1

This is an HP 15 computer running Windows 10 and its internal HDD is failing/dead, I believe physically. It hasn't started making unusual sounds/clicks, and it doesn't seem a major head crash has occurred, just physical bad sectors; I don't want to try booting to it and just want to rescue the files.

It went from working fine to randomly shutting down and restarting overnight, and for a while I could get to the desktop; a few boots after that, I could get to Windows recovery, and at one point, I ran chkdsk /r /i; there were a large number of "file segment unreadable" bad sector records; it corrected a bunch of things, but after about a day, it seemed to hang and wouldn't even show progress any more, so I had to shut down. After that I couldn't even get Windows System Recovery Options to appear; past this point it always booted to a black screen and I can only get to BIOS.

Booting from a Linux USB and running fdisk -l lists these partitions:

  • 1 - Windows recovery environment
  • 2 - EFI system
  • 3 - Microsoft reserved
  • 4 - Microsoft basic data (~450 GB)
  • 5 - Windows recovery environment
  • 6 - Microsoft basic data

All partitions except 3 and 4 (which has the data) mount; #4 fails with error:

ntfs_attr_pread_i: ntfs_pread failed: Input/output error
Failed to read NTFS $Bitmap: Input/output error
NTFS is either inconsistent, or there is a hardware fault, or it's a SoftRAID/FakeRAID hardware.

It then recommends running chkdsk /f and booting to Windows, but I'm worried about chkdsk being too dangerous to run. Every read/write cycle has the potential to cause further damage, so my hope is to use ddrescue to clone to an external HDD.

However, the important files are very few in number and probably under 50-100 MB in total. However I don't know exactly where they are (but it should be obvious subfolders of Desktop/My Documents and such), and can't access the filesystem to locate it as it's corrupt and don't know how to see the folder structure.

So this is my question.

Is it still safest to use ddrescue to image the whole drive, or is there a way to get just the small amount of data I need without causing too much damage despite the damaged file system?

Is there anything else I should do, or any free utility I could use to make this safer or get more information about the state of the hard drive?

I'm trying to minimize the number of read/write cycles because it seems like a situation where each attempt causes more potential damage. I've never used Linux before and don't know anything about commands or parameters and any even "obvious" advice would be helpful to me (I have very very little computer knowledge so I apologize if this question is unfit for superuser.)

Hogstrom
  • 1,587

2 Answers

0

In a situation like this one of my prime rules would be there should be zero write cycles. Faced with iffy data I would make no attempt to recover anything on the disk. Instead, I would use tools that read the disk and write the data out elsewhere.

I have never had to recover files from damaged media; every recovery I have ever done has involved blown up control data (partition table, RAID arrays etc.). That being said, I've had the best success with R-Tools. I have yet to find anything that stumped it, even drives that other programs swore there was nothing there. Note that it has a demo version for download that will let you see if it can find your data or not. (The only crippling of the demo is that it has a severe limit on the size of files it will actually recover.)

If the structures are intact enough that you can simply go to the files you want and recover them that is what I would do. If there are holes in it you're going to have to scan for your data--and at that point you're reading everything anyway, step #1 should be to make an image and work with that.

(I have no connection to R-Tools other than being a satisfied customer.)

0

> I ran chkdsk /r /i

That was a bad idea. CHKDSK should never be used if there's the slightest suspicion of physical failure. Always check the SMART status first.

> However, the important files are very few in number and probably under 50-100 MB in total. However I don't know exactly where they are (but it should be obvious subfolders of Desktop/My Documents and such), and can't access the filesystem to locate it as it's corrupt and don't know how to see the folder structure.

This tells you nothing about the actual locations of those files on the HDD.

> Is it still safest to use ddrescue to image the whole drive, or is there a way to get just the small amount of data I need without causing too much damage despite the damaged file system?

The best you can do / could have done with free tools is to run ddru_ntfsbitmap, included in ddr_utility, which can 1) parse the $Bitmap to generate a mapfile for ddrescue so as to only recover the allocated clusters, and also, 2) dump the $MFT. If the $Bitmap file is damaged, 1) won't work, or won't be reliable, but there's still a (small) chance that 2) can work, as the $MFT is usually located much further, around the 3GB mark. Then you'd have to be able to analyze the MFT with a hexadecimal editor, looking for the MFT record of each one of the files you're looking for, so as to get a list of their data runs. Then, with a similar method as this, it should be possible to generate custom targeted ddrescue commands so as to extract only the clusters corresponding to those particular files. Needless to say, this is a seriously challenging task for a regular computer user.

And if the issue of the HDD is related to a weak / failing head (producing a typical pattern of alternating “stripes” of good / bad areas, see the screenshots here or here), it is unlikely that you will get everything you need without getting the drive properly serviced in a specialized data recovery laboratory.


EDIT 20211104:
Regardless of the specific case that was described in the original post, if someone is looking for an answer to the question asked in the title, a solution which is not free but still relatively cheap (compared with a full blown data recovery service from a specialized laboratory) is using HDDSuperClone in combination with DMDE. HDDSuperClone exists in a free version which is pretty much a GUI equivalent of ddrescue, with some enhancements, but this particular feature requires the “pro” license (last time I checked, it was possible to purchase a time-limited license for a one-time-job, for a fraction of the cost of an unrestricted license). The aim is to rely on the filesystem analysis obtained from DMDE to target the corresponding areas of the failing drive and clone only those areas, which is indeed the least damaging option, again provided that the filesystem structures are still perfectly readable. Disclaimer: I have not personally tried that method.

GabrielB
  • 893
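
The data-run step described in the answer above, as an added example that is not part of the original post or of ddr_utility: it decodes the run list of a non-resident $DATA attribute and turns each run into a ddrescue call limited to that byte range. The device path, file names, the 4096-byte cluster size and the sample run bytes are assumptions; positions are relative to the start of the NTFS partition, so the source must be the partition device.

```python
import shlex

def decode_runlist(raw):
    """Decode an NTFS data-run list into (start_cluster, cluster_count) pairs.
    start_cluster is None for a sparse run, which occupies no clusters on disk."""
    runs, pos, lcn = [], 0, 0
    while pos < len(raw) and raw[pos] != 0:          # a 0x00 header ends the list
        len_size, off_size = raw[pos] & 0x0F, raw[pos] >> 4
        pos += 1
        if len_size == 0 or pos + len_size + off_size > len(raw):
            raise ValueError("truncated or corrupt run list")
        count = int.from_bytes(raw[pos:pos + len_size], "little")
        pos += len_size
        if off_size == 0:
            runs.append((None, count))               # sparse: nothing to read
        else:
            # The offset is signed and relative to the previous run's start.
            lcn += int.from_bytes(raw[pos:pos + off_size], "little", signed=True)
            if lcn < 0:
                raise ValueError("run points before the start of the volume")
            runs.append((lcn, count))
            pos += off_size
    return runs

def ddrescue_commands(runs, cluster_size, source, image, mapfile):
    """One ddrescue call per on-disk run; -i is the input position and -s the
    size, both in bytes. Without -o the output position equals -i, so each
    run lands at its original position inside the image file."""
    cmds = []
    for lcn, count in runs:
        if lcn is None:
            continue
        cmds.append(" ".join([
            "ddrescue", "-i", str(lcn * cluster_size),
            "-s", str(count * cluster_size),
            shlex.quote(source), shlex.quote(image), shlex.quote(mapfile)]))
    return cmds

# Constructed sample: 8 clusters at LCN 0x100000, then 4 clusters located
# 16 clusters earlier (negative offset), then a 2-cluster sparse run.
SAMPLE_RUNLIST = bytes.fromhex("3108000010" "2104f0ff" "0102" "00")

if __name__ == "__main__":
    runs = decode_runlist(SAMPLE_RUNLIST)
    # /dev/sdX4 is a placeholder for the failing drive's NTFS partition.
    for cmd in ddrescue_commands(runs, 4096, "/dev/sdX4", "part4.img", "part4.map"):
        print(cmd)
```

Reusing one mapfile across the calls lets ddrescue keep a single record of which ranges were read and which failed.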