Case Study: Data Recovery from a Non-Standard External Hard Disk enclosure.

----Synopsis----

An Acomdata external hard drive failed and its data needed to be recovered.

The device made a high-pitched noise when powered up. It was disassembled and the hard disk was removed.

----Imaging----

The 500 Gig internal 3.5 inch disk was imaged using a USB-to-SATA adapter and gddrescue.

$ sudo ddrescue -r 500 -v /dev/sdc image log

Several bad blocks were found, but after a few dozen passes, only a single block was unrecoverable. The imaging process took 18 hours.

----Partition Table----

The enclosure contains a drive with a proprietary partition table. When plugged into a computer, the enclosure's firmware produces two devices. The first is a CDROM image of the various manuals and drivers for the device. The second device is the actual storage drive. When the internal drive is plugged directly into a computer (without the enclosure), there is no partition table detected by any OS.

Tesdisk was used on the image file and a GFI partition (actually, an NTFS filesystem) was detected starting at 256680 blocks (About 125 Megabytes).

$ sudo testdisk image

Alternatively, a hex editor can be used to find the beginning of the NTFS filesystem. The NTFS signature (0xEB 0x52 0x90 0x4E 0x54 0x46 0x53 0x20) was found at 0x7d55000. Midnight Commander's Hex Viewer was used to view the file and find that value.

~$ printf %d\\n 0x7d55000
131420160

Convert from bytes to blocks:
:~$ bc
bc 1.06.94
Copyright 1991-1994, 1997, 1998, 2000, 2004, 2006 Free Software Foundation, Inc.
This is free software with ABSOLUTELY NO WARRANTY.
For details type `warranty'.
131420160/512
256680

----Potential Corruption----

There was one bad block, and therefore one block filled with zeros instead of the native data:

$ cat log
# Rescue Logfile. Created by GNU ddrescue version 1.9
# current_pos current_status
0xC7D56E00 -
# pos size status
0x00000000 0xC7D56E00 +
0xC7D56E00 0x00000200 -
0xC7D57000 0x73A8EAF000 +

That bad block is 0xC7D56E00. Converted into bytes:
$ printf %d\\n 0xC7D56E00
3352653312

Subtract the filsystem offset to find the location of the bad block relative to the NTFS filsystem:

$ bc
bc 1.06.94
Copyright 1991-1994, 1997, 1998, 2000, 2004, 2006 Free Software Foundation, Inc.
This is free software with ABSOLUTELY NO WARRANTY.
For details type `warranty'.
3352653312-131420160
3221233152
#convert into NTFS blocks - NTFS uses 4096 bytes per block.
3221233152/4096
786433

So block (i.e. "cluster") number 786434 is the one with the missing block.

Use ifind to determine if that block is used:

$ sudo ifind -f ntfs -d 786434 -o 256680 image
0-128-1

Use istat to get information about that inode:

$ sudo istat -f ntfs -o 256680 image 0-128-1|less

As it turns out, that's part of the $MFT. The block as well as adjacent blocks were viewed to look for damage:

$ bc
bc 1.06.94
Copyright 1991-1994, 1997, 1998, 2000, 2004, 2006 Free Software Foundation, Inc.
This is free software with ABSOLUTELY NO WARRANTY.
For details type `warranty'.
#get the previous two blocks:
3352653312-1024
3352652288
$ sudo dd if=image of=brokenblock bs=1 count=2048 skip=3352652288
2048+0 records in
2048+0 records out
2048 bytes (2.0 kB) copied, 0.00618151 s, 331 kB/s

