Nuked SD card after chkdsc or BCD change - any file forensics help?

Greetings, everyone!

Can anyone provide advice on forensic approaches or utilities to try on a
nuked SD card? Or suggest the best forums to cross-post in?

In the middle of installing a multiboot of Server x64 RC2 and Vista x64 SP1
RC, I began encountering BSODs on shutdown of Vista. On reboot, Autochk
began to hang in Vista, and even on the occasions I could get into a Safe
Mode boot, the BSOD would reappear.

Somewhere in there, the path for the Vista boot was erased, and I used
EasyBCD to restore the entry successfully. That triggered Chkdsc instead of
Autochk on the next reboot, but no change in Vista's behavior. Amidst all of
this, I'd inadvertently left an SD card in a reader slot, and the contents
at some point got nuked.

(For those who begin to tut-tut, please know that Server has given me none
of the instability issues that the Vista x64 SP1 RC has. It installs drivers
without balking that Vista refuses to, and has none of the BSODs or Autochk
hangs of Vista x64. If anything, it's Autochk and Chkdsc that are the source
of the problem -- reacting to non-threatening driver problems and directory
mismatches by making the situation a whole lot worse.)

The SD card shows a large number of folder and blank file icons, with
gibberish as names and file extensions. (It's possible that these are
elements of the pre-existing folder and file structure, as there was about
1GB of info on it.) Double-clicking on anything leads to unreadable file
errors.

Undelete Plus finds the volume unscannable.

Thanks for offering your insights.
a.k.a.

On Wed, 26 Dec 2007 15:46:50 -0500, a.k.a. wrote:
How old is the card? These have a limited lifetime (shorter than what I had
hoped for). It's possible yours has bit the dust?

--
Sharon F
MS-MVP ~ Windows Shell/User

a.k.a. wrote: (snippage)
You can run data recovery software on the card. I've heard that Undelete
Plus is good but I'd try some others, too. The ones that cost usually
will let you download a trial to see if they can recover the files. I
use Easy Recovery Pro, but it is expensive. People whom I respect have
recommended R-Studio and Restoration. YMMV.

http://www3.telus.net/mikebike/RESTORATION.html
PCInspector File Recovery -
http://www.pcinspector.de/file_recovery/welcome.htm
Executive Software “Undelete” -
http://www.execsoft.com/undelete/undelete.asp
R-Studio - http://www.r-tt.com/
File Scavenger - http://www.quetek.com/prod02.htm
Ontrack's EasyRecovery - http://www.ontrack.com/software/

I've also had very good luck with PhotoRescue:
http://www.datarescue.com/photorescue/

If consumer-level data recovery software will not help, then your only
recourse is a professional data recovery company such as DriveSavers.
This is quite an expensive proposition ($500+), but only you know the
value of your data.


Malke
--
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic!"
MS-MVP Windows - Shell/User

Sharon, in this case, the card is at most 2 months old, bought based on a 4+
star rating at Newegg, so presumably reliable. I'll eventually reformat to
see if the card is corrupt, but of course it's too early to do so. Most
likely this was another one of those hidden Windows death traps. Grr.

a.k.a.

"Sharon F" wrote:

Malke, thanks for all of these leads! I'll give them a shot, and in a while,
will post back with whatever results they give.

a.k.a.

"Malke" wrote:

Incidentally, the weird thing about the Vista x64 Autochk hang was that,
waiting a bit, you could hear the audio Vista startup jingle! I even tried
ctrl+alt+del -> password -> enter on the premise it might actually log in.
The screen remained in B&W verbose mode, but the hard drive activity kicked
in again for several long minutes.

The Autochk hang occurred at the point where it said it was done with the
scan of all of the volumes.

Anyone know another forum where this issue should be reported?

a.k.a.

"a.k.a." wrote:

For the successful recovery of pictures from SD card, take the help of
Stellar Phoenix Digital Media Recovery Software. Stellar Phoenix
recovers lost, deleted and formatted digital photos / pictures /
images / audio files from removable media, after an accidental
deletion, media format or corrupt media. Apart from the SD card it
also provides data recovery from Memory Sticks, Flash Cards, Sony
Memory Stick, IBM Micro Drive, MMC Cards, XD Cards, Secure Digital
Card, Zip Disks, Mini Disks.
For more information visit: http://www.stellarinfo.com/digital-media-recovery.htm

Richard,
I'll do so. This is a brand new drive, though, with the latest firmware
flash. What's puzzling about the hangs is that they only occur in Vista x64.
The Server 2008 x64 that's mounted on the same drive has never seen a single
hang of this sort.
a.k.a.

"Richard Urban" wrote:

Thanks for this suggestion. I'll check it out as well.

Of the many docs that were stored temporarily on the SD card, the most
important were PDFs. I've heard PDF described as a hi-performance graphics
format, so this one may be worth it if it decodes PDF.
a.k.a.

"whiteurls@xxxxxx" wrote:

As promised, I am writing back with test results from a comprehensive survey
of file / disk recovery software. I'm sure there are other programs about, so
if anyone wants to send me a link to another program in the next day or two
before I fully restore the SD card, I'm happy to test it out as well, and
describe the results.

