
How I Recovered my Corrupted 2TB Hard Drive without having to copy everything to another Drive

So, a little back story. I have a 2 Terabyte external hard drive that is split into 3 partitions for backup: one for entertainment, one for work and one for personal projects. A friend of mine had a Lenovo laptop that was having trouble installing WLAN drivers (you'd install the drivers and they'd keep giving an error that the drivers weren't working; if you tried to uninstall them, they'd just reappear... but that's a whole different story).

Anyway, my friend decided to roll back from Windows 10 to Windows 8 and wanted to copy one of the test builds from my 2TB HDD, so I lent it to him. Little did I know that that Lenovo laptop had other plans for me. As soon as the external hard drive was connected to it, the laptop reported it as a FAT32-formatted drive (it was actually GPT-partitioned with NTFS volumes) showing 1.82 TB free out of an "actual" size of 1.82 TB, i.e. an empty disk. Where panic would have ensued for many, I held back the growing irritation at such a thing happening to the drive and did the only logical thing anyone would do: Google!

That was not the whole story, to be frank. Full disclosure: I have studied computer forensics before and file carving fascinates me a lot. I also have a bunch of file recovery tools on my PC that I've been raring to use for ages. However, a concept that one needs to understand before studying forensics is how operating systems work and also how file systems work. The fact that the drive had just "acquired" a new file system from the messed-up Lenovo strongly suggested that only the metadata at the front of the disk (partition table and boot sectors) had been clobbered and that the file data itself had not been overwritten yet. Fortunately, my friend had not tried to write any new files onto the 2TB HDD or messed with any recovery tools; either of those could have rendered some of my data unrecoverable.

Back on point, the data recovery theory that worked here was this: before you do any recovery, know what you need to recover. Is it the files that have been deleted, or is it the partitions that have been deleted/corrupted? In my case, it was pretty obvious that it was the partitions and the file system that needed fixing so I focused on that.

STEPS

  1. I launched my Caine VM so I could use the testdisk tool. I used a separate machine from my day-to-day computer because I was not sure whether malware had caused this problem and whether it could spread via the 2TB HDD.
  2. Caine can be used in live mode without installing it on the computer. I then attached the 2TB HDD to the VM.
  3. Trying to browse it as a folder there gave an error and a lot of folders with gibberish names, so I closed that file-browser window.
  4. I then launched testdisk from the terminal (just type sudo testdisk). Without root it fails to read the 2TB HDD, because an unprivileged user cannot open the raw block device.
  5. In testdisk, select Create a new log file.
  6. Select the drive you want to recover and then select Proceed.
  7. Select the partition table type; mine was EFI GPT (most likely the right one is already highlighted, based on testdisk's best guess).
  8. Select the Analyse option.
  9. The current partitions are listed. If any are still in good condition, save the current partition table by selecting Backup (testdisk writes it to backup.log so you can revert later).
  10. Select Quick Search if any partitions are missing (as was the case with mine).
  11. The partitions I was looking for were not found, so I pressed Enter and opted for Deeper Search on the next screen.
  12. This stage takes ages, so you may as well leave it for a day or more while it scans the drive for deleted partitions. Mine took over 24 hours, but that may be due to the specifications of my VM and the host computer itself.
  13. When it is done it lists a variety of recovered partitions; look out for the ones carrying the names you had originally assigned to your partitions.
  14. Select each of them and press the left/right arrow keys to change its status from D (deleted) to P (primary).
  15. After doing so, verify their contents by pressing P to list the files and check that everything is intact.
  16. One other thing to be wary of is the start and end sectors of each partition. Never set partitions with overlapping sector ranges to Primary at the same time: if partition 1 runs from sector 1000 to 2000, you cannot also recover a partition 2 that runs from 500 to 2500, because the two would claim the same sectors.
  17. Once you are satisfied with the recovered partitions, select Write to write the new partition table to the disk. Only the partition table is rewritten; the contents of the partitions are not touched, and testdisk will tell you to reboot for the change to take effect.
  18. In my case, one of the partitions had a damaged boot sector but its backup boot sector was intact (testdisk reports this under Advanced > Boot). So I used Backup BS to copy the backup boot sector over the primary one.
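The two checks behind steps 16 and 18, as an added example in Python that is not code from this post or from testdisk: a sector-range overlap check over a partition listing, and a validation of an NTFS boot sector against the backup copy that NTFS keeps in the last sector of the volume (the copy that Backup BS writes back). The listing text, the partition labels and the mini volume are all constructed; only the handful of NTFS boot-sector fields that are checked are meaningful, everything else is zero.

```python
"""Added example (not code from the post or from testdisk). find_overlaps()
flags candidate partitions whose sector ranges intersect, so two of them are
never set to Primary at once. repair_boot_sector() validates an NTFS boot
sector and, if the primary copy in sector 0 is damaged, restores it from the
backup copy NTFS keeps in the last sector of the volume. All inputs are
constructed in memory; nothing here touches a real disk."""
import re
import struct
from itertools import combinations

SECTOR = 512

# Constructed listing, loosely modelled on testdisk's GPT partition screen
# (status, type, start sector, end sector, size in sectors, [label]).
# Labels and numbers are invented; the D entry overlaps two P entries.
LISTING = """\
 P MS Data                         2048  419432447  419430400 [Entertainment]
 P MS Data                    419432448  838862847  419430400 [Work]
 D MS Data                    629147648 1048577023  419429376 [Old backup]
 P MS Data                    838862848 1258291199  419428352 [Projects]
"""
LINE_RE = re.compile(
    r"^\s*([PLED*])\s+(.+?)\s+(\d+)\s+(\d+)\s+(\d+)(?:\s+\[(.*)\])?\s*$")


def parse_listing(text):
    """Turn listing lines into dicts; lines that do not match are skipped."""
    parts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            status, ptype, start, end, size, label = m.groups()
            parts.append({"status": status, "type": ptype.strip(),
                          "start": int(start), "end": int(end),
                          "size": int(size), "label": label or ""})
    return parts


def find_overlaps(parts, statuses=("P", "L", "E", "*")):
    """Return (label, label) pairs whose sector ranges intersect among the
    partitions carrying one of `statuses`. D (deleted) is ignored by default;
    pass statuses=("P", "D") to see what setting a D entry to P would collide
    with. Two closed ranges intersect iff each starts before the other ends."""
    live = [p for p in parts if p["status"] in statuses]
    return [(a["label"], b["label"]) for a, b in combinations(live, 2)
            if a["start"] <= b["end"] and b["start"] <= a["end"]]


def ntfs_boot_sector_ok(sector, volume_bytes):
    """Sanity-check an NTFS boot sector: OEM ID "NTFS    " at offset 3, the
    0x55AA signature at 510, 512-byte sectors, and a TotalSectors field (u64
    LE at 0x28) consistent with the volume size. TotalSectors excludes the
    last sector, which is exactly where the backup boot sector lives."""
    if (len(sector) != SECTOR or sector[3:11] != b"NTFS    "
            or sector[510:512] != b"\x55\xaa"):
        return False
    bytes_per_sector = struct.unpack_from("<H", sector, 0x0B)[0]
    total_sectors = struct.unpack_from("<Q", sector, 0x28)[0]
    return (bytes_per_sector == SECTOR
            and (total_sectors + 1) * SECTOR == volume_bytes)


def repair_boot_sector(volume):
    """Return (volume, action). The backup is copied over sector 0 only when
    the primary is bad and the backup validates; if both are bad nothing is
    written, because guessing a boot sector only makes carving harder."""
    vol = bytearray(volume)
    primary, backup = bytes(vol[:SECTOR]), bytes(vol[-SECTOR:])
    if ntfs_boot_sector_ok(primary, len(vol)):
        return bytes(vol), "primary ok"
    if not ntfs_boot_sector_ok(backup, len(vol)):
        return bytes(vol), "both bad: leave the disk alone"
    vol[:SECTOR] = backup
    return bytes(vol), "restored from backup"


def make_test_volume(sectors=2048, wreck_primary=True):
    """Constructed 1 MiB NTFS-like volume with only the checked fields set.
    With wreck_primary the boot sector survives only in its backup slot at
    the very end, like the damaged partition in step 18."""
    bs = bytearray(SECTOR)
    bs[0:3] = b"\xeb\x52\x90"          # jump instruction, as NTFS writes it
    bs[3:11] = b"NTFS    "
    struct.pack_into("<H", bs, 0x0B, SECTOR)
    struct.pack_into("<Q", bs, 0x28, sectors - 1)
    bs[510:512] = b"\x55\xaa"
    vol = bytearray(sectors * SECTOR)
    vol[-SECTOR:] = bs
    if not wreck_primary:
        vol[:SECTOR] = bs
    return bytes(vol)


if __name__ == "__main__":
    parts = parse_listing(LISTING)
    print("overlaps among the P entries:", find_overlaps(parts))
    print("overlaps if the D entry were also set to P:",
          find_overlaps(parts, statuses=("P", "D")))
    print("boot sector:", repair_boot_sector(make_test_volume())[1])
```

On the constructed listing the three P entries are adjacent but disjoint, so they can all be written; promoting the D entry would collide with both Work and Projects, which is the situation step 16 warns about. The boot-sector routine deliberately refuses to write when neither copy validates, which is the moment to stop and image the volume rather than keep fixing in place.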
This successfully restored two of the partitions and I could access them easily. However, the first partition was still not readable, which became a problem, so I had to repair it with the Windows tool chkdsk. The steps are as follows:
  1. Open an elevated command prompt and type chkdsk /f <drive letter>: . The /f switch tells chkdsk to fix any errors it finds in the file system.
  2. If the volume is in use, chkdsk asks whether to force a dismount; allow it (for a system drive it will instead offer to schedule the check for the next reboot).
  3. After completion, the job was done and the drive was back to normal!
And that was how I recovered my 2TB drive without having to copy all the files to a different drive.

Comments

  1. Wow! This is epic. I had no clue at the beginning of what you were saying but the more I read on...ignited by intrigue I learned quite a bit from your experience.
