Advice Regarding Data/File Recovery?

[LABFE]

I know there is currently a thread similar to this, but I want to ask some slightly different questions. As a fairly new tech, I'm trying to figure out what types of situations where customer data is at risk that I might should decline the job and refer the customer to a professional data recovery service rather than trying to tackle it? I want to do data recovery on a basic level (ie. customer isn't sure of issue, I run diagnostics and learn hard drive is near failure so I get image and run Fabs). But I just don't want to get in over my head and lose a customer's important files. I also don't want to spend a lot of money on equipment/tools at this time although I may get more in depth with data recovery in time to come.

Further, to be ready on this basic level what tools are popular? Do DDRescue, Clonezilla, Macrium Reflect, and Grsync basically do the same thing? Is one better or more suitable for this purpose than the others? Are there other tools I need to be adding or considering? All feedback is appreciated; you might save me from some headaches.

 

[MDD1963]

Any customer should be made aware that any drive can fail permanently at any moment, however statistically unlikely; given odd problems, clicking noises, etc., failure becomes much more feasible. Your examining drives first with Gsmart and then with assorted tools (DDRescue, Gparted, Reflect) to try to clone and/or recover (Recuva or equivalent) his/her data does not make an inopportune failure your 'fault'. If however, the customer were attempting to recover 4 million dollars in bitcoins, I might recommend a true data recovery firm, where $2500 in charges might be warranted.

I will let some of the much more data-recovery-versed/ experienced folks here give recommendations on which tools might be more prone to success than others under a variety of circumstances for problem/near failure drives, but, if in doubt, image first, then tinker....

 

[JoeTech]

If I hear grinding noises or see physical damage to the drive then I always refer them to professional data recovery services since you are more likely to only make things worse.

 

[lcoughey]

You may want to check out the resources section of this site. Here is a link to a guide on how to triage a hard drive - https://www.technibble.com/forums/resources/how-to-triage-a-hard-drive.17/

 

[brandonkick]

I simply ask the client how much their data is worth.


What would it mean if you lost this data forever?
Is it even possible to replace this data?
Would your company close?
Would you incur great finical loss if the data on this drive were to be lost?


I usually put it in those terms. I've recommended a few of the "hey this is super serious but I'm super cheap" people
to the $300 DDR service. Ask yourself, will I lose more in money if my business is down for a week because I was
too cheap to get it done professionally the first time. Because once the drive is in a critical state, then you need
heavy duty data recovery professionals and they do not come cheap. Usually the cost of fixing a really screwed up
drive is far more than if you had just sent it out in the first place.

If a customer is looking for some family photos, maybe a few documents they had and the such then I don't worry
alot about taking a crack at it. If it's mission critical data, I don't touch it.

 

[LABFE]

Thanks for the insight. Anyone use DDRescue-GUI in Parted Magic? Compared to straight DDRescue command line? I understand that the GUI does not have a reverse option; will this be critical to data recovery? DDRescue-GUI a winner or stick with command line? I prefer fastest and most efficient over geeking out, but want to learn the best option.

Additionally, about how long should DDRescue take on a 300GB hard drive (only about 160GB of it is being used if that is highly pertinent)? After 30 minutes has elapsed it still says 'Starting ddrescue.' Nothing is wrong with the drive, this is just a practice run.

 

[Romaniac]

Are you using the GUI mode?

I can only speak for command line, but once I hit start, it begins immediately. Being stuck on 'Starting ddrescue' doesn't sound right.

 

[OaksLabs]

Thanks for the insight. Anyone use DDRescue-GUI in Parted Magic? Compared to straight DDRescue command line? I understand that the GUI does not have a reverse option; will this be critical to data recovery? DDRescue-GUI a winner or stick with command line? I prefer fastest and most efficient over geeking out, but want to learn the best option.

Additionally, about how long should DDRescue take on a 300GB hard drive (only about 160GB of it are being used if that is highly pertinent)? After 30 minutes has elapsed it still says 'Starting ddrescue.' Nothing is wrong with the drive, this is just a practice run.

I work with a bunch of Windows-only techs, and the command line and Linux bother them. To get them to use DDRescue, I've setup a Ubuntu PC, and installed this (https://launchpad.net/ddrescue-gui) GUI for DDRescue. I've never worked with the Parted Magic GUI.

Notes:

• Make sure that you've told DDRescue to overwrite the output device if you are doing drive to drive cloning.
• The GUI I use does have an option to start at the end of the drive -- is this what you meant by reverse?
• The GUI and the command line program are the same thing. The GUI calls the command line program and passes it all the parameters.
• Data recovery will never be fast. I had a drive ~2 weeks ago that was bad, and the read speed was always around 200K/s. It took 8 days to duplicate the 500GB HDD with DDRescue, but after a CHKDSK on the new drive the PC booted and all the data was intact.
• Make sure you don't have any of the partitions mounted, and that you're specifying the whole drive to by copied:
  
  

  /dev/sdb -> /dev/sdc     //This is the whole drive
  /dev/sdb1 -> /dev/sdc     //This is one partition being moved to the whole drive.

