NTFS Disk Recovery

Submitted by SkipFrizzell on Wed, 2010-02-10 18:04.

Version 1.0
Author: Skip Frizzell < sfrizzell [at] canton-pc [dot] com >

1 Situation

Mary, the daughter of a friend, is in college. Her Windows XP laptop constantly reboots and, we suspect, has a bad hard drive. The system will boot a live CD (Ubuntu 9.10 Karmic Koala Desktop), and data on the hard drive can be read. During boot, the live CD identifies disk errors and tries unsuccessfully to repair them.

 

2 Backup

Securing the information on the hard disk is priority #1. We don't know what's wrong with the disk, so we need to make a backup disk image before we attempt a repair. From a command prompt in the laptop's live CD environment, a directory is created at /media/server. It will be the mount point for the server share that receives the backup of the laptop hard disk.

The server has previously been configured with an NFS share, but the live CD doesn't have the NFS client installed. Fortunately the Ubuntu live CD can download and install programs from the apt repository.

LiveCD$ sudo apt-get install portmap nfs-common

Now that the NFS client is installed, we can mount the share and have a place to put the disk image:

LiveCD$ sudo mount server:/storage/share /media/server

Now that the share on the server looks like a local partition mounted at /media/server, we can create our disk image.

LiveCD$ sudo fdisk -l

Disk /dev/sda: 250.0 GB, 250000000000 bytes
255 heads, 63 sectors/track, 30394 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Disk identifier: 0x00000001
   Device Boot      Start         End      Blocks   Id  System
/dev/sda1   *           1       16708   134206978+   7  HPFS/NTFS

fdisk -l shows us the hard disk is /dev/sda and that there is one NTFS partition. Now we can use dd to create a disk image. Caution: dd allows you to read from and write to a device directly. A careless command here can destroy your data. Measure twice and cut once.

LiveCD$ sudo dd if=/dev/sda of=/media/server/laptop_disk.img

Normally, dd takes a while to make a disk image, but we get a disk error almost immediately and dd aborts. Fortunately there is ddrescue. There are actually two ddrescue programs; we are using GNU ddrescue. ddrescue works almost exactly like dd, except that it is intended to work on faulty drives and can compensate for disk errors. ddrescue does not come on the live CD and is not available in the APT repository, but we can download it from the web, place it in the already mounted NFS share and install it from there.

LiveCD$ sudo dpkg -i gddrescue_1.11-1_i386.deb
LiveCD$ sudo ddrescue -v /dev/sda mary_inspiron_6000.img mary_inspiron_6000.log

ddrescue successfully images the disk. The next task is to make a copy of the disk image so that, in the event that an attempt to fix the disk image goes bad we can, at least, get back to this point with a minimum of effort. We will do all our work on the image (mary_inspiron_6000.img), and keep the original (mary_inspiron_6000.img.orig) untouched as an archive and reference.

LiveCD$ cp -p mary_inspiron_6000.img mary_inspiron_6000.img.orig
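
ddrescue's log file (mary_inspiron_6000.log above) records, block by block, which parts of the source disk were read and which were not. The script below is an added example, not part of the original article: it lists the byte ranges of the image that were never read and totals rescued versus unrescued bytes. The function names are hypothetical and the sample log is constructed.

```shell
#!/bin/sh
# Added example (not from the original article): report what ddrescue could not read.
# Log status characters: + rescued, - bad sector, * non-trimmed, / non-split, ? non-tried.

# Print "offset length status" (decimal bytes) for every block in log file $1 whose
# status is not "+"; those ranges of the image were not read from the disk.
ddrescue_unrescued() {
    first=1
    while read -r pos size status; do
        case $pos in ''|'#'*) continue ;; esac      # skip comments and blank lines
        if [ "$first" -eq 1 ]; then first=0; continue; fi   # skip current_pos line
        [ "$status" = "+" ] || echo "$(($pos)) $(($size)) $status"
    done < "$1"
}

# Print "rescued_bytes unrescued_bytes" for log file $1.
ddrescue_totals() {
    good=0 bad=0 first=1
    while read -r pos size status; do
        case $pos in ''|'#'*) continue ;; esac
        if [ "$first" -eq 1 ]; then first=0; continue; fi
        if [ "$status" = "+" ]; then good=$((good + $size)); else bad=$((bad + $size)); fi
    done < "$1"
    echo "$good $bad"
}

# Constructed sample log in the GNU ddrescue layout (offsets and sizes invented).
write_sample_log() {
    cat > "$1" <<'EOF'
# Rescue Logfile. Created by GNU ddrescue version 1.11
# current_pos  current_status
0x00A00000     +
#      pos        size  status
0x00000000  0x00500000  +
0x00500000  0x00000200  -
0x00500200  0x004FF000  +
0x009FF200  0x00000E00  /
EOF
}

# With a log file as argument, print the unread ranges followed by the totals.
if [ "$#" -ge 1 ]; then
    ddrescue_unrescued "$1"
    ddrescue_totals "$1"
fi
```

Any file whose data falls inside a listed range should be treated as damaged even if a later file system check reports the volume as clean.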

Now comes the fun part, looking to see what we can save.

 

3 Recovery

Recovery goes surprisingly well, with one exception that I'll detail later. I mount the working image (mary_inspiron_6000.img) as the d drive on a virtual Windows XP machine I have set up for disk recovery and run a variety of tools against it.

diskpart gives information on the disks and their partitions on Windows XP:

C:\Documents and Settings\sfrizzell>diskpart

DISKPART> list disk

  Disk ###  Status      Size     Free     Dyn  Gpt
  --------  ----------  -------  -------  ---  ---
  Disk 0    Online        12 GB      0 B
  Disk 1    Online        56 GB      0 B

DISKPART> select disk 1

Disk 1 is now the selected disk.

DISKPART> detail disk

QEMU HARDDISK
Disk ID: 41AB2316
Type   : IDE
Bus    : 0
Target : 1
LUN ID : 0
  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
  Volume 2     D                NTFS   Partition     56 GB  Healthy

The first tool I use is chkdsk.exe: "Chkdsk.exe is a command-line tool that verifies the logical integrity of a file system on a Windows XP Professional volume."

C:\Documents and Settings\sfrizzell>chkdsk /r d:

The type of the file system is NTFS.
CHKDSK is verifying files (stage 1 of 5)...
File verification completed.
CHKDSK is verifying indexes (stage 2 of 5)...
Correcting error in index $I30 for file 56146.
Correcting error in index $I30 for file 56146.
Sorting index $I30 in file 56146.
Index verification completed.
CHKDSK is recovering lost files.
Recovering orphaned file 6A82D2~1 (56129) into directory file 56146.
Recovering orphaned file 6A82D25B245A4B1D94281AC1E2272B77 (56129) into directory
 file 56146.
Recovering orphaned file 3BEA32~1.DB3 (56145) into directory file 56146.
Recovering orphaned file 3bea32c5-d9da-4696-a242-338575562c22-inq.db3 (56145) in
to directory file 56146.
Recovering orphaned file 3BEA32~1.XML (56147) into directory file 56146.
Recovering orphaned file 3BEA32C5-D9DA-4696-A242-338575562C22.xml (56147) into d
irectory file 56146.
Recovering orphaned file 3BEA32~2.DB3 (56149) into directory file 56146.
Recovering orphaned file 3bea32c5-d9da-4696-a242-338575562c22-preinq.db3 (56149)
 into directory file 56146.
Recovering orphaned file 3BEA32~3.DB3 (56150) into directory file 56146.
Recovering orphaned file 3bea32c5-d9da-4696-a242-338575562c22-errors.db3 (56150)
 into directory file 56146.
Recovering orphaned file manifest.db3 (56151) into directory file 56146.
CHKDSK is verifying security descriptors (stage 3 of 5)...
Security descriptor verification completed.
CHKDSK is verifying Usn Journal...
Usn Journal verification completed.
CHKDSK is verifying file data (stage 4 of 5)...
File data verification completed.
CHKDSK is verifying free space (stage 5 of 5)...
Free space verification is complete.
CHKDSK discovered free space marked as allocated in the
master file table (MFT) bitmap.
Correcting errors in the Volume Bitmap.
Windows has made corrections to the file system.
  58597055 KB total disk space.
  32117188 KB in 48418 files.
     18992 KB in 6501 indexes.
       264 KB in bad sectors.
    131935 KB in use by the system.
     65536 KB occupied by the log file.
  26328676 KB available on disk.
      4096 bytes in each allocation unit.
  14649263 total allocation units on disk.
   6582169 allocation units available on disk.

Chkdsk repairs the volume. Now we reverse the backup procedure and use dd across the NFS share to copy the repaired image back to a new hard drive. Then it is time to test the repaired partition and see if it will boot. SUCCESS! The disk boots and we now have a repaired system.
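
Both the untouched .orig archive made in section 2 and the dd copy back to a new drive described above are only as good as the bytes that actually landed. The script below is an added example, not part of the original article, and its function names are hypothetical. It archives an image read-only with a recorded SHA-256 and checks that a target, which may be larger than the image, starts with exactly the image's bytes.

```shell
#!/bin/sh
# Added example (not from the original article): keep a hashed, read-only archive
# of the rescued image and check a written copy against its source image.

# Print the SHA-256 of the first $2 bytes of $1 ($1 may be a file or a block device).
prefix_sha256() {
    head -c "$2" "$1" | sha256sum | cut -d' ' -f1
}

# Succeed only if the first size-of-$1 bytes of $2 are identical to $1.
# $2 may be larger than $1, as a new disk is after an image has been written to it.
same_prefix() {
    size=$(($(wc -c < "$1")))
    [ "$(prefix_sha256 "$1" "$size")" = "$(prefix_sha256 "$2" "$size")" ]
}

# Copy image $1 to $1.orig, verify the copy, record its hash, make it read-only.
snapshot_image() {
    cp -p "$1" "$1.orig" || return 1
    same_prefix "$1" "$1.orig" || return 1
    size=$(($(wc -c < "$1.orig")))
    printf '%s  %s\n' "$(prefix_sha256 "$1.orig" "$size")" "$1.orig" > "$1.orig.sha256"
    chmod a-w "$1.orig" "$1.orig.sha256"
}

# Usage: script IMAGE            archive IMAGE as IMAGE.orig
#        script IMAGE TARGET     check that TARGET starts with the bytes of IMAGE
if [ "$#" -eq 1 ]; then
    snapshot_image "$1"
elif [ "$#" -eq 2 ]; then
    same_prefix "$1" "$2" && echo "match" || echo "MISMATCH"
fi
```

Run the two-argument check before the new drive is booted for the first time, because booting Windows from it changes the file system and the comparison will no longer match.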

Now that we have the system repaired, it's time to discuss the problem I mentioned earlier. The image has been placed on a new hard disk that is much larger than the image, so we have 93 GB of free space we would like to be able to access. Although Windows reports the partition as healthy, the Linux tools I used to try to extend the partition all reported an error that prevented them from extending it.

Fortunately, Microsoft provides a tool for extending a disk partition. diskpart will extend an existing partition into free disk space, but does not extend system partitions. No problem, using a USB to Hard Drive cable the disk can be attached to an existing system. While attached to that system it is not the system drive and can be extended easily and surprisingly quickly.

DISKPART> list volume

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
  Volume 2     E                NTFS   Partition     56 GB  Healthy

DISKPART> select volume 2

DISKPART> extend

DISKPART> list volume

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 2     E                NTFS   Partition    149 GB  Healthy

After the disk is placed back in the laptop it boots and works without a problem.

 

4 Conclusion

Linux provides an extremely versatile toolbox for repairing problems. It accomplishes this, in many cases, by bypassing the structure of an operating system and addressing the hardware directly. Its networking allows information to be passed between machines quickly and efficiently, and virtualization makes it possible to present as other operating systems and environments. With all of Linux's strengths, in some situations bypassing the operating system is not the best solution and a Windows system command is the proper tool for the job.

While all this is exciting and enjoyable from a technical standpoint, the important thing is that Mary's laptop is working again and she can go back to school and be successful.

 

5 Links

Setting Up An NFS Server And Client On Debian Lenny
http://www.howtoforge.com/setting-up-an-nfs-server-and-client-on-debian-lenny
Ddrescue - Data recovery tool
http://www.gnu.org/software/ddrescue/ddrescue.html
Virtualization With KVM On Ubuntu 9.10
http://www.howtoforge.com/virtualization-with-kvm-on-ubuntu-9.10
Troubleshooting Disks and File Systems
http://technet.microsoft.com/en-us/library/bb457122.aspx
USB 2.0 to SATA/IDE Hard Drive HDD CD-Rom 3.5/2.5 Converter Adapter Cable
http://www.amazon.com/Drive-CD-Rom-Converter-Adapter-Cable/dp/B001MW7058

 

6 FAQ

Q: Why didn't you use System Rescue CD?

A: To be honest I used the tools at hand and the ones I was familiar with. I was very concerned that the Ubuntu Workstation CD tried to repair the NTFS partition before I had a chance to image it. I have downloaded System Rescue CD and will be evaluating it for future use, thank you for the recommendation!

Should the need arise I may also evaluate GetDataBack NTFS, but it is a pay application and I prefer free as in pizza.

Q: Why not mention testdisk?

A: I didn't use it. I checked out its list of features and I didn't need any of them for this job... that being said, it looks like an awesome tool and it will be going into my toolbox. http://www.cgsecurity.org/wiki/TestDisk

Q: What virtualization software did you use (Virtualbox...)?

A: Apologies for the lack of detail, it didn't seem relevant at the time since any virtualization technology should do the job. I used kvm for this recovery and included a helpful link above.

Q: Rather than using diskpart to grow the partition, I suggest using parted/gparted or ntfsresize (part of ntfsprogs).

A: Not a question, but here goes anyway: again, apologies for my lack of clarity. A whole lot of failed attempts and incomplete successes were snipped from this document to provide just the meat of the article (I blame it on having read too many man pages).

gparted failed to resize the partition and returned an unknown error. My assumption was that even though I had imaged the disk and moved the image to a known good hard drive, some flag on the NTFS partition was not cleared by chkdsk and was reporting a phantom error to Linux.

I don't recall attempting ntfsresize, it will also go in my toolbox for next time!

Thank you to everyone that took the time to reply! Your suggestions will make me better the next time I have to do data recovery.


Submitted by Anonymous (not registered) on Sun, 2013-03-17 19:18.
Gddrescue is available from Ubuntu's repositories, but you have to enable the 'universe' repository.
Submitted by Jake (not registered) on Sun, 2011-01-09 00:42.

This tutorial shows how to create an image of a bad hard drive with DDRescue, then mount it as a virtual drive in Windows.  

http://www.myfixlog.com/fix.php?fid=21

Submitted by FErArg (not registered) on Sat, 2010-02-13 20:15.

Why didn't you use System Rescue CD?

 http://www.sysresccd.org

This live distribution has everything you need to rescue Linux or Windows disk/partitions, recover/create disk/partition images, etc.

- NFS Client/Server
- PartImage
- GParted
- NTFS-3G
- and a VERY LONG etc.

 

--------------------
FErArg
www.FErArg.com
www.SerInformaticos.es

Submitted by Hans Bausewein (not registered) on Sat, 2010-02-13 19:28.
ddrescue not available in the APT repository? Maybe not on Ubuntu, but Debian definitely has it: http://packages.debian.org/lenny/ddrescue http://packages.debian.org/lenny/gddrescue
Submitted by Pétur Ingi (not registered) on Fri, 2010-02-12 23:39.

A Comment on your 3rd step: I've managed to recover data from _extremely_ corrupted drives by running GetDataBack NTFS (A Windows application) on the .img file created by dd/ddrescue.

http://www.runtime.org/data-recovery-software.htm

Submitted by Anonymous (not registered) on Sun, 2012-07-22 05:54.

Works for me as well. It shows me the directory also.

thanks

 

Submitted by Anonymous (not registered) on Fri, 2010-02-12 19:22.
Why not mention testdisk?  It has the ability to recover files from an unmountable drive (or even a formatted one). 
Submitted by Anonymous (not registered) on Fri, 2010-02-12 18:46.

When you say:

"...I mount the working image (mary_inspiron_6000.img) as the d drive on a virtual Windows XP machine..."

 What do you mean exactly? The IMG file created by ddrescue is mounted under Windows XP using a virtual drive emulator, and which is that? What virtualization software did you use (Virtualbox...)?

Submitted by Yochai (not registered) on Fri, 2010-02-12 17:19.
I do professional data recovery using Linux. GNU ddrescue is a godsend. One thing I would like to mention though: rather than using diskpart to grow the partition, I suggest using parted/gparted or ntfsresize (part of ntfsprogs). They both work very well and can be run on images or disks.
Submitted by jag (not registered) on Fri, 2010-02-12 13:59.
Very interesting topic! Thanks
Submitted by UFO (not registered) on Thu, 2010-02-11 10:43.
Interesting article. Backing up to an image is an extremely good idea, because the method is filesystem independent and totally safe. Thanks!