Aug 15, 2008

Some Useful Data Recovery Tips

Focus of the post:- Share my data recovery experience


  • Case I - Software Fault
One fine day i was just reading about NTFS partition in the OS Dinasaur book by Galvin[out of the 3 writers this is the easiest name to pronounce] for my endsem exams.I just read the line the cluster size[allocation unit] is configured when an NTFS partiton is formatted.I remembered the default cluster size was 4096 bytes,reading the book i decided to test what other cluster sizes are available."NTFS does not deal with individual sectors of a disk but instead uses clusters as the unit of disk allocation.A cluster is number of disk sectors that is a power of 2.The cluster size is configured when an NTFS file system is formatted.The default cluster size is the sector size for voulmes upto 512MB[that is 512bytes],1KB for volumes upto 1GB,2KB for voulmes upto 2GB, and 4KB for larger volumes.This cluster size is much smaller than that for the 16-bit FAT file system,and the small size reduces the amount of internal fragmentation."[OS Principles,find more here and here].Before you make some opinion about me i must tell you that i am 100% adept with partitions and partitioning.I had 3 primary partitions and 9 logical drives in the extended partition.The last two logical drives were empty for linux distros so i deleted the last drive.As soon as i clicked on "delete logical drive" the system just restarted.After the reboot i found that i had lost 3 logical drives,one of the lost logical drives had 213GB of data.The berserk WDM utility  showed 1348GB of unallocated space more than the harddisk itself!!!.I cursed the Windows Disk Management utility, it reminded one of my friends talks,he used acronis disk director for partitioning and he lost one of his paritions in a similar way.I figured out the cause for this erratic behaviour - Never mix partitioning process with different utilites.This is a rare case and the whole data recovery process costed me at least 15marks but fortunately i got a short note question on NTFS in exams for 5 marks.I tested many data reovery utilites to recover 100% (213 GB of data).This isnt a detailed review of recovery softwares but contains a important word about each one of them.

Data recovery softwares have different modes depending on how you lost your data:-Format Recovery,Deleted Reovery(accidental file deletion),RAW Recovery(last resort),etc.Make sure you choose the correct one.

Ontrack Easy Recovery
I trusted this software the most.Initially the soft didnt recognize the filenames and folder structure.But after i converted the unallocated space into NTFS volume it recognized the data and folder structure(i didnt format it).Formatting the unallocated space would have made the data recovery more difficult.After going to Advanced Data Recovery>>Select Partition>>Advanced Options:-Select partition type(NTFS),Advanced Scan,>>Select Use MFT if you havent formatted the partition.Specifying this info the software immediately recognized my old NTFS volume.The software reovered 80% of my data.The software failed to recover saved web pages that were recoverd by file scavenger.

PC-Inspector file Recovery
Good old freeware with dirty Interface.Few audio and video files were corrupted while recovering!!.But the same files were recovered correctly by File Scavenger.The software did recover gigs of webpages but most of them were corrupted.Dont forget to spend a little time with the software interface.

File Scavenger v3.2
File Scavenger is an expert with NTFS partitions.It recovered 5gigs of documents and web pages which Ontrack and PC Inspector failed to recover.Except file scavenger no other utility was able to recover 100% of my data.It can recover data from even RAID arrays.

R-Studio
Lost file names and folder structure.Poor performance.

Acronis Recovery Expert bundled with Disk Director Suite
Initially i was looking for a utility that could undelete a partition but Active@ Partition Recovery just failed to work.I tested Acronis at last and laughed on myself.One click and everything was restored back to normal!!!.The partition was undeleted in just one click.I verified the integrity of files and everything was untouched.What a fool i have been all this time testing the capabilites of the recovery softwares.

Here are few utilites that failed to recover a single BIT of data
Active @ Partition Recovery
0&0 Disk Recovery v4.1 and bunch of other lesser known utils downloaded from the internet

Lessons learnt:-
Backup your data regularly.
NeverAvoid mixing partitioning process with different utilites like Acronis Disk Director,Partiton Magic and Windows Disk Management.
Pack your PC during exams.

Do's and Donts in case you loose a partition
  • Try to recover the partition with data recovery softwares that can undelete a partiton.Most of the data recovery softwares lack this mode so go for a dedicated one like Acronis Recovery Expert or DiskInternals Partition Recovery.This will save you the pain of scanning the whole file system and saving individual files.
  • Never format the partiton with a different or same file system in case you have a damaged file system or corrupt partition table
  • If the data recovery software doesnt pick up your lost drive then try to allocate the unallocated space and dont forget to check the "Do not format this partition" tab.
  • Case II - Some HDD fault
If you broke your IDE HDD's pin or managed to burn your HDD's DMA chip then HDD will be detected in BIOS but Windows wont load(you wont be able to reinstall either).I came across two hard disks of such fault.One of which was my own Seagate 7200.7 80GB IDE HDD[3 years ago] with broken pin and another was a SATA WD 250GB disk given to me by bro's friend  for data reovery[20 days back].Initially it looked to me some OS DMA fault or virus work but the problem was with HDD itself. I tried Acronis bootable DD CD,Hitachi's DFT,Seagate SeaTool,reinstalling windows but you will get an error everywhere.I wasnt surprised on the Linux Boot as i recovered by data three years back with a KNOPPIX Live CD.This time i used Ubuntu.If you have the faulty drive installed,Windows wont even load from a working drive with the working HDD installed as primary!.Linux will take a long time to boot and even a 1GB file will take hours to copy.
Lesson learnt:- Never loose hope.

  • Case III - Human Fault
I remember i was  struck with a data disaster 6 years ago when i was new with computers.At that time i was resizing my 12Gb partition to 15GB[secnodary partition] with Partition Magic,frustated by the long process i just pressed the reset button.Windows ME on the primary partition worked fine.Each bit of data was precious to me in the dialup age.I  used a utility called Drive Rescue by Alexander Grau to to recover the data .Its discontinued and it had the same interface as the new PC Inspector File Recovery by Convar.
Lessons learnt:-Always be patient.

Data Recovery using Linux

Recover data from Windows partitions using Linux [Download here]

The pdf "Recovering Data from Windows Systems by Using Linux" is short and precise, teaches the stuff quickly published by the Open Source Software Lab at Microsoft..Basically it teaches how to create images of partitions.Dont forget to read the comments at the original page.There are specialized linux distro's for forensic analysis and data recovery too like F.I.R.E.

HowtoGeek:Use Ubuntu Live CD to Backup Files from Your Dead Windows Computer
Darknet:Complete list of linux distro's for forensic analysis,data recovery and security

Dont forget to post your comments,questions and suggestions.

2 comments:

Jordan said...

Good recovery tips.Recently my data has lost due to accidental deletion.I have used Stellar Phoenix data recovery software to recover my data.It recover maximum of my data.Software graphical interface is very attractive and very easy to use.
http://www.stellarinfo.com/

James Maxwell said...

These are good. Data Recovering is a slow process, we have do it very carefully without doing any mistakes. People do some mistakes regularly, we can know them here, make sure that you are not doing these mistakes.

Post a Comment