just wanted to make a note of the tools I used to recover my mother's Windows XP NTFS harddrive that had a corrupted partition table. I will list the tools in the order I invoked them, with some brief notes about each. I'm not going to list all the details because there are other sites with extensive details on how to use these tools. Besides, your hard drive crash will be different to mine.

To summarise, I replaced the old hard drive with a new one that was at least three times as big as the old one and installed Windows on it. I then added the busted hard drive to my system by disconnecting the CD drive and moving the cabling from the CD drive to the old drive. I booted with my USB key running a Linux live CD, used the "gddrescue" tool to create a raw disk image of the busted hard disk, and saved it on the new disk. From there I removed the busted disk, reconnected the CD drive, booted up Windows and used the tools below to extract information from the disk image.

Now the details.

First piece of advice. As soon as you detect that your hard disk is broken STOP USING IT. You need to plan what you'll do to recover the data and then do that. Don't just go poking around because you might only get one chance to recover the data. That is, your corrupted hard disk now has a limited lifetime and you don't want to waste time running "dir" repeatedly in the vain hope that it will do something.

Second, you'll need to get a new working hard drive that is at least three times as big as the original. This is because you're going to create a disk image of the old drive, copy that disk image and then retrieve files off the disk image.

Third, don't put the drive in a freezer like some people suggest. It will just mean that the drive will get condensation on it and get further damaged. By all means keep it cool while running with a heat sink or fan but don't freeze it.

1) Trinity Rescue Linux Live CD or Knoppix : Make a bootable CD or USB key using Trinity Rescue Linux to boot up a Linux system that can be used to recover your busted NTFS hard disk. Knoppix is OK too but doesn't natively contain gddrescue, which is listed below. I used a USB key because in order to install the old hard disk in the system I disconnected the CD drive and moved all its connectors over to the broken harddrive. (I don't have any spare cabling.)

2) ddrescue / gddrescue : Not to be confused with "dd" or "dd_rescue", this is a Linux tool that can be used to create a disk image. The idea here is that you point the tool at your busted harddisk and save an image of the disk to the new working disk. The advantage of gddrescue / ddrescue over "dd" and "dd_rescue" is that gddrescue will quickly build a disk image out of the readable parts of your busted hard disk first and then it will grind over the non-working bits to see what it can retrieve. After this, make a copy of the disk image because we're going to muck around with it. If you mess up the copy then you can delete it and make another copy of the original. I found that copying this file in Windows was much quicker than in Linux. Note that this part of the process can take hours and hours. (Took about 12 hours for a 20G drive for me.)
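The readable-parts-first strategy described in step 2, as an added example (a simplified model written for this note, not ddrescue's own code). The `FlakyDisk` class, the sector numbers and the data are constructed stand-ins for a failing drive.

```python
SECTOR = 512

class FlakyDisk:
    """Constructed stand-in for a failing drive: any read touching a bad sector fails."""
    def __init__(self, data, bad_sectors):
        self.data, self.bad, self.reads = data, set(bad_sectors), 0

    def read(self, offset, length):
        self.reads += 1
        first, last = offset // SECTOR, (offset + length - 1) // SECTOR
        if any(s in self.bad for s in range(first, last + 1)):
            raise OSError("I/O error")
        return self.data[offset:offset + length]

def rescue(disk, size, chunk=64 * SECTOR):
    """Return (image, bad_sector_numbers); unreadable sectors stay zero-filled."""
    image = bytearray(size)
    pending = []  # regions that failed during the fast pass
    # Pass 1: large reads; on any error skip the whole chunk and move on.
    for off in range(0, size, chunk):
        n = min(chunk, size - off)
        try:
            image[off:off + n] = disk.read(off, n)
        except OSError:
            pending.append((off, n))
    # Pass 2: grind over the skipped regions one sector at a time.
    bad = []
    for off, n in pending:
        for s in range(off, off + n, SECTOR):
            m = min(SECTOR, off + n - s)
            try:
                image[s:s + m] = disk.read(s, m)
            except OSError:
                bad.append(s // SECTOR)
    return bytes(image), bad

def demo():
    size = 256 * SECTOR
    data = bytes((i * 7) % 251 + 1 for i in range(size))  # constructed, no zero bytes
    disk = FlakyDisk(data, bad_sectors={10, 200})
    image, bad = rescue(disk, size)
    return bad, disk.reads, image == data

if __name__ == "__main__":
    print(demo())
```

Pass 1 touches the failing drive only four times to copy half of it; the slow sector-by-sector work is confined to the two chunks that contained an error.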

All the tools from this point can be run from Windows. Some also work in Linux too.

3) testdisk : Use this to potentially reconstruct the partition tables and NTFS MFT on the disk image you created with gddrescue. This didn't work in my case but it might work for you. Then you can mount the disk image and just copy your files out of it. (VDK does this for Windows. In Linux you can just use )

4) photorec : If testdisk couldn't get the disk image mountable then use photorec to try to find file signatures and pull files out of the image. When this tool works it pulls files out that have well known file formats (jpg, doc, pdf etc) but it isn't able to retrieve the proper file names or directories. Huge note : In photorec you have the option of only retrieving files of a certain type and ignoring useless stuff like .exe or .dll files. Don't do this! Let the tool retrieve everything. I tried limiting the tool to .jpg and .doc and it only got about 2% of my files back. By letting it retrieve everything it was somehow able to get a lot more .doc and .jpg files. I just deleted all the files I didn't want later.

5) PhotoRec sorter from Builtbackwards : This tool takes the files generated by photorec and puts them into directories based on file type. So one directory for jpg, another for doc, another for pdf etc. Doing this makes sorting through the thousands of files much more convenient and you can just delete directories with useless files (like .dll or .exe).

All the tools below have other equivalent software that perform the same functions. I just picked ones that were freeware and worked in Windows.

6) Anti-Twin : This tool finds duplicate files and deletes or moves them. Photorec seems to generate a lot of duplicates. I imagine this is because the way it works is it looks at the raw contents of the disk and pulls files out. I guess the Windows operating system must sometimes end up storing multiple copies of the same file in different places. You probably aren't interested in duplicates so use this tool to find and get rid of duplicates. I found that about 20% of the files retrieved by photorec were duplicates.

7) Mihov EXIF renamer : This tool takes EXIF information embedded inside a jpeg created by a camera and tries to rename the jpg file accordingly. Generally this means naming it with the date and time it was taken. One major drawback of this tool is that it creates a copy of the files it renames instead of just renaming them. This is tedious because if you have files with and without EXIF information there's no easy way of telling which ones were successfully copied and which ones were not. Maybe there's a better tool out there.
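The signature search from step 4 and the duplicate detection from step 6, as an added example (a deliberately naive carver written for this note, not photorec's or Anti-Twin's code). The raw image and the fake JPEG bodies are constructed, and the offset-based file names are an assumption standing in for the names that carving cannot recover.

```python
import hashlib
from collections import defaultdict

JPEG_START = b"\xff\xd8\xff"  # start-of-image marker plus first segment byte
JPEG_END = b"\xff\xd9"        # end-of-image marker

def carve_jpegs(raw):
    """Yield (offset, blob) for each span that begins and ends like a JPEG.

    Only the bytes are found; the name and directory lived in the damaged
    filesystem metadata, which is why carved files come back anonymous.
    """
    pos = 0
    while True:
        start = raw.find(JPEG_START, pos)
        if start < 0:
            return
        end = raw.find(JPEG_END, start + len(JPEG_START))
        if end < 0:
            return
        end += len(JPEG_END)
        yield start, raw[start:end]
        pos = end

def group_duplicates(carved):
    """Group carved files by SHA-256 of their content; each group is one file."""
    groups = defaultdict(list)
    for offset, blob in carved:
        groups[hashlib.sha256(blob).hexdigest()].append(f"f{offset:08d}.jpg")
    return list(groups.values())

# Constructed sample: the same "photo" stored twice on disk, plus a second one.
PHOTO_A = JPEG_START + b"\xe0holiday-photo" + JPEG_END
PHOTO_B = JPEG_START + b"\xe0birthday-photo" + JPEG_END
SAMPLE_IMAGE = bytes(512) + PHOTO_A + bytes(100) + PHOTO_B + b"junk" + PHOTO_A + bytes(64)

def demo():
    return group_duplicates(carve_jpegs(SAMPLE_IMAGE))

if __name__ == "__main__":
    for names in demo():
        print("keep", names[0], "duplicates:", names[1:])
```

A real JPEG can contain an end marker inside an embedded thumbnail, so a production carver parses the segment structure instead of stopping at the first `FF D9`.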


So now I'm going to present my mother's recovered files on Mother's day. I think she'll be very happy.

Update : I found a better EXIF based renamer called Namexif 1.5. It renames files with EXIF data and leaves the others alone which is perfect for what I want.

In addition I found that with photorec another problem I was having was that I was selecting the wrong "Partition Table Type". The program automatically selected "NONE" but I was using "Intel". I think it's best to use whatever the program automatically selects. Same goes for testdisk.
