Attempting to recover Windows 2TB hard disk, seeing unusual output, seeking advice

calvin76
Posts: 4
Joined: 01 Feb 2020, 15:14

Attempting to recover Windows 2TB hard disk, seeing unusual output, seeking advice

#1 Post by calvin76 »

Hello everyone,

I am really struggling with recovery of a failed 2TB hard drive. Usually testdisk works "turn-key" for me, but not this time, and I'm seeking help from more experienced users who know what's really going on.

The user believes he had a power surge. Windows now says the drive is unreadable, unformatted, etc. - both attached natively and through a USB enclosure. He declined. Drive was attached to a Windows PC.

I cloned the drive to a flat-file disk image using ddrescue. I got 2 TB minus about 24 mb of errors, which I thought was quite encouraging.

That's when the trouble begins.

PATH 1A
-------
As I often do, I created metadata to turn the flat-file into a VMware virtual disk, so I could snapshot, copy, give myself fallback positions, etc.

Testdisk finds all sorts of partitions that don't make sense - too many, too small, and reports they can't be recovered. It also reports the familiar "check the harddisk size: HD jumpers..." message that I've seen before. I also get messages about Invalid FAT boot sectors. I did get a "D FAT16 >32M partition once" but it was not recoverable.

I've tried quick/deeper search, different partition types, but nothing seems to produce anything actionable EXCEPT one instance. The only thing it ever offered to write was a Mac HFS partition from sectors 3906027124 to 3906564063. I feel like this can't be correct. My understanding is that the drive was just one big 2 TB volume.

I have a tiny bit of hesitation because the virtual disk size, despite creating metadata to match, is JUST smaller than the actual disk. I've read here that important information is sometimes at the end, so I'm paranoid about that - should I be?


PATH 1B
-------
I'm using Photorec for the first time. Running it against this disk produces files with extensions I've never heard of (GPG, etc.), and monstrous file sizes - e.g. 6 GB. Ultimately I'm looking for digital photos and videos. Would Photorec behave differently if I excluded all file types except JPG, GIF, etc.? Does specifying them all change its behavior/interpretation of what it sees?


PATH 2
------
I am running ddrescue again onto a physical 2 TB drive, just to have something happening in parallel to my other activities. It is running similarly to the first time. This is in part to mitigate my paranoia about the "end" of the disk from PATH 1A, but also to have a "gold" copy set aside physically in case anything I've done has altered the image file.


At this point, I feel like I'm throwing darts. I've taken incomplete notes and it's totally against my usual, methodical approach. If this scenario looks familiar to someone, any advice would be greatly appreciated.

cgrenier
Site Admin
Posts: 5432
Joined: 18 Feb 2012, 15:08
Location: Le Perreux Sur Marne, France

Re: Attempting to recover Windows 2TB hard disk, seeing unusual output, seeking advice

#2 Post by cgrenier »

Was the disk encrypted using bitlocker/truecrypt/veracrypt/... ?

calvin76
Posts: 4
Joined: 01 Feb 2020, 15:14

Re: Attempting to recover Windows 2TB hard disk, seeing unusual output, seeking advice

#3 Post by calvin76 »

Hello. Thank you for both approving the topic, and replying. I greatly appreciate your expertise.

To the best of the user's knowledge, the drive was not encrypted. Knowing what I do about him, it likely was not. This was just an ordinary home PC. Did something I mentioned in the original post prompt you to ask this?

Since my last post:

- a "photorec" run against the vmware VMDK copy of the disk, looking for JPGs, found nothing

- I have, attached to a PC:
- the original hard disk <-- this is currently ddrescue-ing to an image file on my NAS, just over half done.
- a physical ddrescue-d clone of the original <-- I have not performed any operations on this that could modify it.
- a blank 2TB disk <-- I am currently cloning the previous disk onto this, via dd, to provide a fallback position. It's about 75% complete.

Also worth mentioning: when I said "the user declined" in my original post, I was referring to a prompt to format the unreadable drive.

Thank you again.

recuperation
Posts: 2720
Joined: 04 Jan 2019, 09:48
Location: Hannover, Deutschland (Germany, Allemagne)

Re: Attempting to recover Windows 2TB hard disk, seeing unusual output, seeking advice

#4 Post by recuperation »

calvin76 wrote: 01 Feb 2020, 15:17
> Hello everyone,
>
> I am really struggling with recovery of a failed 2TB hard drive. Usually testdisk works "turn-key" for me, but not this time, and I'm seeking help from more experienced users who know what's really going on.
>
> The user believes he had a power surge.

[1] Why? I don't know how I could come to that conclusion.

> Windows now says the drive is unreadable, unformatted, etc. - both attached natively and through a USB enclosure. He declined.

[2] "He declined." What? Having bitten into the hard drive?

> Drive was attached to a Windows PC.
>
> I cloned the drive to a flat-file disk image using ddrescue. I got 2 TB minus about 24 mb of errors, which I thought was quite encouraging.

[3] "I got 2 TB minus about 24 mb of errors" Usable output or file length?

> That's when the trouble begins.
>
> PATH 1A
> -------
> As I often do, I created metadata to turn the flat-file into a VMware virtual disk, so I could snapshot, copy, give myself fallback positions, etc.
>
> Testdisk finds all sorts of partitions that don't make sense - too many, too small, and reports they can't be recovered. It also reports the familiar "check the harddisk size: HD jumpers..." message that I've seen before. I also get messages about Invalid FAT boot sectors. I did get a "D FAT16 >32M partition once" but it was not recoverable.
>
> I've tried quick/deeper search, different partition types, but nothing seems to produce anything actionable EXCEPT one instance. The only thing it ever offered to write was a Mac HFS partition from sectors 3906027124 to 3906564063. I feel like this can't be correct. My understanding is that the drive was just one big 2 TB volume.
>
> I have a tiny bit of hesitation because the virtual disk size, despite creating metadata to match, is JUST smaller than the actual disk. I've read here that important information is sometimes at the end, so I'm paranoid about that - should I be?

That depends on the length of the recovered file in [3]

> PATH 1B
> -------
> I'm using Photorec for the first time. Running it against this disk produces files with extensions I've never heard of (GPG, etc.), and monstrous file sizes - e.g. 6 GB. Ultimately I'm looking for digital photos and videos. Would Photorec behave differently if I excluded all file types except JPG, GIF, etc.? Does specifying them all change its behavior/interpretation of what it sees?

If I remembered correctly it does because Christophe Grenier recommended to rather have it all checked. This is probably the effect of throwing the clusters of the other files into the game.

> PATH 2
> ------
> I am running ddrescue again onto a physical 2 TB drive,

[4] command parameters? -necessary because of your size issues
[5] testdisk logfile?
[6] ddrescue logfile?

https://www.gnu.org/software/ddrescue/m ... anual.html
[...Ddrescue does not write zeros to the output when it finds bad sectors in the input, and does not truncate the output file if not asked to. So, every time you run it on the same output file, it tries to fill in the gaps without wiping out the data already rescued...] => rescue file may be shortened at the end, logfile will tell

=> lots of missing information => reduced help chances => Christophe Grenier himself only answers once or twice => my knowledge is very limited

calvin76
Posts: 4
Joined: 01 Feb 2020, 15:14

Re: Attempting to recover Windows 2TB hard disk, seeing unusual output, seeking advice

#5 Post by calvin76 »

Hello and thank you.

Regarding your questions:

[1] User did not elaborate on why he suspected a power surge.

[2] "He declined." What? Having bitten into the hard drive? <-- I failed to elaborate in my original post. He declined Windows's suggestion to format the disk when trying a USB enclosure on another PC.

[3] "I got 2 TB minus about 24 mb of errors" Usable output or file length? <-- I was referring to 2 TB "rescued" with "errsize" ~24mb. Resultant image file was only 1.82 TB. Original disk was 2 TB.

[4] command parameters? -necessary because of your size issues <-- Command parameters for both image file creation and disk-to-disk rescue are below.

[5] testdisk logfile? <-- attached
The Testdisk log is from a 2 TB hard drive to which I ddrescue-d the first drive
Command line was simply ddrescue /dev/sda /dev/sdb
I let it run through its first pass, and eventually stopped it after several days

[6] ddrescue logfile? <-- attached
I do not have the original ddrescue log. However, the following is from a re-do, currently about 80% complete. Hopefully what's in there is useful. If not, I can follow up after it finishes, interrupt the process and restart based on advice, etc.


Thank you again. Yours or anyone's expertise is appreciated.
Attachments: ddrescuelog.zip (16.9 KiB), testdisklog.zip (1.26 KiB)

recuperation
Posts: 2720
Joined: 04 Jan 2019, 09:48
Location: Hannover, Deutschland (Germany, Allemagne)

Re: Attempting to recover Windows 2TB hard disk, seeing unusual output, seeking advice

#6 Post by recuperation »

calvin76 wrote: 07 Feb 2020, 05:11
> [3] "I got 2 TB minus about 24 mb of errors" Usable output or file length? <-- I was referring to 2 TB "rescued" with "errsize" ~24mb. Resultant image file was only 1.82 TB. Original disk was 2 TB.
>
> [4] command parameters? -necessary because of your size issues <-- Command parameters for both image file creation and disk-to-disk rescue are below.
>
> [5] testdisk logfile? <-- attached
> The Testdisk log is from a 2 TB hard drive to which I ddrescue-d the first drive
> Command line was simply ddrescue /dev/sda /dev/sdb
> I let it run through its first pass, and eventually stopped it after several days
>
> [6] ddrescue logfile? <-- attached
> I do not have the original ddrescue log. However, the following is from a re-do, currently about 80% complete. Hopefully what's in there is useful. If not, I can follow up after it finishes, interrupt the process and restart based on advice, etc.
>
> Thank you again. Yours or anyone's expertise is appreciated.

If you stop the recovery process you can't expect your target to be as big as the source.
Always use a logfile because it allows you to stop and continue.

You might copy the target to another drive to have a copy to play with and let the recovery process continue to fill up the target drive afterwards.

calvin76
Posts: 4
Joined: 01 Feb 2020, 15:14

Re: Attempting to recover Windows 2TB hard disk, seeing unusual output, seeking advice

#7 Post by calvin76 »

Hello again.

Please help me understand the following:

If the original disk is 2 TB, ddrescue finishes the pass entirely, and has only 24mb of errors, shouldn't I have at least 2 TB minus 24mb of data?

The ddrescue to the image file ran for ~6 days. During this time, the error size dropped from 29mb to 24mb or so. The ddrescue to the physical HDD was ended shortly after the first pass completed.

Are you suggesting that a critical piece of information is in that missing data, and I should let this current ddrescue, in progress to an image file, run even longer? It has nearly completed its initial pass:

[Attached image: rescue.png]

I currently have:
A. the original disk, which is on the bench, being rescued to an image file on a NAS. That process is represented in the image above.
B. a new disk, to which the original disk was dd-rescued on a single pass
C. a second copy of (B)
D. a VMDK file, converted from the original 6-day rescue via metadata creation.

The testdisk log I sent is the experience on both (B) and (D). My concern is that the extra time in the first pass did not reveal any critical data.

Is there value in allowing ddrescue to run for weeks?

Is it possible to perhaps experiment on a copy of this disk by re-creating the partition table in place with what I believe it was? My understanding is that the partition consumed the entire disk. If this has a chance to work, how could I go about it?

Thank you again for your time.

recuperation
Posts: 2720
Joined: 04 Jan 2019, 09:48
Location: Hannover, Deutschland (Germany, Allemagne)

Re: Attempting to recover Windows 2TB hard disk, seeing unusual output, seeking advice

#8 Post by recuperation »

calvin76 wrote: 07 Feb 2020, 19:46
> Hello again.
>
> Please help me understand the following:
>
> If the original disk is 2 TB, ddrescue finishes the pass entirely, and has only 24mb of errors, shouldn't I have at least 2 TB minus 24mb of data?

Which pass?

> Are you suggesting that a critical piece of information is in that missing data, and I should let this current ddrescue, in progress to an image file, run even longer?

This is up to you to decide. You might as well ask me: Is it worth trying a data recovery?

> Is there value in allowing ddrescue to run for weeks?

See above.

> Is it possible to perhaps experiment on a copy of this disk by re-creating the partition table in place with what I believe it was? My understanding is that the partition consumed the entire disk. If this has a chance to work, how could I go about it?

I answered the question already without you even asking it. I gave you a hint what to do.
Read the manual:
https://www.gnu.org/software/ddrescue/m ... anual.html

Read and try to understand your ddrescue logfile. It is not difficult.
Your logfile tells a different story than your screenshot.
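
As an added example (not written by any participant in this thread, and not code from the ddrescue project), the Python code below reads a ddrescue mapfile, the "logfile" discussed above, totals the bytes in each block state and reports where the rescued data ends. The sample mapfile is constructed for a 3907029168-sector disk with 512-byte sectors, the function names are this example's own, and sizes are returned in both decimal TB and binary TiB because tools differ in which one they display.

```python
# Added example: summarise a GNU ddrescue mapfile ("logfile" in the thread).
# SAMPLE_MAP is constructed for a 3907029168-sector disk with 512-byte sectors;
# it is not the attachment from the thread.
SAMPLE_MAP = """\
# Mapfile. Created by GNU ddrescue
# current_pos  current_status  current_pass
0x1A000011000     ?               1
#      pos        size  status
0x00000000     0x1A000000000  +
0x1A000000000  0x00001000     -
0x1A000001000  0x00010000     *
0x1A000011000  0x31C1105000   ?
"""

# Block status characters defined by the ddrescue manual.
STATUS = {"?": "non-tried", "*": "non-trimmed", "/": "non-scraped",
          "-": "bad-sector", "+": "rescued"}

def parse_mapfile(text):
    """Return (current_pos, [(pos, size, status_char), ...])."""
    rows = [ln.split() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]
    if not rows:
        raise ValueError("mapfile has no status line")
    current_pos = int(rows[0][0], 0)      # first data line is the status line
    blocks = []
    for row in rows[1:]:
        pos, size, status = row[:3]
        if status not in STATUS:
            raise ValueError(f"unknown block status {status!r}")
        blocks.append((int(pos, 0), int(size, 0), status))
    return current_pos, blocks

def summarise(blocks):
    """Bytes per status, plus how far the rescued data actually reaches."""
    out = {name: 0 for name in STATUS.values()}
    for _pos, size, status in blocks:
        out[STATUS[status]] += size
    out["extent"] = max((p + s for p, s, _ in blocks), default=0)
    out["last_rescued_end"] = max((p + s for p, s, st in blocks if st == "+"), default=0)
    out["complete"] = out["non-tried"] == out["non-trimmed"] == out["non-scraped"] == 0
    return out

def tb_and_tib(nbytes):
    """Same byte count in decimal TB (10**12) and binary TiB (2**40)."""
    return round(nbytes / 10**12, 2), round(nbytes / 2**40, 2)

if __name__ == "__main__":
    _, blocks = parse_mapfile(SAMPLE_MAP)
    print(summarise(blocks), tb_and_tib(summarise(blocks)["extent"]))
```

A non-zero "non-tried" total with "last_rescued_end" below "extent" means the copy stopped before reaching the end of the source, so an image file written by that run ends early.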
