A different type of data recovery solution needed - Query

[Pacific Blue IT]

Situation - Existing 250GB 2.5inch external drive.
Backed up to it at request of customer. Used Fabs.
Backup successful as far as logs concerned as well as a manual check.
At request of Customer I deleted their personal info off the computer including photos.
Customer goes over seas, leaves external HDD in storage, upon customers return they plug HDD into Laptop and is greeted with a no access error.
Places a call to me.
I set permissions to everybody giving us access to the drive, attempt to open the Fabs archive and get a message along the lines of unable to open - data corrupted or missing.
I've connected external to tech PC and using parted magic have successfully accessed Fabs backup archive folder and copied all contents to another drive.

All photos and files are corrupted, have run recuva and Parteds photo rec, pc inspector smart recovery as well as testdisk.

No avail, it seems that most recovery programs are looking for deleted data not data that is just sitting there as though it is available and therefore is ignored by the data recovery program, am I right?

Im wondering what I should do from here, spinrite, ddrescue? Have you guys come across a program that can rebuild jpegs similar to the way you can rebuild an AVI index? or can a data recovery specialist rebuild the data, the info is there as the jpegs etc have so many mb's in size in their properties.

Customer is very worried about their data, so I want to help as much as is possible.

Lesson learnt to self, never trust a customer supplied backup drive, always get a new one and make multiple copies before deleting.

 

[nextechinc]

For starters, remove spinrite from your vocabulary, it's only going to make a drive problem worse. Create an image of the drive using ddrescue. After the image is created, copy the image to a separate file so you have the original to revert back to if further recovery steps don't go according to plan. It's entirely possible that the image will be mountable and readable without any further modifications. Personally I would mount it using osf mount, then run a chkdsk on the mounted drive to try to repair any damage you may have done in your prior attempts to get the data back. Bottom line is never try to run any of the applications you mentioned prior to ddrescue until you have safely pulled every bit of readable data off of the drive. Then put the original drive aside and work off of your image files.

 

[HFultzjr]

If the cost of the data supports it.......send to the pros.

If not proceed with ddrescue as mentioned above. Some good tutorials on the site.

Harold

 

[Markverhyden]

Major failure here. A backup means that an original still exists. If the original is gone you no longer have a backup. You have an original.

Did you make an image of the drive before you started messing with it?

What is the drive enclosure? Proprietary or generic? Some of those USB2SATA bridges mangle the data on purpose.

 

[kjm_phd]

Some of those USB2SATA bridges mangle the data on purpose.

Really? To what end do they do this?

 

[lcoughey]

1. A tough lesson to learn about checking the copied data before deleting the originals
2. A tough lesson to learn about having multiple copies on separate devices to be considered a backup
3. Always use known healthy hard drives for client data
4. Be sure to get a clone of the drive, if you can, and only work with the clone...seek professional assistance if you run into any issues getting the clone...perhaps sooner than later, if the data has any value at all.

It may be too late to avoid this current situation, hopefully you can dig your way out without losing your shirt and hopefully we will all learn to be extra cautious with client data.

Good luck.

 

[Markverhyden]

Really? To what end do they do this?

One I know for sure is some OEM vendors "encrypt" the contents contents via the interface. Been a while but I seem to remember that it was Seagate or WD. The symptom is you pull the drive from the enclosure, mount it on a *nix box and do a scan. You see a few very large files but the type is unknown. It's been commented on here before.

Not sure why they do it. All of the OEM vendors offer encryption as an option. Maybe they are trying to use a compression technique to allow more storage. Who knows. Just very frustrating for users.

I've done a couple data recoveries on USB 2.5 drives a few years ago and it turned out the interface was actually part of the onboard controller.

I've not seen any third party enclosures doing anything odd. That's why I prefer them.

 

[Larry Sabo]

The encryption is performed by an IC on the USB-SATA portion of the PCB attached to the drive. Not all models enable encryption though. My Passport Elements, for example, does not enable encryption. In product delivered to countries where it is illegal to enable such encryption, it is also disabled, even for other models. WD MyPassport and MyBook models (other than the Elements version) are normally encrypted in western countries.

To recover data from a failing USB drive, one can either attach a compatible SATA PCB and transfer the ROM containing the "adaptives" that are unique to the drive to the new PCB, or wire up a SATA connector directly to the SATA portion of the USB PCB, bypassing the encryption circuitry. This lets you repair firmware problems (if any) and clone the drive to a physically healthy drive, recovering data from or surrounding corrupted/unreadable sectors. If the data is encrypted, you can't read it directly. Some data recovery equipment can (PC3000) but without that equipment, you would just restore the original (or replacement) USB PCB to the clone to access the data unencrypted. I believe the clone must be of the same make; not sure about model.

Why do they do it? I think it's so the data can be easily and quickly hardware encrypted as it is written to the drive. You just need to change the encryption key using the backup software that's on the virtual CD resident on the drive (WD Smartware). The key is on a section of the platters not accessible to users without data recovery equipment, which helps keep it secure.

I'm still learning this stuff, but that's my understanding of it.