Friday, March 23, 2012

Guide on how to recover from a failed or corrupted partition/hard disk

Recently my Rosetta, which is an 1TB external hard disk from Western Digital Mybook series had saw its day. It is the first WD hard drive that had failed over me and it is also the second external hard drive that failed, with the first one being Maxtor Basics 1TB. I had never saw it coming as I believed I took great care of it. Not a single drop, not even once. Initial inspection is that it is a software fault rather than a hardware fault because there is no 'clicking' sound a.k.a click of death. Actually I had this coming all along. Viewing the windows native Event Viewer had shows that the hard disk had suffered from some bad sectors since months ago, and Hardware Controller error few weeks ago. Yet I didn't bother to check through the Event Viewer. It is very rare for computer user to check through the Event Viewer unless there is a need to. I had no idea what causes it but every hard disk do have its own life span. Though WD lasted longer.

There are some great things to be relief of. First, that hard disk only stores some game roms which I had burned it via DVD few days before the disaster. So what's left of it are half of my 500GB of unwatched Animes (which I doubt I will spent time watching them) a couple of TV series and TVB dramas.

This unfortunate incident had proves the following statement to be true, and I will be remember it for the days to come in my whole life.

"All hard disk will certainly failed. Do not think IF my hard disk will fail. Instead, try to think WHEN will my hard disk fail."

Bearing this statement in mind, make sure you took the following steps to identify early symptoms of a hard drive failure.

1. Check through the Event Log for Critical or Error messages from time to time, say weekly to be safe.

2. If there is any bad sectors, even one, that drive might be failed in the days/months to come. Even if the bad sectors are fixed, it would be just delaying it from being deteriorating. Why? Because the bad sectors is only marked as bad or 'dirty' by the OS. So the OS will not write any further data to that sector, at its best. It means that you should start backing up that drive instantly.




Over the past few days I had spent quite some time trying to figuring out the best way to salvage the datas, or what's left of it. So I thought why not write an article that explains the best way to deal with situation such as this in case of the need arises again in the future (which I certain hope not). This article could also help those that experience the same problem that I had, I hope.

----------------------------------- 
Read the basic introduction on how NTFS works written by me, hopefully it is understandable to have a better understand on how NTFS works.





Brief Introduction on How NTFS Stores files.
Things involved:
MFT (Master File Table)

MFT Mirror


Basically MFT keep track of which files are stored in which section of your hard disk. And it starts with a small fixed size. The table will only expand when the current table size had been reached. A partition that stores many large files will have a smaller MFT table size than a partition that stores many smaller files, as there will be more entry in the MFT of the later partition. If the current MFT is full, then the OS will expand its size appropriately. It is often that MFT will be fragmented across the disk. As the name suggest, MFT mirror is just a backup of the original MFT.


MFT is located at the start of a sector whil MFT mirror is at the end of the sector. So in the event that the master MFT is damaged, the MFT mirror will be used to replace it, provided that the MFT mirror is good.


When you do a quick format, it basically replaces the MFT with a new one. So meaning that the previous MFT that points to the location where all your data stores are gone, yet the data is still present (provided that there is no further writing to the disk after the quick format). This is how data recovery after a quick format is possible. Different OS (I'm talking OS from Microsoft here, e.g. XP, Vista, and 7) will create different MFT size. XP create the least MFT size while 7 create the most. So you will be able to retrieve much data using data recovery software in XP than in 7. The following article explains my point in greater details:




On the contrary, Full Format resets the entire magnetic surface. Data recovery is still possible, but with greater difficulty.



There are also LLF (Low Level Formating) in which the binary 0 is written over the entire magnetic surface multiple times. Performing LLF guarantess that nothing is left on the surface, hence data recovery will be impossible afterwards.


----------------------


This article will assist in your attempt to repair and recover any data from your disk, but it will only work IF and only IF you have at least one (or more) of the symptoms below:

Symptoms:
1. No constant 'clicking' sound @ 'the click of death'.
2. Hard disk appears as Local Disk in My Computer with no viewable capacity. Double clicking it result in the following dialog to prompt:
- Do you wish to format your hard disk?
- F:\ is not accessible. The parameter is incorrect.


3. Right clicking it shows RAW, with 0 capacity.

* Proceed to Step 2 if you could not see your disk or partition listed under My Computer.


In addition, you must also certain that you are able to access the hard disk recently. If you pass, then rest assured that it could probably due to some hardware fault (e.g. the USB->SATA hardware controller fault for external hard drive), or the doings of some malware that corrupt your partition table or file system. What this means is that your files or data are probably still intact, and the damage is only done on the file system or partition table itself.


There are basically two goals that we are going to achieve here. The primary one is to fix the partition table or file system so that you could access the drive or partition as you used to. Failing the first goal, the next goal is to recover as many data as possible from the damaged disk.


How to read this guide?
Proceed through the steps accordingly is advisable. If one step proves to be success, then I'm glad to tell that this article had served its purpose. Else proceed to the next step.


Step 1 -Always start with chkdsk
If you cannot access your hard disk with the following symptoms, the best practice is to ALWAYS start with Windows chkdsk utility seeing that NTFS is Windows proprietary File System. Almost all problem can be fixed using chkdsk and would save you much trouble.

Enter the following command in command prompt (Win + R -> cmd)
chkdsk F: /f /x /v

Substitute F: with your hard disk path.

