Nuked SD card after chkdsk or BCD change - any file forensics help?

a.k.a.

Greetings, everyone!

Can anyone provide advice on forensic approaches or utilities to try on a
nuked SD card? Or suggest the best forums to cross-post in?

In the middle of installing a multiboot of Server x64 RC2 and Vista x64 SP1
RC, I began encountering BSODs on shutdown of Vista. On reboot, Autochk
began to hang in Vista, and even on the occasions I could get into a Safe
Mode boot, the BSOD would reappear.

Somewhere in there, the path for the Vista boot was erased, and I used
EasyBCD to restore the entry successfully. That triggered Chkdsk instead of
Autochk on the next reboot, but no change in Vista's behavior. Amidst all of
this, I'd inadvertently left an SD card in a reader slot, and the contents
at some point got nuked.

(For those who begin to tut-tut, please know that Server has given me none
of the instability issues that the Vista x64 SP1 RC has. It installs drivers
without balking that Vista refuses to, and has none of the BSODs or Autochk
hangs of Vista x64. If anything, it's Autochk and Chkdsk that are the source
of the problem -- reacting to non-threatening driver problems and directory
mismatches by making the situation a whole lot worse.)

The SD card shows a large number of folder and blank file icons, with
gibberish as names and file extensions. (It's possible that these are
elements of the pre-existing folder and file structure, as there was about
1GB of info on it.) Double-clicking on anything leads to unreadable file
errors.

Undelete Plus finds the volume unscannable.

Thanks for offering your insights.
a.k.a.
 
Undelete Plus finds the volume unscannable.

How old is the card? These have a limited lifetime (shorter than what I had
hoped for). It's possible yours has bit the dust?
 
a.k.a. said:
Greetings, everyone!

Can anyone provide advice on forensic approaches or utilities to try on
a nuked SD card? Or suggest the best forums to cross-post in?

In the middle of installing a multiboot of Server x64 RC2 and Vista x64
SP1 RC, I began encountering BSODs on shutdown of Vista. On reboot,
Autochk began to hang in Vista, and even on the occasions I could get
into a Safe Mode boot, the BSOD would reappear.

Somewhere in there, the path for the Vista boot was erased, and I used
EasyBCD to restore the entry successfully. That triggered Chkdsk instead
of Autochk on the next reboot, but no change in Vista's behavior. Amidst
all of this, I'd inadvertently left an SD card in a reader slot, and the
contents at some point got nuked.
(snippage)

The SD card shows a large number of folder and blank file icons, with
gibberish as names and file extensions. (It's possible that these are
elements of the pre-existing folder and file structure, as there was
about 1GB of info on it.) Double-clicking on anything leads to
unreadable file errors.

Undelete Plus finds the volume unscannable.

You can run data recovery software on the card. I've heard that Undelete
Plus is good but I'd try some others, too. The ones that cost usually
will let you download a trial to see if they can recover the files. I
use Easy Recovery Pro, but it is expensive. People whom I respect have
recommended R-Studio and Restoration. YMMV.

http://www3.telus.net/mikebike/RESTORATION.html
PCInspector File Recovery -
http://www.pcinspector.de/file_recovery/welcome.htm
Executive Software “Undelete” -
http://www.execsoft.com/undelete/undelete.asp
R-Studio - http://www.r-tt.com/
File Scavenger - http://www.quetek.com/prod02.htm
Ontrack's EasyRecovery - http://www.ontrack.com/software/

I've also had very good luck with PhotoRescue:
http://www.datarescue.com/photorescue/

If consumer-level data recovery software will not help, then your only
recourse is a professional data recovery company such as DriveSavers.
This is quite an expensive proposition ($500+), but only you know the
value of your data.


Malke
 
Sharon, in this case, the card is at most 2 months old, bought based on a 4+
star rating at Newegg, so presumably reliable. I'll eventually reformat to
see if the card is corrupt, but of course it's too early to do so. Most
likely this was another one of those hidden Windows death traps. Grr.

a.k.a.
 
Malke, thanks for all of these leads! I'll give them a shot, and in a while,
will post back with whatever results they give.

a.k.a.
 
Incidentally, the weird thing about the Vista x64 Autochk hang was that,
waiting a bit, you could hear the audio Vista startup jingle! I even tried
ctrl+alt+del -> password -> enter on the premise it might actually log in.
The screen remained in B&W verbose mode, but the hard drive activity kicked
in again for several long minutes.

The Autochk hang occurred at the point where it said it was done with the
scan of all of the volumes.

Anyone know another forum where this issue should be reported?

a.k.a.
 
If a drive constantly hangs when doing an auto check, or when running
chkdsk, I would certainly run the drive manufacturer's hard drive test
utility from a bootable floppy or CD.

--

Regards,

Richard Urban
Microsoft MVP Windows Shell/User
 
The SD card shows a large number of folder and blank file icons, with
gibberish as names and file extensions. (It's possible that these are
elements of the pre-existing folder and file structure, as there was about
1GB of info on it.) Double-clicking on anything leads to unreadable file
errors.

Undelete Plus finds the volume unscannable.

Thanks for offering your insights.
a.k.a.

For the successful recovery of pictures from SD card, take the help of
Stellar Phoenix Digital Media Recovery Software. Stellar Phoenix
recovers lost, deleted and formatted digital photos / pictures /
images / audio files from removable media, after an accidental
deletion, media format or corrupt media. Apart from the SD card it
also provides data recovery from Memory Sticks, Flash Cards, Sony
Memory Stick, IBM Micro Drive, MMC Cards, XD Cards, Secure Digital
Card, Zip Disks, Mini Disks.
For more information visit: http://www.stellarinfo.com/digital-media-recovery.htm
 
Richard,
I'll do so. This is a brand new drive, though, with the latest firmware
flash. What's puzzling about the hangs is that they only occur in Vista x64.
The Server 2008 x64 that's mounted on the same drive has never seen a single
hang of this sort.
a.k.a.
 
Thanks for this suggestion. I'll check it out as well.

Of the many docs that were stored temporarily on the SD card, the most
important were PDFs. I've heard PDF described as a hi-performance graphics
format, so this one may be worth it if it decodes PDF.
a.k.a.
 
As promised, I am writing back with test results from a comprehensive survey
of file / disk recovery software. I'm sure there are other programs about, so
if anyone wants to send me a link to another program in the next day or two
before I fully restore the SD card, I'm happy to test it out as well, and
describe the results.

The SD card that was overwritten was recovered almost completely intact by 3
programs of 17 that I gave this job to. I could only afford to buy one
program of these three, so it may be that, on purchase, the other 2 programs
turn out to have bells & whistles that will put you in better stead.

The three programs that worked were Kroll OnTrack's EasyRecovery
Professional [$200-500, depending on features], Easeus' Disk Recovery Wizard
[$80], and BinaryBiz's Virtual Lab [$150 for up to 100GB].

EasyRecovery managed to do something that none of the other programs could:
Rename the top-level folder structure on the SD card. Remarkably, even though
the other two programs did not complete this part of the recovery task, they
nevertheless managed to reproduce intact all of the subfolder names perfectly.

The advantage of VirtualLab is the capacity to recover Mac partitions and
files.

Finally, Disk Recovery Wizard has two minor disadvantages: It has very poor
document preview capabilities, and the developers have not bothered to give
the interface a native English-speaking proofing.

For all intents and purposes, though, under these recovery conditions, DRW
does just as complete a job as EasyRecovery. In fact, if you want the
top-level folders renamed, just keep a demo copy of EasyRecovery on your
drive, run its scan, and rename the top-level folders based on its results.

So, the winners are:

Kroll OnTrack Data Recovery EasyRecovery Professional [recovered 2500 files]
[$200-500 for differing feature sets]
http://www.ontrackdatarecovery.com/data-recovery-software/
* Recovered everything, including folder structure, and all folder names
* Will conduct a physical device search

Binary Biz Virtual Lab [$150 for 100GB] [1575 files recovered]
http://www.binarybiz.com/vlab/windows.html
x Recovery of over 100GB requires purchase of more recovery 'quota'
* Recovered everything, including folder structure
* Identified all folder names, with sole exception of top level folders
* Recovers Mac partitions & files
* Will conduct a physical device search

EASEUS Data Recovery Wizard Professional [recovered 2500 files] [$80]
http://www.easeus.com/datarecoverywizardpro/index.htm
x Misnamed one folder, but all contents were there
x Poor file previews
x Still makes plenty of English mistakes in instructions & alerts
* Recovered everything, including folder structure
* Identified all folder names, with sole exception of top level folders
* Will conduct a physical device search


Here is how other programs performed:

Active@ - Undelete [$40]
http://www.active-undelete.com/
x Recovered nothing

Arax - Disk Doctor
http://www.disk-doctor.com/
x Recovered nothing

CONVAR - PC Inspector File Recovery & Smart Recovery [freeware]
http://www.pcinspector.de/Sites/file_recovery/info.htm?language=1
x Found very little of the missing data

File-Saver [$60]
http://www.file-saver.com/undelete/
x No demo available, so no results to compare

GetData - Recover My Files & Recover My Images [$70; try before you buy]
http://www.getdata.com/
x Recovered no folder names, but was able to restore the folder structure
x Lots of garbage TXT files
- Must use File Recovery, not Partition Recovery, to get most files
* Will conduct a physical device search
* Good doc preview variety [including PDFs]

Iolo - Search & Recover [$40]
http://www.iolo.com/sr/4/
x In Vista, fatal runtime errors even before scan started

Brian Kato - Restoration [freeware]
http://www3.telus.net/mikebike/RESTORATION.html
x No physical drive search; hence, in this case, recovered none of the
missing data
* Stand-alone EXE (i.e., no installer)

O&O - DiskRecovery [$100; limited to 100 files]
http://www.oo-software.com/home/en/products/oodiskrecovery/
x Poor file previews
x No naming of files; no folder structure

Piriform - Recuva [freeware]
http://www.recuva.com/
x Recovered nothing

QueTek Consulting Corporation - File Scavenger [745 PDFs found] [$50; free
demo]
http://www.quetek.com/prod02.htm
x No naming of files; no folder structure
x No file preview
* Stand-alone EXE (i.e. no installer)
* Will recover files up to 64KB for free

R-Studio [$80; try before you buy]
http://www.data-recovery-software.net/Data_Recovery_Download.shtml
http://www.r-studio.com/
Extended Viewer [plug-in; includes vast range of file formats, like PDF &
images] [free]
http://www.data-recovery-software.net/Data_Recovery_Download.shtml
x No naming of files; no folder structure
x Missed quite a number of PDFs
x Lots of garbage TXT files
x No PDF preview

StellarPhoenix Windows Data Recovery [$100; try before you buy]
http://www.stellarinfo.com/file-recovery-software.htm
x No naming of files; no folder structure
* Even in demo, opened all MS Office files in Office itself

Symantec Norton SystemWorks 2007 [including Norton Utilities Disk Doctor]
http://www.symantec.com/home_homeof...ish&module=NUCWV&error=OScheck&build=standard
x Unable to do physical device search
x In Vista x86, couldn't uninstall; Symantec updater sends you to the (as
yet unreleased) install of 2008 BEFORE it identifies the uninstall issue and
sends you the Symantec software Removal Tool, which only worsens the
situation; even DD 2008 quit when printing initial diagnostic report

Touchstone - Undelete Plus [freeware]
http://undelete-plus.com/
x Recovered nothing


Hope this is of use -- especially to you, Malke, who steered me to several
of these programs.

Happy New Year to all!
a.k.a.
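
The results above separate tools that rebuilt the folder structure from tools that found files with "no naming of files; no folder structure". The sketch below is an added example, not part of the thread and not the method of any product reviewed in it: it carves PDFs out of a raw image by signature alone, which shows why a scan that ignores filesystem metadata returns contents without names or folders. `carve_pdfs`, `carve_image_file`, the sample data and the 64 MB cap are assumptions; it is meant to be run against an image copy of a card, not the card itself.

```python
import mmap

PDF_HEADER = b"%PDF-"
PDF_TRAILER = b"%%EOF"
MAX_PDF_SIZE = 64 * 1024 * 1024  # assumption: upper bound for one carved file

# Constructed sample data (not taken from the card discussed in the thread).
PDF_A = b"%PDF-1.4\n1 0 obj\n<<>>\nendobj\n%%EOF"
PDF_B = b"%PDF-1.6\nbody\n%%EOF\nincremental update\n%%EOF"
TRUNCATED = b"%PDF-1.3\nheader survived, tail overwritten"


def carve_pdfs(image, max_size=MAX_PDF_SIZE):
    """Return [(offset, data)] for each PDF found by a raw header/trailer scan.

    `image` is bytes or a read-only mmap of the card image. No filesystem
    metadata is read, so carved files have no names and no folder paths,
    and a fragmented file comes back incomplete.
    """
    found, pos = [], 0
    while (start := image.find(PDF_HEADER, pos)) != -1:
        nxt = image.find(PDF_HEADER, start + len(PDF_HEADER))
        limit = min(len(image), start + max_size, nxt if nxt != -1 else len(image))
        # Incrementally saved PDFs hold several %%EOF markers: take the last.
        end = image.rfind(PDF_TRAILER, start, limit)
        if end == -1:  # tail overwritten or file too large: skip this header
            pos = start + len(PDF_HEADER)
            continue
        end += len(PDF_TRAILER)
        found.append((start, image[start:end]))
        pos = end
    return found


def carve_image_file(path):
    """Carve a card image on disk without loading it all into memory."""
    with open(path, "rb") as f, mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as m:
        return carve_pdfs(m)


def build_sample_image(sector=512):
    """Constructed image: one sector of garbage in place of the directory, then data."""
    pad = lambda b: b.ljust(-(-len(b) // sector) * sector, b"\x00")
    return b"\xe5\xf6" * (sector // 2) + pad(PDF_A) + pad(TRUNCATED) + pad(PDF_B)


if __name__ == "__main__":
    for offset, data in carve_pdfs(build_sample_image()):
        # With no directory entry, the byte offset is the only name available.
        print(f"carved_{offset:08x}.pdf  {len(data)} bytes")
```
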
 
a.k.a. said:
As promised, I am writing back with test results from a comprehensive survey
of file / disk recovery software. I'm sure there are other programs about, so
if anyone wants to send me a link to another program in the next day or two
before I fully restore the SD card, I'm happy to test it out as well, and
describe the results.
(snippage)

Hope this is of use -- especially to you, Malke, who steered me to several
of these programs.

This was an awesome, awesome job of reporting results with detailed
reviews of all products. Aside from being extremely happy that you found
something that worked (and as a long-time user of Easy Recovery Pro in
my business I knew it was good but you explained why), I am really
appreciative of all the work you put into this post. Thank you so much.
Because of you, I'll definitely take a look at BinaryBiz because of its
support of Macs. I had never heard of it before. Not only am I a Mac
user myself, more and more of my clients are buying Macs so I'm really
pleased to have your review. It sounds like Easy Recovery Pro is still
the best for PCs, but BinaryBiz is worth trying.

I hope you don't mind, but I'm going to forward your post to a tech
colleague; he'll find what you wrote just as useful as I did. Thanks
again for your amazing work, and congratulations on recovering your data.

Happy New Year,


Malke
 
Malke,
Don't mind in the least if you send it around. I'm very glad to give
something back to the forums -- I get a lot out of them every day. Thanks a
lot for your help!
a.k.a.
 
Just a few errata to the review:
- Easeus says Disk Recovery Wizard is compatible with 64-bit installs of
Vista / Server.
- Kroll Ontrack EasyRecovery does not uninstall in x86. I'm querying the
support forum now.
- Ignore the figure of how many files a program recovered. I meant to edit
it out, as it wasn't indicative of the overall completeness. Many of the
files were junk, it seems, although I didn't do a survey.
- Recover My Files in fact didn't recover the folder structure the second
time through. (I retried, because I couldn't remember how much of the folder
structure it had retrieved.) Odd that it was so erratic.
 