Advice needed: data recovery from NTFS disk using ddrescue and Ubuntu
Hello everybody out there in Lunix land.
Before getting to my need for advice, a quick introduction as this is my first post. Back in the late 80s and early 90s when I was doing my PhD (Artificial Intelligence) I made ends meet by working as a sysop on Solaris machines. I'm afraid, however, that I have no Linux experience. Not having much time to delve into innards for years, it's been easier to struggle along with Windoz.
Anyway, my problem: In May of this year my external USB drive (a Lacie 250GB) suddenly stopped working. The last time I'd backed up data on it was at the end of 2005, so I nearly killed myself. If memory serves, there was about 150GB of data on the drive (give or take 20GB), almost all raw camera files. I removed the drive from the enclosure and found it was a Maxtor 7Y250PO (Maxline Plus II ATA-133). I tried connecting directly to an IDE cable but smartdrive reported a failing attribute 05. I immediately disconnected the drive, put it in a ziplock bag, and stuck it in the freezer.
Then I began my research. Although various utilities such as Spinrite and GetDataBack would be useful on a corrupt drive, I quickly came to the conclusion that for a hardware failing drive the best control seemed to come from a GNU utility called ddrescue by Antonio Diaz. Not knowing much about the different distribs, I looked for LiveCDs and found Ubuntu. I used it to make an install onto my desktop. This machine has a 40GB SATA primary drive, and so I created a 10GB partition during Ubuntu installation for the system, plus there is another 479MB partition that was also created (scratch space?). Grub boots by default to Ubuntu (I'd rather default boot to Windows as this machine is my server driving printers, fax machines, VOIP phones, etc.) but I'll figure that out later.
Unfortunately, at that point I had an accident and spent the next 2 months in hospital. This week is the first time I've been physically able to go up a flight of stairs and get to my server. So, I'm now ready to continue where I left off.
I have a Seagate Barracuda 7200.10 320GB SATA drive that has never been formatted that I figure on using as the target drive for the image from the dying drive. I've opened the case of the computer and I'm planning on using ddrescue in spurts while keeping the failing drive sitting on ice packs with a huge fan blowing across it. Anytime it seems to be heating up or failing I'll blonk it back into the freezer for a few hours (although I'm worried about power surges at start up, so I'd rather minimize this by swapping out ice packs as needed). Once I've pulled whatever I can from the Maxtor to the Seagate, I can use GetDataBack or spinrite to try to recover the files (there's a utility in perl that turns a ddrescue logfile into a dos .bat file of spinrite commands, even!).
Where I need advice, however, is around Ubuntu and ddrescue, since I'm a Linux newbie. I've not installed ddrescue yet, but I have downloaded version 1.2. Is there anything special I should look out for while installing it on Ubuntu? While surfing I found an article on toad .com (sorry, as it's my first post I can't post URLs, do a goggle on ddrescue, kernel and toad) which mentions that kernel logging of error messages slows things down considerably. It gives a way of stopping fsync on each log message. I'm not sure if this is specific to RedHat or if it applies to Ubuntu as well, and if so, if the instructions are valid. Am I missing anything? Does anyone have any other advice?
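
Since the plan above is to run ddrescue in spurts, the logfile it keeps is what records how far each session got. The following is an added example, not part of the original post: it totals the bytes in each state from a logfile, using the status characters listed in the GNU ddrescue manual (current releases call this file the mapfile); the sample logfile is constructed.

```python
# Status characters of the block list, as listed in the GNU ddrescue manual.
STATUS = {"?": "non-tried", "*": "failed, non-trimmed",
          "/": "failed, non-scraped", "-": "bad sector(s)", "+": "rescued"}

# Constructed sample for illustration, not output from the drive in this thread.
SAMPLE_LOG = """\
# current_pos  current_status
0x00A00000     ?
#      pos        size  status
0x00000000  0x00800000  +
0x00800000  0x00000200  -
0x00800200  0x001FFE00  +
0x00A00000  0x00001000  /
0x00A01000  0x005FF000  ?
"""

def parse_logfile(text):
    """Return (current_pos, current_status, [(pos, size, status), ...])."""
    current, blocks = None, []
    for raw in text.splitlines():
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue
        if current is None:
            # First data line is the status line; extra fields are ignored.
            current = (int(fields[0], 16), fields[1])
        elif len(fields) == 3 and fields[2] in STATUS:
            blocks.append((int(fields[0], 16), int(fields[1], 16), fields[2]))
        else:
            raise ValueError(f"unexpected line in logfile: {raw!r}")
    if current is None:
        raise ValueError("no status line found")
    return current[0], current[1], blocks

def summarise(blocks):
    """Sum bytes per status and refuse a block list with gaps or overlaps."""
    totals = {name: 0 for name in STATUS.values()}
    expected = blocks[0][0] if blocks else 0
    for pos, size, status in blocks:
        if pos != expected:
            raise ValueError(f"gap or overlap at {pos:#x}")
        totals[STATUS[status]] += size
        expected = pos + size
    return totals

if __name__ == "__main__":
    _, _, sample_blocks = parse_logfile(SAMPLE_LOG)
    for name, size in summarise(sample_blocks).items():
        print(f"{name:22s}{size:>12d} bytes")
```

Run between sessions, the "rescued" and "non-tried" totals show whether the last spurt made progress before the drive goes back on ice.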
Quote:
so you do not erase something by error.
You may want to consider Trinity Rescue Kit (I think it has ddrescue built in, although I cannot find the info on their website): http://trinityhome.org/Home/index.ph...=1&front_id=12
Worth a look as well: http://www.cgsecurity.org/wiki/TestDisk
Maybe also helix or the coroner's kit (maybe maybe, not sure): http://www.e-fense.com/helix/
Anyway, looks like you have looked quite a bit into the issue.
My advice would be maybe fiddle with Linux for 1 week or 2 before doing the rescue.
Quote:
Quote:
just edit /boot/grub/menu.lst
Quote:
Quote:
see option noatime (use command man fstab for more info)
Good luck
PS: not a specialist of data recovery, but would be very interested to know how things go for you. Anyway, welcome to LQ.
PS: I quoted Trinity because of NTFS support, but you should be aware that Linux is beta for NTFS, see the ntfs project. This does not matter for ddrescue.
Hello there and welcome to LQ, hope you like it here.
This week is the first time I've been physically able to go up a flight of stairs and get to my server.
Congratulations!
I've opened the case of the computer and I'm planning on using ddrescue in spurts while keeping the failing drive sitting on ice packs with a huge fan blowing across it. Anytime it seems to be heating up or failing I'll blonk it back into the freezer for a few hours (although I'm worried about power surges at start up, so I'd rather minimize this by swapping out ice packs as needed).
As far as I know the theory behind the freezer method (or urban legend, depends on how you look at it) is that metal parts have different heat dissipation qualities, so when you freeze the drive, parts that are stuck (are supposed to) shrink unequally and have a chance to settle and get unstuck. While drives in general operate "better" (longer, as in Mean Time Between Failure) at moderate temperatures, this method obviously only works if some parts are stuck. If you power on the drive and you hear repeated ticking noises (head trying to re-align itself) you most likely are looking at a different type of failure. Just my experiences.
I've not installed ddrescue yet, but I have downloaded version 1.2. Is there anything special I should look out for while installing it on Ubuntu?
Installing ddrescue from source should be no problem provided you have the compiler and dependencies installed.
stopping fsync on each log message. I'm not sure if this is specific to RedHat or if it applies to Ubuntu as well, and if so, if the instructions are valid.
As far as I can see it's distro-agnostic Syslog (syslogd/klogd) info, and (temporarily) changing config should not be a problem. If you run Syslog-NewGeneration though you may need to read the man page for equivalent options.
Am I missing anything? Does anyone have any other advice?
I don't see anything missing.
There are some things you could do to make for a smoother (or less error prone) ride, like:
- doing a dry-run with another disk. Practice doesn't really make perfect but at least you've got a chance of ironing out any wrinkles, get an idea of process time, etc, etc,
- dropping to runlevel 1 before the actual dd (only if you're comfortable enough with the commandline). This way no resources are hogged by the Desktop Environment and no users, network connections or scheduled jobs can interfere with the main process,
- making sure you have enough room for logging.
Once ddrescue has run you should make a backup of the backup (preferably on read-only media) so you always have an untainted copy if something goes awry.
Good luck!
Quote:
and linear expansion can you also consider clean-room + specialist recovery company Quote:
slowly to help heads to come to position. Might help. No personal experience. Quote:
Depending on whether this is worth the risk you may or may not want to use smartmontools to diagnose the error. Saying that, I believe the more you read the drive the more you may endanger your data.
You may want to disable/enable smartd (as root):
service smartd stop
I do not know but imagine Ubuntu has it running by default?
thanks a million for the replies
Thanks to both emmanuel_uk and unspawn for the replies and really useful information.
I may well fiddle a bit with Linux and do a dry run at runlevel 1 before hitting the real thing. If I dry run with the unformatted target drive, do I need to do anything to it before the real run to put it back into a pristine state or will the image write over it?
I will, of course, do a detailed report on whatever I get as a final result (even if only to say the drive died completely after 12 seconds and subsequently set fire to my house :D ).
On the freezer method, yes the idea is based on contraction, but once you take it out it's a good idea to keep it running as cold as possible as heat build up can cause expansion which can result in immediate head crash (well, that's the theory).
Thanks again!
If I dry run with the unformatted target drive, do I need to do anything to it before the real run to put it back into a pristine state or will the image write over it?
I'd zero out the drive just in case. "dd if=/dev/zero of=/dev/hdb" for example if it's the second IDE HD.
It would be interesting to know what the backup will result in and if GNU/Linux FOSS tools for recovery can help, we do have some. Since you didn't mention (or I didn't read) the FS, here's a short list:
Rescue tools for files on ext2, ext3, NTFS, FAT:
- Foremost: http://foremost.sourceforge.net/foremost.html
- Magic Rescue: http://jbj.rapanden.dk/magicrescue/
- The Sleuth Kit: http://www.sleuthkit.org/sleuthkit/
Rescue tools for FAT:
- Fatback: http://prdownloads.sourceforge.net/b...ack-1.3.tar.gz
Rescue tools for NTFS:
- NTFSUndelete (part of ntfsprogs): http://man.linux-ntfs.org/
Quote:
Given that we are talking about a 250GB drive with upwards of 150GB of data, I'm not going to go mad on trying multiple approaches to data recovery. I'd like to recover the data, but not to the extreme of having to restore that big an image a dozen times :). I'm going to read over the various links that yourself and emmanuel_uk have posted and reflect a bit before deciding on next steps. Thanks again for your help.
afzal_b you are welcome
(it always astonishes me how much mods know, I suppose that is why they are mods)
We forgot to mention hdparm, which allows you to tune "HD speed", that is DMA mode etc. Plenty of doc on the web: http://gentoo-wiki.com/HOWTO_Use_hdp...ce_performance
Quote:
depending how fast the utilities are, or you may want to be very conservative. Anyway, to use with care. Some distros tune HDs automatically (mostly when installed, so if you are going to use a live CD, hum especially, maybe some will try to set DMA mode to ATA100 directly, some use the most cautious approach and do no tuning). Have some thoughts (dry runs) maybe about this one as well.
PS: Helix has got at least:
- sleuthkit
- autopsy (Web front-end to sleuthkit)
- foremost
- a dd version http://dcfldd.sourceforge.net/
I know ddrescue is good at dealing with read errors; I do not know if dcfldd can do the same.
You need to choose between pushing the HD or not depending how fast the utilities are, or you may want to be very conservative.
My approach would be to eliminate as many bottlenecks as safely possible and take care to not introduce new ones. For the 'victim drive' I would stay with defaults as much as possible.
(it always astonishes me how much mods know, I suppose that is why they are mods)
Each mod has her/his strengths, but knowledge is not the only nor prime criterion Jeremy uses to choose moderators. Since I'm one of the LQ-sec moderators, experience with forensics is a necessity.
I should have mentioned earlier the 'victim drive' should always be mounted read-only to keep the system from trying to "correct" stuff. Be careful of any automounting mechanisms.
TCT/Sleuthkit are toolkits I generally would recommend only as a last choice before paying for Clean Room Ops. While not impossible to use, they are forensic toolkits, which means the learning curve is steep, you really must practice before using it, and even then nobody sane will give any guarantees wrt ROI.
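
The read-only and automount advice in the post above can be turned into a check to run before each imaging session. This is an added example, not code from the thread: the device names /dev/hda (failing source) and /dev/sdb (target) and the sample mount table are assumptions, constructed for illustration.

```python
import re

# Constructed sample in /proc/mounts format; all device names are assumptions.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext3 rw,errors=remount-ro 0 0
proc /proc proc rw 0 0
/dev/hda1 /media/LACIE ntfs ro,nosuid,nodev 0 0
/dev/hda5 /media/disk vfat rw,nosuid,nodev 0 0
/dev/sdb1 /mnt/target ext3 rw 0 0
"""


def mounts_on(mounts_text, disk):
    """Return [(device, mountpoint, options)] for disk and its partitions."""
    pattern = re.compile(re.escape(disk) + r"\d*$")
    found = []
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and pattern.match(fields[0]):
            found.append((fields[0], fields[1], set(fields[3].split(","))))
    return found


def preflight(mounts_text, source, target):
    """List reasons not to start imaging; an empty list means go ahead."""
    problems = []
    # An automounter may have mounted a source partition read-write.
    for dev, where, opts in mounts_on(mounts_text, source):
        if "rw" in opts:
            problems.append(f"source {dev} is mounted read-write on {where}")
    # The target is written as a raw device, so it must not be mounted at all.
    for dev, where, _ in mounts_on(mounts_text, target):
        problems.append(f"target {dev} is mounted on {where}")
    return problems


if __name__ == "__main__":
    # On a live system, pass open("/proc/mounts").read() instead of the sample.
    for problem in preflight(SAMPLE_MOUNTS, "/dev/hda", "/dev/sdb"):
        print("STOP:", problem)
```

The match is by device name only, so a mount listed under a different name for the same disk would not be caught.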
Quote:
And the advice to minimize unwanted activity was good. I had problems copying a flaky drive and when I removed network and DSL activity from interrupting it I had better luck. The closer you can let it have its undivided attention focused to copying the drive only, the better off you are. Good luck.