Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Referred from another area: "bad" ddrescue image


  • Please log in to reply
11 replies to this topic

#1 Nick10213

Nick10213

  • Members
  • 90 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Northeast USA
  • Local time:06:47 PM

Posted 07 September 2013 - 05:03 PM

The current situation is that I have a .ddrescue image from PartedMagic that won't mount.  I was in virus/malware removal, and the person helping me has been stumped.  He referred me here; the following is a link to the thread:

http://www.bleepingcomputer.com/forums/t/502250/unable-to-boot-into-anything-resembling-windows/

(It may be more beneficial to work your way back from the end...it's a little long:
http://www.bleepingcomputer.com/forums/t/502250/unable-to-boot-into-anything-resembling-windows/page-5)

 

I recently posted a summary of what I can remember happening...things were pretty quick, and I don't remember the exact sequence down to the last detail, but I have given a general timeline of how things went:

 

 

This whole thing happened pretty quickly and I wish I could remember the sequence of events better; I think windows stopped booting on its own before I tried any of the boot repair programs on it, which is what prompted them in the first place.  That may be due to the failing drive, but I myself am not so sure that's the case.  I'm not the best at diagnosing problems (especially hardware related), but I know the very first thing that set this off was a virus/bad program of some kind.  The symptoms of that involved the computer not responding for significant periods of time allowing only brief moments of use.  Following that, repeated attempts at doing things before windows booted (but not boot repair related; antivirus related) resulted in the computer not booting up at all.  THEN came attempts at boot repair, followed by complete black screen/flashing underscore at bios.  I think before that, DELL diagnostic at least said there was a hard drive attached.  After the attempts at boot repair, I think it stopped recognizing the hard drive completely.  But, not Ubuntu.  Ubuntu saw it, and I could see files, but when I tried to access the drive it froze (I'm assuming it attempted to mount it when I clicked on the files...maybe it was mounted before that, in order to see the files in the first place?  I get the concept, but don't know the process), eventually to the point where I had to power down out of Live Ubuntu. 

 

"doing things before windows booted" = running pre-windows virus removal tools; AVG rescue disk, windows defender, sophos, tried to find means to scan the hard drive from ubuntu.

 

I'm only thinking that it was a virus because the initial problem with freezing happened before; when I received help here for it, nothing worked until the person instructing me had me run combofix.  The one helping me with the hard drive said this is only hardware related, but would combofix repair hardware related symptoms?   If so, then I'm wrong in what I think happened, which is entirely possible.

I will gladly provide any necessary information that I can.


Edited by Nick10213, 07 September 2013 - 05:18 PM.


BC AdBot (Login to Remove)

 


#2 Nick10213

Nick10213
  • Topic Starter

  • Members
  • 90 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Northeast USA
  • Local time:06:47 PM

Posted 16 September 2013 - 11:36 PM

So...have I lost all my data?  If this would better be directed to another forum, I'd be happy to post there.  I was directed here after the person helping me was unable to successfully mount the ddrescue image he had me make.



#3 hamluis

hamluis

    Moderator


  • Moderator
  • 56,379 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Killeen, TX
  • Local time:04:47 PM

Posted 17 September 2013 - 04:06 PM

The simple way to test the hard drive for functionality...would be to run the appropriate hard drive manufacturer's diagnostic.

 

The hard drive itself may be OK, but the partition structure could be damaged.

 

Since this is the Internal Hardware forum...let's see if we can determine if the hard drive itself functions as it should.

 

Who is the manufacturer of the hard drive?

 

Louis



#4 whoabuddy

whoabuddy

    Bleepin' Verbose


  • Malware Response Instructor
  • 2,053 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Cottonwood, AZ
  • Local time:02:47 PM

Posted 04 October 2013 - 08:11 AM

Hi Nick,

I have been watching your topic and I am actually going through the same process we performed again - I have a client whose hard drive is dying and I am copying it to an image file just as we did with yours. The important thing at this point is not to lose hope! There are still a few tools available to recover data such as PhotoRec, and once I have this image file complete I am willing to try a few more things if you are interested.

Louis - This user was in the malware removal forum due to a suspected virus, and it turned out to be a failing hard drive with bad sectors. We ran ddrescue from Parted Magic to copy the entire drive to an image file, but we are unable to mount the image file to view the contents, and I have tried as many variations of the command as I can think of. Everything is documented in the original post. The user has a new laptop and would like to get his files out of the ddrescue image. Elise referred me here but if there is a better place to post please let me know!

