Data Recovery source

FAT file system

noreply@blogger.com (raden) — Sat, 18 Jul 2009 09:34:00 -0700

When a file is deleted on a FAT file system, its directory entry remains stored on the disk, slightly renamed in a way that marks the entry in FAT table as available for use by newly created files thereafter. Most of its name, and its time stamp, file length and — most importantly — location on the disk, remain unchanged in the directory entry. The list of disk clusters occupied by the file will be erased from the File Allocation Table, however, marking those sectors available for use by other files created or modified thereafter.

When undeletion operation is attempted, the following conditions must be met for a successful recovery of the file:

The entry of the deleted file must still exist in the directory, meaning that it must not yet be overwritten by a new file (or folder) that has been created in the same directory. Whether this is the case can fairly easily be detected by checking whether the remaining name of the file to be undeleted is still present in the directory.
The sectors formerly used by the deleted file must not be overwritten yet by other files. This can fairly well be verified by checking that the sectors are not marked as used in the File Allocation Table. However, if, in the meantime, a new file had been written to, using those sectors, and then deleted again, freeing those sectors again, this cannot be detected automatically by the undeletion program. In this case an undeletion operation, even if appearing successful, might fail because the recovered file contains different data.
The file must not have been fragmented, meaning that the sectors its data occupied on the disk must have all been in one uninterrupted sequence. Whether this was the case may or may not be detectable by the undeletion program, depending on the arrangement of other files on the disk.

Chances of recovering deleted files is higher in FAT16 as compared to FAT32 drives; fragmentation of files is usually less in FAT16 due to large cluster size support (1024 Bytes, 2KB, 4KB, 8KB, 16KB, 32KB and 64KB which is supported only in Windows NT) as compared to FAT32 (4KB, 8KB, 16KB only).

If the undeletion program can not detect clear signs of the above requirements not being met, it will restore the directory entry as being in use and mark all consecutive sectors (clusters), beginning with the one as recorded in the old directory entry, as used in the File Allocation Table. It is then up to the user to open the recovered file and to verify that it contains the complete data of the formerly deleted file.

If the data of the recovered file is not correct, parts of the file may still be stored in other sectors of the disk. Recovery of those is not possible by automatic processes but only by manual examination of each (unused) block of the disk. This usually must be done by specialists that have very good knowledge of both the disk structure and the data being sought.

Norton UNERASE was an important component in Norton Utilities version 1.0 in 1981. Microsoft included a similar UNDELETE program in the final version of MS-DOS, but applied the Recycle Bin approach instead in later operating systems using FAT.

Privacy Policy

noreply@blogger.com (raden) — Thu, 16 Jul 2009 07:44:00 -0700

Privacy Policy for datarecovery-source.blogspot.com/

If you require any more information or have any questions about our privacy policy, please feel free to contact us by email at radenayu85@gmail.com.

At datarecovery-source.blogspot.com/, the privacy of our visitors is of extreme importance to us. This privacy policy document outlines the types of personal information is received and collected by datarecovery-source.blogspot.com/ and how it is used.

Log Files
Like many other Web sites, datarecovery-source.blogspot.com/ makes use of log files. The information inside the log files includes internet protocol ( IP ) addresses, type of browser, Internet Service Provider ( ISP ), date/time stamp, referring/exit pages, and number of clicks to analyze trends, administer the site, track user’s movement around the site, and gather demographic information. IP addresses, and other such information are not linked to any information that is personally identifiable.

Cookies and Web Beacons
datarecovery-source.blogspot.com/ does use cookies to store information about visitors preferences, record user-specific information on which pages the user access or visit, customize Web page content based on visitors browser type or other information that the visitor sends via their browser.

DoubleClick DART Cookie
.:: Google, as a third party vendor, uses cookies to serve ads on datarecovery-source.blogspot.com/.
.:: Google's use of the DART cookie enables it to serve ads to users based on their visit to datarecovery-source.blogspot.com/ and other sites on the Internet.
.:: Users may opt out of the use of the DART cookie by visiting the Google ad and content network privacy policy at the following URL - http://www.google.com/privacy_ads.html

Some of our advertising partners may use cookies and web beacons on our site. Our advertising partners include ....
Google Adsense

These third-party ad servers or ad networks use technology to the advertisements and links that appear on datarecovery-source.blogspot.com/ send directly to your browsers. They automatically receive your IP address when this occurs. Other technologies ( such as cookies, JavaScript, or Web Beacons ) may also be used by the third-party ad networks to measure the effectiveness of their advertisements and / or to personalize the advertising content that you see.

datarecovery-source.blogspot.com/ has no access to or control over these cookies that are used by third-party advertisers.

You should consult the respective privacy policies of these third-party ad servers for more detailed information on their practices as well as for instructions about how to opt-out of certain practices. datarecovery-source.blogspot.com/'s privacy policy does not apply to, and we cannot control the activities of, such other advertisers or web sites.

