Recovering lost files

There’s an article at that gives a good overview of using testdisk and PhotoRec. Testdisk should be able to recover at the partition level and PhotoRec should be able to just pull the files out of a damaged partition. Truth is Hard drives fail in a number of different ways and some of those can give the same error messages. Not too long ago my brother had a laptop hard drive failure, it gave a “no partition found” kind of error message. We talked about a utility such as ghost4linux (g4l) which includes dd_rescue which does a remarkable job with failing disks.

However, I was out of town at the time and by the time I was back he had sent it to a data recovery company. It turns out that it was just as well, the read write head had actually fallen off. He said occasionally it would boot and the drive geometry was visible and correct, but realistically there was no way that data could have been recovered short of rebuilding the drive, which is what the data recovery company did.

Anyway, a week or so back, I had a call from a customer that had a similar problem. The laptop wouldn’t boot suddenly. They had already bought a replacement laptop by the time they called me, but they needed the information off the drive, it had not been recently backed up. I booted up the laptop and saw the “partition not found” or “no partition found” (at this point I don’t recall the exact wording.) I loaded the bios configuration and saw the drive was detected and thought this was a good sign. I took the laptop with me and got to work.

I first removed the drive and plugged it into an external adapter. Controller failure was my first suspicion. So, I plugged the usb adapter into my desktop and it saw /dev/sda show up, but no partitions found (no /dev/sda1)… hmmmm. Ok, this reinforces the no partition found message. So, I start looking around for software that can fix a partition table. gpart and the above mentioned testdisk come to the top of my search. I used gpart, at first very cautiously…. From the description of the software it can guess partition information from the data on the disk in the even you’re partition table is either missing or damaged. In this case, it found one 76GB NTFS partition which was the one I was hoping to see.

The fact that gpart saw this confirmed that the disk was likely ok, we just had a damaged partition table. After doing a test run where gpart reads the information and doesn’t write it, I got up the nerve to write the partition table back to the disk. After this, my desktop saw not only /dev/sda but /dev/sda1 as well and I was able to mount and browse the partition. All the files seemed intact.

I then went about cloning the disc with g4l (ghost4linux) running in dd_rescue mode (just in case). It turns out there were no read problems during the entire process. The only background I have as to what preceeded this “failure” was that they were in process of changing firewall exceptions for a specific program. It’s not clear if Windows crashed during this changing of settings, or if the reboot was merely required to complete the process. When they attempted to reboot, that’s when things failed to come back up.

One thing that you might take away from this, is that although it may seem that you’re data is gone/unreachable….. doesn’t mean that it really is. If you’re getting rid of a machine (even one that’s drive seems to have died). It’s worth trying to be REALLY sure and using something like DBAN (Dariks’ Boot and Nuke) which I’ve referred to several times.

   Send article as PDF   

Similar Posts