CHKDSK: Using Thor’s Hammer to Hang a Picture
The power of CHKDSK may be mighty, but could it be too much for a mere human to handle? Many of you know Loki and Thor from recent comic book and movie references, but their history runs much deeper than the silver screen. For those of you who follow Norse mythology, you will understand the references. For everyone else, here is a quick synopsis: Loki is a Norse god who is a trickster and is known in many texts as the god of mischief while Thor is the Norse god of thunder and battle. We have all encountered times when it appears that Loki has been released on our computer’s hard drive, and we find ourselves needing to find a solution.
We can choose to call upon Thor, also known as CHKDSK which will destroy anything in its path to beat the NTFS volume into submission and allow the user to mount the volume. If you can follow along with the CHKDSK display, or even review the CHKDSK log after the volume is mounted, often you will see that it has sacrificed items like data attributes and index entries. The loss of these items can cause loss of data and corruption to the file system. Many times this damage runs deep enough to be irreversible.
While taking the hammer of Thor to your volume in order to get to your data may sound like the only solution, please know that you have options. As IT professionals, we often feel that we need to continue trying to fix the problem and provide a solution to the end user. It becomes difficult to acknowledge or even identify when we are in over our heads. At times like this we need another lesser known Norse goddess of protection, named Hlin.
When calling upon Hlin to prevent data loss in these situations, your first priority is finding a way to preserve the current state of the data. There are a couple ways of doing this:
- You can create a sector level image of the drive with a software solution such as FTK imager, or using a DD command in a Linux based system. This process also gives you further insight into the integrity of the drive. If you are receiving many errors while trying to create such a low level image of the drive, you are probably dealing with a hardware failure and not just some logical damage.
- If it is a virtual disk, you could create a snapshot and only allow the changes to take place in the snapshot. This process preserves the original state of the system and increases the chances of recovering the data using more delicate means.
Now that you have invoked Hlin’s protection, you can consider allowing the mighty CHKDSK to run, but in a read-only mode to assess the situation. Even this has been found to cause some damage in the past in effort to get the volume to a point that will allow all phases of CHKDSK to run, so it is still advisable to create some form of backup prior to running this. This mode will give you the same on-screen and text file reports indicating what CHKDSK will want to do to the file system to correct the damage, but many of these messages are rather cryptic unless you have a very deep understanding of the file system.
When the damage is only logical, there are now great software solutions that are available to assist in copying off this data and handling the file system corruption in a more delicate manner than allowing CHKDSK to beat it into submission. By using a tool like Ontrack® EasyRecovery™, you are able to preview the file structure you would be able to retain and check for your important files prior to copying off the data. All “fixes” that are made are all virtual and based on read-only assessments of the drive, preventing further data loss.
Looking back on the title of this piece, CHKDSK really is like using Thor’s hammer to hang a picture. While it will probably get the job done, most likely he will embed the picture into the wall using shear force and will likely crush the delicate picture (data) and the frame (structure) to get it to work instead of finding a nail and hanging the picture properly. All Norse god references aside (even though they are cool), the best practice is almost always to back up your data onto another drive to create some form of redundancy, allowing you to limit the potential for data loss. After that, you want to ensure you have the correct tools at your disposal to handle these situations and you fully understand what the tools are doing to the data. Many times data loss situations are worsened due to attempted solutions performed without thinking of what the outcome will be or how it will modify the current situation. If at any time you have questions or doubts about what this may be doing to your system remember that there are experts trained to deal with delicate data loss situations, but every modification makes the recovery more difficult. Kroll Ontrack’s data recovery engineers are ready to assist you with your data recovery needs.
Author: Ted Persing RDR Engineer Kroll Ontrack