Recovering data from a failed hard drive

So far, a couple of hard drives have failed for close friends or family. I just wish that everybody would learn to back up valuable data, as some failures mean that nothing can be recovered without sending the hard drive in to one of those places that charge more than 10000 SEK (~ 1000 EUR) to even try recovering it.

The last hard drive I worked on came from a friend's sister's laptop, and among other things it contained approximately 5 GB of pictures from many of her travels which she didn't have anywhere else. I'm going to briefly describe how that content was brought back.

The story begins when I was over at their place, and they wanted a laptop fixed. Windows XP couldn't boot; it failed maybe 20 seconds into the process, and then rebooted the computer. For some unbelievable reason, XP by default reboots on errors, and the error message is only displayed for the amount of time the BIOS uses before it starts to access the graphics card. That feature can be manually disabled in Windows [I should add description], or by pressing F8 before Windows starts and choosing something similar to "do not reboot on error" (don't remember the exact wording). The reason for that rebooting habit is probably that Microsoft picked up that customers didn't like to see the blue screen of death, and just decided to restart the computer instead, leaving the user with no clue of what the problem could be.

Anyway, after a large number of reboots, it seemed like XP couldn't access either a specific file, or the registry (don't remember which now that I write this). It said nothing about bad sectors, hard drive failure or anything like that. Unluckily the computer didn't want to boot Knoppix, so I had to work in DOS, and her first partition wasn't visible at all, but her second partition chkdsk'ed ok. I was a bit reluctant to run fixboot, fixmbr and such (and btw the recovery console from the WinXP CD couldn't start either, without giving any errors...)

I gave up then, because I didn't have any good tool CD with me, and without anything Linux-ish, the chance of getting a valid error message seemed really small.

Somewhat later, I got to take their laptop home. I'd already borrowed an IDE to USB adapter from one of my brothers (which I bought earlier as a gift to him btw), so I could plug that hard drive into my Linux computer easily. I thought I should back up the data before I started using commands which potentially could destroy data on the hard drive. Still not expecting a failed hard drive, I started dd, but after only a couple of megabytes, it found the first bad sector (and unlike Windows, gave a meaningful error message).

Knowing that there were bad sectors, I took the road of using dd_rhelp - a script which starts reading the hard drive from the beginning, and when it hits a bad sector, it continues reading from the largest unread block until it hits a bad sector in both the forward and reverse direction. The program started by reading a few megabytes, then it read the last 25 GB without a problem, and then the errors started to show themselves. Apparently, the first 1.5 GB was the most damaged, in total slightly over 2000 bad sectors. I even tried freezing the hard drive (some people have had good luck recovering data that way) but those sectors couldn't be read. It was clear that areas around the bad sectors were affected as well, as the read speed dropped from several MB/s to only tens of kb/s in the vicinity of many of the bad sectors.

Even before dd_rhelp completed, I used Sleuth Kit and Autopsy browser to check whether her images were present, and just browsing around, they seemed to be read ok, so I just let dd_rhelp run until it had checked every single sector. I must warn about one fact: dd_rhelp gets really slow when the number of bad sectors gets high, as it tries to determine the optimal next read position by going through a log file which gets way too large when there are many errors. It took around 50 sec to compute the next read position towards the end, so the next time I might look around for a better tool.
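The read strategy described above, as an added Python simulation that is not part of the original post and is not dd_rhelp's own code. It assumes that each later pass starts in the middle of the largest unread block, and it keeps the unread ranges in an in-memory heap, so picking the next read position does not require going through a log; the function name and the sample disk are constructed for illustration.

```python
import heapq


def simulate_recovery(total_sectors, bad_sectors):
    """Simulate the strategy; return (recovered, unreadable, passes)."""
    bad = set(bad_sectors)
    recovered, unreadable, passes = 0, [], 0
    # Max-heap of unread half-open ranges [lo, hi), keyed on negative size.
    holes = [(-total_sectors, 0, total_sectors)]

    def push(lo, hi):
        if hi > lo:
            heapq.heappush(holes, (lo - hi, lo, hi))

    while holes:
        _, lo, hi = heapq.heappop(holes)  # largest unread block
        # First pass starts at sector 0; later passes start mid-block
        # (an assumption made for this simulation).
        start = lo if passes == 0 else (lo + hi) // 2
        passes += 1

        # Forward: read until the block ends or a sector fails.
        pos = start
        while pos < hi and pos not in bad:
            pos += 1
        recovered += pos - start
        if pos < hi:
            unreadable.append(pos)
            push(pos + 1, hi)  # still unread beyond the bad sector

        # Reverse: read backwards from just before the start position.
        pos = start - 1
        while pos >= lo and pos not in bad:
            pos -= 1
        recovered += (start - 1) - pos
        if pos >= lo:
            unreadable.append(pos)
            push(lo, pos)  # still unread before the bad sector

    return recovered, sorted(unreadable), passes


if __name__ == "__main__":
    # Constructed sample: 100 sectors, damage near the start and at 60.
    print(simulate_recovery(100, {10, 11, 60}))
```

Every sector ends up either recovered or listed as unreadable, and each bad sector is attempted exactly once.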

When the data was saved, I dd'd the first partition onto an empty 15GB hdd which I happened to have around. Then I connected it to a Windows box and let it checkdisk it before moving an image of the drive back into the Linux box. Her almost empty D-partition actually didn't have any bad sectors, so I didn't have to do anything out of the ordinary to it.

Against my recommendation, they wanted me to try and recondition their hard drive first before they bought a new one. Unfortunately, that couldn't be done through the IDE to USB adapter, so I had to hook up an old discarded PC to the drive, and use software available from the hard drive manufacturer. In this case that meant the "Drive Fitness Test" software from Hitachi (available here). The hard drive could not be resurrected though, so they had to buy a new one.

I had all the data and hardware lying around in my room until they bought a new hard drive for the laptop. Then the normal nightmare of installing XP started. Everything actually went as nice and smooth as possible, but Microsoft really should make it easier to install all the updates from an "initial XP", as we probably ran Windows Update five or six times with mandatory reboots in between before the computer was up to date, and that took a couple of hours. Anyway, I also made some images of the C partition onto the D-partition just in case, and that's when I noticed that the CPU fan was completely clogged with dust.

I actually couldn't see through the fins of the heat sink, so I blew most of it out with a vacuum cleaner (blowing a little in one of the holes, and sucking from the other). The remaining clogs were removed with the help of some bent soldering lead.

The last thing I did was to install RealVNC to make it simple for me to help them install additional software, like a virus scanner (which ended up being the free AOL scanner). I didn't want to poke around with the computer longer than necessary because the power supply cord for the laptop had some kind of glitch in it. I actually stabilised it with the help of a "helping hand" and some rubber bands, which was the only way to get reliable power. I marked the power supply with "DO NOT USE - GLITCHY" (but in Swedish) and told them to never ever use it again. It later turned out that I got their old broken one (well, I probably would have saved it as well - it works just fine if you would remove the contact).

Summary of tools used:

For future reference, I'm summing up some information about the tools I used:

IDE to USB adapter
Was used together with an adapter to attach 2.5" drives to connect the hard drive to my Linux desktop PC (running Fedora Core 6 at that time).
dd
Used for moving data to/from partitions. Not useful on hard drives with bad sectors.
dd_rescue
Alternative to dd which won't choke on bad sectors. (www.garloff.de/kurt/linux/ddrescue/)
dd_rhelp
A script which starts reading the hard drive from the beginning, and when it hits a bad sector, it continues reading from the largest unread block until it hits a bad sector in both the forward and reverse direction. The output is an image of the entire drive (or partition). It requires the dd_rescue tool. As the number of damaged sectors increased, the performance of the script dropped drastically. If a C version of it exists, use that instead. Home of dd_rhelp: www.kalysto.org/utilities/dd_rhelp/
Sleuth kit and Autopsy browser
Two programs which together are excellent at browsing around in an image of a hard drive or a partition. Wasn't really needed, but since I had it installed, why not take a peek at the data. This kit also contains tools that recognise signatures of different file types, which makes it possible to recover documents and pictures even when the file allocation table and directory entries have been completely destroyed (but success depends on the level of fragmentation for the disk). (www.sleuthkit.org/)
Foremost
Another program recognising signatures of different file types in a disk image or directly on a partition to recover documents and pictures when the file allocation table and directory entries have been completely destroyed. This tool wasn't needed this time, but has been tested by me previously. (foremost.sourceforge.net/)

Other References:

The Sleuth Kit Informer, Issue #2 March 15, 2003 has information on how to: (a) Extract individual partition images from a drive image; (b) Mount partitions inside a disk image using loopback devices.
Mounting disks with Linux's loopback device does exactly what the title says.