Asking data recovery advice in community forums, is not without risk.

Online Community Support Forums and data recovery advice

I like helping people when it comes to disk and data loss related problems. A few decades ago I was a frequent visitor and contributor of hard disk related Usenet newsgroups, for example “comp.sys.ibm.pc.hardware.storage”. And more recently I decided to spent a little time on this hobby again to find that newsgroups are very much a thing of the past.

At appears the place of the newsgroups is largely taken by online community forums maintained by hardware and software oriented websites. Newsgroups were largely non-moderated but back then the quality of solutions was high. All online forums I tried are moderated. When it comes to data loss en data recovery advice, quality, I found was quite shocking (bad).

Karma

Most forums feature a karma system. If you answer a lot of questions, your status will increase. People can also reward answers which will also grow your karma. Idea is, the more Karma, the higher your status and the more authoritative your answers are.

Still, even the most senior members in the forums I checked are unable to give accurate advice when it comes to data loss and recovering data. Their advice and suggestions are often plain wrong or even dangerous.

In the forum my company maintains I estimate at least 75% of what I type to customers is questions, requests for more information, screenshots and log files. In online community support forums at least 75% is supposed solutions. You can’t propose a solution until you fully understand the issue and underlying mechanisms involved. I know they all mean well, but asking for advice on data recovery in a community support forum almost equals playing Russian Roulette.

In this post I will try to address a few of the most common mistakes and false information I encountered.

“In the land of the blind, the one-eyed man is king”

You can always try, can’t you?

Ask 10 people for advice on which data recovery tool to use, and you get 10 different answers

Getting data back is often possible due to the fact that pointers to files, and the actual file content is still available. In certain scenarios, downloading and installing 10 different data recovery tools increases the chance that pointers and file data are written over.

A common solution and why it is a bad advice, chkdsk.

Run Chkdsk, run a disk check, run chkdsk /r, etc. ..

Absolutely. Bad. Idea.

First of all, it goes against the first basic principle of not changing anything on the disk that contains the lost data. But, there are situations in which I do. Sometimes I do sin against this rule. I some times make tiny little changes, for example using a disk editor. Like editing the partition table. But in such a case I know what I am doing, I keep track of what I am doing and I know how to undo it.

Chkdsk is like a black box. You start it, it runs and then you live with the consequences, good or bad. And I have seen it go bad plenty of times. Chkdsk’s goal is a consistent file system. Chkdsk changes file system structures. Chkdsk sometimes deletes files. Chkdsk can be bugged, I have observed it change NTFS partitions into FAT16. And you can not roll those changes back.

It is true that older versions of chkdsk were more limited than the modern chkdsk utility and that old bugs may have been fixed. Chkdsk changed a lot over the years.

Common (wrong) solution for an unrecognized file system

Format the disk

Sure, formatting a disk will take care if the unrecognized file system. But it will not bring your data back. And it violates the sacred rule “Thy shalt not change the drive’s contents”.

Even worse, on a SSD Windows will issue a ‘TRIM command’ when you format a drive, which signals to the SSD that all affected data blocks can be erased. After which even file recovery software will no longer to be able to recover any data.

I have even seen this bad advice on the (community) support forums of a certain, well known, often suggested, free file recovery program. Shocking!

Bad solution for a myriad of disk and data loss related problems

Run Spinrite

The guy who wrote Spinrite calls it the worlds best data recovery utility. Although it may recover data as a side effect in some situations, it is not a data recovery tool.

What Spinrite does (in a nutshell) is this: It reads sectors using a software BIOS interrupt. This allows the program to read sectors a level below the file system. If it can’t read the sector, it will try again, over and over, upto 2000 times. It then writes the sector back with it’s best guess of what should be in the sector. There is absolutely no guarantee that the data Spinrite writes back, is the correct, original data.

Writing data to a ‘bad sector’ will trigger a hard disk to reallocate the sector. It will store the address of bad sector in a table so it is never used again (the grown defect list). The data is then written to a different, a spare sector.

As a side effect, due to the reallocation of bad sectors you may be able to access a disk that you could previously not because the bad sectors do not cause Windows to hang anymore. It is this side effect that is responsible for the supposed miracles Spinrite performs.

Spinrite not killing an unstable disk is pure luck

The thing that makes Spinrite really dangerous is it trying to read a sector 2000 times. Add to that a disk’s firmware itself will also perform re-reads when it hits a unreadable sector. To recover from a single UNC (uncorrectable) error the disk may take already seconds to minutes.  If you have 88 bad sectors, it will do that for each of those 88 sectors. If you have 654 bad sectors it will do it 654 times (* 2000 * the times the disk retries).

Now the last thing you want to do to an ill behaving disk is to stress it. Every successful read could be the last read. A better strategy is to leave the bad spots alone as much as possible, and first get the easy to read sectors and copy them to another disk. Most times that will already give you the bulk of the data without trashing the disk unnecessary.

The assumption that there is a backup of important disk structures. Always.

Maybe the backup partition table is intact

Disks partitioned using a ‘legacy’ partition table don’t keep a backup of this structure. So, there is no backup unless you made one yourself.

Modern GUID Partition Table (GPT) disks do keep a backup. So, if you have a fairly modern PC, the disk’s partitions may be described in a GPT. Also, since legacy partition tables can not address disks > 2TB, larger disks will also contain a GPT ‘partition table’.

 

Maybe the disk can be repaired using the backup MFT

It appears a wide spread misconception that there is a backup of the MFT on a NTFS disk somewhere.

This can probably be explained by the presence of the (hidden) file $MFTMirror on NTFS volumes. Truth of the matter is that this ‘mirror’ is not a complete backup of the $MFT file. It only backs up the first few records of the MFT.

People only need ONE word to see what’s wrong with a disk

The filesystem is RAW – (Expert:) Okay, then there is a problem with the partition table

When you search the forum, you see the ‘expert’ keeps giving his explanation over and over.

A possible reason is that the ‘expert’ once was able to fix a RAW file system by repairing the partition table. Because it is true that a corrupt partition table can cause a RAW drive.

Basically, a RAW file system indicates that Windows was unable to determine the file system. If you look at the above illustration a partition record points to a boot record. It contains a sector address with the location of this boot record. If it points to some arbitrary sector address which is in fact not a boot record Windows will be unable to determine the file system.

However another option is, that it points to a corrupt boot record. In this case the partition table is intact and not causing the RAW file system.

Now the boot record is pointing to the MFT. Or it should be. Again, it either correctly points to the MFT, but the MFT is corrupt. Or, the boot record contains erroneous data and points to an arbitrary cluster while there is fact a valid MFT present. In both situations the file system can not be determined.

So. While the expert may be right, there is also a good chance he is not. There is a chain of structures, that if broken at any point will result in a RAW file system.

Much of the data recovery advice appears to be based on hearsay or anecdotal ‘evidence’. Think twice before following it.

Do you have experiences with data recovery advice in public forums? Did the advice help you or did it make matters worse? Did you simply give up because a forum member told you it was hopeless? To share use the comment section below.