Many hard drives fail in a way that just some sectors can not be read. This will often render the drive impossible to read as a standard drive and so make data recovery essential.

Sometimes it is possible to use the standard CnW recovery tools, for NTFS, Mac etc. If the disk has many bad sectors, the standard process can be exceptionally slow, and difficult to restart after a failure. The best option in these cases is to construct a disk image file which can the be used with the standard CnW tools. Download demo at any time.

With any failing drive it is always important to be careful. Too much reading may damage the drive further and make recovery impossible. If concerned, or data very critical it may be best to consult a hardware repair company. If data is desirable rather than critical, this can be a low cost way to make a recovery.

The disk image file is created used the Image Raw function and all options are then disabled, ie no file splitting (though for Raid 0 disks, the Raid 0 options must be set). The resulting file is same as would be produced using the Unix / Linux DD command. The added improvement is that areas can be skipped and imaging can be started part way through the disk, but the resulting file will be padded to emulate a complete DD image. This means it is possible to incrementally build up a complete, or nearly complete image of a disk with many bad areas, including padding sections that cannot be read at all.

The first procedure to start with is to try and image the complete drive - obviously storing the DD file on a new drive with a higher capacity. Reading should be seen to be reasonably fast, but typically disks with bad areas will stop, or go exceptionally slowly over bad areas. At these points if is often advantageous to skip over the bad areas and this is very easy using CnW Recovery software. The image file may be constructed in several stages, and not necessarily is sequence. It is possible to image the first 1GB and then the final 1GB. In this case, the middle GBs will be padded, and can be imaged later.

There is always a danger that the disk may fail totally while trying to do many retries on a bad sector. For this reason, it is worth imaging good areas (with no failed sectors) first.

Automatic skipping of bad areas
When the disk hits a large bad patch, there are options in the Configure, Hardware Config menu to allow automatic skipping of bad areas. For instance, one can set the program so that when it detected 10 bad sectors in a row, it will then skip the next 100. Forensically, this will leave a dubious image, but in practice, it does allow a usable image to be created in a sensible period of time. If the automatic skipping has jumped over important sectors, an attempt can be made to image these later. By skipping on the first read error of a disk, less strain is placed on the drive, trying to do many retries.

Recovering specific areas of the disk
This stage of recovery gets interesting, and can be very satisfying. Having made a partial recovery of the disk we try and track down where required files are stored, so that the correct area of the disk can be imaged. The procedure for this is to attempt a full recovery of the created image file using NTFS, FAT32 or MAC as relevant for the disk. Obviously, there needs to be enough data on the image file to read the main MFT, catalog file or directory. Using the log it will then be possible to see where the required files are stored. These areas can the be concentrated on to select areas of disk imaging. If only a few files are required from a disk, maybe then only 10% will need imaging saving time. The fragment column of the log, if clicked will show the size and location of the first 80 fragments of a file, again allowing a file to be reconstructed by partial imaging.

Various features in CnW will assist in selecting the correct areas to image. For instance, as long as the first sect of the $MFT is found, the NTFS recover routine can display the allocation of all the $MFT clusters. A similar function exists on Apple HFS+ disks. A function then allows just these very critical sectors to be added to the image file.

Typical failures
It is useful to know how many disks fail. It is very common for an area of disk to have problems, rather than the complete disk. Typically, disks get better near the end, but this does mean that problems reading are often related to areas of the disk where the main directory or catalog information is stored. It is also where many system files are stored. For recovery it is worth concentrating on the directory information and data files, rather than system files.

Shadow disk
Once a DD image has been created, it can be used to logically read the disk and recover files. A feature of CnW is that the original disk can be set up as a shadow disk to the image file. When a sector that has not be imaged is detected, the original disk is tried again. If the sector can be read, the DD image will be updated. This is a method so that even a partial DD image of the disk can be very useful. This works because unread sectors are all padded with the byte 0x5A ‘Z’. When a failed sector is read, the last 4 bytes of the padded sector contain the physical sector number.

Summary of recovery
● Try an determine if all of the disk needs imaging - if the disk has had light use only, the final 50% may still be blank
● Image good areas of the disk first
● Try and image the directory or catalog area
● If possible to image the boot sector and BPB and then MFT / Catalog
● Determine area of critical files
● Image the difficult areas last - the disk may fail in this process

A white paper on the subject
Incremental Imaging