This is a quick guide on how to recover data lost on a hard drive.
Software used:
- GetDataBack NTFS (available on Hiren's Boot CD)
- Partition Magic 8 (for Windows, probably not available)
- fsync (command line tool for synchronising 2 folders)
This process took about 4 hrs 30min
1) pre-scan: 1hr 30min
2) backup data: 2hr 30 min
3) restore data: 30 min
The drive was originally 80GB, and was formatted with NTFS on a Windows XP Korean OS. It was a portable USB drive. What happened: I was copying some files onto his disk for him and it had a virus, which infected my computer. We couldn't use safely eject because the virus was writing to the disk, so I pulled it out as it was running, then re-inserted it, and the disk was corrupted!
The disk was formatted NTFS, which means you really shouldn't pull out the disk unless you use safely eject. If you keep powering it off and pulling it out when the drive hasn't finished flushing its read/write cache, eventually you will run into data loss.
In this case, I had to pull it out while it was running, since it had a few autorun.inf viruses. (These viruses are common and spread via the autorun.inf file at the root of the drive, so when you plug in a USB drive, Windows automatically runs the viruses, which are defined in autorun.inf.)
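To see what an autorun.inf on a suspect drive would launch, the file can be read as plain text without running anything it names. This is an added example, not part of the original post; the sample file contents and the file names in it are constructed.

```python
import re

# Keys in the [autorun] section that name a program for Windows to start.
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)$", re.I)

# Constructed sample, not taken from the infected drive in this post.
SAMPLE = (b"; constructed sample\r\n[AutoRun]\r\nOPEN=setup_x.exe\r\n"
          b"icon=folder.ico\r\njunk padding line\r\n"
          b"shell\\open\\Command=setup_x.exe /s\r\nlabel=My Photos\r\n")


def decode_inf(raw):
    """Decode autorun.inf bytes; the file may be UTF-16, UTF-8 or ANSI."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16", errors="replace")
    if raw.startswith(b"\xef\xbb\xbf"):
        raw = raw[3:]  # drop a UTF-8 byte order mark
    return raw.decode("latin-1")  # never fails, keeps odd bytes visible


def launch_entries(raw):
    """Return (key, command) pairs that autorun.inf asks Windows to run.

    The file is only read as text; nothing it names is opened or executed.
    """
    entries, section = [], None
    for line in decode_inf(raw).splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue  # padding lines and other sections are ignored
        key, value = (part.strip() for part in line.split("=", 1))
        if LAUNCH_KEY.match(key) and value:
            entries.append((key.lower(), value))
    return entries


if __name__ == "__main__":
    for key, command in launch_entries(SAMPLE):
        print(f"{key:22} -> {command}")
```

Any entry it lists is a program that would have been started from the drive, so those are the files to scan and clean first.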
I pulled it out, since the virus was reading from and writing to the disk continuously. (I got infected!) We then reinserted it and got an error saying the drive was invalid. If you see the picture above, it shows what happened when queried by system drive properties. 0KB of DATA!
My friend was sad, since all his good photos and memories were on the drive, but fortunately for him, I happened to have run into the same situation before. The data wasn't really lost; as you know, probably the filesystem was corrupted, so it wasn't showing the files. I assured him that I could get the files back.
The first thing I tried to do was a check disk, by right-clicking on the drive in My Computer and running it. However, it disappeared instantly and didn't even bother to scan the drive, so I tried the command line chkdsk f: /f, but this was as useless as before.
I determined that an easy fix wouldn't be possible and we would need to use some recovery software. I had a copy of Hiren's Boot CD, and ran GetDataBack NTFS from it.
(A note about Hiren's Boot CD: this CD can do nearly anything, whether you need to recover data, set up a fresh PC, arrange partitions, and so on.)
Opening up Partition Magic 8 in Windows showed that the drive was still there and showing as NTFS; however, running the Partition Magic check for errors errored out on us, ironically.
Running GetDataBack NTFS was the only alternative I could think of.
GetDataBack NTFS is software that scans a selected disk that was previously NTFS, tries to read the information, and displays it for your recovery. If you decide to use the GetDataBack NTFS method, there are a few steps to follow and be aware of.
1) Time to pre-scan drive with GetDataBack NTFS.
(about 2 minutes per GB*)
2) Available drive space to recover to. You need another drive, to recover the data to. You should not recover the data to the same drive. It means you need equivalent of free space on a separate disk to backup.
3) Time to recover with GetDataBack NTFS to your backup drive
(about 5 min per GB*)
4) Time to shift the data back to the original drive.
(about 1 minute per GB*)
*depending on your disk speed, and other factors, CPU, RAM etc
When you use GetDataBack NTFS, you need to select the drive that you want to scan, and then start scanning it. It takes a long time. I recommend that after the scan you save your project file, so rescanning is not necessary if you need to restart the process.
When you get to step 4, it will display some choices for recovering a certain file system. You may be confused about which one to choose, but you can always come back to step 4 after recovering from one. I am not certain, but you MUST choose the green icon one if you want to recover Unicode (non-English characters, e.g. 한국어) data. In this case the hard disk had Korean files and folders, so I used it.
Note that if you choose a red icon choice when recovering Unicode partition data, it will recover the files, but they will be recovered corrupted!
This is step 5: recovery tree
As you can see on the left, there are ?? characters. This is because GetDataBack NTFS, or my OS, doesn't display Unicode characters. You can see a folder list of deleted folders, and we will recover the relevant ones.
Simply right click on the folders/files to recover or press F5 and copy to your backup disk. You can copy as many as you like at one time. Copying a new folder will queue it, and allows you to walk away while it recovers the data. It takes a long time, so this is quite convenient.
This is a screenshot of the recovering desktop. Note that the Unicode characters appear as ??? question marks, but in the explorer they are in Korean characters.
I am testing that the data is actually recovered. As you can see, there are photos appearing in thumbnails view, which means the data being recovered is not corrupted.
I have recovered all the data, which totals up to 30.3GB of irrecoverable photos, and some music and videos. If you understand Korean, you will be able to see that the 3rd folder down is photos, the 2nd down is music, and the rest are dramas and movies.
OK, now that the data is safely backed up to my local hard drive, we need to format the corrupted drive to FAT32 and then shift the data back onto the drive. Since it is 30.3GB, it will take roughly 40 mins to 1 hour. I will also set up an fsync script, which will synchronise the backup folder to the new folder, so if it gets interrupted we can start it again without re-transferring already copied files and without having to click Yes on the constant "Are you sure you want to copy this already copied file" prompts.
Note that you can use Windows Disk Management to format drives, or you can even use the format utility by right-clicking on a drive. I prefer the Partition Magic way, so that is what follows.
First select the disk (disk 2 in Partition Magic), and delete basically everything on it. Here I am deleting the F: NTFS partition.
Delete the extended partition.
You should be left with an empty, unallocated partition. Good.
Now right click and create a primary partition, which is FAT32, and takes up 100% of unallocated space, so you are using the whole drive.
You should now see in Partition Magic that disk 2 is one single FAT32 partition, so hit Apply. If not, undo your changes and make it look like this, then apply it.
When you hit Apply it will perform the actions: delete the partitions and create a FAT32 partition.
When Partition Magic has done its magic, open up the new drive in Windows Explorer and look at the properties. You can see it is FAT32 and now has free space, so it is ready to shift the lost data back onto.
Now I will set up an fsync script, which will copy the backed-up files to the 'new' disk. An fsync script is very useful, since it can be stopped at any time and then resumed. If you have a large amount of data being transferred, you don't want to have to restart the process if you interrupt it, since you will be prompted by a lot of Windows dialog boxes and the data transfer will need to start all over again.
This is the code I used in the batch file fsync_files.cmd:
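@echo off
rem Source: the folder the recovered data was backed up to
set _srce=d:\danni
rem Destination: the folder on the freshly formatted drive
set _dest=f:\danni
rem Create the destination folder only if it is not there yet (safe to re-run)
if not exist "%_dest%" md "%_dest%"
rem fsync must sit in the same folder as this script
fsync %_srce% %_dest% /f
pause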
This is quite a simple script. Just open up Notepad, paste in the above code, and then modify it so your source folder follows set _srce= and your destination folder follows set _dest=.
Be careful that you don't get the two the wrong way around, or you will overwrite your source files with your destination files (overwriting the source!).
Run the script, and ensure that fsync is sitting in the same folder as the script!
Fsync is copying files from d:\danni to f:\danni. As you can see 2 files have copied and the first folder is already showing in the destination folder.
In this case I interrupted the copying process and started over again. You can see that 222 files are in the destination already, and 29 files copied in this run of the script, so I didn't need to start over again!
That's it. I hope you find this guide useful, and next time you lose data, try out this method!
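The skip-what-is-already-there behaviour that makes the copy resumable can be shown in Python. This is an added example, not the fsync tool or the script from this post: it also verifies each copy by hash, refuses overlapping source and destination folders, and reports files over the FAT32 file-size limit instead of failing on them.

```python
import hashlib
import shutil
from pathlib import Path

FAT32_MAX_FILE = 2**32 - 1  # largest file FAT32 can store, in bytes


def sha256_of(path, chunk=1 << 20):
    """Hash a file in chunks so large videos do not need to fit in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def sync_one_way(src, dst, max_file=FAT32_MAX_FILE):
    """Copy src into dst, skipping files an earlier run already copied.

    Returns relative paths grouped as 'copied', 'skipped' (already present
    with the same size) and 'too_large' (would not fit on FAT32).
    Nothing under src is ever written to.
    """
    src, dst = Path(src).resolve(), Path(dst).resolve()
    if not src.is_dir():
        raise ValueError(f"source folder does not exist: {src}")
    if src == dst or src in dst.parents or dst in src.parents:
        raise ValueError("source and destination must be separate folders")
    report = {"copied": [], "skipped": [], "too_large": []}
    for item in sorted(src.rglob("*")):
        if not item.is_file():
            continue
        rel = item.relative_to(src)
        target = dst / rel
        size = item.stat().st_size
        if size > max_file:
            report["too_large"].append(rel.as_posix())
        elif target.is_file() and target.stat().st_size == size:
            report["skipped"].append(rel.as_posix())
        else:  # missing, or truncated by an interrupted run
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(item, target)
            if sha256_of(item) != sha256_of(target):
                raise IOError(f"verification failed for {rel}")
            report["copied"].append(rel.as_posix())
    return report
```

A file cut short by an interrupted run has a different size from its source, so the next run copies it again rather than skipping it.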
Wednesday, March 25, 2009
Tuesday, March 24, 2009
Data loss after unsafe removal part 1
So today I was transferring files to my friend's portable hard drive plugged into the USB on my laptop, and because it had a few autorun.inf viruses on it, it infected my PC and I couldn't safely eject since it was reading and writing all the time (virus activity).
So I pulled the thing out, and of course being NTFS it now shows up as a RAW drive, unformatted, 0KB total size, 0KB space used, when right-clicking Properties in My Computer.
I ran Partition Magic 8 in Windows XP and you can see that the drive is still there, and the file system seems OK, but anyway, tomorrow I will
1) use GetDataBack NTFS from Hiren's Boot CD, and wait 2 hours for it to read the drive data and choose the data to backup - 2 hours
2) shift the data off the drive onto my laptop drive (requiring about 50GB of free space) taking about 1 hour
3) format the drive to FAT32, since I think it is safer! - 2 minutes
4) shift the data back across - 1 hour
So you can see there goes about 4 hours of downtime for this guy. Lucky I know what I am doing; he would have just re-formatted and started again. But 4 hours is no problem: leave it running in the background and keep working on my VM project.
Moral of the story: Always have NOD32 installed before plugging in a stranger's USB drive, and disable autoruns if you're not running the latest version 4! Also scan and clean, then you can safely eject it properly. I ALSO recommend using FAT32 as the data container, as it seems to get corrupted less easily. If you insist on NTFS for the extra benefits, e.g. files bigger than 4GB, extra security, not being readable on Windows 9x (benefit?), then make sure you eject it properly and set your Device Manager to the quick removal option.
Labels: autorun.inf, format, Hiren's Boot CD, ntfs data loss, partition magic, virus, windows XP