Corrupted NTFS filesystem recovery

The quick guide to recovering a corrupt Windows NTFS filesystem from a dead or dying hard drive:
1) If the drive does not power up or respond at all to host I/O, replace the drive controller board with a compatible one (e.g. from an identical drive purchased on eBay), unless it is a drive known not to work with a controller board swap. Don’t bother doing this if the drive responds but clicks when accessing certain files. If a controller swap doesn’t get the drive to at least respond to ID, the drive has serious problems and will require professional service (or a do-it-yourself head stack/preamp replacement, and possible reserved region rewrite…not for the faint of heart).
2) Put the hard drive in a Linux system with excess hard disk capacity.
3) Attempt to mount the partition. Recover any utterly irreplaceable files immediately, in order of necessity. You may not be able to get anything, and it may take several reboots if you “poke” the drive in the wrong place, but if you do get something, at least you know you have _that_.
4) Use dd_rescue, and dd_rhelp if necessary, to make a “clone” image of the drive. The clone image can be a file or it can be another blank hard disk. This may take several weeks and the drive may die while it is being cloned. Not much you can do if that happens but send it in to the recovery house like you would have had to do anyway.
5) Attempt to loop-mount the NTFS filesystem (mount -o loop /tmp/image.img /mnt). If it succeeds, try to copy the data you need out of /mnt that way. It is very likely that the filesystem will not mount. It is even more likely that it will mount, but that attempting to read certain files will crash the kernel.
6) If you couldn’t get the files you need, copy the image to a sufficiently sized blank hard disk if you haven’t already (dd if=/tmp/image.img of=/dev/hdd bs=10M), and then attach the cloned drive to a Windows XP machine. Do NOT allow Windows to “Chkdsk” the drive when it boots.
7) If Windows blue screens when it looks at the drive while booting up, wipe out the partition table in Linux (dd if=/dev/zero of=/dev/hdd bs=512 count=1). This will cause Windows to effectively ignore the drive.
8) Use EasyRecovery from Ontrack in “Advanced” mode to scan the disk for directory structure, and recover as necessary. The result can be copied to another disk or uploaded to an FTP server.

Hints for EasyRecovery:

  • Don’t bother with the Undelete tool because it does not deal with massive filesystem corruption.
  • The Format recovery tool will only work on an existing NTFS volume, which it won’t see because yours is corrupted.
  • The Raw scan should only be used as a last resort because it omits all file and directory names, resulting in a disorganized mess. However, it may find files that the Advanced scan does not, because they have been severed from the directory structure by corruption. If you know the contents of the file you are looking for, you can do a Raw recovery, and then “grep” through the files for a pattern that you know is in the interesting file.

If EasyRecovery cannot find your file, use a hex editor to search through the raw disk image for a piece of the file contents. You may get lucky and find it in the hex dump, and use the hex editor to save it to a file, or copy and paste from the hex editor to another program. If you don’t, well, time to decide if that file is worth $500+ for an attempted professional recovery…
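
The hex-editor search described above can also be scripted. The following is an added example, not part of the original guide: it scans the image read-only in chunks for a known phrase, in both UTF-8 and UTF-16LE, and saves a window of bytes around each hit. The script name find_in_image.py, the function names, the window sizes and the 512-byte sector size are assumptions.

```python
import sys

SECTOR = 512  # assumed sector size, used only to report sector numbers

def find_pattern(stream, needle, chunk_size=1 << 20):
    """Yield the absolute byte offset of every occurrence of needle."""
    if not needle:
        raise ValueError("empty search pattern")
    overlap = len(needle) - 1
    tail, base = b"", 0          # base = absolute offset of tail[0]
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            return
        buf = tail + chunk
        pos = buf.find(needle)
        while pos != -1:
            yield base + pos
            pos = buf.find(needle, pos + 1)
        # Keep the last len(needle)-1 bytes so a match that straddles
        # two chunks is still seen, without reporting any match twice.
        tail = buf[-overlap:] if overlap else b""
        base += len(buf) - len(tail)

def search_text(stream, text):
    """Search for text as UTF-8 and as UTF-16LE (common in Windows files)."""
    hits = []
    for label, codec in (("utf-8", "utf-8"), ("utf-16le", "utf-16-le")):
        stream.seek(0)
        for off in find_pattern(stream, text.encode(codec)):
            hits.append((off, off // SECTOR, label))
    return sorted(hits)

def carve(stream, offset, before=4096, length=65536):
    """Return (start, data): a window of the image around a hit."""
    start = max(0, offset - before)
    stream.seek(start)
    return start, stream.read(length)

if __name__ == "__main__":
    # Usage (hypothetical script name): python find_in_image.py /tmp/image.img "known phrase"
    image_path, phrase = sys.argv[1], sys.argv[2]
    with open(image_path, "rb") as img:   # opened read-only; the image is never modified
        for off, sector, enc in search_text(img, phrase):
            start, data = carve(img, off)
            out = f"hit_{off:012d}.bin"
            with open(out, "wb") as f:
                f.write(data)
            print(f"{enc} match at byte {off} (sector {sector}) -> {out}")
```

Run it against the clone image rather than the failing drive, and write the carved windows to a different disk than the one holding the image.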