The SD card that was overwritten was recovered almost completely intact by 3
programs of 17 that I gave this job to. I could only afford to buy one
program of these three, so it may be that, on purchase, the other 2 programs
turn out to have bells & whistles that will put you in better stead.

The three programs that worked were Kroll OnTrack's EasyRecovery
Professional [$200-500, depending on features], Easeus' Disk Recovery Wizard
[$80], and BinaryBiz's Virtual Lab [$150 for up to 100GB].

EasyRecovery managed to do something that none of the other programs could:
Rename the top-level folder structure on the SD card. Remarkably, even though
the other two programs did not complete this part of the recovery task, they
nevertheless managed to reproduce intact all of the subfolder names perfectly.

The advantage of VirtualLab is the capacity to recover Mac partitions and
files.

Finally, Disk Recovery Wizard has two minor disadvantages: It has very poor
document preview capabilities, and the developers have not bothered to give
the interface a native English-speaking proofing.

For all intents and purposes, though, under these recovery conditions, DRW
does just as complete a job as EasyRecovery. In fact, if you want the
top-level folders renamed, just keep a demo copy of EasyRecovery on your
drive, run its scan, and rename the top-level folders based on its results.

So, the winners are:

Kroll OnTrack Data Recovery EasyRecovery Professional [recovered 2500 files]
[$200-500 for differing feature sets]
http://www.ontrackdatarecovery.com/d...very-software/
* Recovered everything, including folder structure, and all folder names
* Will conduct a physical device search

Binary Biz Virtual Lab [$150 for 100GB] [1575 files recovered]
http://www.binarybiz.com/vlab/windows.html
x Recovery of over 100GB requires purchase of more recovery 'quota'
* Recovered everything, including folder structure
* Identified all folder names, with sole exception of top level folders
* Recovers Mac partitions & files
* Will conduct a physical device search

EASEUS Data Recovery Wizard Professional [recovered 2500 files] [$80]
http://www.easeus.com/datarecoverywizardpro/index.htm
x Misnamed one folder, but all contents were there
x Poor file previews
x Still makes plenty of English mistakes in instructions & alerts
* Recovered everything, including folder structure
* Identified all folder names, with sole exception of top level folders
* Will conduct a physical device search


Here is how other programs performed:

Active@ - Undelete [$40]
http://www.active-undelete.com/
x Recovered nothing

Arax - Disk Doctor
http://www.disk-doctor.com/
x Recovered nothing

CONVAR - PC Inspector File Recovery & Smart Recovery [freeware]
http://www.pcinspector.de/Sites/file...htm?language=1
x Found very little of the missing data

File-Saver [$60]
http://www.file-saver.com/undelete/
x No demo available, so no results to compare

GetData - Recover My Files & Recover My Images [$70; try before you buy]
http://www.getdata.com/
x Recovered no folder names, but was able to restore the folder structure
x Lots of garbage TXT files
- Must use File Recovery, not Partition Recovery, to get most files
* Will conduct a physical device search
* Good doc preview variety [including PDFs]

Iolo - Search & Recover [$40]
http://www.iolo.com/sr/4/
x In Vista, fatal runtime errors even before scan started

Brian Kato - Restoration [freeware]
http://www3.telus.net/mikebike/RESTORATION.html
x No physical drive search; hence, in this case, recovered none of the
missing data
* Stand-alone EXE (i.e., no installer)

O&O - DiskRecovery [$100; limited to 100 files]
http://www.oo-software.com/home/en/p...odiskrecovery/
x Poor file previews
x No naming of files; no folder structure

Piriform - Recuva [freeware]
http://www.recuva.com/
x Recovered nothing

QueTek Consulting Corporation - File Scavenger [745 PDFs found] [$50; free
demo]
http://www.quetek.com/prod02.htm
x No naming of files; no folder structure
x No file preview
* Stand-alone EXE (i.e. no installer)
* Will recover files up to 64KB for free

R-Studio [$80; try before you buy]
http://www.data-recovery-software.ne...Download.shtml
http://www.r-studio.com/
Extended Viewer [plug-in; includes vast range of file formats, like PDF &
images] [free]
http://www.data-recovery-software.ne...Download.shtml
x No naming of files; no folder structure
x Missed quite a number of PDFs
x Lots of garbage TXT files
x No PDF preview

StellarPhoenix Windows Data Recovery [$100; try before you buy]
http://www.stellarinfo.com/file-recovery-software.htm
x No naming of files; no folder structure
* Even in demo, opened all MS Office files in Office itself

Symantec Norton SystemWorks 2007 [including Norton Utilities Disk Doctor]
http://www.symantec.com/home_homeoff...build=standard
x Unable to do physical device search
x In Vista x86, couldn't uninstall; Symantec updater sends you to the (as
yet unreleased) install of 2008 BEFORE it identifies the uninstall issue and
sends you the Symantec software Removal Tool, which only worsens the
situation; even DD 2008 quit when printing initial diagnostic report

Touchstone - Undelete Plus [freeware]
http://undelete-plus.com/
x Recovered nothing


Hope this is of use -- especially to you, Malke, who steered me to several
of these programs.

Happy New Year to all!
a.k.a.

"a.k.a." wrote: