How do I minimise any further damage?

PrintPrintEmailEmail

As a general rule, avoid (or at least minimise) any further access to the device. In particular, avoid LONG RETRIES and/or WRITING to the device like the plague. This also means avoiding any data recovery tools that purport to REPAIR your disk. Such tools need to use the (possibly corrupted) system and device drivers to access the disk, with all the inherent issues listed below. Furthermore, to repair a directory, it HAS to overwrite what it considers wrong in that directory - which means overwriting the only list (OK, B-Tree ;) of what files are on the disk and which sectors of the disk belong to which file. (Keep in mind that on a 500 GByte disk drive, there are roughly a billion sectors - so it is not realistic to attempt piecing them together manually. Arguably, the directory is the most important part of the disk. There is indeed room for such tools but they should only ever be run on a clone - not the irreplaceable original.)
There are two separate domains that we need to be vigilant about: Physical access to the raw data sectors on the disk (hardware) and logical meaning of that information (volume and directory structures, system and user files).

  • Physical: When a storage device starts failing, the effects can quickly snowball into catastrophic failure. Typically, a shock might have resulted in a minor chink to the disk surface. This in turn is likely to make the data sector in that location unreadable. When the operating system attempts to access that sector, it will fail and automatically retry a number of times. (In fact, at every retry, the internal operating system of the disk drive itself will attempt to read the content of that sector in order to move it to a working location - and retry a number of times before giving up.) Every time the magnetic head passes over that location, it is likely to wobble significantly and worsen the chink into a gouge. (Imagine a supersonic car passing over and over again over the same speed bump..) Very quickly a circular scratch appears across the disk and the magnetic head is badly damaged. Worse, a new head is likely to be damaged also as soon as it attempts to read that sector.
  • Now, more often than not, such damage is likely to happen in the most used part of the disk drive: the directory. That is why it is not a good idea to leave a computer retrying to boot or copy an important file off the disk. Chances are that it will do a lot more damage in the process, hammering the drive with retries to an unreadable sector.
  • One of the first steps in professional data recovery is to make a sector-for-sector clone of the failing disk onto a good working drive. First, we ignore unreadable sectors and clone every readable one. Then we make additional passes (both forward and backwards) with tighter and tighter retry/correct settings until we copy as many sectors as physically possible. This is in stark contrast to the blind retry policy of the operating system (and some "recovery" programs that should know better..).
  • Logical: Sometimes, the physical sectors are perfectly fine but a runaway piece of softwre, a glitch or some malware has overwritten an important part of the disk - such as the boot blocks, partition map, directory, etc. Again, rebuilds or repairs may be warranted but should only ever be attempted on a sector clone of the disk because (as stated above) such repairs overwrite very important information and if it didn't work, you have no way of going back in time.. Clones give us the flexibility to try various approaches without risk.

Every access to a storage device can potentially overwrite something important. Once overwritten, it is gone. Even restarting the computer flushes all caches and writes temporary files. If you have erased something by mistake, just pull the plug. (Something erased is internally seen as available space. The more activity - even an orderly shutdown - the more chances to overwrite the raw sectors which still contain your data.)