data recovery using: r-studio, getdataback, nucleus kernel, stellar phoenix
Got a computer that wouldn’t start. Owner says she got a power surge.
The owner desperately wants to recover some accounting data (and if possible email address book and some excel and word documents from my documents). Her 2 sons also ask about their mp3’s.
I say I’ll do my best.
At the office, I see windows xp won’t boot… not even safe mode. I boot bartPE, but viewing the HDD proves near impossible.
I run a chkdsk (hdd is NTFS, and just 20 GB in size), and it finds many bad sectors… it cleans thing up, but then crashes part-way through the process. I try it again, and it gets most of the way through, but seems to freeze just after verifying USN… after 30 minutes, I pull the plug.
I then try my usual trick of plugging the drive into an existing XP system (making sure its set as a slave drive), and boot up… but I get to just after the windows start screen (the one with the moving horizontal bar)… Ie the part where the screen goes black for 1 or 2 seconds… I wait for the logon screen, but the screen just stays blank. The corrupt drive makes seeking noises for a minute or two, then goes quiet.
I try the same thing with a different PC, but get the same result. It looks like a faulty drive attached to an XP system can actually stop XP from booting (even if it boots from a non-faulty drive!)
Using BartPE seems to be the best way to get at the drive.
I figure: its time I got some serious data recovery software. So I try out the 4 that seems to get the best reviews.
Of course, not being able to start XP is my first obstacle. But I install them and take a look anyway.
At first, I like r-studio and getdataback, as they have the option to make an image of the drive/partition, and then work from the image file (thus saving wear and tear on a failing drive).
Nucleus and stellar work directly on the drive, and I suspect are useful when you just want to restore a few files.
I jump back into BartPE, and try running these programs from “bart”.
- Getdataback complains about a missing DLL file… so I give up and try the next one.
- R-studio started creating an image file, but takes 10 second each time it hits a bad sector… so after 1 hour, and less than 1% of the drive imaged (and the drive gets hot and less reliable after 40 minutes), I decide to try the next one.
- Nucleus Kernel Fat and Ntfs : Insists on doing a very long scan of the drive… after 10 minutes and 1% of the drive scanned, I stop and try the next one.
- Stellar Phoenix Recovery Suite has a reasonably fast scan (it scanned the 20GB drive in just 15 minutes). After that I saved the scan info the disk on my own drive, then selected the files to restore (total of about 600Mb), and I managed to copy them to my drive in about 45 minutes… Not very fast, but good enough.
After all this, I decided I need to find something that can image a drive quickly, and that will run with bartPE. I’ll give ghost 8.2 a try, but not sure if it will work with ntfs (nor how fast it is when dealing with bad sectors).
But the important thing is I restored the important data (minus the mp3s… that could have taken many hours of heat-generating, drive-destroying work).
All up, quite time-consuming (and expensive), but the customer is very happy to get her data back.
I get the data back to her (she is very grateful) and give her various options on where to go from here.
She initially wants to buy a new box, but given that upgrading the existing system to a new HDD, some more ram, and a DVDRW, all costs about half of a new system (and I assure her that it will be fast enough for her needs), then she goes for the “upgrade”.
So I install the new parts, install windows xp, install antivir, winpatrol, spywareblaster, nero, run autoPatcher, do some additional tuning, and the “old” system is ready to go (and quite quick too).
Whenever this happens,I don’t even try booting
to run chkdsk, safe mode etc.
Plug the drive straight into another pc and
get an image.The less work the suspect hard drive
has to do the better.
I use a custom PE disc with a few imaging tools
and also a few different Linux bootable forensics discs which can grind out an image ignoring bad sectors,faulty partition tables etc.As you say,XP is not real happy booting with a faulty disc in the system.
The whole key is getting am image before the
suspect drive collapses.
And of course with hard drives increasing in
size constantly, there’s a lot more data to
lose!
Cheers.
Forgot to mention getting an image successfully
allows you the luxury of getting all the data at
your leisure because you are not waiting for the
drive to die.
In the Windows world, Easy Recovery Pro is
the best data recovery software I have.
Lots of options.
Expensive though.
I’ve had some success with chkdsk in the past, but it obviously depends on the kind of failure.
Now that I know there are better alternatives available, I’ll take a look around (at the time, I didn’t have time to do much searching around).
I actually don’t have much time at the moment either, but I’ll eventually evaluate a few more recovery tools (like ERP).
I totaly agree with imaging the drive as quickly as possible, and then working on the image.
Another reason to run imaging software,(depending
on the work you undertake).
I once had a hard drive die unexpectedly while
working on a customer’s pc.
Threatened to sue me and caused a few stressful
times.
Run images and charge the customer.Beats getting
caught with a disaster.
It only happened once,but once is enough!
hmmm, I’ve wondered what I would do if a customers PC had a catastrophic failure of a component while I was working on it.
Yep, If it involves the risk of data loss, then tell the customer the backups will cost extra (I’d say some will take the risk and save some money, others won’t).
Thanks for the tip mate.
Quite a few shops have signs up and/or on the
invoices write:
“We will not be responsible for data loss and all backups are the customer’s responsibility”.
That’s going to get messy if the PC is newish
and wasn’t brought in with hard drive problems.
Especially if the clause is not specifically
signed by the customer.
Any machine used in business,or for important data,I won’t do a thing until I have a
known good image.
Last year I had a 30 day old 80GB totally collapsed. It was replaced under warranty,
but all the data was gone.
Luckily I was only called to diagnose it.
But it could have happened while I was working
on it.
The one disaster has made me a bit paranoid,
but better safe than sorry.
I just tried phoenix, r-studio and getdataback, after a massive problem (1 new hard drive, motherboard and processor) that lost me a 250GB drive. My backup strategy failed. I am going to buy better backup software, and I shall do the reinstalls as a test, to make sure it all works.
GetDataBack was best.
They all worked, but not all worked fully.
Phoenix recovered far too many empty files (eg old version that had been deleted) – could be my fault for not getting settings right. Very simple software, but too simple if you want any power.
R-Studio ok, better than Phoenix… you can get it to do more.
But both had problems above 128GB mark. I had set up a 192 partition and a 64GB partition above it. Only GetDataBack could find the high partition (the 64GB). It missed it at first, but I set up a partial scan starting at the 190GB mark, and it found the lot. All my source code (I am a programmer) – it saved me going back 3 weeks to my monthly CD safety net.
Phoenix simply couldn’t go above 128GB.
R-Studio blue-screened and the machine switched off, once it got above 128GB.
I found your comments here very useful, so I am trying to return the favour, by commenting back. (Even if you did just take us apart in the Ashes.)
Hi Andrew,
Thanks for the comment.
I have since found SelfImage great for making an image of a drive, and then using getdataback to work on the image generated
It sounds like your setup corrupted the 250GB drive… which is a bit different to recovering a drive that was once fine, but has started to break down.
Anyway, glad I could help.
I don’t know anything about cricket. I’m more a soccer guy, but only during the world cup (Viva Italia!!!)