The parameter /f will attempt to fix any bad sectors, /x will prompt a message asking you to dismount the drive if there are any other process that is accessing it, and /v prints some extra logs on the console screen (semi-verbose). 

NOTE: It is not advisable to interrupt while chkdsk process is running as it could lead to disk inconsistencies or causing unforeseable damage to the disk itself. Thus do not run chkdsk under a bad weather condition and ensure a consistent electric supply to your computer (install a UPS unit just to be safe). You never know when will the disaster strike next.



# Data Recovery
Data recovery is possible if one or more of the following criteria is met and there is no further write(s) to the disk afterwards.
1. Accidentally deleted a partition
2. File deletion

NOTE: Data Recovery process might take up to days/weeks if there are many bad sectors present on a disk. Only try to recover IMPORTANT data if the progress is slow.



Step 2 - Identify the missing disk / partition
If you could not see your hard disk on My Computer, try to go to Disk Management (right click on My Computer -> Manage -> Storage -> Disk Management) and see whether your disk is listed there. The point is to get the disk path, e.g. F:. If your disk is not listed there, try booting into a Linux system and see it could detect your disk. In case that you doesn't have any Linux OS to boot, try using Ubuntu Live CD (http://www.ubuntu.com) to boot. All you need to do is download the image, burn, and then boot it.


Booting into Linux
Follow the steps below to mount your drives.
1. Open up terminal.
2. Enter 'fdisk -l' to list the available detectable (both unmounted and mounted) partition/disk.
3. Find your hard disk path, e.g. sda1.
4. Enter 'mount -ntfs -o -force sda1 /media/ntfs'. This will force mount the partition.
5. If it failed, then you could use the ntfsfix utility to attempt for a fix. 
Enter 'sudo ntfsfix sda1'.

If the above steps failed, it would probably means that fixing the partition table will no longer work. So the next step is do figure out a way to retrieve the data as many as posible instead of hoping to access the same partition again.


Step 3 - Getting to know Data Recovery Software
The following list of software are the list of reputable ones that I had tried and worked. 
- TestDisk
- GetDataBack for NTFS / FAT
- Active Disk Recovery
- R-Studio


* Others are Shareware except TestDisk.


WARNING: DO NOT TRY HDD REGENERATOR as it is a scam ware, despite how many testimonials that are posted in its website. I had personally tried it and it doesn't work. Why you ask? Well I had re-run it several times and for each runs the same bad sectors appears. To make things worst, it progress slowly. I had tested it on a 1TB drive and run it for 12 hours, and it only progress 0.25%!

I had yet to try out SpinRite but I doubt it will work, just as HDD Regenerator.


TestDisk (Freeware)
testdisk is a freeware program that comes with absolutely no warranty. It is a no brainer to see this type of disclaimer given the nature of it - FREE.


Follow the steps below:
1. Select 'Don't create log'. You could create it if you want, but there is a high chance that you won't bother to look at it.


2. Select the disk that you want to recover data from. Make sure that the reported size of the disk is exactly the same as the disk.


3. Select Analyze. Testdisk will then find any partition (deleted or undeleted) that is present on the disk. If it yield no result (which is very rare), you could try for Deeper Search.


4. After analzying you would probably see your partition there. Enter 'P' to list the files. This ensures that your files are still there, even with a damanged partition table. 


*At this point you could attempt to recover the files from it to any destination. The bad thing about this is you could not view the copy progress as there is no progress bar to look for. So you wouldn't know when will the progress ends or how far have it gone. The good news is you could then proceed to the next step by using other user friendly software that will do the same job, if not better.

5. If you are currently in the file list view, enter 'q' to quit the view. Press 'Enter' and select 'Write'. TestDisk will then ask whether you want to write the file structure. Confirm and reboot your PC. 

NOTE: I had used TestDisk to retrieve several files and some of the files that are retrieved ends with weird file extension. Using other software to retrieve similar files turned out to be just fine.


Active File Recovery, GetDataBack, R-Studio (Shareware)
If you had come to this step there is a high chance that your data is still recoverable. Using data recovery specialize software such as Active File Recovery, GetDataBack, and R-Studio are recommended as they are created in a user friendly manner to retrieve your files as easy as possible.


Personally I prefer Active File Recovery due to the progress bar that report how many file size are left during recovery sessions and you could skip copying files having bad sectors (i.e. corrupt). It is fine to copy corrupted files such as video as the worst that it could be is several seconds of gliberish image. Executable files, images or documents probably fare the worst of all as every bit counts.

Conclusion
Hopefully at this point you are able to retrieve your data or probably having your partition fixed. Comments are welcomed to further improving this guide.




--------------------------
References
ntfsfix- http://linux.die.net/man/8/ntfsfix
TestDisk - http://www.cgsecurity.org/wiki/TestDisk
Active File Recovery - http://www.partition-recovery.com
GetDataBack - http://www.runtime.org/data-recovery-software.htm
R-Studio - http://www.r-studio.com
NTFS Recovery after Quick Format - http://www.r-tt.com/Articles/NTFS_Recovery_after_Quick_Format


Advanced Topics
How to fix ‘$MFTMirr does not match $MFT (record 0)’
Advanced NTFS Boot and MFT Repair (TestDisk)
Recover Data from a Dead Hard Drive using ddrescue

--------------------------
Download Links
GetDataBack NTFS/FAT v4.25
RStudio 5.4.134259 Corporate Edition [x86/x64]