A client came to me with a failing 1 terabyte seagate hard drive and he desparately needed his Chief Architect files to be recovered. Chief Architect is a 3D design tool primarily for the design of houses which my client now did in his retirement , interestingly before he had decided to design homes he was a Professor of Computing.
He was very insistent that he see my data recovery workstation as he he had been to a number of shops , who claimed to do Data Recovery , who had no workstation nor could they explain in any detail what was wrong with the drive. In my experience this is very common, I am a self taught data recovery professional, but it is a very exacting field which can be learned if you pay for expensive tools and expensive courses.
The sorts of equipment you would expect to find at a data recovery shop are displayed in the picture below and from left to right they are ;
A specialsed Hard Drive repair tool for diagnostic and repair purposes , a chip reader for the ROM chips of hard drives and a hot air rework station for the removal and resoldering of the ROM chips used on the electronics of a hard drive.
Upon seeing my Data Recovery workstation , I would put a picture up but it is always messy, I was given the job.
The client had informed that he had a noticed a slowing of his computer and that recently Windows had perfomed a check of the drive as the filesystem had become corrupt.
This is bad news for Data Recovery as if the drive has started to fail and areas on the drive have become unreadable then the CHKDSK program will attempt to reallocate those corrupt blocks to new areas. Often the CHKDSK program decides the block is unreadable and reallocates that block anyway. Why is this bad well if that unreadable block is part of the filesystem , eg the master file table or an NTFS directory block then the system becomes unreliable. and files previously displayed as existing disappear.
A check of the drives SMART status indicated there were numerous CURRENT PENDING SECTOR and REALLOCATED SECTOR COUNT errors. The picture below is of a healthy drive but a drive with the above symptoms is going to fail catastrophically either the magnetic surface is failing or the read/write heads are failing.
Given that the drive was now not booting to Windows but indicating it needed formatting I plugged the drive into my Dolphin Data labs Firmware Repair Tool and I could then ascertain the following
- The health of the drives electronics , sometimes a drive can become unreadable due a failure of the electronics eg the READ AHEAD CACHE if that has failed then each block read will produce a CRC error.
- Does the drive initialise properly that is the heads become ready and the drives firmware can be read. So we check this by making a backup of the drives ROM and firmware modules.
- If the first 2 checkout the a low level scan of the drive is performed sector by sector and this gives us a good idea if its heads or the magnetic surface. The scan indicates in milliseconds the length of time it took to read a particular sector.
Since in this case we could scan the drive the next thing to do is an attempt to clone the failing hard drive to a healthy drive and fortunately we were able to do this although the drive was in such a poor condition that it took 4 days to clone and given. If you have been reading this post closely you may have wondered to yourself how it is that we scan the whole drive , albeit slowly , but the windows CHKDSK program decided that sectors scanned were unreadable. It gets back to the amount of time the chkdsk program will wait before trying to reallocate a sector and the methods scanning programs use to read that same sector
Data recovered to a Healthy Drive
So we have cloned a healthy drive so all is good now we just need to get the data. Well unfortunately no, Windows in it’s infinite wisdom has reallocated blocks belonging to the MFT and or NTFS directory structures during it’s chkdsk process and the healthy drive is unreadable without specialised tools.
If this CHKSDSK process had not occurred and we had the cloned the drive before the CHKDSK process the filesystem would be readable.but Windows makes the assumption the drive is in a fit state when in reality it is not.
We now need to use specialized software to scan the drive sector by sector to hopefully recover the filesystem and for this purpose I use R-STUDIO. With this drive we got parts of the file system back but not the files required.
R-Studio also allows us to do what is called a Raw Recovery and in this mode it scans the drive sector by sector and examines the contents of the sectors looking for signatures that denote the beginning and end of a particular file type. Most file types eg jpg’s , word documents have a signature which allows an experienced recovery professional to identify and the R-Studio to identify a particular file.
A raw recovery only works properly if the sectors of the file are layed out contigously and the file has not expanded greatly in size over time. Pictures eg JPG’s are often recoverable this way as they are rarely edited directly and so are only written once to the .hard drive.
R-Studio has a vast number of file types for which it has premade signatures embeddded within the program. You can find a list of which can be displayed at the following location http://www.r-studio.com/Data_Recovery_File_Types.shtml There will be the odd occasion when R-Studio does not have a premade signature available to perform a raw recovery as I foun d with Chief Architect. Fortunately R-Studio has built in tools allowing recovery professionals to create a signature for an unknown file type.
The picture below is the start of a Chief Architect file , called 9EileenSt.plan as viewed via a hex editor
and the picture below indicates the ending signature and we can enter both the start and end signature of the desired file into R-STUDIO.
Finally after a lengthy process I was able to recover the desired files one of which is shown below much to the clients satisfaction.