If you wish to disable cookies, you may do so through your individual browser options. More detailed information about cookie management with specific web browsers can be found at the browsers' respective websites.

Recovery software

noreply@blogger.com (raden) — Thu, 16 Jul 2009 07:17:00 -0700

Bootable

Data recovery cannot always be done on a running system. As a result boot disk, Live CD, Live USB, or any other type of Live Distro containing a minimal operating system and a set of repair tools.

List of live CDs

This is a list of live CDs. A live CD or live DVD is a CD or DVD containing a bootable computer operating system. Live CDs are unique in that they have the ability to run a complete, modern operating system on a computer lacking mutable secondary storage, such as a hard disk drive.

Rescue and Repair Live CDs

Billix – a multiboot distribution and system administration toolkit with the ability to install any of the included Linux distributions
Hiren's Boot CD – DOS-based computer rescue CD (partition, filesystem, and Windows tools)
Inquisitor – Linux-based hardware diagnostics, stress testing and benchmarking Live CD
RIP: (R)ecovery (I)s (P)ossible is a Linux-based CD with partition tool and network tools (Samba), based on the 2.6.17 kernel.
SystemRescueCD is a Linux-based CD with tools for Windows and Linux repairs, based on the 2.6 kernel.
Trinity Rescue Kit – Mandriva Linux-based CD for use on a Windows or Linux based system.
Ultimate Boot CD^[1] – Linux/freeDOS-based computer rescue CD (partition, filesystem, and Windows tools)
UBCD4Win^[2] – the Windows version of Ultimate Boot CD (BartPE based)
Parted Magic – GNU/Linux live CD with rescue and partitioning tool

BSD-based

Anonym.OS – an OpenBSD-based disk for secure anonymous web browsing
DesktopBSD – as of 1.6RC1^[3] FreeBSD and FreeSBIE based
DragonFly BSD
FreeNAS – m0n0wall based
FreeSBIE – FreeBSD based
Ging – Debian GNU/kFreeBSD based
m0n0wall – FreeBSD based
pfSense – m0n0wall based
Jibbed – NetBSD based

Debian-based

Damn Small Linux – very light and small with JWM and fluxbox, installable Live CD
DemoLinux (versions 2 and 3) – one of the very first Live CDs
Dreamlinux – installable Live CD to hard drives or flash media
Finnix – a small system administration Live CD. A PowerPC version is available.
Freeduc-cd – an educational live CD using Xfce realized with the help of UNESCO
gnuLinEx – includes GNOME
GNUstep – works on i386, AMD64, UltraSPARC, and PowerPC
grml – installable Live CD for sysadmins and text tool users
Kanotix – installable Live CD
Knoppix – the "original" Debian-based Live CD
MEPIS – installable Live CD
sidux^[4] based on Debian unstable (Sid), installable Live CD, DVD
Tuquito – created in Argentina
ULAnux/ULAnix – created in Mérida, Venezuela, and available on CD/DVD and USB forms

Ubuntu-based

These are based at least partially on Ubuntu, which is based on Debian:

CrunchBang Linux – installable Live CD, using Openbox as window manager
Edubuntu, Kubuntu, Xubuntu – installable Live CDs
gNewSense – supported by the Free Software Foundation, includes GNOME
gOS – a series of lightweight operating systems based on Ubuntu with Ajax-based applications and other Web 2.0 applications, geared to beginning users, installable Live CD
Linux Mint – installable Live CD
openGEU – installable Live CD
Sage – designed solely for the use of sage mathematics software
Ubuntu – installable Live CD
Super OS (formerly Super Ubuntu) – installable Live DVD, can be converted to a Live USB using the built-in cd2usb or usb-creator
TurnKey Linux – family of installable Live CD appliances optimized for ease of use in server-type usage scenarios
WeakNet Linux - installable Live CD with Security tools coded by members of WeakNet Laboratories

Data erasure

noreply@blogger.com (raden) — Mon, 13 Jul 2009 01:36:00 -0700

Data erasure is a method of software-based overwriting that completely destroys all electronic data residing on a hard drive or other digital media. Permanent data erasure goes beyond basic file deletion commands, which only remove direct pointers to data disk sectors and make data recovery possible with common software tools. Unlike degaussing and physical destruction, which render the disk unusable, data erasure removes all information while leaving the disk operable, preserving assets and the environment.

Software-based overwriting uses a software application to write patterns of meaningless data onto each of a hard drive's sectors. There are key differentiators between data erasure and other overwriting methods, which can leave data intact and raise the risk of data breach or spill, identity theft and failure to achieve regulatory compliance. Data erasure also provides multiple overwrites so that it supports recognized government and industry standards. It provides verification of data removal, which is necessary for meeting certain standards.

To protect data on lost or stolen media, some data erasure applications remotely destroy data if the password is incorrectly entered. Data erasure tools can also target specific data on a disk for routine erasure, providing a hacking protection method that is a less time-consuming than encryption.

