Checking my understanding of ddrescue


I've used the various tools in Rescue Remix several times to successfully get data back - mostly ddrescue. But I want to check my understanding of this incredible tool.

I understand the basic model. You use ddrescue to create a single image file of the damaged drive onto a working drive of equal or larger size.

My question is about the size of the image that's created. Does the ddrescue image contain only the data that's been used on the damaged drive or the whole thing? For example, if the capacity of the damaged drive is 100MB, but I know that only 20MB has been used, then will the ddrescue image be 20 or 100?

The reason I ask is that as drives continue to get astronomically large in capacity, and crash more often, our recovery efforts will take longer and longer. And we have to keep purchasing larger and larger recovery drives.

Finally, what if the 100MB drive has been completely encrypted? My guess is that the ddrescue image would be 100 in this case.

Experts, set me straight.

Many thanks!

The image that is created is

The image that is created is of the whole partition, and not just the used blocks. In this sense, gddrescue is filesystem agnostic.

It doesn't even look at the filesystem. So there is no way for it to distinguish between used and unused blocks.

The same thing applies to encrypted filesystems. The raw data is machine readable just as a non-encrypted filesystem. But to make sense of and of the data, you must decrypt the filesystem.

I reckon this would make file-carving mostly impossible.

Thanks for the reply,

Thanks for the reply, Andrew. I was afraid you were going to say that. Makes sense, I guess. It just makes it harder and harder to get data back from drives that break. I usually opt for smaller drives. But the people I help think differently.

As for encrypted drives, your comment is what has made me not encrypt the whole drive on my laptop. Say I encrypt the whole thing, it crashes, and won't boot up. ddrescue would pull an image, then what? Would I be able to mount it the same way as a non-encrypted image?

As for mounting the ddrescue image, under what conditions does it fail? Why would an image of a drive not mount? I've seen failures, I just want to understand why.


I would assume that you

I would assume that you would be able to mount the image if your provided the key - just as you need to do to boot into an encrypted partition. But data-carving is another story. You would have to decrypt the raw image as you fed it into the file-carving software.

Why would an image not mount? Because the filesystem is damaged. That can be caused by the drive failing and gddrescue is only able to recover a partial image. It can also be caused by a lot of other things that are not hardware related. In that case, it's best to try to repair a copy of the image, since repairing it may cause further data loss. You can alsways go back to the original and start again. So making an image of the drive is a good first step in most cases.

Thank you Andrew for your

Thank you Andrew for your patience responses. This is very helpful for me!

To continue... say I have one hard drive, with a single NTFS partition, that is not encrypted. And I'm using XP as the OS. It's damaged -- won't boot, etc.

I use gddrescue to make an image of the damaged drive onto a new clean drive. So now I have a single, large, image file of the damaged NTFS partition. What do you usually do next?

What is the properly formed mount command to attempt mounting this image?

Say I issue that command and the image fails to mount. Then what? From your previous response, I gather this means that the NTFS filesystem is damaged. Is there any way to repair the damaged NTFS filesystem using an image file?

Or is the next option to "Extract individual files from recovered image", as outlined in the DataRecovery documentation?

Are you able to load a recovered image file into software such as GetDataBack for NTFS? Have you had any success/experience with that?

Thank you for all your help!

It depends, if the image was

It depends, if the image was fully recovered, then I would be more optimistic about being able to mount it.

If the image file is named "file" and I created a subdirectory named mnt where I want to mount it, I would try:

sudo mount -r -t ntfs -o force,loop file mnt

If that failed, I would try ntfsfix

sudo ntfsfix file

and try again. If that fails, you can use testdisk to try to rebuild the MFT:

If that still failed, I would either skip to file carving or try Autopsy/Sleuthkit. It depends on your needs. If you want to recover a large amount of data, use file carving. If you are looking for a small number of specific files, you may have get results faster using the Sleuth Kit.

As far as proprietary software, I haven't found any that does any better than the free-libre file-carving tools that are available. I usually get back just about exactly the same files, if anything at all. In fact, I would be surprised if the proprietary software didn't base a lot of their engine on the free software file carvers.

Thank you again, Andrew! I

Thank you again, Andrew!

I appreciate your patient responses.