By people who should have known better.
A friend called me the other day from a local computer repair desk. Eight files on their external drive wouldn’t open, and they hoped the computer repair people could recover the information. They were calling me because things weren’t going well.
Naturally, they didn’t have a recent backup, or they wouldn’t be needing help. However, it’s more complicated than that.
It’s almost as if the computer repair people went out of their way to destroy data.
Become a Patron of Ask Leo! and go ad-free!
The path to data loss
A repair shop mishandled a friend’s external drive and lost data due to improper preparation. Instead of preserving original files, the shop lost and damaged files. Despite my attempts with advanced recovery tools, I could only get some data back. Backups — including the shop’s — would have helped immensely.
First, do no harm
I’m not going to name the repair shop, because all I have to go on is my own speculation, word of mouth, and the results of examining the external drive in question.
One of the most important steps in any data recovery effort is to make sure you’re not making matters worse. Many recovery techniques, even if performed correctly, alter the data stored on the drive. This can overwrite other data that might be important for recovering additional files. That’s just the nature of data recovery.
Knowing that, the first thing you should do is take steps to ensure that no matter what, you can always get back to where you were originally: that you won’t make things worse.
The computer repair folks apparently failed to consider that. As a result, by the time I got a look at it, the disk had been manipulated extensively. You might say it had been stomped on. My chances of addressing the original problem were slim to none. The best I could hope for was some kind of partial recovery.
The lead-up
The initial symptoms were pretty simple: eight files suddenly appeared to be corrupt. They wouldn’t open. That’s it. Eight files out of perhaps thousands of files stored on this drive.
My friend had been backing up manually, and the most recent backup was a couple of months ago. Naturally, there was important stuff on that drive that had been created or updated since then.
When my friend got the drive back from the computer repair people, those eight files were back. Yay.
All the other files were gone. All of them.
So they went back to computer repair and asked “What happened?” followed by “Get my files back!”1
The computer repair folks attempted a second round of data recovery on the drive. The result was:
- The previous folder structure was completely lost.
- There were many duplicates of recovered files.
- Many of the recovered files lost their file names, replaced by a generic “file_nnn” numbered name.
- Many files were incomplete or damaged.
- Many files were missing.
And that’s it. That’s the best they could do. Only excuses were offered.
How to do no harm
At the beginning, the repair shop should at least have asked “Is this drive backed up?” and taken appropriate action if the answer was no. Heck, an experienced shop wouldn’t even ask; they’d assume the answer was no, and start by backing up the existing data.
I’ve often pointed out that image backups on working systems make for a great checkpoint. No matter what you do after the backup (like installing or updating software or making other changes), you can always restore the backup and be back where you were with no harm done.
You can see where I’m going with this.
Related
What’s the Difference Between a Clone and an Image?
The difference between a clone and an image boils down to what they contain: everything, or absolutely everything.For data recovery, though, a simple image backup isn’t enough. That includes only the files on the disk. What we needed was a clone: a bit-for-bit copy of the disk that shows exactly how the data is laid out, including the areas that claim to contain no data at all. It’s those claims that hold the potential for recovery.
So the first thing I did was clone the drive. Even though the repair folks had made a mess of things, this way I knew that no matter what, I wasn’t going to make things worse.
Clone caveats
There are at least a couple of situations where cloning might not work.
- Sometimes physical problems prevent the clone operation from completing. Then you need to decide whether to risk proceeding with other techniques anyway or hand it over to a data recovery service.
- Sometimes cloning isn’t exact. This is rare, and difficult to explain. While we think of a clone as being a bit-for-bit copy, depending on the cloning tool used, it’s possible that something in the copy might be changed in the process. Like I said, rare but possible.
However, there’s a very interesting upside: if the clone works without error, then you know that the disk’s media is intact. There are no physical errors present.
Even better, if you clone to a file — much like performing an image backup — you can set aside the original disk completely. You can quickly make additional copies of the cloned drive, mount them as virtual drives, and run most data recovery tools on that copy rather than the original. (This can often be faster if the original is a slower disk or connected via USB.)
So, yes. I cloned the drive.2
Tools used
Since the repair folks had already mucked about with the data, my chances were slim, but I went for it anyway.
