From failed drive to hero in many steps

Tue Dec 11 06:13:34 EST 2012

It may have been helpful for you to know about SysRescueCD, a live Linux 
distribution optimized specifically for data recovery. It is based on 
Gentoo and is available as a simple ISO file that is intended to be 
burned to CD, although it can also be put onto a bootable USB stick. 
More information here:

http://www.sysresccd.org/

In addition to including "dd_rescue" which as you discovered would be 
the most important tool, it comes with a number of utilities to mount 
and repair NTFS beyond the capability of native Windows.

A particularly important tool that you didn't turn out to need is 
"PhotoRec," which is capable of recovering recognizable data files even 
when the file system container is unmountable or substantially missing. 
It works by having intimate internal knowledge of a fairly long list of 
common data file formats, such as JPEG image and MS Word DOC, hunting 
through raw disk clusters and piecing them together like a jigsaw 
puzzle. It is included in SysRescueCD but can be downloaded 
independently, and there is also a Windows version:

http://www.cgsecurity.org/wiki/PhotoRec

Although "PhotoRec" is less effective with natively compressed formats 
such as DOCX, SXW, and ODT, it is very effective with everything it 
recognizes, often approaching 99% recovery for JPEG.

Finally, CrashPlan is a cloud backup service that supports Linux clients 
as well as Windows and MacOS clients. The software is free, allowing you 
to back up one computer to your other computers, but there is an 
optional CrashPlan Plus service that allows unlimited backup to their 
cloud from one computer for about $6 per month or unlimited backup from 
up to ten computers ("family plan") for about $12 per month, with 
discounts as much as 50% for paying a year or more in advance. You can 
elect various levels of encryption for your cloud data, the middle level 
of which uses a passphrase to encrypt a 448-bit session key without 
which your data would be unrecoverable even under a subpoena to the 
cloud provider:

http://www.crashplan.com/consumer/download.html?os=Linux

Note that the CrashPlan client for Linux can run in a quasi-documented 
"headless" mode on a machine that has no GUI at all and is remotely 
controlled over the network. In fact, I often control the headless Linux 
client by connecting to it from a Windows client over the network. The 
Linux client is written in Java and runs fine under OpenJDK, including 
in headless mode using headless OpenJDK (for which Debian has package 
"openjdk-6-jre-headless"). Although the quasi-documentation could be 
better, it is here:

http://support.crashplan.com/doku.php/how_to/configure_a_headless_client

-- Mike

On 2012-11-18 at 20:20 -0500, Mark Komarinski wrote:

> This is going to be long and rambling, so tl;dr: Make sure you have
> backups.  If you're like me, read on.
>
> Wife's hard drive in her netbook died last Thursday morning. Died bad.
> System would see the drive but wouldn't boot, neighbor tried to use a
> live CD, she even broke down and bought a one-time support help from the
> vendor.  Everyone told her the drive and data was gone.  This was not a
> week after I told her to clean off her iPhone and get some of the photos
> moved to her netbook to free up space. Let's just say this was one of
> the few times she listened to me .
>
> I didn't get home until late Thursday after all this diagnosis was
> complete.  I had on hand:
>
> netbook with unbootable drive
> 2 16GB USB sticks
> Linux server in the basement with ~600GB free in LVM
> Win 7 desktop with 256GB SSD
>
> Time to channel my inner MacGyver.
>
> Downloaded Ubuntu Live on one of the USB sticks, boot the netbook and
> start poking.  Drive is spinning and recognized, partition table appears
> sane, but trying to mount the 300GB NTFS partition results in many nasty
> messages into the kernel ring buffer.
>
> Can I clone the drive somehow, maybe get dd to get a copy of the data?
> Server downstairs becomes an NFS server.  Fire up dd and get an I/O
> error within 5MB.  Looks like that's it.
>
> Or not.  I found and downloaded copies of dd_rescue and dd_rhelp.
> dd_rhelp uses dd_rescue to copy an entire partition and skips over bad
> blocks, retrying them again later on.  That took about 2 days to run to
> completion.
>
> Now I have a 300GB NTFS image on my Debian server.  Tried to use
> mount.ntfs - nope, still had problems.  Tried ntfsfix - which oddly
> enough doesn't work with image files, only partitions.  Ok, make a 300GB
> partition and dd the image into the new partition.  6 hours later, I
> have a partition, but ntfsfix still doesn't like it. Looking online
> suggested Win 7's chkdsk could do something better. But how do I get an
> image or partition available to a system with only a 256GB disk?  Yup,
> iscsi.
>
> Fire up iscsitarget on Debian pointing at the partition (keeping the
> image for safe keeping in case I really screw up and have to start
> over), start the iSCSI initiator on Win 7, and now I have...well...a
> disk.  Windows 7 decides it's worthy of a drive letter, but not worthy
> enough to show me the what's on it.  Since I have a drive letter and
> it's not the boot disk, I can run chkdsk on it without needing to
> reboot.  chkdsk /f a few times showed it repairing the same errors and
> Win 7 now gave me a drive label, but still wouldn't show me what was
> there.  I then tried chkdsk /r which checks for bad blocks.  Let that
> run for an hour or so.  Still nothing.
>
> In a bit of desperation, I shut down all the iSCSI stuff and again tried
> to use ntfsfix.  Different errors, but still didn't look right. Then I
> figured maybe there's enough of the filesystem to use mount.ntfs
>
> It did.
>
> Fortunately most of the corruption appears to be in the OS/swap/random
> junk area as I was able to rsync her entire home folder to a safe
> location.  I'm now the hero that saved 2 years of photos, a stack of
> Word docs, and got a kiss on the cheek as compensation.  All in all, not
> bad.
>
> rr_rhelp: http://www.kalysto.org/utilities/dd_rhelp/index.en.html