Best Regards,
whoabuddy
Meditate. Elevate. Appreciate. | "Life is a journey, love is the destination, happiness is the path!"
If I am helping you and have not responded within 48 hours, please send me a PM.
Vi Veri Universum Vivus Vici (VVVVV)
Excellent Security Advice
Proud member of UNITE

#5 hamluis

hamluis

    Moderator


  • Moderator
  • 56,379 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Killeen, TX
  • Local time:04:47 PM

Posted 04 October 2013 - 08:27 AM

:thumbup2: , although it's not a hardware issue when trying to view an image made from a hard drive known to be failing.  I would suspect that the image itself is corrupt, since the source was not necessarily in the best of health.

 

This is as good a forum as any for the time being :).

 

Louis



#6 Nick10213

Nick10213
  • Topic Starter

  • Members
  • 90 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Northeast USA
  • Local time:06:47 PM

Posted 04 October 2013 - 02:50 PM

I've been extremely busy, and haven't had a chance to make any more progress of my own with it (which may be a good thing).

The problem with answering those questions (Louis) is that the hard drive was on a computer that had to be returned, so I don't have much information about it.  All I have left is the image.  I'd like to try whatever I can to get as much data off as I can.

Thank you for your help,
Nick



#7 hamluis

hamluis

    Moderator


  • Moderator
  • 56,379 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Killeen, TX
  • Local time:04:47 PM

Posted 04 October 2013 - 04:53 PM

Understood...but an image is just another file.

 

If the file cannot be read/accessed by Windows or some programs designed to do so...I don't see a light ahead.  I've made backups from failing drives and the result was just a glut of corrupted/damaged file data that could not be read by any program at my disposal.

 

If the program used to make the image...cannot unlock/open/access the contents...well, no harm in trying...but I would not be hopeful :).

 

Louis



#8 whoabuddy

whoabuddy

    Bleepin' Verbose


  • Malware Response Instructor
  • 2,053 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Cottonwood, AZ
  • Local time:02:47 PM

Posted 08 October 2013 - 03:33 PM

Understood...but an image is just another file.

Louis: That is a concept that took me forever to understand - everything is a "file" to the computer! :)

I understand your point completely, but I also think we recovered a large amount of information from the drive and should be able to recover something from it, there were a few factors that make it more interesting.So I feel like there should be a way to get the data out, whether it's trying to recover the partition with Testdisk or trying to recover raw files with Photorec - the 137mb errsize tells me the majority of the data should be accessible! I am not as familiar with these tools and wanted to refer Nick to a public forum where others can assist. Have you used either of these tools or do you recommend anything else to try?

Nick: Don't give up just yet, we still have a few things to try!

Best Regards,
whoabuddy
Meditate. Elevate. Appreciate. | "Life is a journey, love is the destination, happiness is the path!"
If I am helping you and have not responded within 48 hours, please send me a PM.
Vi Veri Universum Vivus Vici (VVVVV)
Excellent Security Advice
Proud member of UNITE

#9 hamluis

hamluis

    Moderator


  • Moderator
  • 56,379 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Killeen, TX
  • Local time:04:47 PM

Posted 08 October 2013 - 04:35 PM

i myself had never heard of "ddrrescue" prior to this topic.  But...if the result is a file of any sort...I'd have to assume that "ddrescue" has to be able to open said file, since it created it.

 

As for TestDisk...I've never used it with any success but other members have (at various times) reported success using it for recovering data from hard drives and overcoming partition problems.

 

My experienc with data recovery tools shows that every attempt is a hit or miss proposition...the effort doesn't guarntee success.  If the result of using such tools indicates file corruption, I'd say that the effort was unsuccessful.

 

Since the current result...stems from using Parted Magic...I would try their forums, http://forums.partedmagic.com/ , since the membership there is more likely to have experienced same/similar issues with tool.

 

Ditto for TestDisk...their forums would be more likely capable of advising you/OP on what you might be able to do with their tool.

 

That's the way that I would approach it, bearing in mind that no attempt at data recovery is a given if the hard drive is damaged (as this one seems to have been).

 

The hardware gurus here at BC frequent this forum, it remains to be seen if any of them have any ideas that may be of assistance in this situation (IMO).

 

Louis



#10 whoabuddy

whoabuddy

    Bleepin' Verbose


  • Malware Response Instructor
  • 2,053 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Cottonwood, AZ
  • Local time:02:47 PM

Posted 11 October 2013 - 12:43 PM

Hi Louis,

i myself had never heard of "ddrrescue" prior to this topic. But...if the result is a file of any sort...I'd have to assume that "ddrescue" has to be able to open said file, since it created it.

