LinuxQuestions.org
Old 06-06-2018, 11:22 PM   #1
linuxshekar
LQ Newbie
 
Registered: Jun 2018
Posts: 3

SATA hard disk data recovery


Hello Dear Members/Friends,

My name is shekar.
I just joined the group today.
This is my first question.

I got a virus-infected Windows 10 laptop SATA hard disk-HGST-320GB.
The disk is NOT detected by any of the Linux tools.
My host system is an Ubuntu 16.04 LTS 32-bit laptop.

dd, ddrescue, testdisk, parted, lshw, lsscsi, lsusb, lspci,
knoppix virus tools, etc.
All of the above fail to detect the SATA HDD.
The disk is spinning and sounds healthy when connected to the SATA port
directly or through a USB enclosure.
Not visible in dev space. No entry in /dev/.
open or fopen fails: No such file or directory.
That's assuming the disk is present at /dev/sdb OR /dev/sdc OR /dev/sdd ...;
/dev/sda is my laptop disk with Ubuntu.
Is there any way I can retrieve at least one most important folder?
Where do I start writing custom drivers? How do I directly access the disk
in C or assembly language?
I am fluent in C, x86 assembly language and, to some extent, systems
programming (kernel/drivers).

Thank you
Shekar
 
Old 06-07-2018, 06:07 PM   #2
RandomTroll
Senior Member
 
Registered: Mar 2010
Distribution: Slackware
Posts: 1,032

A virus can't have made it not-appear in /dev/sd? or any other hardware detection scheme, which you have tried. Could it be /dev/hd?
 
1 members found this post helpful.
Old 06-07-2018, 06:10 PM   #3
rknichols
Senior Member
 
Registered: Aug 2009
Distribution: CentOS
Posts: 4,073

What messages appear in the system log when you connect the drive?
 
Old 06-07-2018, 06:29 PM   #4
syg00
LQ Veteran
 
Registered: Aug 2003
Location: Australia
Distribution: Lots ...
Posts: 17,241

Generally it is best to connect directly, but in this case (for the messages requested) it might be best to use the USB enclosure. That way you can get a proper timeline. Plug the drive in, run something like this and post it - increase the number if needed to get all relevant messages.
Code:
dmesg -T | tail -n 20
 
Old 06-08-2018, 05:15 PM   #5
linuxshekar
LQ Newbie
 
Registered: Jun 2018
Posts: 3

Original Poster
SATA hard disk data recovery

Quote:
Originally Posted by RandomTroll
A virus can't have made it not-appear in /dev/sd? or any other hardware detection scheme, which you have tried. Could it be /dev/hd?

No. It's a laptop SATA hard disk from HGST, 320Gb capacity.
My guess is it's a boot sector virus, which wiped out track 0 and more.
Hence the controller sitting in the hard disk is not able to report its details
when probed. Probably can't locate track 0 and MBR or GPT ...
Hence the BIOS or any Linux tools I mentioned won't detect it when probed.

The solution I am looking for is to directly probe the disk controller to read sector 0.
OR commands to move the read/write head to different tracks would help to find what really happened. It's a relatively new disk. This happened when children took it for playing games.
Thanks
Shekar
 
Old 06-09-2018, 11:10 PM   #6
AwesomeMachine
LQ Guru
 
Registered: Jan 2005
Location: USA and Italy
Distribution: Debian testing/sid; OpenSuSE; Fedora; Mint
Posts: 5,513

Try to find it in the BIOS setup. Check the drive connections. Make sure they are sound. It sounds like the drive is dead. Can Windows find it?
 
Old 06-15-2018, 10:32 AM   #7
Poison Nuke
Member
 
Registered: Aug 2012
Location: Germany
Posts: 40

Quote:
Originally Posted by linuxshekar
My guess is it's a boot sector virus, which wiped out track 0 and more.
Hence the controller sitting in the hard disk is not able to report its details

That is wrong. You can wipe out track 0 on your own, but you still have a device like /dev/sda. The controller does not care about the contents of the disc.

The only thing which might be possible is that a virus was able to overwrite the firmware of the controller. But this is totally useless. In the first place, there are way too many different hard discs out there; nobody would make such an effort for nothing (the computer is useless afterwards).

It is more likely an electrical issue. You could try connecting the disc to another computer. Or you have an identical hard disc somewhere, which works, and exchange the PCB.
 
Old 06-17-2018, 09:53 AM   #8
AwesomeMachine
LQ Guru
 
Registered: Jan 2005
Location: USA and Italy
Distribution: Debian testing/sid; OpenSuSE; Fedora; Mint
Posts: 5,513

The OP seems pretty knowledgeable, so this might work: https://www.hdat2.com/ It communicates directly with the hard drive.
 
Old 06-20-2018, 07:37 PM   #9
linuxshekar
LQ Newbie
 
Registered: Jun 2018
Posts: 3

Original Poster
SATA hard disk data recovery

Quote:
Originally Posted by Poison Nuke
That is wrong. You can wipe out track 0 on your own, but you still have a device like /dev/sda. The controller does not care about the contents of the disc.

The only thing which might be possible is that a virus was able to overwrite the firmware of the controller. But this is totally useless. In the first place, there are way too many different hard discs out there; nobody would make such an effort for nothing (the computer is useless afterwards).

It is more likely an electrical issue. You could try connecting the disc to another computer. Or you have an identical hard disc somewhere, which works, and exchange the PCB.
====================
YES, I totally agree with what you say.
I have tried with all software tools, experimenting even with a USB enclosure.
MBR (track 0) is gone bad OR controller is hacked/gone bad.
Even the BIOS routines fail to detect it.

Replacing with the matching controller is the option I am currently looking into.

Another idea is to connect the disk to a development kit and directly
talk to the disk controller.
Any suggestions for embedded dev kits?

MY ONLY contention is to get back the DATA however.

Thanks
Shekar
 
Old 06-20-2018, 11:28 PM   #10
AwesomeMachine
LQ Guru
 
Registered: Jan 2005
Location: USA and Italy
Distribution: Debian testing/sid; OpenSuSE; Fedora; Mint
Posts: 5,513

At this point I would recommend a professional recovery service. Swapping controller boards seldom works. You generally need boards manufactured within a week of each other. Manufacturers are constantly tweaking the firmware to accommodate changing specifications of the components involved.
 
Old 06-25-2018, 04:01 PM   #11
X-LFS-2010
Member
 
Registered: Apr 2016
Posts: 382

I got a virus infected Windows 10 laptop SATA hard disk

"pics or it didn't happen". how do we know you know it's infected? you could have a bad cable. you could have broken a pin on a connector or slit a line on your mb.

go to the manufacturer's website. they probably have a diagnostic tool (likely for Windows 8 / Windows 10 only) that will see the drive if it's connected.

if it's not connected you have bad wires or a toasted controller. a toasted controller would be rare. you can replace one yourself but i'd rather say send it to the mfg.

OR

if it is, either wipe the drive (incl sector 0) and then update its bios and reload your stuff, or send it back to the manufacturer and let them help you (may not be worth the $$ shipping, but they'll do it). linux is not "going to fix that", linux is not shipped with a binary blob you would need.

Last edited by X-LFS-2010; 06-25-2018 at 04:11 PM.
 
Old 06-25-2018, 04:09 PM   #12
Poison Nuke
Member
 
Registered: Aug 2012
Location: Germany
Posts: 40

Quote:
Originally Posted by X-LFS-2010
if it is, either update its bios or send it back to the manufacturer. linux is not "going to fix that", linux is not shipped with a binary blob you would need.

You can boot Linux from a read-only storage. That is as close as possible to "binary blob". So yes, Linux CAN fix that. You can even start another Windows in a virtual machine from that read-only storage. If you know what you do, you can do absolutely _everything_ that is possible to do with a computer. At least more easily than with Win or Mac.

If the virus was really able to infect the firmware of the disk, then of course you need a firmware update, but in most cases you can ask the support of the manufacturer to get a new firmware and flash it.
 
Old 06-25-2018, 04:11 PM   #13
X-LFS-2010
Member
 
Registered: Apr 2016
Posts: 382

.......xxxx delme
 
Old 06-25-2018, 08:21 PM   #14
jlinkels
LQ Guru
 
Registered: Oct 2003
Location: Bonaire, Leeuwarden
Distribution: Debian /Jessie/Stretch/Sid, Linux Mint DE
Posts: 5,187

It is pretty simple. Put the hard disk in a USB enclosure. Connect to a known good Linux laptop. Run tail -f /var/log/syslog while plugging.

If it shows up as sdx you can continue using various tools. If it does not show up as /dev/sdx the drive is defective. It doesn't say a thing that the drive is spinning. 9 out of 10 defective hard disks spin.

Very basic troubleshooting and elimination of causes. Forget about viruses and viruses overwriting firmware as long as you have not done basic troubleshooting.

jlinkels
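
The kernel-log check suggested in posts #4 and #14, as an added example that is not part of any poster's reply: it reads the messages logged while the drive is plugged in and reports how far detection got. The function name `classify_attach` and the `SAMPLE_*` log excerpts are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: classify kernel log lines captured while plugging in a drive.
# classify_attach and the SAMPLE_* logs are constructed for illustration.

classify_attach() {
    # Reads kernel log lines on stdin, prints one verdict line.
    awk '
        /new .*USB device number/        { seen = 1 }   # USB bridge enumerated
        /SATA link up/                   { seen = 1 }   # SATA link negotiated
        /SATA link down|COMRESET failed/ { nolink = 1 } # link not established
        /I\/O error|failed to IDENTIFY/  { err = 1 }    # drive answered badly
        /\[sd[a-z]+\] Attached SCSI disk/ {
            match($0, /\[sd[a-z]+\]/)
            dev = substr($0, RSTART + 1, RLENGTH - 2)   # strip the brackets
        }
        END {
            if (dev != "" && err) print "attached-with-errors /dev/" dev
            else if (dev != "")   print "attached /dev/" dev
            else if (nolink)      print "no-link"
            else if (seen)        print "enumerated-no-disk"
            else                  print "nothing-seen"
        }'
}

# Constructed sample: enclosure and drive both answer, block device created.
SAMPLE_OK='[Thu Jun  7 18:40:01 2018] usb 1-1: new high-speed USB device number 5 using ehci-pci
[Thu Jun  7 18:40:02 2018] scsi host6: usb-storage 1-1:1.0
[Thu Jun  7 18:40:03 2018] sd 6:0:0:0: [sdb] Attached SCSI disk'

# Constructed sample: the enclosure enumerates, the drive behind it never does.
SAMPLE_BRIDGE_ONLY='[Thu Jun  7 18:40:01 2018] usb 1-1: new high-speed USB device number 5 using ehci-pci
[Thu Jun  7 18:40:02 2018] scsi host6: usb-storage 1-1:1.0'

# Constructed sample: direct SATA connection, port reports no device.
SAMPLE_NOLINK='[Thu Jun  7 18:41:10 2018] ata3: SATA link down (SStatus 0 SControl 300)'

for s in "$SAMPLE_OK" "$SAMPLE_BRIDGE_ONLY" "$SAMPLE_NOLINK"; do
    printf '%s\n' "$s" | classify_attach
done

# Live use, right after plugging the drive in:
#   dmesg -T | tail -n 50 | classify_attach
```

Only an `attached` verdict means a `/dev/sdX` node exists for imaging tools such as ddrescue to read from; the other verdicts mean the kernel never got a usable disk behind the port or enclosure.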
 
  

