SSD NTFS Recovery Case Study

📌 Project Overview

This case study documents the forensic-style recovery of a 2TB NTFS-formatted disk that became inaccessible due to logical filesystem corruption.

The disk was detected at the hardware level but failed to mount on both Windows and Linux systems. The objective was to recover maximum data while preserving original media integrity using a controlled, forensic-safe workflow.

Initial Symptoms

Disk detected as /dev/sdX
Partition table present
Volume not mountable
Windows unable to access filesystem
Linux mount attempts returned errors
Installer reported disk access failure
Disk reported full capacity but directory structure inaccessible

These indicators suggested logical filesystem corruption rather than catastrophic hardware failure.

SMART Analysis

SMART diagnostics reported:

Overall health: PASSED
Pending sectors: Non-zero
Reallocated sectors: Low / None

Interpretation

No immediate mechanical failure
Early-stage sector instability suspected
Filesystem likely corrupted due to unstable I/O combined with full disk condition

SMART “PASSED” does not guarantee data integrity.

Probable Causes

Sudden power interruption
Unsafe device removal
NTFS journal inconsistency
Disk operating at 100% capacity
Weak sectors causing repeated read retries

Conclusion: Logical corruption with early hardware instability.

Recovery Strategy

Step 1 — Block-Level Imaging

Tool used: ddrescue

Reason:

Sector-by-sector cloning
Logs unreadable sectors
Minimizes repeated stress
Preserves exact disk state

Command used:

sudo ddrescue -f -n /dev/sdX /dev/sdY rescue.log
sudo ddrescue -d -r3 /dev/sdX /dev/sdY rescue.log

A complete clone was created before any repair attempts.

Step 2 — Operate on Clone Only

All further recovery operations were performed on the cloned disk to ensure:

Original disk preserved in read-only state
Safe experimentation with repair tools
No additional degradation of unstable sectors

Step 3 — Filesystem Recovery

Tools used:

TestDisk
PhotoRec
ddrescue

Recovery order:

Analyze partition structure
Repair NTFS boot sector if damaged
Attempt MFT-based recovery
Use raw carving only if metadata unrecoverable

Metadata recovery was prioritized over file carving.

Recovery Outcome

Majority of data successfully recovered
Minimal sector-level loss
Some files partially corrupted due to unreadable sectors
NTFS structure largely restored

Key Lessons

Clone first, repair later
Never operate directly on failing media
SMART “PASSED” does not mean safe
Full disks increase corruption risk
Avoid virtualization for hardware-level recovery
Follow the 3-2-1 backup rule

Tools Used

Kali Linux (Live Environment)
ddrescue
TestDisk
PhotoRec
SMART diagnostic utilities

Skills Demonstrated

Block-level disk imaging
Filesystem corruption analysis
SMART interpretation
NTFS recovery methodology
Forensic-safe workflow design
Risk-controlled recovery execution

Environment Setup

All recovery operations were performed using Kali Linux in Live Boot mode via a bootable USB drive.

The system was not installed on the internal disk. Running from a live environment ensured:

No writes were made to the affected 2TB disk
The original operating system did not auto-mount or modify the filesystem
Recovery tools operated in a controlled, isolated environment
The integrity of the source media was preserved

This approach minimized contamination risk and maintained forensic safety throughout the recovery process.

Conclusion

The original disk was preserved throughout the recovery process. All operations were performed on a cloned replica to maintain data integrity and prevent irreversible loss.