Data recovery from damaged hard disk

I really would like to know what would you say if you left your boss laptop on his desk running a defrag software (JkDefrag) and a few hours later he calls you shouting that it doesn’t boot anymore. Well, you would probably say more or less the same things I did (huh, let’s just not write them here 🙂 )! For some reason the piece of junk (notebook) reboot itself while the defrag operation was in progress and most of the data was corrupted. Symptoms?

  • Windows Vista not booting after POST
  • mount command (Linux) not mounting Windows NTFS partition

While trying to resist the impulse to boot Windows recovery disk to run chkdsk, I stumbled upon a great live linux distribution called Trinity Rescue Kit (TRK from now on), which helped me to recover part of the lost/corrupted data.

Disclaimer: I am not responsible for any damage or corruption to your hardware, software or data. Continue reading at your own risk.

“Why not simply run chkdsk” you may ask. As I said, I was tempted to run this program from my Windows recovery disk. But my boss data was too valuable for this risky attempt, since chkdsk could have simply deleted file chunks or marked whole sectors as damaged. I needed to get boss data back. The method I’m going to explain will teach you how to clone the entire disk to a remote partition, so you can work on the disk clone image with your favorite software (Get Data Back, etc.). You will need another PC with a working LAN connection to the computer hosting the damaged disk.

Let’s begin. First, you need to share a folder over your network so you can write the disk image file into it. If you are using Windows XP, follow this tutorial from Microsoft KB. Just be sure it both has read/write permissions and enough space to hold the whole cloned drive file.

Now download and burn TRK image file to a disk. Here is a direct link to the download page:

http://trinityhome.org/Home/index.php?wpid=5&front_id=12

Once you are ready, put the disk into the computer with the damaged drive and reboot it: after the POST sequence you should be able to see TRK booting up. If it isn’t booting, you may need to change boot order in your BIOS. Refer to your motherboard manual on how to do that.

From TRK boot menu, choose “Run Trinity Rescue Kit (default)” and press ENTER. TRK will load and try to auto-configure your network card (requires a DHCP server active somewhere on your network). If it fails, don’t panic. When boot process is complete, run “setip eth0” from the command line (I’m assuming you just have an ethernet adapter and it is called eth0) and answer to the ip address, netmask, gateway and DNS questions. To check if your network is properly configured and working, try to ping the computer which shares the folder. Assuming its IP is 192.168.0.1, the command you have to use is ping 192.168.0.1 . Please don’t skip this step, as you may guess, it is imperative to get your network working. In case you need to access the Internet from the junk computer, you need to add a default route for your gateway, using the route add default gw GATEWAY_IP command. If, for any reason, the ping command complains about timeouts, double check your network configuration and cables.

Before we can run the clone tool, we need to tell TRK to mount the remote folder we shared before. In order to do this, we can use the smbmount command, which is part of the SAMBA suite. Replace SHARE_SERVER_IP with the IP of the server which is sharing the folder to write the image to, XXX with the username to access the share and YYY with the relative password.

smbmount //SHARE_SERVER_IP/share_name /mnt0 -o username=XXX,password=YYY,lfs

Don’t forget the lfs part of the command, otherwise samba will probably copy only up to 2GB of data to the remote shared folder. Now we can start cloning the disk. If you don’t know the Linux name for your disk, issue the mountallfs command and check which disk is failing to mount. Let’s say the failing disk is hda1. The command to use is:

ddrescue -r3 /dev/hda1 /mnt0/rootfilesystem.img logfile-hda1

Now check the content of the folder you shared over the network: the image file should be there. Simply try to open it with your favorite NTFS data recovery software. Give GetDataBack a try, seriously, it saved my ass more than once. If that doesn’t work, you can try one of the other methods listed on TRK procedures page (check References). Once your done with data recovery, finally boot your Windows Recovery disk and run a chkdsk on the broken drive.

References

TRK Procedures: Dying disk – How to recover files from damaged disk from best to worst scenario
Windows XP: sharing a folder – Microsoft Knowledge Base article on how to share a folder over your network
Ubuntu: sharing a folder – UbuntuGuide article on how to share a folder using SAMBA