The problem of damaged hard drives is familiar to many: the drive starts to malfunction, the system freezes, files suddenly disappear. In such situations, conventional recovery methods can only aggravate the problem, causing data to be overwritten.
The best solution is to create a disk image and work with it, not the original.
In this article we will look at how:
The dd utility is usually recommended for creating a disk copy. However, it works on the "all or nothing" principle: if the disk contains damaged sectors, dd may freeze.
The ddrescue utility is more efficient. It:
Now let's create an image:
Command parameters:
We define the layout and partition table:
The following can be seen from the output:
Alternative methods of image analysis:
/dev/loop0
Now the sections are displayed as /dev/loop0p1, /dev/loop0p2, /dev/loop0p3.
The losetup utility is part of the util-linux package. Key -P, which appeared in version 2.21, allows you to automatically scan and add partitions when a loop device is connected.
To check the version use the command:
If you have an old losetup, without -P, can be used kpartx:
If the file system has been damaged, mounting may fail. Then it is worth using other methods, which are described further in the article.
Try running the command:
In this case, the disk will not be overwritten with new data, and you can recover deleted data using TestDisk or PhotoRec . Both utilities are free and work with various file systems.
1. Install TestDisk if it is not there:
However, ntfs-3g is more flexible and can:
The best solution is to create a disk image and work with it, not the original.
In this article we will look at how:
- copy the entire disk to an image file;
- mount the damaged partition and extract files;
- Recover deleted files or damaged NTFS file system.
Step 1. Create a disk image with the ddrescue utility
If a disk is "dying", the first thing to do is create an image of it. Trying to work with the disk directly can only make the situation worse.The dd utility is usually recommended for creating a disk copy. However, it works on the "all or nothing" principle: if the disk contains damaged sectors, dd may freeze.
The ddrescue utility is more efficient. It:
- skips broken blocks and continues copying;
- creates a damage map (mapfile), allowing the process to continue in the event of failures;
- allows you to combine copies of disks, for example from two different attempts.
Creating an image
First, let's define the disk name ( /dev/sdX):
Bash:
lsblk
Bash:
sudo ddrescue -d /dev/sdX image.img mapfile- /dev/sdX- original disk;
- image.img— the file where the image will be saved;
- mapfile— file — a control map of bad sectors (allows you to restart the image creation process without starting over).
How do I know how much data I was able to recover?
While running, ddrescue shows:- number of read and skipped sectors;
- copy speed;
- how many times did you try to reread the damaged blocks?
Step 2. Analyze the image contents
Now we have an image image.img, but what's inside?We define the layout and partition table:
The output may look like this:
The following can be seen from the output:
- Partition Table: gpt (GPT layout).
- The third partition is sda3 (NTFS), that's what we need.
- Section starts at 105906176B.
Let's look at the file system type.
- If we are recovering files from a Windows partition, we are looking for NTFS .
- If we are working with a Linux partition, we are interested in ext4, ext3, xfs, etc.
- If we are looking for a boot partition, it is often FAT32 (for example, an EFI partition).
Alternative methods of image analysis:
Step 3. Connect and mount the image
Now we need to access the desired partition. To do this, we will create a disk emulator in Linux that will open access to all partitions.Using losetup
Create a loop device to work with the image. This is a virtual device that allows you to work with the disk image as if it were a regular physical disk. To create it, use the command losetup:Conclusion:
/dev/loop0
Now the sections are displayed as /dev/loop0p1, /dev/loop0p2, /dev/loop0p3.
The losetup utility is part of the util-linux package. Key -P, which appeared in version 2.21, allows you to automatically scan and add partitions when a loop device is connected.
To check the version use the command:
losetup from util-linux 2.37.2
If you have an old losetup, without -P, can be used kpartx:
Mounting the desired partition: sda3, NTFS
Now let's create a mount point:Mountable section /dev/loop0p3:
Flags uid And gidallow not only the root user, but also the regular user to work with files.
If the file system has been damaged, mounting may fail. Then it is worth using other methods, which are described further in the article.
Step 4. Extract files
The files are now available in /mnt/recovery. You can copy them:If you need to copy while preserving the structure and rights:
For archiving:
Step 5. Finishing the job
After copying the data, you need to disable the loop device:What to do with the error device is busy
Use fuserto find processes that are holding a mount:Then terminate them with the command:
That's it for the basic steps. Let's move on to the difficulties you may encounter in the process and options for solving them.
What to do if NTFS partition is not mounted
instead If the NTFS partition is damaged, the standard driver may refuse to mount. Let's use ntfs-3g .Force NTFS Mount
If the standard command mount -t ntfsdidn't work, try disabling the standard driver and explicitly specify ntfs-3g:File system recovery with ntfsfix
If you receive the error "NTFS is inconsistent", "$MFTMirr does not match $MFT" or "The disk contains an unclean file system", proceed to the repair. You can fix a damaged NTFS partition using ntfsfix.Try running the command:
What does ntfsfix do?
- Clears the dirty bit that may prevent mounting.
- Fixes major file system errors.
- Sets the check flag chkdskso that Windows can correctly restore the partition the next time it boots.
If nothing helps, use chkdsk in Windows
If even ntfsfix does not solve the problem, it is better to boot into Windows and run chkdsk:Here D:- this is the letter of the damaged partition, yours may be different.
Recovering Deleted Files with TestDisk and PhotoRec
If a situation arises where files have been deleted, you should remount the disk in read-only mode (RO). This will prevent data from being overwritten. If this is a system disk, it is recommended to boot from a flash drive and also mount it in RO.In this case, the disk will not be overwritten with new data, and you can recover deleted data using TestDisk or PhotoRec . Both utilities are free and work with various file systems.
Recovering file structure with TestDisk
The TestDisk utility is worth using:- if the partition has become “unreadable”, but the file structure remains;
- if a disk or flash drive requires formatting after a failure, but the files still exist.
1. Install TestDisk if it is not there:
2. Run TestDisk:
How can I recover files now?
- Select disk ( image.img ) → Proceed .
- Select Intel (MBR) or EFI/GPT .
- Select Analyze , press p to see the files.
- If the files are visible, select Write to repair the damaged file table.
- If they are not visible, use the PhotoRec utility.
- Reboot your system and try mounting the partition again.
Recovering Individual Files with PhotoRec
The PhotoRec utility is worth using:- if files are deleted and not visible in TestDisk;
- if the file system is damaged and files are needed by signatures (file types).
- Install PhotoRec - it comes with TestDisk.
- Run the utility:
How to recover files?
- Select disk.
- Specify which partition to search for files from.
- Select which file types to recover ( JPG, DOC, PDF ).
- Specify the folder to save the data.
- Start the search.
Using ntfs-3g when working with NTFS
If an NTFS partition is damaged (for example, due to a disk failure or improper shutdown), the standard NTFS driver in the Linux kernel (ntfs) may not mount it at all, or may mount it in read-only mode with errors.However, ntfs-3g is more flexible and can:
- force mount of "dirty" NTFS partitions;
- work with damaged MFT (Master File Table);
- Fix file system errors with ntfsfix.
Alternative emulation methods: qemu-nbd
If losetup doesn't work, you can emulate a physical disk using qemu-nbd. This is a utility that uses network block devices (NBD) to work with disk images:Disabling:
Conclusion
Key findings:- Do not work directly with a damaged disc.
- Create an image before attempting to recover data.
- Use losetup, TestDisk, PhotoRec to recover.
