Damaged Hard Disk

From CGSecurity

Bad sectors are the most common form of hard disk physical damage. They are early signs of a disk crash as it deteriorates over time. A bad sector is a sector on the disk to or from which data cannot be written or read (read errors) due to physical damage or inconsistencies of parity checking bits on disk (CRC or Cyclic Redundancy Check error). To recover your data, the best method is to copy/clone the drive's data to another hard disk before attempting to recover it.

The new disk must be at least the same size (check the number of LBA sectors) or larger; when larger, it's usually not a problem because the number of heads per cylinder and sectors per head will be the same if both disks use LBA mode. Windows may have some problems in dealing with bad sectors on a damaged hard disk, so the best solution is to use a Linux OS to copy data to another hard disk.

You can also use TestDisk to help analyze the sectors copied from a hard drive with physical problems onto a good drive.

Booting from Knoppix, a Linux LiveCD

If you don't have a Linux OS installed, download the Knoppix LiveCD, a free bootable CD with a fully functional Linux OS that runs only in memory!

  • Burn the .iso file to CD
  • Boot from the CD-ROM
  • At the boot prompt, type knoppix lang=us for a US keyboard/language.
  • You are automatically logged in as the user 'knoppix' on a GUI console.
  • Launch a Konsole/terminal
    (Note: Knoppix has a separate 'Konsole as root' choice, but copy/paste functions are deactivated in it, so we always recommend using the method described below for gaining root privileges from the normal user Konsole.)

Knoppix comes with TestDisk, PhotoRec, dd and dd_rescue. To access hard disks, you need to run these utilities with root (Administrator) privileges.

  • To become root from the Knoppix user account, select the Konsole and type sudo -s, then press the Enter key.
  • Now you can use all of the powerful root commands you need for full disk access from this console.

Note for users of Knoppix version 4.0.2 CD:
To use TestDisk under Knoppix 4.0.2, you need to resolve a library problem by first executing:

ln -s /usr/lib/libntfs.so.7 /usr/lib/libntfs.so.5 

before running testdisk.

Note for users of Knoppix version 5.1 CD:
To use TestDisk under Knoppix 5.1, you need to resolve a library problem by first executing:

ln -s /usr/lib/libntfs.so.10.0.0 /usr/lib/libntfs.so.9 

before running testdisk. This problem shouldn't occur under any other Knoppix versions or with the Linux version available from our Download area.

Identifying an HDD's device

Identifying an HDD's Linux device

To list connected hard drives and partitions, the commands fdisk or lshw can be used:


lshw -C disk
       description: ATA Disk
       product: ST380013A
       vendor: Seagate
       physical id: 0.1.0
       bus info: scsi@0:0.1.0
       logical name: /dev/sda
       version: 3.06
       serial: 3JVA1WTE
       size: 74GiB (80GB)
       capabilities: partitioned partitioned:dos
       configuration: ansiversion=5 signature=00001a7f

fdisk -l

Disk /dev/sda: 80.0 GB, 80026361856 bytes
255 heads, 63 sectors/track, 9729 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x00001a7f

   Device Boot      Start         End      Blocks   Id  System
/dev/sda1               1          91      730926   82  Linux swap / Solaris
/dev/sda2              92        9729    77417235   83  Linux

On Linux kernels after about 2.6.20 all PATA/IDE, SATA, SCSI, and USB drives will show up as /dev/sd? where ? is the assigned drive letter.

Previous kernel versions will show PATA/IDE drives as /dev/hd? where ? depends on the location on the PATA bus.

Identifying an HDD's Mac OS X device

To identify the disk/partition numbers,

  • Start the Terminal program, found in the /Applications/Utilities folder.
  • Type diskutil list in the terminal

There are two types of devices:

  • raw devices /dev/rdisk*: communication is direct with the disk.
  • buffered devices /dev/disk*: data transits via a buffer.

When using dd or other duplication programs, always use the raw device.

In Mac OS X, partitions are labeled as "slices". For example, a volume on a GPT-formatted disk is typically s2, e.g. rdisk4s2.

Disk Duplication

Once you have verified the device names for your damaged disk and the new one to copy its data to, in a command-shell (CLI) or terminal console (not from within any OS on the damaged hard disk), you can start to duplicate the data.

The classic method using 'dd'

dd is very powerful and can be used to write from disks to files and files to partitions or volumes. However, it is recommended that you try using ddrescue or dd_rescue first, as dd was not conceived to work with damaged disks and may use suboptimal ways to recover the data. If at all possible, skip to one of the ddrescue sections.

  • To copy a disk as root, run:
dd if=/dev/old_disk of=/dev/new_disk conv=noerror,sync

conv=noerror,sync is used for disks with bad blocks, where the intent is to replace bad blocks with zero placeholders and continue copying.

  • To copy the disk to an image file:
dd if=/dev/old_disk of=image_file conv=noerror

As a user under Mac OS X or as an Ubuntu user, always prepend the sudo command to dd and enter your user password to validate the command.

Be careful! If you are copying a disk, the destination must also be a disk, not a partition. If you are copying a partition, the destination partition must be large enough. Copying the whole disk is recommended.

Disks should be copied on sector boundaries. The sector size of most hard drives is currently 512 bytes but the industry is starting to move (post 1999) to a 4KB (4096 byte) sector size. Check your disk specifications to find out.

NB: The UNIX/Linux communities employ the term block to refer to a sector or group of sectors. For example, the Linux fdisk utility normally displays partition table information using 512-byte blocks while also using sector to help describe a disk's size with its phrase, 63 sectors/track. You want the block size for dd to be a power of 2 multiple of the disk sector size.

The default block size for dd is 512 bytes; the operand bs= is used to increase the block size. Bigger block sizes will greatly increase the speed of the copy, up to a point. That point depends on many factors, but 256K - 500K will be pretty good for most systems. If the block size ends with a "b", "k", "m", or "g", the number is multiplied by 512, 1024 (1K), 1048576 (1M), or 1073741824 (1G) respectively.

To read/write the disk using a 1MB block size (16 x 512 Byte sectors), the following are equivalent:

  • bs=1048576
  • bs=2048b
  • bs=1024K
  • bs=1M

Example commands: (use the appropriate device names for your system)

  • To copy a disk to a second disk using a 256KB block size (512 x 512 byte sectors):
 sudo dd bs=262144 if=/dev/hda of=/dev/hdb conv=noerror,sync
  • To duplicate an entire disk to another disk using a 16KB block size (32 x 512 byte sectors) and replacing bad block data with zeros:
 sudo dd bs=16384 if=/dev/rdisk0 of=/diskcopy conv=noerror,sync
  • To copy a volume/partition from a disk to a partition on another disk using a 256KB block size:
 sudo dd bs=256K if=/dev/rdisk0s2 of=/dev/rdisk1s2 conv=noerror,sync
  • To copy a disk or partition to a file (if a path is not specified, the file will be created in the current directory):
 sudo dd bs=512K if=/dev/rdisk0s2 of=/home/john/rdisk0s2.dd conv=noerror
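
The two rules above (destination at least as large as the source, block size a power-of-2 multiple of the sector size) can be checked before dd is started. This is an added example, not part of the original page; the function names are hypothetical and the sector counts are constructed from the 80 GB disk in the fdisk listing.

```shell
#!/bin/sh
# Added example: pre-flight checks before running dd. Function names are hypothetical.

# Convert a dd-style size (262144, 2048b, 256K, 1M, 1G) to bytes.
bs_to_bytes() {
    num=${1%[bkKmMgG]}
    case $num in ''|*[!0-9]*) return 1 ;; esac   # reject anything non-numeric
    case $1 in
        *b)    echo $((num * 512)) ;;
        *k|*K) echo $((num * 1024)) ;;
        *m|*M) echo $((num * 1048576)) ;;
        *g|*G) echo $((num * 1073741824)) ;;
        *)     echo "$num" ;;
    esac
}

# Succeeds only if BS is a power-of-2 multiple of SECTOR_SIZE.
bs_is_aligned() {   # usage: bs_is_aligned BS SECTOR_SIZE
    bytes=$(bs_to_bytes "$1") || return 1
    [ "$bytes" -gt 0 ] && [ $((bytes % $2)) -eq 0 ] || return 1
    q=$((bytes / $2))
    [ $((q & (q - 1))) -eq 0 ]
}

# Refuse to proceed if the destination is smaller or bs is misaligned.
preflight() {   # usage: preflight SRC_SECTORS DST_SECTORS SECTOR_SIZE BS
    if [ "$2" -lt "$1" ]; then
        echo "destination too small by $(($1 - $2)) sectors"; return 1
    fi
    if ! bs_is_aligned "$4" "$3"; then
        echo "block size $4 is not a power-of-2 multiple of $3"; return 1
    fi
    echo "ok"
}

# On Linux the sector counts would come from blockdev (util-linux), e.g.:
#   preflight "$(blockdev --getsz /dev/old_disk)" \
#             "$(blockdev --getsz /dev/new_disk)" 512 256K
# Constructed sample: 80026361856 bytes / 512 = 156301488 sectors on both disks.
preflight 156301488 156301488 512 256K
```
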

Kurt Garloff's 'dd_rescue'

If you believe there are many damaged sectors on the drive, you can try using Kurt Garloff's 'dd_rescue' instead of dd.

The best method: Antonio Diaz's GNU 'ddrescue'

The best solution - both faster and more efficient - seems to be Antonio Diaz's 'ddrescue'.

# download ddrescue
wget http://download.savannah.gnu.org/releases/ddrescue/ddrescue-1.8.tar.bz2
# extract the source code
tar xjf ddrescue-1.8.tar.bz2
# compile ddrescue
cd ddrescue-1.8
./configure && make
# first, grab most of the error-free areas in a hurry:
./ddrescue -n /dev/old_disk /dev/new_disk rescued.log
# then try to recover as much of the dicey areas as possible:
./ddrescue -r 1 /dev/old_disk /dev/new_disk rescued.log
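
After the two passes, rescued.log records which areas were copied and which are still unreadable. The following added example (not part of the original page or of ddrescue) totals the logfile and lists the bad ranges as LBAs; the function names are hypothetical, the sample log is constructed, and the layout and status characters are assumed to be those documented in the GNU ddrescue manual.

```shell
#!/bin/sh
# Added example: summarise a ddrescue logfile. Function names are hypothetical.
# Block status characters (assumed from the GNU ddrescue manual):
#   ? non-tried   * non-trimmed   / non-split   - bad sector   + finished

summarize_log() {   # usage: summarize_log LOGFILE [SECTOR_SIZE]
    ss=${2:-512}
    rescued=0; bad=0; pending=0; seen_status=0
    while read -r pos size status; do
        case $pos in ''|'#'*) continue ;; esac      # skip blanks and comments
        # The first data line is "current_pos current_status", not a block.
        if [ "$seen_status" -eq 0 ]; then seen_status=1; continue; fi
        case $status in
            +) rescued=$((rescued + $size)) ;;
            -) bad=$((bad + $size))
               echo "bad: LBA $(($pos / ss)) count $(($size / ss))" ;;
            *) pending=$((pending + $size)) ;;      # a later pass may still read it
        esac
    done < "$1"
    echo "rescued=$rescued bad=$bad pending=$pending"
}

# Constructed sample log for a 4 MiB device (not real rescue output).
write_sample_log() {
    cat > "$1" <<'EOF'
# Rescue Logfile. Created by GNU ddrescue version 1.8
# current_pos  current_status
0x00200000     +
#      pos        size  status
0x00000000  0x00100000  +
0x00100000  0x00000400  -
0x00100400  0x000FFC00  +
0x00200000  0x00001000  /
0x00201000  0x001FF000  +
EOF
}

log=$(mktemp)
write_sample_log "$log"
summarize_log "$log" 512
rm -f "$log"
```

The LBA ranges it reports are the areas to treat as suspect when TestDisk or PhotoRec is later run against the copy.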

Early detection of bad sectors

Modern hard disks can detect physical problems using SMART Monitoring.
