Please no flaming! I am not a "student" in the sense that has been getting toasted here as of late. I'm in my late 30's, studying D.F., working towards a CCE and trying to make a career change….as a result, family comes to me when their laptops crash!
I have such a laptop with either a corrupted bootsector and/or about 30% of the sectors labeling as 'bad' on the HDD (these are the diagnostics that are coming up when simply booting up the laptop.) I've been asked to see if I can pull as many of the photos as possible off of it with no promises/no timelines..and obviously no kind of pay/contract.
I've begun with a forum search for info and come up with suggestions such as Deepspar software (I think that was the spelling) for HDD recovery. I have some basic tools available to me such as Ubuntu's Raptor to make an image, SimpleCarver to take unallocated space data, the FTK demo version for up to 5000 file analysis and such (from my CCE prep class). I guess I'm asking how you seasoned experts would begin: make an image first, then just hook up the HDD as a slave to see what can be directly copied? Or use FTK and directly export what you could see, and so on.
My other question is, is it possible to 'fix' the HDD after I've pulled as much off as possible? Can you 'repair' the boot sector/bad sectors or does it need to be wiped and then reloaded with XP etc.?
Thanks in advance for your input. Again, as I mentioned, I'm on the learning curve as a working I.T. professional (in another discipline) and not a college student looking for help on an assignment…so if you want to just throw some crumbs to me and hold onto the entire loaf of bread, I'm happy to take the direction and see where that path leads in the learning process; kind of makes it stick as lessons learned too…
Thanks again,
John
If the laptop tells you that boot sector may be corrupt, and 30% of sectors have failed, it sounds like a spoof virus program. They look convincing. Is it a program you loaded, or did the error message just appear? A disk with 30% bad sectors is unlikely to boot or do anything.
If the drive really is dying, then an image is what is required. My take on it is a paper I wrote, describing how an image can be built up in sections, and not just a single run.
http//
There are also many hardware based products. The important point to watch is that the disk reads and retries are kept to a minimum. Too many failed retries may sometimes cause the drive to fail totally.
NB, in my experience, sector failures are mostly in directory areas at the start of the disk, and the final 90% of the disk can often be read with very few errors.
Don't try and repair the disk drive once data is recovered. New drives are CHEAP, data loss or recovery, expensive.
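One way to build an image up in sections while keeping failed reads to a minimum, as the reply above describes. This is an added example, not part of the thread or of the paper it links; `image_in_sections`, `make_failing_disk` and the simulated disk contents are constructed for illustration.

```python
import io

def image_in_sections(read_at, size, out, section=64 * 512, block=512):
    """Copy `size` bytes via read_at(offset, length) into seekable `out`.

    Pass 1 reads whole sections and skips any that error, so healthy areas
    are saved first. Pass 2 revisits only the skipped sections one block at
    a time, one attempt each, zero-filling failures. Returns bad offsets.
    Only application-level retries are limited; the drive may retry itself.
    """
    skipped, bad = [], []
    for off in range(0, size, section):
        length = min(section, size - off)
        try:
            data = read_at(off, length)
        except OSError:
            skipped.append((off, length))  # no retry now, move on
            continue
        out.seek(off)
        out.write(data)
    for start, length in skipped:
        for off in range(start, start + length, block):
            n = min(block, start + length - off)
            try:
                data = read_at(off, n)
            except OSError:
                bad.append(off)            # record for the error map
                data = b"\x00" * n
            out.seek(off)
            out.write(data)
    return bad

def make_failing_disk(content, bad_blocks, block=512):
    """Constructed stand-in for a failing drive (not a real device)."""
    def read_at(off, length):
        first, last = off // block, (off + length - 1) // block
        if any(b in bad_blocks for b in range(first, last + 1)):
            raise OSError(5, "Input/output error")
        return content[off:off + length]
    return read_at

def demo():
    content = bytes((i % 251) + 1 for i in range(256 * 512))  # constructed data
    out = io.BytesIO()
    bad = image_in_sections(make_failing_disk(content, {3, 70}), len(content), out)
    return content, out.getvalue(), bad

if __name__ == "__main__":
    _, _, bad = demo()
    print("unreadable block offsets:", bad)
```

Against a real device on Linux, `read_at` could be `lambda off, n: os.pread(fd, n, off)` on a file descriptor opened read-only, with the image written to a different disk.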
Thanks Michael,
First instinct that it appeared to be a virus of some sort…I'm not sure at what point the message appeared also unsure of what the owners loaded just prior to that….thanks for the info.
John
You can use photorec (freeware) all right, as long as you have another disk to store the files.
It is also possible that the issue is an altogether different one, as pointed out previously.
The key is that you need ANYWAY to have a way to access the drive on another system (i.e. from another Operating system AND having enough free space for the image and for the recovered files).
An el-cheapo adapter like these can be used (example)
http//
similar things can be found online for much less than the above.
If you are not confident with Linux, there is a nice Windows tool to copy partially hard disks that also has a "backward" direction that in some cases can be of use (IF the issue is actually connected with "bad" sectors)
http//
jaclaz
Cheap free solution.
First triage the disk, download mhdd and scan the disk with that.
It will give you an idea of how damaged the disk surface is.
If the results of that are not too bad, i.e. all grey, not all red, then fire up Helix and in a terminal use dd_rescue to create a disk image.
If you're getting banding of coloured blocks in mhdd then you've got significant damage, take the disk to a pro.
If it's one of the recent rash of Fake AV / Fake System Disk Utils - take a look at combofix.exe (http//
Keep in mind though, that it is not a paid client, and isn't designed for end-users, and may brick an otherwise working Windows install. Given what you've described though you may not have a lot to risk. If it works, it should get the PC to the point where a commercial AV scanner can be reinstalled and finish the job.
Thanks to ALL for the replies. mscotgrove nailed this w/the virus. I did some further checking and after some online searching (which is what I should have done more of before posting, so I apologize) I found that it is a trojan virus that cons people into paying to 'fix' this stuff…you know, I was actually at a SANS COINS presentation two weeks ago where the speaker mentioned this kind of virus attack…..embarrassed it didn't ring a bell right away. Anyway, thanks to everyone. I know what to do from here.
Just for the edification of others (great suggestion mscotgrove), can you post something about how you definitively determined that the issue was a virus?
I have seen two such computers.
The best way to clean it was to remove the drive and then run anti-virus as an external drive.
The big suspicion was how the program knew there were so many bad sectors.