Original Post

I’m looking for some experience from the fellow geeks out there.

This is a bit of a long story so sorry in advance 🙂

Most of my free time for the past few weeks has been spent trying to salvage financial files for a friend of mine off a really damaged hard drive. When I say really damaged, I mean that the partition on which the data may or may not still reside cannot be read by any Windows rescue CD I have tried. Luckily I use Linux and I was able to create an image of the drive using gddrescue after realizing the normal Windows tools were going to be useless. While I was able to create an image, there is no tool I was able to find that could rescue the NTFS file system to the point of being able to mount it. So just like ROM hacking, I decided to try and decipher what was going on using my image file and a hex editor. I have found that somehow (and this makes no sense to me) the $MFT starting record is not aligned on a logical cluster, so it’s impossible for the boot sector pointer to have a reference to it.
So getting this to mount seems like a futile effort. However, I did find the $MFT and it seems to be intact (just not aligned to a cluster boundary). I’ve been looking for a program that will search an image file for MFT records and try to pull the files off using the data attributes of the records, but up to now have come up empty. All the tools that may be able to do this seem to only work if the boot sector is able to point to the MFT correctly; otherwise I just get some sort of “unable to determine volume type” error and can’t go any further. I’ve tried using programs like Autopsy with the same result. Other programs like Foremost and Scalpel only work on files with a defined Header and Footer (unless I’m missing something), and the files I’m looking for are QuickBooks files, which don’t have a set header and footer. I even tried a program that looked promising called FTK Imager but got the same “unable to determine volume type” error and couldn’t do anything more.

So not being one to easily give up, I’m about halfway through writing my own tool to do this for me, but I’m just curious if any of you fellow geeks have tried to do this or know of any tools out there that will accomplish what I’m trying to do.

Thanks.

6 Replies

The software PhotoRec was recently suggested to me: http://www.cgsecurity.org/wiki/PhotoRec. Apparently it can recover almost anything off an HDD that is so damaged that the file system can no longer be read. Perhaps it will help you.

Thanks for the suggestion, but I’ve already looked into that one. It is one of the programs that uses headers and footers to find files. Wouldn’t work on a QuickBooks file.

I did find something called CnW that seems to do what I want but it’s not free and I’m not getting paid for this so that ain’t happening.

I’ve spent a lot of time looking for something that is free and have come up empty.

Within a few days though there should be something available if I can get my little program finished 🙂

  • This reply was modified 10 years, 5 months ago by Greg Stevens.

A free utility by the PhotoRec company called TestDisk seeks out partitions that aren’t 100% right: http://www.cgsecurity.org/wiki/TestDisk

These are more geared towards recovering files rather than repairing the filesystem, but might help:
R-Studio: http://www.r-studio.com/ — has a free trial but does cost money. I’ve used it here at work to recover a lot of data for people.

Recuva: http://www.piriform.com/recuva — free, good for undeleting (essentially); might not work in this case.

GetDataBack is an old standby but costly: http://www.runtime.org/data-recovery-software.htm

I’ve used other tools as well (I deal a lot with people going “OH GOD WHERE ARE MAH FILES??!??!!!”), but those are probably the most useful. R-Studio is super good, although I haven’t had to use it in a few releases.

Thanks, I’ll check those out sometime. I did find the files by manually searching for the MFT records, finding the data runs for the files, and manually extracting the data. Unfortunately, even after all of that I found that the data was still corrupted. I kinda figured it would be (ddrescue showed 36GB worth of bad data, which was basically everything). I did try TestDisk. It was unable to find anything when I ran it.
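The manual procedure described in this thread (find the MFT records, then read the data runs from their $DATA attributes), as an added Python example that is not part of the original posts: it checks every 512-byte sector for a `FILE` record, so an MFT that sits off the cluster grid is still found without a usable boot sector. The function names, the 1024-byte record size and the 512-byte fixup stride are assumptions of this example.

```python
import struct

SECTOR = 512  # assumed fixup stride and scan step

def apply_fixups(rec):
    """Undo the update sequence array; None means a torn or damaged record."""
    usa_off, usa_cnt = struct.unpack_from("<HH", rec, 4)
    if usa_cnt < 2 or usa_off + 2 * usa_cnt > len(rec) or (usa_cnt - 1) * SECTOR > len(rec):
        return None
    rec = bytearray(rec)
    for i in range(1, usa_cnt):
        end = i * SECTOR
        if rec[end - 2:end] != rec[usa_off:usa_off + 2]:  # sector tail must equal the USN
            return None
        rec[end - 2:end] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(rec)

def decode_runs(buf):
    """Run list -> [(start LCN, or None for a sparse run, cluster count)]."""
    runs, pos, lcn = [], 0, 0
    while pos < len(buf) and buf[pos]:
        len_sz, off_sz = buf[pos] & 0x0F, buf[pos] >> 4
        count = int.from_bytes(buf[pos + 1:pos + 1 + len_sz], "little")
        delta = buf[pos + 1 + len_sz:pos + 1 + len_sz + off_sz]
        lcn += int.from_bytes(delta, "little", signed=True)  # relative to previous run
        runs.append((lcn if off_sz else None, count))
        pos += 1 + len_sz + off_sz
    return runs

def carve(image, rec_size=1024):
    """Yield (offset, name, runs) per valid FILE record; 1024-byte records assumed."""
    for off in range(0, len(image) - rec_size + 1, SECTOR):
        rec = apply_fixups(image[off:off + rec_size]) if image[off:off + 4] == b"FILE" else None
        if rec is None:
            continue
        name, runs, pos = None, [], struct.unpack_from("<H", rec, 0x14)[0]
        while pos + 8 <= len(rec):
            atype, alen = struct.unpack_from("<II", rec, pos)
            if atype == 0xFFFFFFFF or alen < 0x18 or pos + alen > len(rec):
                break
            if atype == 0x30 and not rec[pos + 8]:  # resident $FILE_NAME
                c = pos + struct.unpack_from("<H", rec, pos + 0x14)[0]
                if c + 0x42 <= pos + alen and (rec[c + 0x41] != 2 or name is None):
                    name = rec[c + 0x42:c + 0x42 + 2 * rec[c + 0x40]].decode("utf-16-le", "replace")
            elif atype == 0x80 and rec[pos + 8] and not rec[pos + 9] and alen >= 0x40:
                off_r = struct.unpack_from("<H", rec, pos + 0x20)[0]  # unnamed non-resident $DATA
                runs = decode_runs(rec[pos + off_r:pos + alen])
            pos += alen
        yield off, name, runs
```

`carve` accepts any bytes-like object, so an `mmap` of the ddrescue image works. The LCNs it returns are counted in clusters from the start of the NTFS partition, so extraction still needs the cluster size and the partition's offset in the image.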

There’s also Spinrite, but that’s a tool that 1) costs money and 2) should only be used as a last resort (not sending out for data recovery). I’ve heard of miracle stories with it and I’ve also read a lot of people talking about it being pretty bad. I used it once and it worked, so that was good, haha.

Bummer to hear about the lost data… hopefully they’ll learn their lesson about backups, now!

I’m not sure if you still have the drive, but… try ddrescue again. ddrescue takes TIME for it to do its job, but it has saved my rear-end before. I have a drive that “died” 3 years ago and can still extract data from the NTFS file system originally on it.

PhotoRec is also a great program if you have a shell script to organize by file extension. It claims to be able to detect fragmented files as well (I believe it, but have no way to test).

 
