CHKDSK: Using a sledgehammer to crack a nut

Written By: Ontrack

Date Published: 22 January 2014 00:00:00 EST

CHKDSK: Using a sledgehammer to crack a nut

The power of CHKDSK may be mighty, but if you’re only cracking a nut is it too much? A little background: originating in 15th century England, a sledgehammer was a large iron hammer primarily used for construction.

Most of us have encountered hard drive problems from time to time and many of us have resorted to the hard drive-equivalent known as CHKDSK which will destroy anything in its path to beat the NTFS volume into submission and allow the user to mount the volume. If you can follow along with the CHKDSK display, or even review the CHKDSK log after the volume is mounted, often you will see that it has sacrificed items like data attributes and index entries. The loss of these items can cause loss of data and corruption to the file system. Many times this damage runs deep enough to be irreversible.

While taking a sledgehammer to your volume in order to get to your data may sound like the only solution, please know that you have options. As IT professionals, we often feel that we need to continue trying to fix the problem and provide a solution to the end user. It becomes difficult to acknowledge or even identify when we are in over our heads. At times like this we may need one of the sledgehammer’s smaller cousins.

When calling upon a builder’s hammer or tack hammer to prevent data loss in these situations, your first priority is finding a way to preserve the current state of the data. There are a couple ways of doing this:

  1. You can create a sector level image of the drive with a software solution such as FTK imager, or using a DD command in a Linux based system. This process also gives you further insight into the integrity of the drive. If you are receiving many errors while trying to create such a low level image of the drive, you are probably dealing with a hardware failure and not just some logical damage.
  2. If it is a virtual disk, you could create a snapshot and only allow the changes to take place in the snapshot. This process preserves the original state of the system and increases the chances of recovering the data using more delicate means.

Now that you have taken all the proper precautions, you can consider allowing the mighty CHKDSK to run, but in a read-only mode to assess the situation. Even this has been found to cause some damage in the past in effort to get the volume to a point that will allow all phases of CHKDSK to run, so it is still advisable to create some form of backup prior to running this. This mode will give you the same on-screen and text file reports indicating what CHKDSK will want to do to the file system to correct the damage, but many of these messages are rather cryptic unless you have a very deep understanding of the file system.

When the damage is only logical, there are now great software solutions that are available to assist in copying off this data and handling the file system corruption in a more delicate manner than allowing CHKDSK to beat it into submission. By using a tool like Ontrack® EasyRecovery™, you are able to preview the file structure you would be able to retain and check for your important files prior to copying off the data. All “fixes” that are made are all virtual and based on read-only assessments of the drive, preventing further data loss.

Looking back on the title of this piece, CHKDSK really is like using a sledgehammer to crack a nut. While it will probably get the job done, most likely he will obliterate the shell (structure) and the precious nut inside (the data). All sledgehammer (and Peter Gabriel) references aside, the best practice is almost always to back up your data onto another drive to create some form of redundancy, allowing you to limit the potential for data loss. After that, you want to ensure you have the correct tools at your disposal to handle these situations and you fully understand what the tools are doing to the data. Many times data loss situations are worsened due to attempted solutions performed without thinking of what the outcome will be or how it will modify the current situation. If at any time you have questions or doubts about what this may be doing to your system remember that there are experts trained to deal with delicate data loss situations, but every modification makes the recovery more difficult. Ontrack’s data recovery engineers are ready to assist you with your data recovery needs.

Subscribe

KLDiscovery Ontrack Limited, Nexus, 25 Farringdon Street, London, EC4A 4AB, United Kingdom (see all locations)