Retrieving data from a corrupt Windows NTFS drive

Summary:Many of us have probably dealt with a corrupt hard disk at some point or another, and may have experienced some data loss with it. This is unfortunate, and steps can be done in advance to prevent data loss, such as making sure a good backup is running properly.

Many of us have probably dealt with a corrupt hard disk at some point or another, and may have experienced some data loss with it. This is unfortunate, and steps can be done in advance to prevent data loss, such as making sure a good backup is running properly. But, things happen, and when the hard disk is bad physically or the filesystem on it is corrupted, a sinking feeling comes over you when you realise that you may not be able to get your files back.

No matter what the operating system, if the disk is physically bad so that the head no longer works, or the disk does not spin up, there is not much hope other than having a professional data restoration service try to physically remove the platter. Sometimes, the PCB (the circuit board attached to the disk) is faulty and can be replaced to restore functionality of the disk.

If the problem is strictly software, such as the filesystem being corrupt, there is hope. I've had countless times that the Windows NTFS filesystem becomes corrupted out of the blue, and the user is in a state of panic thinking that the drive is completely bad. But, take a deep breath, step back, and try running various utilities on the disk and see if you can recover any data. A few suggestions that I tend to keep in mind are:

- I recommend using a non-Windows operating system for trying to connect to the Windows disk in order to copy the data from it. I know it sounds counteractive, but I've had much better luck using GNU/Linux to view a corrupted Windows disk, than trying to access the disk in a Windows system. I don't know if it is because of an issue with the Windows NTFS driver vs. the GNU/Linux NTFS driver accessing the same disk in different ways, or something else. Even times where Windows does not see the NTFS partition at all, a GNU/Linux system can see and access it just fine. Give it a shot. Any new Live CD of a GNU/Linux distribution should work. I like Knoppix and sometimes the Fedora Live CD which both have repair tools available. Or even better just plug the drive into a running GNU/Linux PC. What's even better is that GNU/Linux has support for a huge variety of filesystems as well (unlike Windows which only supports Microsoft formats), so this concept can be applied to FAT32 (Microsoft), HFS (Macintosh), and many other filesystems as well.

- Use the newest version of a GNU/Linux CD if possible. This will include the latest version of the Linux kernel as well as newest version of the "ntfs-3g" support.

- If you must use a recovery program in Windows, do not use one that makes changes to the disk. I have found that some utilities in Windows make the situation worse, and lessen the chance of recovering any data on the disk! If you must use a utility that is going to modify the contents of the disk, try to clone the drive with a block copy first, then allow the utility to make changes to the cloned copy. In GNU/Linux, the dd program would do this, or use a utility like dd_rescue/ddrescue (in GNU/Linux) that will read from the corrupt disk, and copy the recoverable data to another disk where the filesystem can be further repaired. dd_rescue is mainly aimed at trying to copy data from a physically damaged disk to another disk where additional repair tools can be run on the salvaged data. Check the man page for dd_rescue for more information. Clonezilla may also be able to do a block copy of a corrupted disk, although I have not tried it for this purpose.

Often times, a GNU/Linux system will see the drive and you can then get to the files and copy them elsewhere for backup, like a network file server. Once you can see the data on the corrupted disk, copy the data from it as quickly as you can. Other times, you may have to force it to mount the disk, with a command such as :

mount -t ntfs /dev/sda1 /mnt/ntfsdisk -o force

Where the directory /mnt/ntfsdisk must exist ahead of time, and you must be running the mount command as root. Or, GNU/Linux gives you the option to mount it strictly in readonly mode, to ensure that no changes can possibly be made to the disk:

mount -t ntfs /dev/sda1 /mnt/ntfsdisk -o force,ro

Again, the man page is your friend, check it out for the "mount" utility to get the entire list of options available.

If you still cannot access the NTFS data after mounting it as above, there is also a NTFS repair tool that you can run on the disk while it is not mounted. It's called "ntfsfix". Read the man page for more information. This tool can write back to the drive, so use with caution.

There are a slew of proprietary applications on Windows that offer "data recovery", so if the open source tools do not work, and you make a copy of the corrupted drive, you have nothing to lose by trying them. But, I've never needed to look for one because I've been able to perform basic software recovery with open source instead.

What tools have you used to recover Windows data?

Topics: Open Source

About

I have been a systems administrator of both Windows and Linux systems for over 17 years, in educational institutions, enterprises, and consumer environments. Throughout the years running Linux and Windows side by side, I have seen Linux countless times surpass Windows in performance, reliability, cost savings, and more recently user expe... Full Bio

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.