It's a great tool! More information can be found here, and to summarize, it's a data recovery tool that "copies data from one file or block device (hard disc, cdrom, etc) to another, trying hard to rescue data in case of read errors." It is very similar to the UNIX dd with additional functions, there is a little bit of info on the dd Wikipedia page about the tool as well (under section: Data Recovery). I typically use the tool to create an image file of a failing hard drive or scratched CD-ROM, over which you can run several passes and fill in the data from failing sectors. The resulting file "should" be an accurate image of the hard drive that can then be copied back to a disk or mounted from within an OS, but in this instance I cannot figure out why we cannot mount the image file. The extension ".ddrescue" was added by my choice and is not required.

As for TestDisk...I've never used it with any success but other members have (at various times) reported success using it for recovering data from hard drives and overcoming partition problems.
Since the current result...stems from using Parted Magic...I would try their forums, http://forums.partedmagic.com/ , since the membership there is more likely to have experienced same/similar issues with tool.
Ditto for TestDisk...their forums would be more likely capable of advising you/OP on what you might be able to do with their tool.

I have used it once or twice and it did just that, but I am not familiar enough to put together a step-by-step for a remote computer without setting up a mini-lab, so looking at those forums / posting up the issue could definitely make a difference, thank you for the suggestion!

That's the way that I would approach it, bearing in mind that no attempt at data recovery is a given if the hard drive is damaged (as this one seems to have been).

Isn't a damaged hard drive one of the main reasons you would need data recovery? :P I understand the sentiment but I also believe it's worth trying all available options.

The hardware gurus here at BC frequent this forum, it remains to be seen if any of them have any ideas that may be of assistance in this situation (IMO).

This is definitely a unique one, but based on the events so far I believe the data should be recoverable still, so if anyone has any input it is always appreciated!

Nick: Based on Louis's suggestion, I created a new thread at the CG Security forum, and I am currently waiting for it to be approved by a moderator. They maintain the software TestDisk and PhotoRec which can be very powerful recovery tools. Although I have used these a few times in the past I am hoping someone there will be able to guide us through the correct procedure, and if not we can try a few things of our own by making a (backup) copy of the image to work with.

I am going to be out of town 10/16 through 10/27 but I will continue to monitor the progress of the threads and reply when I can.

Best Regards,
whoabuddy
Meditate. Elevate. Appreciate. | "Life is a journey, love is the destination, happiness is the path!"
If I am helping you and have not responded within 48 hours, please send me a PM.
Vi Veri Universum Vivus Vici (VVVVV)
Excellent Security Advice
Proud member of UNITE

#11 Nick10213

Nick10213
  • Topic Starter

  • Members
  • 90 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Northeast USA
  • Local time:06:47 PM

Posted 11 October 2013 - 01:34 PM

Thank you both for your interest in solving this problem.  I do feel a little like a bystander to this whole situation at this point, but I also do agree that given the relatively small error size (0.05%), there should be some data somewhere that should be accessible.  From my limited vantage point, there should be some way to rewrite the area of the image that corresponds to the boot sector of the original drive to make it "look" correct so it can be mounted, but I really have absolutely no idea, nor do I even know that's what the problem is.  Anyway, I will be keeping an eye out for any help offered by you or others, and willing to try different solutions.

Again, thank you for your time and assistance.



#12 whoabuddy

whoabuddy

    Bleepin' Verbose


  • Malware Response Instructor
  • 2,053 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Cottonwood, AZ
  • Local time:02:47 PM

Posted 12 October 2013 - 10:52 AM

Hi Nick,

Thank you both for your interest in solving this problem. I do feel a little like a bystander to this whole situation at this point, but I also do agree that given the relatively small error size (0.05%), there should be some data somewhere that should be accessible. From my limited vantage point, there should be some way to rewrite the area of the image that corresponds to the boot sector of the original drive to make it "look" correct so it can be mounted, but I really have absolutely no idea, nor do I even know that's what the problem is.

I am happy to help! I believe at this point we will go one of two directions depending on the software used. Option A is TestDisk which can help repair / recover the partition in the image file, which would allow us to mount it then copy off the files you need. Option B is PhotoRec which can recover files from a damaged file system, and I am leaning toward the latter but have only used it once, which is why I started that thread over at CG Security. I received the approval today and the link is below:

http://forum.cgsecurity.org/phpBB3/best-way-to-approach-recovery-of-ddrescue-image-t2958.html

I also welcome any and all help from our experts here, ultimately I want to try a few more things to see if we can get the data out of the image based on the events so far, and there should be enough space on Nick's external drive to create a backup copy of the image if needed. If I can provide any additional information I will be more than happy to do so!

Best Regards,
whoabuddy
Meditate. Elevate. Appreciate. | "Life is a journey, love is the destination, happiness is the path!"
If I am helping you and have not responded within 48 hours, please send me a PM.
Vi Veri Universum Vivus Vici (VVVVV)
Excellent Security Advice
Proud member of UNITE




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users