general windows data recovery. 4

Status
Not open for further replies.

markoneil

Technical User
Feb 28, 2002
1
CA
Well, in no way am I an expert in data recovery techniques, so please don't flame me. I have no formal training on it but have managed to do a fair amount of research over the last year. I work in the service department of a major computer retailer in Vancouver and have been in the service department for 3 years. Most of the problems I specialize in solving seem to be software-related issues on the Windows side of things. I do also work on hardware troubleshooting but am not as interested in that area.

I have done about 20 data recoveries in the past year due to software issues or file corruptions, like bad MBR or lost partition tables or erased FATs.

I am interested in sharing some of my observations on the little bit of data recovery that I have done to help others who have little experience in data recovery (like me), or to spark up some conversation that I can learn from. (Maybe some of my self-taught techniques are not very good. Any input would be appreciated. And keep in mind that I have no formal training in this area. It is all learned by reading and a lot of experimenting.)

Over the past year I have had a lot of requests from clients to help them with issues dealing with lost data on their home or work computer. Most of the time their computer has one drive containing their OS and data, and the drive simply will not boot. Sometimes this is due to a bad drive, and other times it is due to data corruption. Anyway, these are some of the steps that I take when helping a client through this type of difficulty.

After booking the drive into our service department, the first thing I do is to put it into my test bench (my test bench is just a Celeron system, with onboard video, an FDD, and two open IDE channels) and see if the drive is in physical working order. I try to make sure that the drive is spinning up, and is recognized by the BIOS of my test bench. If it is not, then I try to match the controller of the hard drive with one of the known good controllers from other bad drives we have collected over time. If it spins up and is recognized, then great.

Now, because I still want the customer to be able to take his drive to a data recovery specialist, I try to do as little with the customer's drive as possible. So the next thing that I will do is to duplicate or clone the drive. Now, we don't have a hardware drive duplication machine, so I use the latest version of Norton Ghost. (I have read a lot of documentation regarding Ghost and duplication. Those who do data forensics do not like to use Ghost because, even though it will do a sector-by-sector copy, it will not copy a sector from the source drive to the exact same sector on the destination drive. For example, it does not necessarily copy the contents of sector 69764 of the source drive to sector 69764 on the destination drive. But everything will be in the same place relative to the boot sector. I believe this also has something to do with the geometry of the drive or something like that.) When I use Ghost I use a new switch. The -ir switch instructs Ghost to do a sector copy including all the formatted and unformatted space.

Now that I have a duplicate of the drive, I can work on it without fear of doing any more damage to the integrity of the client's original drive. Usually at this point I will try to boot from the drive and see what happens. Usually nothing. I will try to boot up with a Win 98 disk and see if I can see the drive. If I can, then I will look at the contents, including looking for any signs of virus activity in the autoexec.bat, config.sys, win.ini and system.ini files. If everything looks OK, then I will fdisk the MBR and re-sys the drive. Of course, if the customer wants any of the files that are listed, then I can copy them at this point in time. If I was not able to see the drive or got an unspecified drive error, then usually this is a clue that I need to look and see if there are any valid partitions. If I fire up fdisk and find that there are no partitions, then I will try to use Norton Disk Doctor to rebuild the partition table. There have been very few instances that this has not solved the problem and made the drive bootable again or at least readable with a DOS boot disk or in another Windows system.

Now, failing these attempts, and the drive is not bootable or readable, then out comes Norton Disk Edit, a hex editor, but I will only use this tool to take a quick scan of the drive to see if anything appears to be there. A lot of times I can get an idea if the drive was formatted from here as well. One thing I would love to be able to do with a hex editor is to learn how to manually rebuild the partition table rather than using programs to do it. I would still probably use a program if I knew how, but would at least have the knowledge to go in and tweak it manually if the program did not work.

Finally, I use a copy of tiramisu32 to try and rescue any data that is still not readable. I find it usually takes anywhere from 1 to 3 hours to run and finds pretty well anything that has not been written over. After it runs I can then copy all the files it finds to another hard drive and then go through them in another system to make sure they are readable and not corrupted. If they are OK, which in most cases they are, then I can call the client and let them know what we have.

Now, I know that I could save myself a lot of work by just running tiramisu right at the beginning, but I like to play a little and see if I can solve a problem that is fixable, like rebuilding a bad partition table or restoring a second FAT. I look at it as a good opportunity to learn.

Now, keep in mind after reading this that these are only a few of the things I try, and again, I have had no proper training in this. These are all things I have learned on my own. I hope this will start up a discussion on general data recovery for consumers and some of the techniques or tools used, and maybe even some of the methods you follow or the order you do things in. Again, keep in mind that this is mostly used for the home user or small business.

Looking forward to your comments
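
The post above mentions bad MBRs, lost partition tables, and wanting to read the partition table by hand in a hex editor. As an added example (not part of the original post), this Python sketch decodes the four partition entries of a sector 0 dump taken from the cloned drive; the function names and the sample sector are constructed for illustration.

```python
import struct

# Partition type bytes commonly seen on Windows 9x/XP-era disks.
TYPES = {0x01: "FAT12", 0x05: "Extended", 0x06: "FAT16", 0x07: "NTFS",
         0x0B: "FAT32 (CHS)", 0x0C: "FAT32 (LBA)", 0x0E: "FAT16 (LBA)",
         0x0F: "Extended (LBA)"}

def parse_mbr(sector):
    """Return (signature_ok, entries) for a 512-byte sector 0."""
    if len(sector) != 512:
        raise ValueError("an MBR is exactly one 512-byte sector")
    # The last two bytes of a valid MBR are 55 AA.
    signature_ok = sector[510:512] == b"\x55\xaa"
    entries = []
    for i in range(4):  # four 16-byte slots starting at offset 446 (0x1BE)
        raw = sector[446 + 16 * i: 462 + 16 * i]
        status, ptype = raw[0], raw[4]
        # Bytes 8-15: little-endian starting LBA and sector count.
        lba_start, count = struct.unpack_from("<II", raw, 8)
        if ptype == 0 and count == 0:
            continue  # empty slot
        entries.append({
            "slot": i,
            "active": status == 0x80,
            "type": TYPES.get(ptype, hex(ptype)),
            "lba_start": lba_start,
            "sectors": count,
            # A status byte other than 00/80 or a zero start usually means damage.
            "sane": status in (0x00, 0x80) and lba_start > 0 and count > 0,
        })
    return signature_ok, entries

def build_sample_mbr():
    """Constructed sample: one active FAT32 (LBA) partition starting at LBA 63."""
    sector = bytearray(512)
    sector[446:462] = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x0C,
                                  b"\xfe\xff\xff", 63, 39070017)
    sector[510:512] = b"\x55\xaa"
    return bytes(sector)

if __name__ == "__main__":
    good = build_sample_mbr()
    wiped = good[:446] + bytes(64) + good[510:]  # table zeroed, signature intact
    for name, img in (("good", good), ("wiped", wiped)):
        ok, parts = parse_mbr(img)
        print(name, "signature ok:", ok, "partitions:", parts)
```

To use it on real data, pass in the first 512 bytes read from the clone image rather than from the client's original drive.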
 
Gidday Mark
Name's Col from Brisbane, Australia.
I'm pretty much in the same boat, just haven't travelled as far as you, just starting out. You can reach me at warrigal9@icqmail.com if you are inclined to talk to a newbie.
 
How do I recover, or where can I d/l, rundll32.exe? Please help me!!!!
 
Hello Mark... nice outline, but I have some specific problems with WinXP you might be able to solve. My original WinXP became inoperable after I pulled out my motherboard and put in a new one with a newer CPU. You can guess: XP absolutely refused to boot, and I had not familiarized myself with the recovery agents in XP before my upgrade. I logged on to the same machine in my WinMe drive so I could access the internet for clues as to recovery. I followed the steps (similar to install) and it got to a point where it was registering components with 13 minutes remaining, and it always stopped functioning at this point. I reinstalled WinXP to the same HD and partition but to another folder (Windows2). I can boot to that, but having two similar OSes side by side does create problems. My main problem is that I have encrypted files from the original install that I cannot access from the second install. It will not ask me for a password but simply denies me access because I did not sign on in that User Name, as I cannot. Is there a way to transfer the password lists and user lists to the second Windows folder, or how can I finish the recovery of the first install? Microsoft Q281653 tells me to use the $oem$ folder structure to copy files during installation and to read the deplo.doc that is located on the XP CD-ROM. Since I only work on my computer, that is all the experience I have, along with my wife's and a few relatives', but I need clearer instruction than that. Do you have any? Thanks, Mike Millard z1ironmike@aol.com
 
Windows XP is hardware specific, more so than any previous version.
As you mentioned, the encrypted files that you have or had are going to be next to impossible to retrieve without professional data recovery.
Encrypted File System (EFS) under Windows requires you to have administrator privileges; since you lost those along with the registry, simple recovery is not going to work.
At this point any more attempts that you make are only going to kill any chances at a successful recovery.
Seek the services of professionals.

Sorry! Klon Shugart
Data Recovery Specialist
Microsoft Certified/ mcp 2000
 