Initialized hard-disk recovery
August 11, 2005 4:38 PM Subscribe
How to recover data from an initialized drive in Windows Server NT?
Somehow our IT guy has managed to initialize most of our drives (internal and USB) this morning. We're looking down the barrel a bit as these hold nearly all of the data important to our company and the backup system doesn't seem to be up to scratch.
As there is a bunch of other issues with the server as well, I have been asked to research the data recovery possibilities of the initialized drives. My understanding is that the data has not been written over so how do we get it back? I've started the web search but any emergency Ask Mefi advice would be grand!
Somehow our IT guy has managed to initialize most of our drives (internal and USB) this morning. We're looking down the barrel a bit as these hold nearly all of the data important to our company and the backup system doesn't seem to be up to scratch.
As there is a bunch of other issues with the server as well, I have been asked to research the data recovery possibilities of the initialized drives. My understanding is that the data has not been written over so how do we get it back? I've started the web search but any emergency Ask Mefi advice would be grand!
A full NTFS format will write over the data. A quick one will not, but it may well corrupt it. If the previous filesystem still exists, you could try mucking around with the partition table, but chances are, the filesystem metadata that stores the links has been written over if its been initialized, meaning that even if the data is physically on the disk, there's nothing to tell it where that data starts/stops. If you had fragmented files... oops.
There are programs that will search for individual files for you, but all I've ever had to do is recover the partition table, so I can't really help. Sorry, & best of luck.
posted by devilsbrigade at 7:54 PM on August 11, 2005
There are programs that will search for individual files for you, but all I've ever had to do is recover the partition table, so I can't really help. Sorry, & best of luck.
posted by devilsbrigade at 7:54 PM on August 11, 2005
Response by poster: OK. Thanks. We haven't fired the IT guy but we have hired a pro so it's just fingers crossed now.
posted by figment at 8:43 PM on August 11, 2005
posted by figment at 8:43 PM on August 11, 2005
Best answer: The first step must be to sector-copy any and all critical drives to new media. Yes, expensive, but it may save your ass.
After that, you're looking at either a data recovery service (typically $500/drive and up, up, up) or use of partition recovery software. Initialization doesn't actually overwrite the disc, it is true, but it definitely hammers the metadata files that told the OS where to look for any files. It's just possible that partition recovery could locate pretty recent versions of those metadata files and find, oh, >50% of your files, but the lousy luck here is that 50% of your files to begin with are unwanted OS crap that is easily reinstalled. Any kind of files with complex data -- i.e. not a flat file database, not a Word document -- are best mentally written off right now, as you may not get a usable version back.
As for firing the guy, well, you will want to do a serious post-mortem. You'll probably want a heavy-duty consultant in to look at you, the procedures, and the IT guy's chops. A day or two of intensive scrutiny by another set of eyes, a white paper of recommendations. That is, if you haven't fired him by morning, which a lot of places would do.
I have an old war story. The help desk I worked for, at a Big Six accountancy, had a "wipe and reinstall" procedure we used frequently. It had a stupid name like "fresh start". Most consultants only lightly used their laptops for e-mail and Powerpoints. This Indonesian girl, very pretty and quiet, brought her laptop in for some configuration problem and it got placed in a pile for ... you guessed it, wipe and reinstall. The guy did a bang-up job, it was ready the next morning. "Are all my files still there?" she asked me. I looked at the service record and said, carefully, "It says you dropped this off for a fresh start. For us, that means reformat and reinstall Windows. That wasn't right?"
There was an ugly pause. And an Indonesian girl turned white as a sheet before my eyes. Her laptop held all the data for her small team.
There were no more fresh starts, after that.
posted by dhartung at 9:31 PM on August 11, 2005
After that, you're looking at either a data recovery service (typically $500/drive and up, up, up) or use of partition recovery software. Initialization doesn't actually overwrite the disc, it is true, but it definitely hammers the metadata files that told the OS where to look for any files. It's just possible that partition recovery could locate pretty recent versions of those metadata files and find, oh, >50% of your files, but the lousy luck here is that 50% of your files to begin with are unwanted OS crap that is easily reinstalled. Any kind of files with complex data -- i.e. not a flat file database, not a Word document -- are best mentally written off right now, as you may not get a usable version back.
As for firing the guy, well, you will want to do a serious post-mortem. You'll probably want a heavy-duty consultant in to look at you, the procedures, and the IT guy's chops. A day or two of intensive scrutiny by another set of eyes, a white paper of recommendations. That is, if you haven't fired him by morning, which a lot of places would do.
I have an old war story. The help desk I worked for, at a Big Six accountancy, had a "wipe and reinstall" procedure we used frequently. It had a stupid name like "fresh start". Most consultants only lightly used their laptops for e-mail and Powerpoints. This Indonesian girl, very pretty and quiet, brought her laptop in for some configuration problem and it got placed in a pile for ... you guessed it, wipe and reinstall. The guy did a bang-up job, it was ready the next morning. "Are all my files still there?" she asked me. I looked at the service record and said, carefully, "It says you dropped this off for a fresh start. For us, that means reformat and reinstall Windows. That wasn't right?"
