Windows 7 user data saved with Linux

By apexwm, 20 July, 2011 17:20

Just today I had the pleasure of helping another user recover their data when the Microsoft tools failed. The recommended method to recover Windows is to boot to the recovery tools partition, by pressing F8 and select "Repair my computer" option. When doing this, the Windows environment would attempt to load, and would eventually freeze when the Windows 7 background comes up. So much for that.

The drive was removed and connected to another Windows PC however it would only see the recovery partition and not the OS/system partition on the disk, where the valuable data is stored. So much for that.

So, I grabbed my Knoppix Linux boot CD and booted it up on the machine with the issues. It saw both partitions, and mounted them. However, the catch here is that it would not mount the OS/system partition by default, because it was unmounted incorrectly the last time it was used in Windows (probably due to the crash). So, I had to manually run the command as root "mount -t ntfs /dev/sda3 /mnt/sda3 -o force" to mount the disk as /mnt/sda3. The "-o force" option is not used by default, so in this case this was the only way to force this partition to mount and ignore the filesystem state. Then, it showed up in the file explorer as a mounted volume.

We were also able to traverse the directories and all of the files appeared to be in tact. We hooked up a spare external USB drive pre-formatted with NTFS, and were able to copy all of the files to it (basically copied the entire user's profile folder). A couple of IE files failed, probably due to corruption, but the data as a whole was successfully backed up and quickly too, which indicates more of a software problem rather than a hardware problem (usually bad disks have very slow performance especially when the bad sectors are trying to be accessed).

Based on what I am seeing so far, it appears that the NTFS filesystem and/or partition was corrupted to the point where Windows would no longer recognize it. Thankfully, Linux seems to have more rigorous tools which can get around the issues. I've had this exact same experience in the past with Windows XP. It only goes back to my previous statements in the past about how unstable NTFS seems to be. I've seen ACLs and files disappear on Windows file servers using NTFS connected to a SAN and SCSI arrays. Corruption should just not happen out of the blue like this. We will see later for sure, as Windows 7 will be re-installed on the machine and if it bombs then, it will be a good indication of a bad hard disk. Plus Dell's diagnostics will be run on it as well, just as an extra precaution.