 

[LABFE]

Are you using the GUI mode?

I can only speak for command line, but once I hit start, it begins immediately. Being stuck on 'Starting ddrescue' doesn't sound right.

I am using the GUI mode. I let it run over night. It does say "Time Elapsed: 16.31 hrs" but it also still says "Starting DDRescue." I stopped the first practice run after about 40 minutes last night because of it still saying "Starting DDRescue" but I decided to let this one run. When I stopped the first scan I checked the external drive that I am placing the image on and it had begun creating the image file however it was still only kilobytes in size. The activity light on the external drive is also flashing, but the "Starting DDRescue" message staying on still concerns me that it's not going to complete the image.

 

[discipulus]

We use R-Studio and DDRescue on everything except serious issues. If Linux recognizes the drive, then we will attempt recovery. One drive took 2 months to completely image. And the customer was fine with that. We recovered all of their data. If it's got a hardware issue or the computer doesn't see the drive, we send it to a clean house.

 

[LABFE]

I work with a bunch of Windows-only techs, and the command line and Linux bother them. To get them to use DDRescue, I've setup a Ubuntu PC, and installed this (https://launchpad.net/ddrescue-gui) GUI for DDRescue. I've never worked with the Parted Magic GUI.

Notes:

• Make sure that you've told DDRescue to overwrite the output device if you are doing drive to drive cloning.
• The GUI I use does have an option to start at the end of the drive -- is this what you meant by reverse?
• The GUI and the command line program are the same thing. The GUI calls the command line program and passes it all the parameters.
• Data recovery will never be fast. I had a drive ~2 weeks ago that was bad, and the read speed was always around 200K/s. It took 8 days to duplicate the 500GB HDD with DDRescue, but after a CHKDSK on the new drive the PC booted and all the data was intact.
• Make sure you don't have any of the partitions mounted, and that you're specifying the whole drive to by copied:
  
  

  /dev/sdb -> /dev/sdc     //This is the whole drive
  /dev/sdb1 -> /dev/sdc     //This is one partition being moved to the whole drive.

Well the command line nor Linux bother me; I just see it that why start learning commands when I can use a GUI that streamlines the process unless using the command line mode provides greater capabilities. I believe the DDRescue-GUI I'm using in Parted Magic is the same that you reference and have on your Ubuntu machine.

In this practice run I'm attempting to place an image of the hard drive in the laptop on an external drive so I can mount it and run Fabs to recover personal data. I plan on getting into cloning a drive to a new hard drive shortly. Regarding the reverse, I have just been doing a lot of reading on TN regarding data recovery and using DDRescue and it seems like I've seen people talking about "sending it in reverse" when it "hangs" to speed up the process. One person actually commented that the DDRescue-GUI did not have the "reverse option which is crucial to data recovery." Thanks for informing me regarding amount of time it takes so now I know about what to expect. Regarding making sure none of the partitions are mounted: the GUI was giving me an error message when selecting the image destination that "The file you selected already exists. Blah, blah, blah... Do you want to accept this file as your outuput file?" When I select 'yes' it follows with a box that says "You have selected a Disk to recover to rather than an image, so please enable the option labeled 'Overwrite output Disk or partition' in the settings." But if I mount the external drive first with 'Parted Magic Mount' I can select the external drive and name the ".img" file such as "backup.img." To reiterate, I'm trying to create an image of the drive so I can mount it and run fabs. I'm obviously doing something wrong I'm just not sure what it is.

 

[LABFE]

We use R-Studio and DDRescue on everything except serious issues. If Linux recognizes the drive, then we will attempt recovery. One drive took 2 months to completely image. And the customer was fine with that. We recovered all of their data. If it's got a hardware issue or the computer doesn't see the drive, we send it to a clean house.

So do you use R-Studio and DDRescue interchangeably or based on the set of circumstances? How do you decide which to use? Hardware issue such as the drive grinding or other things to look for?

 

[LABFE]

Update: I'm going to run through the DDRescue command line mode (using the guide here on TN posted above) and perhaps that will help me figure out the correct use of the GUI as there is no guide/tutorial anywhere that I can find.

 

[discipulus]

So do you use R-Studio and DDRescue interchangeably or based on the set of circumstances? How do you decide which to use? Hardware issue such as the drive grinding or other things to look for?

First the drive is connected to the system to see if it's recognized. If the drive is recognized, we will look at the Smart Attribute Data to see how many failed sectors there are. If the R-studio recovery moves slowly, we will use DDRescue to image the drive to our file server, and then we will mount the image in R-Studio and recover files that way. Most drives can be recovered just using R-studio. If all of our r-studio machines are busy we image the drive. The drive that took 2 months was reading at like 500 kb/s. Most drives aren't that bad.