Look at it:
$ hd -v brokenblock
00000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000070 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000080 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000090 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
000000a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
000000b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
000000c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
000000d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
000000e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
000000f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000100 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000110 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000120 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000130 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000140 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000150 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000160 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000170 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000180 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000190 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
000001a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
000001b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
000001c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
000001d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
000001e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
000001f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 3e 09 |..............>.|
00000200 46 49 4c 45 30 00 03 00 00 00 00 00 00 00 00 00 |FILE0...........|
00000210 07 00 01 00 38 00 01 00 c8 01 00 00 00 04 00 00 |....8...........|
00000220 00 00 00 00 00 00 00 00 04 00 00 00 07 00 00 00 |................|
00000230 3e 09 00 00 00 00 00 00 10 00 00 00 48 00 00 00 |>...........H...|
00000240 00 00 18 00 00 00 00 00 30 00 00 00 18 00 00 00 |........0.......|
00000250 3e 69 5a 35 f3 a2 c7 01 3e 69 5a 35 f3 a2 c7 01 |>iZ5....>iZ5....|
00000260 3e 69 5a 35 f3 a2 c7 01 3e 69 5a 35 f3 a2 c7 01 |>iZ5....>iZ5....|
00000270 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000280 30 00 00 00 68 00 00 00 00 00 18 00 00 00 02 00 |0...h...........|
00000290 4c 00 00 00 18 00 01 00 05 00 00 00 00 00 05 00 |L...............|
000002a0 3e 69 5a 35 f3 a2 c7 01 3e 69 5a 35 f3 a2 c7 01 |>iZ5....>iZ5....|
000002b0 3e 69 5a 35 f3 a2 c7 01 3e 69 5a 35 f3 a2 c7 01 |>iZ5....>iZ5....|
000002c0 00 20 00 00 00 00 00 00 00 20 00 00 00 00 00 00 |. ....... ......|
000002d0 06 00 00 00 00 00 00 00 05 03 24 00 42 00 6f 00 |..........$.B.o.|
000002e0 6f 00 74 00 00 00 00 00 50 00 00 00 90 00 00 00 |o.t.....P.......|
000002f0 00 00 18 00 00 00 03 00 74 00 00 00 18 00 00 00 |........t.......|
00000300 01 00 04 80 48 00 00 00 64 00 00 00 00 00 00 00 |....H...d.......|
00000310 14 00 00 00 02 00 34 00 02 00 00 00 00 00 14 00 |......4.........|
00000320 89 00 12 00 01 01 00 00 00 00 00 05 12 00 00 00 |................|
00000330 00 00 18 00 89 00 12 00 01 02 00 00 00 00 00 05 |................|
00000340 20 00 00 00 20 02 00 00 01 05 00 00 00 00 00 05 | ... ...........|
00000350 15 00 00 00 52 aa c8 68 9e ab 9d 61 07 e5 3b 2b |....R..h...a..;+|
00000360 eb 03 00 00 01 02 00 00 00 00 00 05 20 00 00 00 |............ ...|
00000370 20 02 00 00 00 00 00 00 80 00 00 00 48 00 00 00 | ...........H...|
00000380 01 00 40 00 00 00 01 00 00 00 00 00 00 00 00 00 |..@.............|
00000390 01 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 |........@.......|
000003a0 00 20 00 00 00 00 00 00 00 20 00 00 00 00 00 00 |. ....... ......|
000003b0 00 20 00 00 00 00 00 00 11 02 00 00 00 00 00 00 |. ..............|
000003c0 ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 |................|
000003d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
000003e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
000003f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 3e 09 |..............>.|
00000400 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000410 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000420 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000430 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000440 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000450 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000460 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000470 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000480 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000490 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
000004a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
