Hello all received a 500GB hard drive from a client, going through normal procedures to obtain an image of the drive, after almost 5 hours and the drive image at less then 5% completed obviously there was something wrong. There are some strange noises coming from the drive, when I aborted the imaging process the log reported over 13 pages of bad sectors on the disk. Wondering opinions does the feasible obtion seem to be to send it out to a data recovery specilist there definitely sounds like there is something faulty going on inside the drive, but when connected via the write blocker to make the image the drive shows up fine in Window's to be imaged just once that process begins thats were the issues are. Any opinions? thanks a lot
Option 1 Always check your jumper configurations
Option 2 Have you tried adjusting your error granularity and sector read buffers down to 1 byte
The imaging takes a lot lot longer but it has worked for me in the past
Option 3 Have you tried imaging the drive in it original host?
I've had phantom drives in the past that just will. not. image! Pop them back in the original machine with a helix disk and it images no problems for no apparent reason.
Hope this helps
Steve
Have checked Jumpers, I will adjust those settings but my main concern was it was taking a lot longer to begin with and you can hear definitely odd noises coming from the drive. The original host is not an option for right now as it is in Washington and I am in NY, I will change those settings and attempt again, thank you.
Note that this is not advice, per se, as I don't know the circumstances, but just a consideration…
If you are not in the data recovery business and do not have advanced data recovery tools handy, I would suggest that you consider stopping and sending the drive to a reputable data recovery firm. Make sure to maintain the chain of custody if you do. Also, if you are an expert representing a party in a civil suit I would consider contacting your client's lawyer to explain the situation and get advice as to how to proceed.
I have witnessed attorneys alleging spoliation on the part of forensic investigators when a drive fails during imaging and the question that comes up is "If you thought that there was a problem, why didn't you stop and send the drive to a data recovery firm?"
This is especially true if you are not a court appointed master but are representing one of the parties in a civil suit. Drives fail, even during imaging, but it can complicate matters if don't take steps to protect your reputation.
Thanks seanmcl yes that was definitely my though, ive come to the conclusion that this definitely needs to be sent out to a data recovery firm. I appreciate the responses
This should have been stopped as soon as you heard the drive making weird noises. If the heads are crashing and you continue ot read the drive in sequence you can just damage more data. A heads swap at an early stage is the answer in these circumstances.
Do not screw around with jumpers and try again, you stand a very good chance of just making it worse.
The process has stopped and we are in contacts with a data recovery firm
If you are just going the examine the hard drive and not required to recover data, and if the bad sectors are consecutive, then you can acquire the image of the working sectors, simply by excluding the bad ones. If the total number of bad sectors do not constitute an area which is big enough to hold the files of interest, you can exclude them, acquire the working sectors, and then add required number of sectors in place of the bad ones, and then re-create the hard drive logically.
I agree with Paul. Once a drive begins making nose and it seems to have issues reading data the collection should be stopped and you should documents everything.
Assuming the disk is NTFS, then at 5% image it is very likely that at least the first extent of the $MFT will have been read. With a following wind, you may actually have the full $MFT.
If the full $MFT has not been imaged, it may be considered that this is the most important area of the disk to image, it is unusal to be in more than about 10 fragments
This means that it will be possible to locate areas of the disk that are most important, and maybe areas that are not important. As it is possible that the disk may fail at anytime (even for a data recovery company) this information should be used to ensure as much data as possible is recovered. Once known critical files have been imaged/recovered the rest of the disk can be imaged.
If you decide to use a recovery company, very close co-operation could pay dividends by assuming that a 100% image may not be possible.