I started with Recuva. I let it scan the entire drive and recover everything it could. It recovered a bunch more files besides those recovered by the repair shop. The problem is that we didn’t know whether these files were the originals that we wanted or artifacts of the botched recovery efforts.
For reasons I can’t explain, it felt like I could do better. Or, rather, I could at least do more.
I ended up trying a new-to-me data recovery tool: Hasleo Data Recovery. The initial scan and first 2GB of data recovery were free, so it was a simple decision to at least give it a try.
It scanned for a very long time, well over 24 hours. When it was done, it listed many more files than Recuva had. I ended up purchasing the program and using it to copy and recover all of them. Once again, I didn’t know if these were originals or artifacts of the prior recovery attempts, but they represented more possibilities of recoverable files.
Now what?
Regardless of the recovery tool used, the bottom line is that I was left with a collection of files that may or may not be damaged, may or may not have the correct filename, and no folder structure at all.
Rather than try to sift through everything — something my friend could do later if so inclined — I focused on a specific file with a specific name and content that my friend had identified as the single most valuable thing to recover.
All the files with that name were incomplete and not useful.
What I needed was a specific, somewhat unique string of characters — like, say, “sarsaparilla” — to look for. My friend gave me an earlier copy of the document, so I had a few of those. Then I could search through all of the recovered files for that string.
The problem is that the files were of a variety of types. And after recovery, the types might not even be correct. So we needed to search all of the files.
We could use a command-line tool called “FindStr” to search for all occurrences of a string in a set of text files, but not all the files were text files, so that wouldn’t help.
I have a tool called PowerGrep3 that can search many file types, not just text. I turned it loose, searching for a string we knew would be in the document we were looking for, and a day later, I got my results. There were lots of hits, but none of them were useful. At best, we had older versions of that important document, not subsequent revisions.
Partial success but mostly failure
I gave my friend a hard disk containing the files I’d recovered. It included music, pictures, videos, and more. If they want to, they can look in this collection for other things they later realize are missing.
But as for that most important document, I came up empty-handed.
I can’t say with certainty that I would have been able to recover more had I gotten the disk before the repair shop stomped all over it, but I like to think I could. I would have at least had a better chance of understanding what started this sequence of events in the first place.
Do this
Back up. I think by now you know this. (My friend and I are working to set something up appropriate for their usage.)
More importantly, though: first, do no harm. If you’re a repair shop, back up what your customers give you first. If you’re taking a machine or disk to a repair shop for data recovery, do what you can to back up the drive before you hand it over. If a traditional backup won’t work, consider attempting a clone.
But, again, back up, and back up regularly.
Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.
Podcast audio
Related Video
Footnotes & References
1: I’m under the impression that stronger words may have been used.
2: I used Macrium Reflect X, but there are many good clone or clone-only tools out there.
3: “Grep” is the name of a powerful string-searching tool included in Linux, MacOS, and their predecessors. There are versions available for Windows, but that’s not what I used here. PowerGrep is a different program that leverages “grep” as a description of what it does. It also has the distinction of having the worst user interface I’ve ever encountered.
Whenever I repair someone’s computer I back it up. Sometimes I feel a little guilty copying someone’s data if I’d forgotten to ask permission, but it was 100% for their benefit.
When my laptop lid broke I encrypted all my data files before bringing it in for repair. I might have missed some in obscure locations, but even if the tech was nosey, I don’t believe he’d bother to look into my AppData files. After that, I left those encrypted because next time I mighn not be able to get in to encrypt my files.
This is sometimes a no-win situation from the consumer’s point of view. They often want to protect everything (standard folders, registry, local folders, paging file, Windows itself) from being snooped on, but that then renders the machine unbootable without a whole-disk password (the simplest solution). If they’re dealing with a hardware issue, that may be OK, but the moment anything software enters the picture the tech is left with no way to address or even investigate the problem.
Bottom line: find a tech you can trust.
PS: I also do the same, back up first.
Check out Spinrite by Gibson Research.
I did, but this was an SSD, and SpinRite only fixes HDDs.
The latest release purportedly supports, and repairs SSD drives too, but I’m not sure how it does so. Since I can’t currently afford it, I haven’t done any research yet.
