
Re: Virus? USB 500GB external hard disk is now "raw format"


ralph

Nov 25, 2008, 10:51:54 AM
On Fri, 21 Nov 2008 09:38:17 +0900, Johnw wrote:

> Disk Investigator
> http://www.theabsolute.net/sware/dskinv.html
>
> ADRC Data Recovery Software Tools
> http://www.adrc.com/software/data_recovery_tools

Here is where I am.

The controller is good and the disk itself has not crashed.
So I created a systemrecoverycd boot cd which can freely recover all
photographs regardless of the fat32 tables.

The dd took 7 hours but now I have a duplicate disk to work with (keeping
the original pristine).

I'm looking up the photo-recovery feature of the latest systemrecoverycd.

Johnw

Nov 25, 2008, 12:10:42 PM
ralph was thinking very hard :

> Here is where I am.
> The controller is good and the disk itself has not crashed.
> So I created a systemrecoverycd boot cd which can freely recover all
> photographs regardless of the fat32 tables.
> The dd took 7 hours but now I have a duplicate disk to work with (keeping
> the original pristine).
> I'm looking up the photo-recovery feature of the latest systemrecoverycd.

Thanks Ralph, good luck.


ralph

Nov 25, 2008, 12:41:03 PM
On Wed, 26 Nov 2008 02:10:42 +0900, Johnw wrote:
>> I'm looking up the photo-recovery feature of the latest systemrecoverycd.
>
> Thanks Ralph, good luck.

Thanks for the encouragement. It's not done yet but I haven't given up
either. The new PhotoRec freeware seems perfect for recovering lost
photographs and MP3 files (of which I had many on that lost disk).
http://www.cgsecurity.org/wiki/PhotoRec

The dd command after booting to the systemrecoverycd I used was:

% tail /var/log/messages (which told me sdb was the 500MB & sdc was 1TB)
% date
% dd if=/dev/sdb of=/dev/sdc bs=4096k; date

The result, 7 hours later, was a copy of the original disk sdb
119235 records in
119235 records out
500107862016 bytes (500 GB) copied, 25203.6s, 19 MB/s

I am not sure what to do with the systemrecoverycd but I noticed it still
thinks the sdc is 1 terabyte (which surprised me as everyone said it would
"look" like 500 megabytes at this time).

If all my attempts to salvage the file allocation tables fail (I'm really
not sure how to proceed at this point as I do not know Linux), I can at
least run the new photo recovery cd program which saves lost photos and MP3
files (and many other formats) even from a dead disk
http://www.cgsecurity.org/wiki/File_Formats_Recovered_By_PhotoRec

So the summary is that I have a copy of my original disk but don't know
what to do next. Am looking.
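
Added example, not part of the original post: a check that the dd copy matches the source before any recovery work starts on it. Because the target here is larger than the source, only the first 500107862016 bytes (the size dd reported) can be compared; a hash of the whole target will never equal the source. The function name and the small stand-in files are assumptions made for this illustration.

```python
import hashlib
import os
import tempfile

def compare_prefix(src_path, dst_path, length, chunk=4 * 1024 * 1024):
    """Compare and hash the first `length` bytes of two devices or image files."""
    h_src, h_dst = hashlib.sha256(), hashlib.sha256()
    first_diff, done = None, 0
    with open(src_path, "rb") as src, open(dst_path, "rb") as dst:  # read-only
        while done < length:
            want = min(chunk, length - done)
            a, b = src.read(want), dst.read(want)
            if len(a) < want or len(b) < want:
                raise OSError(f"short read at offset {done}")
            if a != b and first_diff is None:
                first_diff = done  # offset of the first chunk that differs
            h_src.update(a)
            h_dst.update(b)
            done += want
    return {"match": first_diff is None, "first_diff_offset": first_diff,
            "src_sha256": h_src.hexdigest(), "dst_sha256": h_dst.hexdigest()}

def demo():
    """Constructed stand-ins: a 3000-byte 'source' and two 6000-byte 'targets'."""
    data = bytes(i % 251 for i in range(3000))
    good = data + b"\xff" * 3000      # larger target with stale bytes past the copy
    bad = bytearray(good)
    bad[2500] ^= 0x01                 # simulate one miscopied byte
    results = []
    with tempfile.TemporaryDirectory() as d:
        paths = {}
        for name, blob in (("src", data), ("good", good), ("bad", bytes(bad))):
            paths[name] = os.path.join(d, name)
            with open(paths[name], "wb") as f:
                f.write(blob)
        for target in ("good", "bad"):
            results.append(compare_prefix(paths["src"], paths[target],
                                          len(data), chunk=1024))
    return results

if __name__ == "__main__":
    for r in demo():
        print(r["match"], r["first_diff_offset"], r["src_sha256"][:16])
```

On the real disks the call would be compare_prefix("/dev/sdb", "/dev/sdc", 500107862016), run as root from the rescue CD.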

ralph

Nov 26, 2008, 8:20:00 AM
On Mon, 24 Nov 2008 16:53:53 -0800, gsao...@yahoo.com wrote:

> I'm not sure what utilities will repair the disk but that's what the other
> people are here for on this newsgroup.

I just can't seem to find a tutorial for recovering photographs using the
free Photo Rescue CD http://www.cgsecurity.org/wiki/PhotoRec

This page tells me I have a common problem which hits people who store
photographs on an external drive. It says most likely the virus or Windows
corrupted something called the Master Boot Record (MBR).
http://linux.goeszen.com/second-hard-drive-appears-as-raw-after-fresh-xp-install.html

Assuming the Master Boot Record (MBR) is corrupted on the external Western
Digital 500 GB USB photograph storage drive, I've booted the Windows PC to
the free Linux SystemRescueCD and tried to recover all JPEG photographs
from the RAW disk.

But I'm stuck at this point not knowing how to proceed to save my lost
photographs due to Windows not recognizing the drive (calling it RAW).

Floyd L. Davidson

Nov 26, 2008, 8:59:33 AM
ralph <ralph...@gmail.com> wrote:
>On Mon, 24 Nov 2008 16:53:53 -0800, gsao...@yahoo.com wrote:
>
>> I'm not sure what utilities will repair the disk but that's what the other
>> people are here for on this newsgroup.
>
>I just can't seem to find a tutorial for recovering photographs using the
>free Photo Rescue CD http://www.cgsecurity.org/wiki/PhotoRec

Did I understand correctly that you have copied the
original disk to a separate disk?

>This page tells me I have a common problem which hits people who store
>photographs on an external drive. It says most likely the virus or Windows
>corrupted something called the Master Boot Record (MBR).
>http://linux.goeszen.com/second-hard-drive-appears-as-raw-after-fresh-xp-install.html

Well, one way to find out what is there, is to try
looking at it with something that can read it. I assume
your rescue CD has the fdisk program on it???

fdisk -l /dev/sdc

will tell you what the partition table on drive /dev/sdc
has in it. Or you can just do "fdisk -l" without
specifying the drive, and fdisk will print out all of
your drives (which means you don't need to even know
which one it is at the time).

Now, assuming you find a partition table that has
something in it, you can mount a partition by doing
something like this:

mount -t msdos /dev/sdc1 /mnt

which will work for an msdos file system. You might
have to try "vfat" instead. It depends on how you
formatted the disk originally. You may or may not
have a directory named /mnt to mount it on, and if not
you can make a directory and mount it, using any name you
like:

mkdir /sdc
mount -t vfat /dev/sdc1 /sdc

And of course /mnt must exist. But that probably isn't
what you want anyway. What you want is to mount one of
your regular disks so that you can copy files to it.
That might be more tricky, depending on what you have on
your rescue CD and how your other disks are formatted.

If they are hpfs file systems, you can mount one of them
like this, assuming it is the /dev/hda1 drive:

mkdir /cdrive
mount -t hpfs /dev/hda1 /cdrive

If you get that far, it's just a matter of copying
everything from /mnt to /cdrive.

>Assuming the Master Boot Record (MBR) is corrupted on the external Western
>Digital 500 GB USB photograph storage drive, I've booted the Windows PC to
>the free Linux SystemRescueCD and tried to recover all JPEG photographs
>from the RAW disk.
>
>But I'm stuck at this point not knowing how to proceed to save my lost
>photographs due to Windows not recognizing the drive (calling it RAW).

Well... if the MBR actually is corrupted, you're going
to have one heck of a time. The problem is that you
can't tell what *should* be there. Or maybe you can...
try the above and determine if it is or is not okay, and
if not we can talk about how to "fix" it.

Of course, it might be that the MBR is fine, but what has
been trashed is the filesystem itself. If that is the case,
fdisk will give you a nice partition table, but trying to mount
it will fail. In that case, run fsck on it:

fsck -t msdos /dev/sdc1

Note that I have no idea what or even if fsck can do for
any of the standard Windows file systems; and I highly
suspect the answer is just about nothing. Which again
probably means you are out of luck...

--
Floyd L. Davidson <http://www.apaflo.com/floyd_davidson>
Ukpeagvik (Barrow, Alaska) fl...@apaflo.com

Johnw

Nov 26, 2008, 3:29:26 PM
ralph presented the following explanation :

Try this search criteria in google. If you get any other error messages,
google.

recover images raw drive

http://www.google.com.au/search?hl=en&q=recover+images+raw+drive&btnG=Google+Search&meta=

http://preview.tinyurl.com/6y8wvd


kony

Nov 26, 2008, 3:37:12 PM
On Wed, 26 Nov 2008 05:20:00 -0800, ralph
<ralph...@gmail.com> wrote:

>On Mon, 24 Nov 2008 16:53:53 -0800, gsao...@yahoo.com wrote:
>
>> I'm not sure what utilities will repair the disk but that's what the other
>> people are here for on this newsgroup.
>
>I just can't seem to find a tutorial for recovering photographs using the
>free Photo Rescue CD http://www.cgsecurity.org/wiki/PhotoRec

Did you find a virus on your system? Were similar image
files wiped out simultaneously on your OS partition? The
point is, without evidence of a viral cause, steps to
salvage what some virus did to someone somewhere, may be the
wrong tangent.


>
>This page tells me I have a common problem which hits people who store
>photographs on an external drive. It says most likely the virus or Windows
>corrupted something called the Master Boot Record (MBR).
>http://linux.goeszen.com/second-hard-drive-appears-as-raw-after-fresh-xp-install.html


No, it doesn't tell you that. It says a fresh windows
install can't see the capacity of large hard drives. It has
nothing to do with your situation if you had the same
reasonably modern windows Xp installation with Sp1 or newer
and suddenly your drive shows up as raw.

Again, unless you have detected a virus (and hopefully you
have scanned for one) the most likely problem is drive
failure or enclosure failure.


>
>Assuming the Master Boot Record (MBR) is corrupted on the external Western
>Digital 500 GB USB photograph storage drive, I've booted the Windows PC to
>the free Linux SystemRescueCD and tried to recover all JPEG photographs
>from the RAW disk.
>
>But I'm stuck at this point not knowing how to proceed to save my lost
>photographs due to Windows not recognizing the drive (calling it RAW).

The point the article author made was to simply boot linux
and copy the data off because when his system booted linux
the files were accessible. If when you boot the CD, you
still can't see the files, the exercise is over, it didn't
work.

If the files are valuable enough, send the drive to a data
recovery center. Otherwise web search for some data
recovery software that scans the drive and copies what it
finds to another drive, not writing to that drive.

Johnw

Nov 26, 2008, 4:06:20 PM
on 26/11/2008, ralph supposed :

> I just can't seem to find a tutorial for recovering photographs using the
> free Photo Rescue CD http://www.cgsecurity.org/wiki/PhotoRec

Have a look at these.

tutorial PhotoRec
http://www.google.com.au/search?hl=en&q=tutorial+PhotoRec&btnG=Search&meta=

http://www.cgsecurity.org/wiki/PhotoRec_Step_By_Step

http://preview.tinyurl.com/ytbkba


ralph

Nov 27, 2008, 5:44:23 AM

Excellent! Will try. I thought this was going to be easy to rescue the RAW
disk thousands of photos but it has turned out to not be intuitive. It's
like working with unexploded ordnance ... even simple things become
difficult without precise instructions as hit or miss doesn't work with
photo rescue efforts.

phil-new...@ipal.net

Nov 30, 2008, 3:01:59 PM

Precise instructions to recover depend on first knowing precisely what is wrong.
Neither of us know what that is.

This is more of a forensics situation. If my goal is just to recover, then I
work to find out what is there so I can figure out what to do to recover. If
the drive is physically readable, then the next thing I look at is if the MBR
is consistent. If so, then I check to see if the partitions are what I think
they should be. If so, then I see if I can mount them in READ ONLY mode.

One problem with all this is that there are few filesystem types that Windows
knows how to read. So if I have a situation like this with an external drive
on Windows, that drive gets moved to another computer running Linux, and the
two computers get networked together (but not to the internet). Then I can do
a file share to let Windows get the files back and store them on a new empty
drive.

--
|WARNING: Due to extreme spam, googlegroups.com is blocked. Due to ignorance |
| by the abuse department, bellsouth.net is blocked. If you post to |
| Usenet from these places, find another Usenet provider ASAP. |
| Phil Howard KA9WGN (email for humans: first name in lower case at ipal.net) |
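
Added example, not part of the original post: one way to carry out the "is the MBR consistent, and are the partitions what I think they should be" check by reading only the first sector of the copied disk. The function names, the short type table and the sample sector (one FAT32 partition on a 500107862016-byte disk) are constructed for this illustration.

```python
import struct

SECTOR = 512
# A few common MBR partition type bytes (not an exhaustive list).
TYPES = {0x05: "extended", 0x06: "FAT16", 0x07: "NTFS/HPFS", 0x0B: "FAT32 (CHS)",
         0x0C: "FAT32 (LBA)", 0x0F: "extended (LBA)", 0x83: "Linux",
         0xEE: "GPT protective"}

def parse_mbr(sector0, disk_sectors):
    """Check the first sector of a disk or image; return (problems, partitions)."""
    if len(sector0) < SECTOR:
        raise ValueError("need the full 512-byte first sector")
    problems, parts = [], []
    if sector0[510:512] != b"\x55\xaa":
        problems.append("missing 0x55AA boot signature")
    for i in range(4):  # four 16-byte entries start at offset 446
        status, ptype, start, count = struct.unpack_from(
            "<B3xB3xII", sector0, 446 + 16 * i)
        if ptype == 0 and count == 0:
            continue  # unused slot
        if status not in (0x00, 0x80):
            problems.append(f"entry {i + 1}: bad status byte 0x{status:02x}")
        if start == 0 or count == 0:
            problems.append(f"entry {i + 1}: zero start or length")
        if start + count > disk_sectors:
            problems.append(f"entry {i + 1}: runs past the end of the disk")
        parts.append({"index": i + 1, "type": TYPES.get(ptype, f"0x{ptype:02x}"),
                      "start": start, "sectors": count, "bootable": status == 0x80})
    ordered = sorted(parts, key=lambda p: p["start"])
    for a, b in zip(ordered, ordered[1:]):
        if a["start"] + a["sectors"] > b["start"]:
            problems.append(f"entries {a['index']} and {b['index']} overlap")
    return problems, parts

def build_sample_mbr():
    """Constructed sample: one FAT32 partition filling a 500107862016-byte disk."""
    mbr = bytearray(SECTOR)
    mbr[446:462] = struct.pack("<B3sB3sII", 0x00, b"\x01\x01\x00", 0x0C,
                               b"\xfe\xff\xff", 63, 976773105)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)

if __name__ == "__main__":
    # On a real system, read the copy instead: open("/dev/sdc", "rb").read(512)
    problems, parts = parse_mbr(build_sample_mbr(), 500107862016 // SECTOR)
    for p in parts:
        print(p)
    print("problems:", problems or "none")
```

A table copied from the 500 GB disk still passes on the 1 TB copy, because the entries only have to fit inside the disk, not fill it.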

phil-new...@ipal.net

Nov 30, 2008, 3:07:17 PM
In rec.photo.digital ralph <ralph...@gmail.com> wrote:

| I am not sure what to do with the systemrecoverycd but I noticed it still
| thinks the sdc is 1 terabyte (which surprised me as everyone said it would
| "look" like 500 megabytes at this time).

Can you get a web page that gives specifications for the EXACT model of drive
you actually have? I'm wondering if maybe it's one of those boxes that has 2
drives of 500 GB, and arranges them in a RAID configuration, and the RAID
configuration somehow got changed from level 1 (mirrored presenting a single
500GB space) to level 0 (concatenated presenting all the space as 1 TB).

It may be that the RAID is done in Windows driver software, and then Linux
will NOT see that configuration. Maybe Windows doesn't see it now, either.

Franklin

Nov 30, 2008, 6:07:51 PM
On Sun 30 Nov08 20:07, <phil-new...@ipal.net> wrote in
<news:ggurp...@news1.newsguy.com>:

> In rec.photo.digital ralph <ralph...@gmail.com> wrote:
>
>| I am not sure what to do with the systemrecoverycd but I noticed it
>| still thinks the sdc is 1 terabyte (which surprised me as everyone
>| said it would "look" like 500 megabytes at this time).
>
> Can you get a web page that gives specifications for the EXACT model
> of drive you actually have? I'm wondering if maybe it's one of those
> boxes that has 2 drives of 500 GB, and arranges them in a RAID
> configuration, and the RAID configuration somehow got changed from
> level 1 (mirrored presenting a single 500GB space) to level 0
> (concatenated presenting all the space as 1 TB).
>
> It may be that the RAID is done in Windows driver software, and then
> Linux will NOT see that configuration. Maybe Windows doesn't see it
> now, either.
>

Hi Phil, this situation seems to be getting more and more involved!

Surely the FIRST thing to do is post (crosspost if appropriate) to the
IBM storage group. This will be to the chagrin of some regular posters
in ACF.

Next is NOT to blindly run a defrag, scandisk or fdisk in hope that one
of them might do something useful because they can each cause damage in
this situation.

Then, as you say, restore the MBR. Apart from the Microsoft partition ID
sig, all the MBR can probably be recovered if there are still partitions
on the drive at all. The Storage group can advise what automated
software they will talk him thru. Svend provides Findpart (which is
freeware) but his tools often need reasonable user expertise.

http://www.partitionsupport.com/utilities.htm

I'll assume the PBS is ok although it seems this drive has had a failure
in both system areas and file areas. Next is a choice between (a)
checking which of the two FATs is in the best condition and ISTR Findpart
may also do this or (b) seeing what damaged sectors there are.

There are lots of architectural limits occurring here. I forget all the
details: XP will access the hard drive itself even beyond the 137 GB
limit but ISTR version 6.22 of MS's Fdisk/format won't create or format a
partition bigger than 32GB but version 7 will. Either could be on a W98
system. MS's Scandisk & defrag are limited to 127 GB. The W98 system
may not be able to see beyond 137 GB of the drive (48 bit LBA arrived
with ATA-6). So who knows what happened as part of this HDD's setup or
how it managed to work in practise. The lost clusters now being picked
up by scandisk are not a good sign because they might have been needed in
a repair.

To have a guess *maybe* this drive has been moved between systems with
different HDD addressing conventions or there have been some unwelcome
changes made in the motherboard settings. Or maybe surface damage
instead that didn't automatically get mapped out for some reason.

The Storage group might talk the OP thru this. I've seen Svend walk a
user thru recovery but that was some years ago and he may not be able to
now.
