[aklug] Re: Wife's hard drive is failing

From: David Prentice <ak.prentice@gmail.com>
Date: Mon Nov 26 2012 - 08:42:00 AKST

I tried Leif's technique to recover the partition table and I got a file
out of it, but when I tried to sift the data out of it (which I may have
been doing wrong) the most readable/interpretable data in the mess wound up
being error messages that the partition table was bad. It is possible that
1024 bytes was not a large enough sample and that I was just getting the
dummy RAID header. Since the drive has only ever been used as a single
drive, not part of an actual RAID, I suspect that the raid header is just
dummy filler.

When I was continuing to try to work with the drive, it started giving me a
"clacking" head rattle. A death rattle, which reminded me of the clacking
of a brown bear's jaw when it is really pissed off. Not that I've had CLOSE
experience with that, mind you. But the comparison seems valid.

At that point I quit working on the bad drive. I had everyone who uses the
computer SWEAR to me that there is NOTHING on the drive worth recovering
"except some pictures". By which I mean several gigs of photo albums that
my wife left there. Probably in folders on her desktop. The kids save
almost all of their homework to Google Drive or my Dropbox. They all get
gold stars for that. If I ignore the picture albums, all that is left to
recover would be savegame files.

With that settled, I've set the bad drive aside. I'd like to bring it by on
a Friday to see if anyone has any forensic recovery tricks, but at this
point I think that is just an academic exercise. The drive may have a
little life left in it, but I'm not very hopeful.

Suddenly, at home, everyone is very interested in where their data is saved
and how often it is backed up. My 11yo son wants to know if we can store
his Minecraft savegame directory in the Dropbox folder.

Anyone interested in an exercise in forensic data recovery on a Friday?

On Mon, Nov 19, 2012 at 12:19 AM, <bryanm@acsalaska.net> wrote:

> On Sun, November 18, 2012 6:44 pm, Leif Sawyer wrote:
> > Use dd to grab the first meg or so of the drive, and put the resulting
> file on
> > a usb key or different drive, so your not exercising the failed drive
> during
> > the next process.
> >
> > Use dd on the extracted file to search for a partition table, using seek
> to
> > skip ahead in the file 1 byte at a time until you find the correct
> offset.
> >
> > Then you can dd the failing drive into a new drive, skipping ahead that
> > offset, so that the partition table is written correctly on the new
> drive.
> >
> > I've done this with a couple of failed raid'd drives, and it has worked
> for
> > me.
>
> There is a utility called binwalk:
> https://code.google.com/p/binwalk/
>
> that will do the stepping-through for you, so you don't have to
> manually increment the seek. I haven't used it personally, but
> it's a great idea.
>
> --
> Bryan Medsker
> bryanm@acsalaska.net
>
> ---------
> To unsubscribe, send email to <aklug-request@aklug.org>
> with 'unsubscribe' in the message body.
>
>

---------
To unsubscribe, send email to <aklug-request@aklug.org>
with 'unsubscribe' in the message body.
Received on Mon Nov 26 08:42:30 2012

This archive was generated by hypermail 2.1.8 : Mon Nov 26 2012 - 08:42:30 AKST