Retrieving data from a corrupt Windows NTFS drive


Many of us have probably dealt with a corrupt hard disk at some point or another, and may have experienced some data loss with it. This is unfortunate, and steps can be taken in advance to prevent data loss, such as making sure a good backup is running properly. But things happen, and when the hard disk is bad physically or the filesystem on it is corrupted, a sinking feeling comes over you when you realise that you may not be able to get your files back.

No matter what the operating system, if the disk is physically bad so that the head no longer works, or the disk does not spin up, there is not much hope other than having a professional data restoration service try to physically remove the platter. Sometimes, the PCB (the circuit board attached to the disk) is faulty and can be replaced to restore functionality of the disk.

If the problem is strictly software, such as the filesystem being corrupt, there is hope. I've seen countless cases where the Windows NTFS filesystem becomes corrupted out of the blue, and the user is in a state of panic thinking that the drive is completely bad. But take a deep breath, step back, and try running various utilities on the disk to see if you can recover any data. A few suggestions that I tend to keep in mind are:

- I recommend using a non-Windows operating system to connect to the Windows disk and copy the data from it. I know it sounds counterintuitive, but I've had much better luck using GNU/Linux to view a corrupted Windows disk than trying to access the disk in a Windows system. I don't know if it is because the Windows NTFS driver and the GNU/Linux NTFS driver access the same disk in different ways, or something else. Even at times when Windows does not see the NTFS partition at all, a GNU/Linux system can see and access it just fine. Give it a shot. Any new Live CD of a GNU/Linux distribution should work. I like Knoppix and sometimes the Fedora Live CD, which both have repair tools available. Or, even better, just plug the drive into a running GNU/Linux PC. What's more, GNU/Linux supports a huge variety of filesystems (unlike Windows, which only supports Microsoft formats), so this concept can be applied to FAT32 (Microsoft), HFS (Macintosh), and many other filesystems as well.

- Use the newest version of a GNU/Linux CD if possible. This will include the latest version of the Linux kernel as well as the newest version of the "ntfs-3g" support.

- If you must use a recovery program in Windows, do not use one that makes changes to the disk. I have found that some utilities in Windows make the situation worse, and lessen the chance of recovering any data on the disk! If you must use a utility that is going to modify the contents of the disk, try to clone the drive with a block copy first, then allow the utility to make changes to the cloned copy. In GNU/Linux, the dd program would do this, or use a utility like dd_rescue/ddrescue (in GNU/Linux) that will read from the corrupt disk, and copy the recoverable data to another disk where the filesystem can be further repaired. dd_rescue is mainly aimed at trying to copy data from a physically damaged disk to another disk where additional repair tools can be run on the salvaged data. Check the man page for dd_rescue for more information. Clonezilla may also be able to do a block copy of a corrupted disk, although I have not tried it for this purpose.

Oftentimes, a GNU/Linux system will see the drive and you can then get to the files and copy them elsewhere for backup, such as to a network file server. Once you can see the data on the corrupted disk, copy the data from it as quickly as you can. Other times, you may have to force it to mount the disk, with a command such as:

mount -t ntfs /dev/sda1 /mnt/ntfsdisk -o force

The directory /mnt/ntfsdisk must exist ahead of time, and you must run the mount command as root. Alternatively, GNU/Linux gives you the option to mount the disk strictly in read-only mode, to ensure that no changes can possibly be made to it:

mount -t ntfs /dev/sda1 /mnt/ntfsdisk -o force,ro

Again, the man page is your friend; check the one for the "mount" utility to get the entire list of options available.

If you still cannot access the NTFS data after mounting it as above, there is also an NTFS repair tool that you can run on the disk while it is not mounted. It's called "ntfsfix". Read the man page for more information. This tool can write back to the drive, so use it with caution.
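The clone-first workflow described above, sketched as an added example (not from the original article): take a block copy with dd, record its hash, write-protect it, and let tools that modify data (such as ntfsfix) touch only a working copy. The function names, the file names master.img and work.img, and the /mnt/backup/case1 path are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example: image first, then let repair tools touch only a copy.

# image_disk SRC OUTDIR
#   SRC    - partition or image file to read (e.g. /dev/sda1 as in the article)
#   OUTDIR - directory on a different, healthy disk (hypothetical path)
image_disk() {
    local src=$1 out=$2
    mkdir -p "$out" || return 1
    # noerror: keep going past unreadable blocks; sync: pad them with zeros
    # so every later byte keeps its original offset in the image.
    # (sync also pads a short final block up to the 4096-byte block size.)
    dd if="$src" of="$out/master.img" bs=4096 conv=noerror,sync status=none || return 1
    # Record the hash once so the failing source never has to be read again.
    (cd "$out" && sha256sum master.img > master.img.sha256) || return 1
    chmod a-w "$out/master.img" "$out/master.img.sha256"
    # Tools that write to the filesystem get this copy, never the master.
    cp "$out/master.img" "$out/work.img" && chmod u+w "$out/work.img"
}

# verify_master OUTDIR: succeeds only if master.img still matches its recorded hash.
verify_master() {
    (cd "$1" && sha256sum -c master.img.sha256) >/dev/null 2>&1
}

# restore_work OUTDIR: throw away a working copy that a tool made worse.
restore_work() {
    verify_master "$1" || return 1
    cp -f "$1/master.img" "$1/work.img" && chmod u+w "$1/work.img"
}

# Typical use, as root (paths are assumptions):
#   image_disk /dev/sda1 /mnt/backup/case1
#   mount -t ntfs -o ro,loop /mnt/backup/case1/work.img /mnt/ntfsdisk
```

If a repair attempt on work.img goes badly, restore_work gives you a fresh copy without reading the damaged disk again.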

There are a slew of proprietary applications on Windows that offer "data recovery", so if the open source tools do not work, and you make a copy of the corrupted drive, you have nothing to lose by trying them. But, I've never needed to look for one because I've been able to perform basic software recovery with open source instead.

What tools have you used to recover Windows data?


Chris Clay

About Chris Clay

After administering Linux and Windows for over 17 years in multiple environments, my focus of this blog is to document my adventures in both operating systems to compare the two against each other. Past and present experiences have shown me that Linux can replace Windows and succeed in a vast variety of environments. Linux has proven itself many times over in the datacentre and is more than capable for the desktop.

  • Excellent Review
    • Ubuntu Live CD

      With the Ubuntu Live CD you can just load Ubuntu and back up any files you need to back up.

  • Great post! Thanks for giving us an option on how not to experience recurring data loss. Your recommendations are very much appreciated. :)
    IT Support23
  • I have a friend at work whose Windows-based computer would not boot, and she had a lot of photographs she wanted to retrieve. I gave her a copy of Partition Magic, and she got all her data back by using xfburn to copy it to a CD, and then transfer it to her new computer. I've used it to add and remove partitions, transfer files, etc. It's a GREAT tool.
  • Good article. I’d add the following tips:

    - Turn off auto CHKDSK on your Windows systems so it does not screw things up.
    - If you do use any FixTools (CHKDSK and such), always make a sector-by-sector copy (Linux DD, FTK Imager, …) of the disk before running any of those tools.
    - Since most Windows users are not familiar with Linux, they may like to use a Windows Recovery program that does not write to their source disks. Users should install a new system first then use the corrupt drive as a slave to that system. Never install to the corrupt system.

    Before anything happens, a preventive measure I’d advise is to use an online backup service (Carbonite, Mozy, CrashPlan, …) that is always working in the background so that if a problem occurs then you can always restore from that backup to your new disk.

    Robert Winter, Head of Data Recovery Engineering, Kroll Ontrack
    Robert Winter-b6e86