[aklug] Re: Wife's hard drive is failing

From: Leif Sawyer <lsawyer@gci.com>
Date: Mon Nov 26 2012 - 09:16:40 AKST

Just to be nit-picky, my example pulled the first 2MB of data off the disk, which should be enough data.

If you only pulled 1KB, you don't have nearly enough for even a good partition table with headers.

From: aklug-bounce@aklug.org [mailto:aklug-bounce@aklug.org] On Behalf Of David Prentice
Sent: Monday, November 26, 2012 8:42 AM
Cc: aklug@aklug.org
Subject: [aklug] Re: Wife's hard drive is failing

I tried Leif's technique to recover the partition table and I got a file out of it, but when I tried to sift the data out of it (which I may have been doing wrong) the most readable/interpretable data in the mess wound up being error messages that the partition table was bad. It is possible that 1024 bytes was not a large enough sample and that I was just getting the dummy RAID header. Since the drive has only ever been used as a single drive, not part of an actual RAID, I suspect that the RAID header is just dummy filler.

When I was continuing to try to work with the drive, it started giving me a "clacking" head rattle. A death rattle, which reminded me of the clacking of a brown bear's jaw when it is really pissed off. Not that I've had CLOSE experience with that, mind you. But the comparison seems valid.

At that point I quit working on the bad drive. I had everyone who uses the computer SWEAR to me that there is NOTHING on the drive worth recovering "except some pictures". By which I mean several gigs of photo albums that my wife left there. Probably in folders on her desktop. The kids save almost all of their homework to Google Drive or my Dropbox. They all get gold stars for that. If I ignore the picture albums, all that is left to recover would be savegame files.

With that settled, I've set the bad drive aside. I'd like to bring it by on a Friday to see if anyone has any forensic recovery tricks, but at this point I think that is just an academic exercise. The drive may have a little life left in it, but I'm not very hopeful.

Suddenly, at home, everyone is very interested in where their data is saved and how often it is backed up. My 11yo son wants to know if we can store his Minecraft savegame directory in the Dropbox folder.

Anyone interested in an exercise in forensic data recovery on a Friday?

On Mon, Nov 19, 2012 at 12:19 AM, <bryanm@acsalaska.net> wrote:
On Sun, November 18, 2012 6:44 pm, Leif Sawyer wrote:
> Use dd to grab the first meg or so of the drive, and put the resulting file on
> a usb key or different drive, so you're not exercising the failed drive during
> the next process.
>
> Use dd on the extracted file to search for a partition table, using seek to
> skip ahead in the file 1 byte at a time until you find the correct offset.
>
> Then you can dd the failing drive into a new drive, skipping ahead that
> offset, so that the partition table is written correctly on the new drive.
>
> I've done this with a couple of failed raid'd drives, and it has worked for
> me.

There is a utility called binwalk:
https://code.google.com/p/binwalk/

that will do the stepping-through for you, so you don't have to
manually increment the seek. I haven't used it personally, but
it's a great idea.

--
Bryan Medsker
bryanm@acsalaska.net
---------
To unsubscribe, send email to <aklug-request@aklug.org>
with 'unsubscribe' in the message body.
Received on Mon Nov 26 09:17:16 2012
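
The offset search discussed in this thread (pull the first 2MB with dd, then step through the extracted file until a partition table turns up), as an added example that is not code from any poster or from binwalk. It assumes a classic MBR layout (four 16-byte entries at byte 446, signature 0x55 0xAA at byte 510); the function names and the sample image are constructed for illustration.

```python
import struct

SECTOR, TABLE_OFF, SIG_OFF = 512, 446, 510   # classic MBR layout (assumed)
SIGNATURE = b"\x55\xaa"

def parse_entries(sector):
    """Return non-empty partition entries of a candidate MBR sector, or None."""
    if sector[SIG_OFF:SIG_OFF + 2] != SIGNATURE:
        return None
    entries = []
    for i in range(4):
        raw = sector[TABLE_OFF + 16 * i:TABLE_OFF + 16 * (i + 1)]
        status, ptype = raw[0], raw[4]
        lba_start, sectors = struct.unpack_from("<II", raw, 8)
        if status not in (0x00, 0x80):        # only "inactive" or "bootable" are valid
            return None
        if ptype == 0x00:                     # unused slot
            continue
        if sectors == 0:                      # a used slot must have a size
            return None
        entries.append((i, status == 0x80, ptype, lba_start, sectors))
    return entries or None

def find_partition_tables(image):
    """Return [(byte_offset, entries)] for every plausible MBR in image."""
    hits = []
    pos = image.find(SIGNATURE)
    while pos != -1:
        start = pos - SIG_OFF                 # where the sector would begin
        if start >= 0:
            entries = parse_entries(image[start:start + SECTOR])
            if entries:
                hits.append((start, entries))
        pos = image.find(SIGNATURE, pos + 1)
    return hits

def build_sample():
    """Constructed image: 1024 bytes of filler with a decoy signature, then one MBR."""
    filler = bytearray(b"\xff" * 1024)
    filler[700:702] = SIGNATURE               # decoy: signature with garbage before it
    mbr = bytearray(SECTOR)
    mbr[TABLE_OFF:TABLE_OFF + 16] = struct.pack(
        "<B3sB3sII", 0x80, b"\0\0\0", 0x83, b"\0\0\0", 2048, 409600)
    mbr[SIG_OFF:] = SIGNATURE
    return bytes(filler + mbr + bytes(2048))

if __name__ == "__main__":
    for offset, entries in find_partition_tables(build_sample()):
        print(f"candidate partition table at byte offset {offset}: {entries}")
```

Run it against the file dd produced, not the failing drive itself; a 1KB sample like the constructed filler here would end before the table is reached.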

This archive was generated by hypermail 2.1.8 : Mon Nov 26 2012 - 09:17:16 AKST