000004b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
000004c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
000004d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
000004e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
000004f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000500 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000510 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000520 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000530 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000540 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000550 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000560 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000570 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000580 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000590 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
000005a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
000005b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
000005c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
000005d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
000005e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
000005f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000600 46 49 4c 45 30 00 03 00 6a 10 00 02 00 00 00 00 |FILE0...j.......|
00000610 08 00 01 00 38 00 01 00 78 01 00 00 00 04 00 00 |....8...x.......|
00000620 00 00 00 00 00 00 00 00 05 00 00 00 08 00 00 00 |................|
00000630 20 00 00 00 00 00 00 00 10 00 00 00 60 00 00 00 | ...........`...|
00000640 00 00 18 00 00 00 00 00 48 00 00 00 18 00 00 00 |........H.......|
00000650 3e 69 5a 35 f3 a2 c7 01 3e 69 5a 35 f3 a2 c7 01 |>iZ5....>iZ5....|
00000660 3e 69 5a 35 f3 a2 c7 01 3e 69 5a 35 f3 a2 c7 01 |>iZ5....>iZ5....|
00000670 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000680 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 |................|
00000690 00 00 00 00 00 00 00 00 30 00 00 00 70 00 00 00 |........0...p...|
000006a0 00 00 18 00 00 00 03 00 52 00 00 00 18 00 01 00 |........R.......|
000006b0 05 00 00 00 00 00 05 00 3e 69 5a 35 f3 a2 c7 01 |........>iZ5....|
000006c0 3e 69 5a 35 f3 a2 c7 01 3e 69 5a 35 f3 a2 c7 01 |>iZ5....>iZ5....|
000006d0 3e 69 5a 35 f3 a2 c7 01 00 00 00 00 00 00 00 00 |>iZ5............|
000006e0 00 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 |................|
000006f0 08 03 24 00 42 00 61 00 64 00 43 00 6c 00 75 00 |..$.B.a.d.C.l.u.|
00000700 73 00 00 00 00 00 00 00 80 00 00 00 18 00 00 00 |s...............|
00000710 00 00 18 00 00 00 02 00 00 00 00 00 18 00 00 00 |................|
00000720 80 00 00 00 50 00 00 00 01 04 40 00 00 00 01 00 |....P.....@.....|
00000730 00 00 00 00 00 00 00 00 a6 8e 46 07 00 00 00 00 |..........F.....|
00000740 48 00 00 00 00 00 00 00 00 70 ea 68 74 00 00 00 |H........p.ht...|
00000750 00 70 ea 68 74 00 00 00 00 00 00 00 00 00 00 00 |.p.ht...........|
00000760 24 00 42 00 61 00 64 00 04 a7 8e 46 07 00 00 00 |$.B.a.d....F....|
00000770 ff ff ff ff 00 00 00 00 20 02 00 00 00 00 00 00 |........ .......|
00000780 80 00 00 00 18 00 00 00 00 00 18 00 00 00 02 00 |................|
00000790 00 00 00 00 18 00 00 00 80 00 00 00 50 00 00 00 |............P...|
000007a0 01 04 40 00 00 00 01 00 00 00 00 00 00 00 00 00 |..@.............|
000007b0 a6 8e 46 07 00 00 00 00 48 00 00 00 00 00 00 00 |..F.....H.......|
000007c0 00 70 ea 68 74 00 00 00 00 70 ea 68 74 00 00 00 |.p.ht....p.ht...|
000007d0 00 00 00 00 00 00 00 00 24 00 42 00 61 00 64 00 |........$.B.a.d.|
000007e0 04 a7 8e 46 07 00 00 00 ff ff ff ff 00 00 00 00 |...F............|
000007f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 |.............. .|
00000800

(Alternatively, hd could have been used:
$ hd -v -n 4096 -s 0xC7D56A00 image)

The zeroed-out block begins at 0x00000400 and there was almost nothing but zeros there anyway according to the repeating pattern of blocks. The filesystem on the image was then mounted:

$ mkdir mnt
$ sudo mount -o loop,offset=131420160 image mnt

And an inventory of the filesystem was made:

$ ls -sh1tR mnt/ >filelist 2>errlist

The files were then copied to another drive and there was no loss of data.

----Alternative----

It's possible to mount the filesystem on the device without imaging it.

(Assuming the device is /dev/sdc)

sudo losetup -r -o 131420160 /dev/loop0 /dev/sdc
mkdir mnt
sudo mount /dev/loop0 mnt

and then to safely unmount it:
sudo umount /dev/loop0
sudo losetup -d /dev/loop0

----Add your case!----

Do you have an interesting Data Recovery experience using Free/libre tools?

Log in or register and add it to the list of Ubuntu-Rescue-Remix.org case studies.