Wednesday, 13 February 2019

ntfs - Any way to recover a file with bad blocks (CRC error in Windows)?


What I see is this:



  • Windows complains when reading a file because the CRC for it mismatches its calculated CRC.

  • This means NTFS has a CRC for the file.

  • I expect the offending block/sector can be known, or at least guessed.

  • I also expect that "wrong data" can be read from the disk.

  • If the bits of "wrong data" were inverted one by one, by brute force we could find the correct data.

  • A file could thus be recovered using statistics and brute-forcing bits to match the CRC.


My question is, does any software do this kind of thing? Any way I could do it (I'd be happy enough to get the CRC, the drive's "wrong" data, know which is the offending block/sector there, and write a script to brute it myself, if relevant directions are given).


By the way, this is a mechanical HDD.


Edit: After taking a look with hex editors and such, I noticed that a bad block appears as garbage, such as filled with zeros or a copy of the last block (this seems to depend on the program), so in order to get the "real data" that is corrupted, we'd have to disable some hardware-correction that refuses to read a block which is bad. I believe this is called ECC. Also, I expect that if just a few bits are marking a block as "bad", then some 32-bit checksum from Windows could be used to brute force a match.


So this question may be answered simply with guidance to do this by myself.



Answer



Unfortunately, what I wanted to do is not possible (NTFS does not store a CRC, the hard drive does).


However, I recommend SpinRite, as it is in the process of recovering a hard drive (at a painfully slow speed of some GBs per day; occasionally I mount the filesystem to see the state of the files).


It may or may not work for you, so if the data is worth a few thousand dollars, go to a specialized hard drive recovery place. It's terribly costly but sometimes experts get data out of unlikely situations.


Oh, and one last recommendation: if the data is worth a few thousand, DON'T touch the drive. Don't mount it anymore, don't dare to boot from it, don't run chkdsk, don't do ANYTHING. It might compromise the drive's chance of being recovered.
But if it's a drive with songs, movies, or other non-important content, don't miss the chance to play with it to your heart's content! :)
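
The bit-flip search described in the question, as an added example that is not part of the original post or answer: it assumes you have the damaged block's raw bytes and a trusted CRC-32 for it, which the answer says NTFS does not store. It goes one step beyond the question by also covering two flipped bits, using the linearity of CRC-32 instead of re-hashing every guess; the sample sector and function names are constructed for illustration.

```python
import zlib

def bit_mask(bit):
    return 0x80 >> (bit % 8)

def single_bit_syndromes(nbytes):
    """Map CRC-32 syndrome -> bit index for each one-bit error in an nbytes block."""
    zero_crc = zlib.crc32(bytes(nbytes))
    table = {}
    for bit in range(nbytes * 8):
        err = bytearray(nbytes)
        err[bit // 8] = bit_mask(bit)
        # CRC-32 is affine: crc(data ^ err) ^ crc(data) == crc(err) ^ crc(zeros)
        table[zlib.crc32(err) ^ zero_crc] = bit
    return table

def flip(data, bits):
    """Return a copy of data with the given bit positions inverted."""
    out = bytearray(data)
    for bit in bits:
        out[bit // 8] ^= bit_mask(bit)
    return bytes(out)

def repair_candidates(bad, stored_crc):
    """Return every block within two bit flips of `bad` whose CRC-32 is stored_crc."""
    syndrome = zlib.crc32(bad) ^ stored_crc
    if syndrome == 0:
        return [bytes(bad)]                # already consistent with the CRC
    table = single_bit_syndromes(len(bad))
    hits = []
    if syndrome in table:                  # exactly one bit differs
        hits.append((table[syndrome],))
    for s, i in table.items():             # two bits: s_i ^ s_j == syndrome
        j = table.get(s ^ syndrome)
        if j is not None and i < j:
            hits.append((i, j))
    # A 32-bit CRC can match more than one candidate; the caller must pick.
    return [flip(bad, bits) for bits in hits]

if __name__ == "__main__":
    good = bytes(range(256)) * 2           # constructed 512-byte "sector"
    stored = zlib.crc32(good)              # assumed known; NTFS does not keep one
    bad = flip(good, (100, 3000))          # constructed two-bit corruption
    fixed = repair_candidates(bad, stored)
    print(len(fixed), "candidate(s); original recovered:", good in fixed)
```
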

