lcoughey wrote:Step 1 would be to get a full sector-by-sector clone of the drive. Step 2 is then to recover the data from the clone.
Yeah I considered that. Here's what happened:
Software cloningFirst, I tried at least half a dozen cloning software apps. They all won't allow a clone, because the drive looks not initialized and unallocated (raw). This is the case whether I remove the drive from the enclosure and connect via SATA, or through the enclosure's USB adapter chip.
If I go through USB and don't type in the password (or if I go through SATA):
Mecrium Reflect - can't select the drive ("raw", "unformatted", "need to format")
EaseUS ToDo - can't select
Acronis True Image - can't select
Active@ Disk Image - can't select ("disk empty")
O&O DiskImage - can't select
Paragon Hard Disk Manager- I/O error
If I go through the adapter and enter the password and get it to say "drive is unlocked", as I described before, it just keeps searching and will recognize a drive and assign a letter, but never recognize any allocated space...so all the programs mentioned just hang during their drive-finding phase, waiting to figure out if there's a logical drive available.
The only software that would even allow an attempt was Stellar Phoenix Windows Data Recovery. The problem there was both the "clone" and the "image" functions would take too long. I'm talking literally years. When the process begins you see a block display of sectors. It appeared about 50 blocks wide, and maybe 200 blocks long. I let the clone function run for a full 24 hours...and there were 7 blocks complete. Pretty much the same story with the image function.
So I moved to hardware...
Hardware cloningI got a
Dyconn Dubbler Dock, which does a sector by sector clone from one drive to another via SATA without the need for a computer. The problem there is, with my problem drive, the dock doesn't behave as it should...
As you can see on the dock, there are 6 lights...one for each drive bay, and four to indicate progress during a cloning process. When I use two drives (same model as my problem drive), the light display seems like you might expect:
You insert each drive, and power on the dock. A blue light next to each drive bay is illuminated to indicate a good connection. When you press and hold the clone button, the lights go off, and you release. Then, as the instructions say, a cyclical lighting sequence begins. Basically, the two drive bay lights flash simultaneously and continuously, and the progress LED lights snake back and forth. This is how you know the process is working. Once it is 25% complete, the first LED stays illuminated, and the snake pattern continues among the final 3...and so on. Once the process is complete, all lights are solid illuminated.
However...
With "the problem drive" in HDD bay 1...and any other drive in the destination by HDD2...the light process starts like normal, and then the HDD2 light shuts off, and the progress lights stop flashing. The dock is left with only HDD1 light illuminated. And that's how it stays, seemingly forever. I let it run for at least 12 hours, with two different destination drives. (When the process worked like normal between the two good drives (all the same 3TB size as the bad drive), it took about 8.75hrs to complete).
The problem is, I have no way of knowing if the clone of the bad drive worked...because I have no feasible way to inspect the data. Although the clone
did behave as the bad drive does: showing in disk manager as not initialized, unallocated space. But that doesn't mean all the sectors are the same, it could just be the destination drive was simply wiped.
Trying anywayGiven that the process was allowed to go for more than the needed time, I went ahead as if the clone was accurate...
I attached the USB adapter from the enclosure (where the encryption/decryption takes place) to one of the clone drives and attached to the computer. The virtual CD for the WD Unlocker software appeared...but when I try to initialize it, it immediately says "too many failed attempts" for the password. (This normally happens if you enter an incorrect password 5 times.) But in this case, I can't enter a password at all.
The same thing happens if I try to go through the Smartware software and attempt to enter the password there...I don't get a chance to enter anything.
When you get the "too many failed attempts" error, it says you can either disconnect and reconnect the drive and try again, or format the drive. So since this was a clone, I went ahead and formatted it. Of course it then showed up fine. I could see the drive like normal.
Data RecoveryI went ahead and started an Advanced Recovery process with Stellar Phoenix WDR Pro. According to the software, you can "recover data from a formatted volume or removable media by using 'Advanced Recovery' option of Windows Data Recovery. If a volume or removable media is formatted and all data is lost from that drive, you can recover that data performing this type of recovery."
I let that scan for about 15 hours and at that point it appeared to start over, searching for metadata in each cluster again. So I stopped the process, and the "files" it recovered were all system/drive junk. I didn't expect anything from this anyway though, as the data was all encrypted anyway, so it's not as if simply formatting the drive should make that go away and the files recoverable from a data recovery program. (That wouldn't be very good encryption, now would it?)
So what I'm going to do now is use the Smartware and set up a password lock on this newly formatted drive, and then try to use it as I was using the other one. At least this way, I can confirm there isn't any problem with the adapter chip (as, if I get any of the same behavior/error on this newly formatted drive, then I'll know there's a problem there too, at least.)
Any more ideas for ways to attack this?