We help IT Professionals succeed at work.

How to undelete a single file that has a bad sector

Dale303
Dale303 asked
on
How can I recover a deleted file that has a bad sector? I've done loads of deleted file recoveries in my time and loads of file with bad clusters before but never have I had to deal with both at the same time.

The file is a Windows 7 desktop VM vhd on a Hyper-V 2008 R2 server and the bad sector doesn't appear to have mangled anything important but the automatic backup failed (probably due to the bad sector) so the last working backup we have is pretty old. The file would not copy due to cyclic redundancy errors (even xcopy /c wouldn't work) and my incredibly ill thought out backup batch routine managed to delete the original (note to self: always expect the unexpected).  Of course I shut down the system immediately after I realised what had happened.

Anyway, how do I go about recovering this single file?
Are there any undelete programs out there that can do 'in situ undeletes' rather than 'recoveries'? I'm just worried any recovery utilities that rely on copying data elsewhere will also fall foul of that Cyclic redundancy error.

Or am I just going to have to wait until I get a second drive and do a sector by sector clone of the drive and hope the recovery works from there? Will this even work?

Any other ideas?
Comment
Watch Question

EASUS Data Recovery Wizard has a specific option for ingoring bad sectors:
http://www.easeus.com/datarecoverywizard/help/ignore-bad-sectors.htm

Other recovery programs may have similar options.

According to this link, it's basically impossible to do a "in situ undelete" with NTFS:
http://forum.piriform.com/?showtopic=31725


If the file wasn't deleted, bad block copy for Windows could've copied everything but the bad sector over:
http://alter.org.ua/soft/win/bb_recover/


As for whole-drive cloning/imaging, I have used ddrescue to recover data from drives with bad sectors. Sometimes I've been able to reduce to amount of "lost" data to zero after repeated runs:
http://www.forensicswiki.org/wiki/Ddrescue

Once the drive is cloned or imaged, you can use a data recovery tool to recovery the deleted file.
Distinguished Expert 2019
Commented:
try the HDDRegenerator : http://www.dposoft.net/hdd.html      

it recovered many bad drives for me
Distinguished Expert 2019

Commented:
try hddRegenerator, it saved many drives for me :
http://www.dposoft.net/hdd.html
Another "hard drive repair" program is SpinRite.
https://www.grc.com/sr/spinrite.htm

Personally, before attempting to repair a drive, I'd either image it or copy everything I need off of it.
Distinguished Expert 2019

Commented:
yes, but it seems not  to be updated for a long time now...
I guess there's the question of whether it needs to be updated, if it still works.
Distinguished Expert 2019

Commented:
after more than 10 years in it world?  come on now...

Author

Commented:
This is interesting. Okay so I've cloned the drive and now an hour in to a 3 hour EaseUS Data Recovery Wizard Scan . There's still a long way to go but the scan has not so far found the deleted VHD itself but is finding a lot of stuff that's inside the vhd. Trouble is, there are 14 other VMs on that disk and it's finding things inside those too and it's not currently telling me which files belong to which VHD.

While I'm waiting, are there any specific VHD undelete tools around that anyone can recommend?
If you're recovering from the cloned drive, you shouldn't have to worry about the corrupted sector.

You can use PhotoRec to specify a file type to restore. This blog post mentions your problem, and how to recover only VHD files using PhotoRec:
http://natesbox.com/blog/data-recovery-finding-vhd-files/
I initially just ran PhotoRec just to see if and or what it could even find. After running for several hours, I was happy to see it found thousands of files. Upon closer inspection of the files I found that they were actually files that were inside the actual VHD’s. This makes sense because of how PhotoRec searches for files. I needed to create a custom PhotoRec file signature extension to handle the VHD files. www.cgsecurity.org/wiki/Add_your_own_ext…

Using a hex editor I opened several VHD files from my archive and noted thay all started with “conectix”. I then created photorec.sig in the PhotoRec directory with the following inside:

vhd 0 "conectix"

I then re-ran PhotoRec, this time using the options to only select my custom signature extension. It then began recovering VHD files. It found around 6 header signatures, and after some time had dumped them all out. I was able to mount one using diskmgmt.msc on my Windows7 laptop. The other VHDs were all unable to mount due to corruption or other factors.

More info on adding a signature to Photorec:
http://www.cgsecurity.org/wiki/Add_your_own_extension_to_PhotoRec

You can set PhotoRec to only recover from the free space on the drive, so it won't see the other VHDs.


Alternatively, there are tools specifically for recovering VHDs, but they're not free, although they have free trials so you can see if the software will be able to recovery the VHD before buying:
http://www.systoolsgroup.com/hyper-v-recovery.html
http://www.vhdrecoverytool.com/

Author

Commented:
Thanks guys. I never got around to finishing the full scan as I managed to find a week old backup that was good enough for the user but I'll be adding all your useful comments to my list.