Recovering an entire disk: which steps to follow?

[Rockz]

Hello,

When preparing a bootable Ubuntu Live USB key from Windows, I made a giant mistake and quick formated a 2TB HDD. I realized it during formating, so I cancelled the operation from the Windows explorer GUI. On this disk was running a 1GB Ubuntu guest in a VirtualBox. I immediately shutdown the PC through the WIndows explorer dedicated functionaliity, then I tried some testdisk on it, then I removed the SATA and power cables from it.

In testdisk 6.2 is told that both MFT and its backup are corrupt

So I'm beeing shipped another copy of the same 2TB HDD tomorrow, and am ready to follow with a third-party software: Zero Assumptions Recovery, GetDataBack For NTFS, as advised in the testdisk documentation.

However, I read that it's safer to clone the faulty HDD first, by using UNIX "dd" sectore cloning for example. I'm knowledged on doing this.

But I need to understand:
- Do recovery softwares write on the faulty disk? I've in mind that they only read it, dynamically build a MFT into RAM, and allow user to copy files to any other safe partitions
- I have a faulty 2TB to recover, and a supposed healthy and blank 2TB to receive the recovered files: If I use a recovery software on the faulty disk, without cloning it on the other disk with "dd", I'll have 2TB free space to receive the recovery
- On the other hand, if I clone the faulty disk on the other one, with "dd", I'll need a third HDD to receive the recovered files, and I don't have a third HDD

Thanks in advance for your inputs, I really have very important work data on this disk, and I'm learning to be cautious as of now I must prepare the recovery process before powering on the disk to recover data from, I can't risk damaging its data more with unrecommended and successive trials.

[cgrenier]

Can you try using TestDisk 6.14 or 7.0-WIP ?

[Rockz]

Hi, thanks for help. Sure, I'll do this in the evening and will be back to you in 2 hours maximum.

By the way, I wrote a mistake in the main topic. I've been using v6.14 until now, DOS version on a Win98 bootable USB. I'm gonna try with the latest 7.0-WIP.

Edit: I just performed the same recovery attempt with v7.0-WIP Win 32 bits, but got no better result: "Advanced --> Boot --> Repair MFT: MFT and mirror are corrupt".

The partition boot sector is OK, as testdisk mentions. In Windows also, the partition still gets mounted at startup, still has the same drive letter and the same partition name. Its contents just appear blank/empty.

I think I won't startup Windows anymore with the disk I'm trying to rescue powered on or SATA-wired: there are installed programs on the drive letter path of this disk, and Windows may try to write to it, which will damage it more. This disk does not contain the bootable/Windows partition, but contains a single 2TB Win-compressed NTFS partition, holding a mix of static files and installed Windows programs/games.

[Rockz]

Hello, I created a bootable USB with a recovery software, tested it, and now have the faulty drive and the new one (initialized as non-GPT, with a single NTFS partition quick formated) both connected as SATA to the motherboard (the clean new disk is SATA slot 1, the faulty one is SATA slot 2). BIOS is all defaults, except SATA AHCI enabled (as opposed to IDE), SATA native enabled (as opposed to Legacy) and SMART enabled. I ran no error checks on the new drive, well I started one from Win7, aborted it and soft-resetted the PC (looked like it would be a 12 hours long operation).

Any advice before I jump in? :p

Edit - 2014-04-14:
Ok, a professional got my data back, using both Zero Assumption Recovery and GetDataBack For NTFS. They both recovered the same in this situation, with important "plus" for GetDataBack:

- In the "Lost Dirs" folder (where the MFT was damaged/cut/broken I guess), GetDataBack found back the original directory structure, only cutting the one or two missing nodes in the absolute file path. On the contrary, ZAR took all found directories, the same ones, but restored them with poor respect of the original path. For example with this files structures:
G:\documents\work\companyname1
G:\documents\work\companyname2
G:\documents\home
--> GetDataBack restores :
[foobar}\work\companyname1
[foobar}\work\companyname2
[foobar}\work\personal
[foobar}\home
--> ZAR restores :
[foobar}\work
[foobar}\companyname1
[foobar}\companyname2
[foobar}\home
So ZAR tends to flatten files paths.

- When I formated my 2TB HDD by mistake, a VirtualBox VM was running. I canceled the WIndows formating process while it was stilml running, then did shutdown Windows immediately the normal way. So the VM got dirty stopped. I had 3 directories for the VM: "VirtualBox VMs", "VirtualBox VMs-bak-0", "VirtualBox VMs-bak-1" (the 2 last ones are manual backups I maintain regularly)
--> GetDataBack restored it fine, that's the main VDI file and its associated snapshots. THis for the main folder and the 2 backups ones. I started back VirtualBox with no probelm, and could see in startup logs that the "/boot" mount point FS was beeing checked, since at last run, I did abort Linux in a dirty way
--> ZAR did the same, but only failed to restore the main VM folder snapshots: those were totally blank files (it's about 2 files, from 500 MB to 10GB, the main VDI file is a fixed 100GB file). The backup folders snapshots were finely restored. Maybe there's a reason to find in the fact that those were the last files in usage when the disk got formated and the machine powered off

Finally, I needed GetDataBack 5 years ago, and today still does not want to change. I will let you know if some backup files are corrupt or not. I did restore all with ZAR, except the VirtualBox VMs in the end. I don't have enough disk space nor time to restore all from GDB this time. I have a bunch of PNG files from GetDataBack GUI, to remind of the folder structures, and recreate it myself by hand from a ZAR restore process. So GDB really lacks some text UTF-8 export process of the MFT files tree. It only allows to save the application state at this step. The ZAR recovery (analysis plus copy) took 24 hours, both disks connected on a different SATA channel, ZAR running from an USB PE Windows XP (made with UBCD4Win; note that such a Windows 7 bootable tool, with win7pre, will fail due to ZAR packaging: "Side-by-side configuration is incorrect" error). I checked the entertainment stuff, like some CDs or DVDs I sent on the HDD: they are finely restored by ZAR.

Last note: Hope you see I'm precise enough not to be a business person or any guy which try to advertise one product over the other. Those are just facts from experience, with documentations read and tools fine-tuned, which could give other results on a different situation.