
Author Topic: Data recovery: Survival Guide (Part 1)  (Read 8103 times)

Offline Clive

  • Administrator
  • *****
  • Posts: 73669
  • Won Quiz of the Year 2015,2016,2017, 2020, 2021
Data recovery: Survival Guide (Part 1)
« on: March 11, 2004, 13:41 »
I make no apologies for making this extremely long post regarding data recovery. I could have simply inserted the URL but we all know that URLs often disappear when you need them most.

01 Mar 04 [PC Pro]

Davey Winder reveals how to salvage your lost work without suffering a nervous breakdown.

There are folk who claim never to have seen the dreaded blue screen of death, whose hard disks have never so much as spluttered, let alone died, who would never be stupid enough to delete the wrong file, accidentally format the wrong partition or otherwise screw up their data. Then there are the rest of us.  What's worse is that this kind of thing has a habit of happening when you least expect it. To deal with these situations, you need something that can point you in the right direction and offer measured response without a knee-jerk reaction. Basically, you need something that will save your skin. This is why we're bringing you the 'Data disaster survival guide'. Just about every component that goes into making your PC can be replaced, from a fried CPU or blown power supply to memory chips and graphics cards. Even the little battery on the motherboard will need changing if you keep your PC for long enough. There's one component, however, that isn't replaceable, and it's the most valuable of all - your data. This isn't an issue if you keep regular, reliable, tested backups, but we deal in the real world here at PC Pro and time and time again we run into people who should know better. If you're one of them, get your backup and recovery strategies sorted out now. The sooner you do it the better, as you never know when a file is going to get corrupted or when a hard disk will die. However, in the worst-case scenario, where you've lost some important data, there is a reasonable chance that it can be recovered.

How difficult that recovery process is, how long it will take to perform, whether you'll be able to do it yourself or need to send it away to a specialist data-recovery firm, and how much it will cost to repair depends on the circumstances of the loss. Let's deal with the DIY end of that scale first - data recovery doesn't come much easier than restoring files that have been accidentally deleted. As you already know, dropping a file into the Recycle Bin or hitting Delete doesn't physically remove your file from the hard disk. The OS merely changes the data so that it's flagged as deleted from the perspective of the PC, and the 'free space' created by this illusion can then be overwritten by other applications. It's during this process of overwriting that the original data starts to get deleted, but even then not completely unless you're using a secure-deletion utility like Eraser (www.heidi.ie/eraser). Such packages can employ the Gutmann method of overwriting each deleted file, with 35 passes of scrambled data effectively destroying the original.

Even formatting a drive doesn't necessarily delete the data on it; an FDISK might well verify the integrity of drive blocks, but it isn't a file eraser. Formatting weaknesses can be evidenced if you've ever purchased a second-hand PC or hard disk. With the right undelete tools, it's a relatively quick and painless process to reconstruct the data from the previous owner, even when they thought they were doing the right thing by formatting the drive before sale. This can have potentially devastating security and privacy implications, especially if the previous owner had used that drive to store pictures of child pornography, for example. It isn't too far-fetched to suggest that you could be using such a drive, formatted by the seller and yourself, within your home environment for a year or two, only for those images to remain intact enough to be discovered by a forensic examination. Although this is an unlikely extreme, it does illustrate that even in seemingly the worst-case scenario of file deletion the chances of recovering your lost data are realistically good.  The success of the software-recovery process is determined by whether anything has overwritten your data.

So, the golden rule of post-deletion panic is don't do anything that might write over the original. Never restore data to the same drive you're rescuing it from, as the attempt can destroy the files you're trying to save. This also leads to perhaps the most common mistake of all: in their panic, the unwary user may go and buy a recovery tool. This is where the problem starts, because no matter how good the software, if you haven't installed it before the deletion the very act of doing so may well overwrite some or all of the data you want to save. Luckily, any such tool worth its money will provide an option to run from CD, so make sure you use it.  Of course, this assumes you can access the drive. If the PC won't boot, you may have to remove the drive and find a separate PC that you can attach it to as a slave drive in order to access the data within. We'll take a closer look at resurrecting dead computers in a moment, but first let's look at getting at that so-called deleted data.  

It's all about using the right tools for the job, and there are plenty advertised at considerably differing costs. One of the most powerful and reasonably priced comes in the form of X-Ways WinHex (www.winhex.net). Costing about £80 - a lot less than many data-recovery firms charge just to estimate how much they'll charge you for rescuing your data - WinHex isn't suitable for cases of mechanical failure and comes with the 'can do more harm than good' disclaimer for the terminally stupid.  In my experience, it's a must-have tool for the data disaster-recovery toolkit. It's a hexadecimal editor (disk, file and RAM), but comes with loads of forensic analysis and data-recovery features built around that core. A built-in directory browser for FAT12, FAT16, FAT32 and NTFS makes finding data a breeze if you're comfortable with hex.  Drive imaging is also built in, and an automatic recovery mode can be applied that uses file masks such as *.jpg or *.doc. You can even recreate complete nested directory structures for FAT drives.

If WinHex itself is too complex, it's also possible to use (or buy separately) the bundled Davory, which undeletes and recovers files from logically corrupted or formatted drives with a friendlier, wizard-driven front end. A 'try before you buy' version of Davory (www.x-ways.net/davory/) will tell you if it can find and repair files up to 200KB in size. Whichever software you use, the procedure follows a similar path, opening the logical drive where the deleted file once was and finding the disk sectors where the data is still stored. This can be achieved by way of searching for a text snippet such as 'invoice number' or 'Dear Yvonne', for example, or by filename or filetype. Davory makes a filetype search particularly easy and is my preferred route for recovering lost JPEGs from digital camera media.  

The Professionals

Almost certainly a 'dead granny', but one that serves to illustrate how state-of-the-art data recovery has become, is the rumour that the default method of taking a hard disk out of commission for the US National Security Agency is to shoot holes into it. It may just be an urban myth, but it's a good one and proves the point that forensic computer science has come a long way. If enough skill and money are thrown at deleted data, it can almost always be retrieved. A professional data-recovery service will examine hard disks in 'clean rooms' of the kind used during the manufacturing process. Clearly, this is the best option if your drive has been physically damaged. In this safe environment, and no matter how badly damaged the drive is, it can usually be got up and spinning again in order to mirror the data it contains. I've seen images of computers that have been under water for hours, melted in fires or crushed by falling masonry, yet despite physical damage to the machinery the data remains pretty much intact. It's getting at it that's the problem, and this requires a specialist. Data-recovery companies will never work on the original data once they've managed to gain access to it. Instead, they'll produce a mirror image, recreating the damaged data bit by bit. This is vital in any case where computer forensics are involved - preparing evidence for a court case, say - but equally so for straightforward data recovery. By making an exact copy, which itself can be copied, you get more than one bite at the recovery cherry.

If something goes wrong, the original disk image is still intact.  MFM (magnetic force microscopy) is one of the more advanced techniques along with MFSTM (magnetic force scanning tunnelling microscopy), and both are derived from SPM (scanning probe microscopy), which can be employed to recover data from even the most damaged of hard disks. Use a search engine if you want more detail on how they all work, but suffice to say they grab an image of the magnetic field at the surface of the disk by measuring the force gradient as a magnetic tip attached to a cantilever is moved across the surface.  Not only are these devices expensive, but they also require a trained operator. Throw into the mix the fact that recovering even a single file is a time-consuming process and you start to understand why data-recovery companies charge such high rates. You might also realise that deleting data from magnetic media isn't an easy thing to do, thanks to the building up of 'data layers' on a hard disk.  The main problem is that the disk-writing device isn't 100 per cent accurate when it comes to writing in exactly the same location at every pass.

The reasons for this are varied, but include media-sensitivity fluctuation and field-strength fluctuation over time. This is best thought of in terms of 0s and 1s for the original data writing, but 0.95 and 1.05 for the first overwriting of 'deleted' data, 0.90 and 1.10 for the second and so on. This doesn't make any difference to the hard disk, as the circuitry is such that the values are close enough to be regarded as 0 and 1. However, use a top-end digital-sampling oscilloscope and specialist software to analyse the sampled waveforms and it becomes relatively easy to recover one if not two previous layers of overwritten data. Unfortunately, such services don't come cheap and, unless the data is vital to your business or of such sentimental value you can't afford to lose it, it's often cheaper to cut your losses and buy a new hard disk. It might also explain why the majority of cases sent to data-recovery services by business users are likely to be funded by insurance claims.  

However, if you need that data back intact and your hard disk has screeched, groaned or clicked pre-expiry, a specialist is your only option. If the drive is still up and running, you can try to back up the data; once it has been powered down, though, don't try to reboot, as this can reduce your chances of a successful recovery, since the heads may take even more of a battering as they try and spin up.
« Last Edit: July 03, 2008, 22:38 by Clive »
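
Added example, not part of the quoted PC Pro article or of Clive's post: the text-snippet and filetype searches the article describes, sketched in Python over a disk image held read-only in memory. The 512-byte sector size, the function names and the sample image are assumptions constructed for illustration, and the carver assumes files are stored unfragmented.

```python
SECTOR = 512                  # assumed sector size, used only to report locations
JPEG_SOI = b"\xff\xd8\xff"    # JPEG start-of-image marker plus next marker prefix
JPEG_EOI = b"\xff\xd9"        # JPEG end-of-image marker

def find_text(image: bytes, snippet: bytes) -> list[int]:
    """Return the sector numbers in which a text snippet starts."""
    hits, pos = [], image.find(snippet)
    while pos != -1:
        hits.append(pos // SECTOR)
        pos = image.find(snippet, pos + 1)
    return hits

def carve_jpegs(image: bytes, max_size: int = 20 * 1024 * 1024):
    """Carve JPEG candidates by signature; returns (byte offset, data) pairs.

    Assumes each file is stored contiguously. A fragmented file, or one with an
    embedded thumbnail (its own FF D9), will come out truncated.
    """
    found, pos = [], image.find(JPEG_SOI)
    while pos != -1:
        end = image.find(JPEG_EOI, pos + len(JPEG_SOI), pos + max_size)
        if end == -1:                      # header with no footer in range: skip it
            pos = image.find(JPEG_SOI, pos + 1)
            continue
        end += len(JPEG_EOI)
        found.append((pos, image[pos:end]))
        pos = image.find(JPEG_SOI, end)
    return found

def build_sample_image():
    """Constructed 8-sector image: a 'deleted' letter and a JPEG-like blob."""
    img = bytearray(8 * SECTOR)
    letter = b"Dear Yvonne, invoice number 1042 is attached."
    img[2 * SECTOR:2 * SECTOR + len(letter)] = letter
    jpeg = JPEG_SOI + b"\xe0" + b"constructed-payload" + JPEG_EOI
    start = 5 * SECTOR + 16
    img[start:start + len(jpeg)] = jpeg
    return bytes(img), jpeg

if __name__ == "__main__":
    # For a real image file, read it with open(path, "rb") and write carved
    # files to a different drive than the one being rescued.
    image, _ = build_sample_image()
    print("text hit in sectors:", find_text(image, b"invoice number"))
    for offset, data in carve_jpegs(image):
        print(f"JPEG candidate at sector {offset // SECTOR}, {len(data)} bytes")
```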

Offline Tony

  • Loyal Member
  • *****
  • Posts: 3367
    • http://www.sugrue.ndo.co.uk
Re: Data recovery: Survival Guide (Part 1)
« Reply #1 on: July 03, 2008, 17:52 »
where are the Para's when you need em, Afghanistan I'll bet .....that article definitely needs some Para's don't ya think Clive  ;D
Atheism is a non-prophet organization.

Offline Clive

  • Administrator
  • *****
  • Posts: 73669
  • Won Quiz of the Year 2015,2016,2017, 2020, 2021
Re: Data recovery: Survival Guide (Part 1)
« Reply #2 on: July 03, 2008, 22:44 »
I've done my best for you Tony.   ;D