There was an ugly pause. And an Indonesian girl turned white as a sheet before my eyes. Her laptop held all the data for her small team.
There were no more fresh starts, after that.
posted by dhartung at 9:31 PM on August 11, 2005
Perhaps too late, but I'd try downloading the demo of R-studio and have it do a scan. If it says it can recover data I'd be inclined to believe it and spring for the license.
posted by Good Brain at 10:36 PM on August 11, 2005
posted by Good Brain at 10:36 PM on August 11, 2005
I have used iRecover in a similiar situation. Everything was saved, even from a previous format, which was kind of spooky.
posted by raaka at 11:09 PM on August 11, 2005
posted by raaka at 11:09 PM on August 11, 2005
If you're serious about recovering this data you should really hire a company that specializes in that task. I've used dtidata in the past to recover a 600 GB RAID 5 array. They got all the data back but it wasn't cheap, almost 6 grand. Your costs will be significantly cheaper if none of the drives are physically damaged. If your business livelyhood depends on the data it's worth the cost.
posted by white_devil at 6:00 AM on August 12, 2005
posted by white_devil at 6:00 AM on August 12, 2005
dhartung writes "The first step must be to sector-copy any and all critical drives to new media. "
This is the key. You can mess around with the copies and not worry about damaging your originals any further.
realcountrymusic writes "Fire the IT guy, more for not backing up than for nuking the company at lunchtime."
Well I wouldn't be nailing the IT guy to the cross just yet. The mass erase of data on a server is a pretty common accident; one of the reasons we keep tape. And it's quite possible, I'd even say common in smaller companies, for managers not to allocate sufficent resources to back up until they've been heavily burned.
dhartung writes "And an Indonesian girl turned white as a sheet before my eyes. Her laptop held all the data for her small team."
Your organisation sounds like it would have had firm data handling policies. And I'd bet those policies forbid keeping the only copy of any required data on something as prone to failure/theft/accidental erasure as a laptop hard drive. In which case the data loss would have been almost entirely her fault. I lecture about this all the time and the only ones who listen are the people that have already been burned.
posted by Mitheral at 11:33 AM on August 12, 2005 [1 favorite]
This is the key. You can mess around with the copies and not worry about damaging your originals any further.
realcountrymusic writes "Fire the IT guy, more for not backing up than for nuking the company at lunchtime."
Well I wouldn't be nailing the IT guy to the cross just yet. The mass erase of data on a server is a pretty common accident; one of the reasons we keep tape. And it's quite possible, I'd even say common in smaller companies, for managers not to allocate sufficent resources to back up until they've been heavily burned.
dhartung writes "And an Indonesian girl turned white as a sheet before my eyes. Her laptop held all the data for her small team."
Your organisation sounds like it would have had firm data handling policies. And I'd bet those policies forbid keeping the only copy of any required data on something as prone to failure/theft/accidental erasure as a laptop hard drive. In which case the data loss would have been almost entirely her fault. I lecture about this all the time and the only ones who listen are the people that have already been burned.
posted by Mitheral at 11:33 AM on August 12, 2005 [1 favorite]
The mass erase of data on a server is a pretty common accident; one of the reasons we keep tape.
Fair enough. And figment's "IT guy" didn't bother to institute a backup policy that worked. Like I said, that's the firing offense, not wiping the drives. The title "IT guy" should mean, first and foremost, backup specialist. Whenever I consult on an enterprise or personal computer problem, I start by backing everything I'll be working on up, personally. Even if the helpee says everything is backed up. It's the first lesson in IT guy school.
posted by realcountrymusic at 2:37 PM on August 12, 2005
Fair enough. And figment's "IT guy" didn't bother to institute a backup policy that worked. Like I said, that's the firing offense, not wiping the drives. The title "IT guy" should mean, first and foremost, backup specialist. Whenever I consult on an enterprise or personal computer problem, I start by backing everything I'll be working on up, personally. Even if the helpee says everything is backed up. It's the first lesson in IT guy school.
posted by realcountrymusic at 2:37 PM on August 12, 2005
Response by poster: Thanks all. As it turns out, a proper tape backup system had been budgeted for September. As some of you have pointed out, a full backup system is an expense that small companies like ours are unwilling to commit to until something like this happens. Lesson Learnt.
posted by figment at 3:52 PM on August 12, 2005
posted by figment at 3:52 PM on August 12, 2005
« Older How can I recover more quickly from my workouts? | Free Anonymous Counseling in New York City? Newer »
This thread is closed to new comments.
posted by realcountrymusic at 6:22 PM on August 11, 2005