Saving data recovered from a hard drive that crashed - how to sort out current from tmp and old files

I recently lost access to my Seagate eSATA HD after my Mac froze up and I had to do a hard shut down of both the Mac and my eSATA drive.

When plugged in, OSX says I must initialize the disk before use (Windows says the same thing, but uses the word "format"). I figured out the drive is now in RAW format.

I found a nifty little program called Recover My Files, (which cost a cool $69.95, far less than professional data recovery services) and ran a scan on my drive. It found what appears to be all of my files, but it doesn't look quite like what it did on the drive. Several top level directories are gone, and their content folders and files just spread out in the list.

All of this is OK by me, but when I try to save the files to another location, the software says my selected files take up 2.43 TB of space to save! The eSATA drive itself was only a 500 GB hard drive, so I don't know how it could find 2.43 TB to save. And I had only used around 350 GB of space on the drive.

I did go through and found it had several duplicates for many of the files, that looked like maybe older versions or temp versions (with a ~ in font of the file name). I'm not sure how all these files could fit on that drive, but maybe I am misunderstanding something.

Anyhow, I want just to save the correct files. A) I don't have space for all that stuff, my max to copy to is 500 GB (minus used space), and B) I don't want to have to sort through all of those files to get the one's I need (assuming there are tons of dupes in there).

Anybody have any experience with this Recover My Files software, or my similar scenario to give me some help?

What was the filesystem on the drive before?

Given the size and that you're using it on both Mac and Windows, I assume it was FAT32. (A tiny disk might be FAT12 or FAT16; a Windows-only disk might be NTFS or exFAT; a Mac-only disk might be HFS+.)

So on the downside, FAT is easy to corrupt. On the upside, depending on how it was formatted, you may have one or more backup file allocation tables; you may find that there's still a usable copy.

In any case, I've never even heard of "Recover My Files" before; The Sleuth Kit is how I've recovered disks in the past, and I've heard good things about PhotoRec which looks like it automatically does what I'd do by hand with TSK. And FAT is a simple enough filesystem that you can crawl through it with nothing but a hex editor and some patience.

Yeah, well I thought it was NTFS (I didn't really think about it after I formatted it the first time before using it a year and a half ago so I can't remember) but when I ran this Recover My Files software it has FAT as the virtual directory with all my files.Anyway the part that has me really stumped is how is there 2.4 TB of data to be saved off of a 500 GB hard drive? And how do I get past all of those crazy duplicate file versions to the current versions? Do you have to deal with that using Sleuth Kit? What about plugging into Linux (or Ubuntu)?

JAG2007 2010-03-11 02:05:04

FAT basically represents every file as a linked list of clusters. Corruption could cause linked lists to wander off into non-allocated or non-existent blocks, and many files' linked lists may overlap. I'm not surprised that it looks like you have much more data than could possibly exist on media. In the past, I've used TSK alongside a hex editor to point TSK at only blocks that look good to me, always working on a **copy** of the damaged disk, under Linux.

ephemient 2010-03-11 02:27:37

I have very little experience with this sort of stuff. What is a hex editor? When you say linux, do you mean like Ubuntu? And what do you mean exactly by working on a copy of the damaged disk?Thanks!

JAG2007 2010-03-11 13:28:57

@JAG2007 The first rule of disk recover is to take an image of the whole disk before doing anything -- this is easy with `dd` or `dd_rescue` or `dd_rhelp`. Everything you do from this point on will be using the image, in case there's something wrong with the original hardware. Meanwhile, you can use `badblocks` to scan the original disk, and perhaps use `sg_format` perform a media-level format too, though I'm not sure how well it works on eSATA.

ephemient 2010-03-13 02:59:17

@JAG2007 Assuming your disk used MS-DOS partitioning and FAT32 filesystem, the next step I would take is to open up documentation on their structural layouts (since I don't remember them off the top of my head, http://en.wikipedia.org/wiki/Master_boot_record http://www.microsoft.com/whdc/system/platform/firmware/fatgen.mspx). Opening up the saved image in a hex editor lets you view the raw bytes on disk image and read them as if you were the computer.

ephemient 2010-03-13 03:09:26

@JAG2007 Now you can walk through the image by hand as if you were the computer; TSK's `fls` etc. tools are useful for automating some of this. You can edit the image to remove egregious errors, do things such as swapping the allocation table with a better backup, or zero out stuff you don't even want to try to recover. Then build a list of files to recover, and script up `icat` to extract each one out.

ephemient 2010-03-13 03:14:59

@ephemient - thanks for all the instruction. Before I saw all of this what I did is download and install Ubuntu on my old PC. I plugged the external drive in and when I did, Ubuntu simply recongized it and all the files were just there. So I copied them onto my desktop, and I'm formatting the drive on my Mac, so I'll be able to migrate them back to it.Thanks again!

JAG2007 2010-03-15 00:54:57

ansaurus

tags:

views:

answers:

Saving data recovered from a hard drive that crashed - how to sort out current from tmp and old files

related questions