Sunday, July 7, 2013

Why Can Linux Systems Sometimes Recover Data Windows Can’t?


Why is it that you can use a Linux-based computer or Linux Live CD to recover data Windows could not?

Background: Earlier this year I had a problem with a SSD drive that Windows would recognize anymore. But eventually a bootable Parted Magic 2012-10-10 did the trick. See this solved thread. One question stuck with me from that moment…
Question: I am aware that Linux is generally a bit more technical and raw, but can someone roughly outline why a Linux system (or in fact only that particular one, since Ubuntu did not do the trick) is capable of still accessing/communicating with a half-corrupted device when Windows isn’t?
  • Do they just ignore any potential indicators that something might be wrong?
  • Are there any concrete reasons at all?
  • Was it just luck that this particular environment was able to get the SSD to response if only for a limited time?
While it certainly could have been luck, there’s likely more than a few factors at play. Let’s investigate.

The Answer

Usually this comes down to what, exactly, is being accessed and how, exactly, the device is failing. For instance, if the SSD in question is unable to retrieve, say, sector 5 and will start stalling as soon as anything reads sector 5, the difference may simply be due to what different systems automatically access once they recognize a new disk.
When Windows detects a new disk, it will read the partition table and automatically attempt to open any filesystems it knows how to read. If any of the structures/blocks being read during this “mounting”-process trigger your faulty SSD to go bye-bye, the difference with that specific linux distribution is simply that it may not automatically mount all the partitions in question, or may, when mounting, simply read a different subset of sectors (the implementation of NTFS in Linux is very different from the one in Windows — while the on-disk format is the same, it is up to the OS which structures it deems necessary to read. Windows may read secondary copies of the MFT, or it may start precaching some data and that could be the difference. Ubuntu is in a similar boat — it is not geared towards recovery out of the box, it will attempt to mount any filesystem it finds on newly discovered media, automatically. It is for this reason that specialized distributions geared towards recovery are a better bet, as they only do what you explicitly ask them to as opposed to doing things automatically.
Of course, you may simply have gotten lucky, too. I don’t know enough about the failure mode of the SSD to say.
Linux generally does not ignore indicators that something is wrong. It will receive the same SCSI errors from the SATA chipset as Windows will — if you look at the kernel log, on a faulty disk you will see lots of error messages. It depends on what programs are actuallly accessing the disk what will happen next. If it’s software geared towards recovery, it may try to reread the same sector a limited number of times, it may skip it, etc. Usually the best bet is to get an image of the drive with as many sectors read cleanly as possible, and then try to recover your data from that image (doing any analysis directly on the drive is a bad idea usually since its condition may worsen and just because you were able to read something once, that does not mean you will be able to read it again.)
A lot of it is the way the environment handles the file system, and the ACLs or the hard drive.
Windows is going to do everything it can on its own to obey its ACLs, and sectors marked as bad or empty. So NTFS or Fat partitions created and maintained in Windows as well as Windows MBRs will be handled by Windows as Windows marked it.
Also, if the drive is failing the more you use it the more likely it is to encounter a major problem and the environment will crash. Then how the OS handles that comes into play, Windows will BSOD or reboot, the windows boot process will throw MBR messages, missing file messages (NTDLR.dll is missing or corrupt) and stop, because these bad files are required.
When you use a live disk, you are not relying on any of this. A bad MBR is bypassed because you boot off of the disk. A bad sector that corrupted the NTDLR.dll is not needed. Everything is on the disk. You can then attempt a read. If it encounters a ‘blank’ sector or bad bit, that environment handles it however it was programmed to do. Ubuntu likely would rather maintain normal OS behaviors and continue on with what is most likely to be happening. The sector is blank, do something else. That sector is bad, stay away, do not read again do not write or it will cause problems.
A recovery platform however, is going to want to read all data. The file markers say the file should be on 0,5, 13…. if the filesystem reports 13 is missing, ignore the blank header and read the file anyway, or read the bad sector as best as it can and try to recover.
Also, Windows CAN do alot of this with third party applications, Recuva can find alot of these “missing” files, for one. But you don’t want to be in an environment that may write back to the disk and cause true permanent loss.
I did simplify this, and add some interpretation, but it should fill in some blanks for what you are asking.

Retweet this story

No comments:

Post a Comment