Ernie
To be clear, it doesn’t FIX SSDs. It can scan them, and apparently doing so can result in a performance improvement on SSDs that have been in service for a while.
Is that different from running chkdsk /r ?
Any time I work on anyone’s computer, my first question is “Is there anything on here that you need, or want to keep?”. If the answer’s “yes”, I clone the system/affected drive before doing anything else, then proceed with my work. I do the same with my own computers, and I’d never do less for friends/family. The thing I can’t understand is why the so-called ‘techs’ who worked on Leo’s friend’s computer didn’t know that they should do the same.
Any time I need to perform some procedure on a computer that could result in any damage, before proceeding, I ask the owner if they want me to do so, especially since I’m not a certified/professionally trained technician. I’m self-taught, and I’ve learned my ‘craft’ mostly through making mistakes and learning from them, combined with reading/researching how-to’s related to whatever problem I’m attempting to resolve. If I don’t know how to do anything, I do my research before making any attempt at repair/recovery.
In my opinion, based on what I’ve read here, the ‘techs’ at the computer repair shop need to ‘go back to school’, or find a different job.
Ernie
Even if they say “yes”, I’d still clone/back up. It’s not uncommon for folks to realize that something was important only after it’s been lost.
The thing I can’t understand is why someone who is a friend of Leo doesn’t perform regular system image and incremental backups. I’m sure he’s mentioned that to them more than once.
Believe it or not, I have friends for whom technology is not the main topic of our conversations. (And I do have other friends that at least feel guilty about not backing up.)
had similar happen to me. took computer in for service – they ended up putting in new ssd (was a hdd), told them I wanted them to backup all my folders, pics, docs etc, and put on new ssd. I kept the old hdd. when I got computer back the data transferred to ssd, was a bunch of crap! nothing, docs, pics, etc ended up from the hdd. pissed me off, there were irreplaceable old pics, docs, docs from my house sale/purchases, copies of med records, wills, everything!
nothing came out on the ssd. still have the hdds, but dont know how to try to get info off, (oldie here), when I took disks back they said they were damaged, couldnt do anything. UGH! wish I could trust someone to try to recover any stuff off of them….that stuff is priceless and irreplaceable. BTW, I had backup set to auto, and when I went to look to replace with backup…nothing…now I manually take files etc and put them on an external, thumbdrive and another computer.
If you have the old hard disk, you might look at getting an external USB container (turning it into an external HD), or one of these cables that do it without the box: https://go.askleo.com/ama/B07PVX682Q
First step, perform a system image backup of the original drive. Then, start taking system image an incremental backups of your system drive. If you’d been backing up, you wouldn’t have lost those files.
Years ago when working as a Federal I.T. Specialist (I’m now retired) I got to go to a week of computer forensics training. This training, using furnished specialized software and hardware, became useful in recovering original data files for court room use. As you mentioned, using these professional tools an exact copy of the hard drive is made… and then ALL work of data recovery is done on the copy… not the original. Stuff DOES happen from time to time and a pro doesn’t want that STUFF to happen on the original drive. If messed up it could result in a criminal going free due to data loss and/or corruption. Every repair shop should follow very strict guidelines and procedures to make sure NO HARM IS DONE like you pointed out.
I concur with Wayne, especially in a case of BSD.
Nowadays I get a hard drive as identical to the original as possible and make a clone and check the clone to make sure that all of the files have copied.
When doing a reload or upgrade, I learned this the hard way when I manually copied the user account files and various program data files.
When trying to copy large directories, Windows would occasionally hit a bad file and kick out of copying.
I assumed it was completed so I would wipe the drive and reload Windows and other programs.
When I would try to recreate the User account directories, I would find some missing with no way to recover them.
I like a clone AND an image now.
The old rule is: “If you have one backup then you don’t have a backup”.
You mentioned some recovery software not working with ssd, is this because of the trim setting?
I have Recuva, PhotoRec and Testdisk. I recently came across Disk Drill data recovery software for both Windows and Mac. Their website makes it sound very good, but we all know about advertising.
Have you come across Disk Drill and what are your views on it?
SpinRite only fixes HDDs because it reads the physical sectors on a HDD which are stored magnetically in a ferrous oxide (AKA rust) layer on the disk. The physical composition of an SSD is completely different so it doesnt work.