A friend of mine ask me to do Data Recovery for a customer of his. When I got the drive I knew that it had bad sectors, but it was not clicking or making any noise.
I hooked the drive up, write blocker etc… and started to imgae it (DD) using FTK Imager. The Imaging process was going very slow (I expected this from past experience of imaging bad drives).
The process froze at around 72 hours with just under 50% completed when the HDD began to click (I let it go for a little longer because I had cases that the HDD stopped clicking and I was able to fully image the drive).
With just around 50% of the HDD Imaged, I added what I had of the DD image to FTK 1.72 and began acquiring same.
The tree structure of the drive was there (Like you would see in a normal drive), so I went to Documents and Settings and looked at all users profiles. All PDF's, DOC's, XLS's, on all these profiles (even the names of these files) seemed in order like any normal drive.
When you try to open any of these files it gives you a error "Unable to read file" and it just opens these files likes there is nothing in them (Blank).
May be this is dumb question But why did this happen?
In these cases I only usually get free space and/or garbage. In this case I got a full file structure where everything seems in order (naming, paths etc..). But when you try to open any of these files, they are completely empty.
Any thoughts?
Note I just woke up, so cope with me on my grammar D
I think this is because in FTK, the tree structure is derived from parsing the MFT/FAT. If your MFT is intact, then FTK would show you the directory tree based on that, not that it had scanned the entire disk looking for files.
For your drive you could try something like ddrescue, to see if you can get a bit more of the drive copied.
A friend of mine ask me to do Data Recovery for a customer of his. …<snip>
I hooked the drive up, write blocker etc… and started to imgae it (DD) using FTK Imager. …
This does not really relate to your original question, but I'm curious - since it's a "customer" data recovery issue - Why did you opt for a write blocker?
Given that simply signing the drive should not be an issue (if you're using Windows), and the drive is known to be "bad", then you may have better luck without the added intermediate hardware.
bgrundy,
"This does not really relate to your original question, but I'm curious - since it's a "customer" data recovery issue - Why did you opt for a write blocker?"
1. Just force of habbit…
2. I had better success of seeing and/or acquiring any drive when I used Digital Intelligence write blocker then connecting it via USB, Firewire and/or IDE
I like "Ontrack easy recovery plus" for data recovery from "bad" drives. Have had much success using it. Also have had great success with the (free) Roadkil app "Unstoppable Copier".
I realize I'm not really addressing your question, sorry bout that, just throwing it out there. I honestly don't ever reach for write blockers and FTK when I'm doing a data recovery.
(FYI I'm just a student, don't have any interest in Knoll-Ontrack or the Roadkill guy)