Importance

nformation technology (IT) assets commonly hold large volumes of confidential data. Social security numbers, credit card numbers, bank details, medical history and classified information are often stored on computer hard drives or servers and can inadvertently or intentionally make their way onto other media such as printer, USB, flash, Zip, Jaz, and REV drives.

Data breach

Increased storage of sensitive data, combined with rapid technological change and the shorter lifespan of IT assets, has driven the need for permanent data erasure of electronic devices as they are retired or refurbished. Also, compromised networks and laptop theft and loss, as well as that of other portable media, are increasingly common sources of data breaches. If data erasure does not occur when a disk is retired or lost, an organization or user faces that possibility that data will be stolen and compromised, leading to identity theft, loss of corporate reputation, threats to regulatory compliance and financial impacts. Companies have spent nearly $5 million on average to recover when corporate data was lost or stolen.

Regulatory compliance

Strict industry standards and government regulations are in place that force organizations to mitigate the risk of unauthorized exposure of confidential corporate and government data. These regulations include HIPAA (Health Insurance Portability and Accountability Act); FACTA (The Fair and Accurate Credit Transactions Act of 2003); GLB (Gramm-Leach Bliley); Sarbanes-Oxley Act (SOx); and Payment Card Industry Data Security Standards (PCI DSS). Failure to comply can result in fines and damage to company reputation, as well as civil and criminal liability.

Preserving assets and the environment

Data erasure offers an alternative to physical destruction and degaussing for secure removal of all disk data. Physical destruction and degaussing destroy the digital media, requiring its disposal and contributing to electronic waste while negatively impacting the carbon footprint of individuals and companies.^[2] Data erasure allows secure disposal of obsolete equipment and preserves the potential to refurbish a computer for future use, protecting viable IT assets.

Differentiators

Software-based data erasure uses a special application to write a combination of 1's and 0's onto each hard drive sector. The level of security depends on the number of times the entire hard drive is written over.

Full disk overwriting

There are many overwriting programs, but data erasure offers complete security by destroying data on all areas of a hard drive. Disk overwriting programs that cannot access the entire hard drive, including hidden/locked areas like the host protected area (HPA), device configuration overlay (DCO), and remapped sectors, perform an incomplete erasure, leaving some of the data intact. By accessing the entire hard drive, data erasure eliminates the risk of data remanence.

Data erasure also bypasses the BIOS and OS. Overwriting programs that operate through the BIOS and OS will not always perform a complete erasure due to altered or corrupted BIOS data and may report back a complete and successful erasure even if they do not access the entire hard disk, leaving data accessible.

Hardware support

Data erasure can be deployed over a network to target multiple PCs rather than having to erase each one sequentially. In contrast with DOS-based overwriting programs that may not detect all network hardware, Linux-based data erasure software supports high-end server and storage area network (SAN) environments with hardware support for Serial ATA, Serial Attached SCSI (SAS) and Fiber Channel disks and remapped sectors. It operates directly with sector sizes such as 520, 524, and 528, removing the need to first reformat back to 512 sector size.

Standards

Many government and industry standards exist for software-based overwriting that removes data. A key factor in meeting these standards is the number of times the data is overwritten. Also, some standards require a method to verify that all data has been removed from the entire hard drive and to view the overwrite pattern. Complete data erasure should account for hidden areas, typically DCO, HPA and remapped sectors.

The 1995 edition of the National Industrial Security Program Operating Manual (DoD 5220.22-M) permitted the use of overwriting techniques to sanitize some types of media by writing all addressable locations with a character, its complement, and then a random character. This provision was removed in a 2001 change to the manual and was never permitted for Top Secret media, but it is still listed as a technique by many offerors of data erasure software.

Data erasure software should provide the user with a validation certificate indicating that the overwriting procedure was completed properly. Data erasure software should also comply with requirements to erase hidden areas, provide a defects log list, and list bad sectors that could not be overwritten.

Overwriting Standard	Date	Overwriting Rounds	Pattern	Notes
NIST SP-800-88 [1]	2006	1	Unspecified
NSA/CSS Policy Manual 9-12 [2]	2006	not approved		Degauss or destroy
U.S. National Industrial Security Program Operating Manual (DoD 5220.22-M)[3]	2006			not specified
U.S. DoD Unclassified Computer Hard Drive Disposition [4]	2001	3	A character, its complement, another pattern
U.S. Navy Staff Office Publication NAVSO P-5239-26[5]	1993	3	A character, its complement, random	Verification is mandatory
U.S. Air Force System Security Instruction 5020 [6]	1996	4	All 0's, all 1's, any character	Verification is mandatory
British HMG Infosec Standard 5, Baseline Standard		1	All 0's	Verification is optional
British HMG Infosec Standard 5, Enhanced Standard		3	All 0's, all 1's, random	Verification is mandatory
Communications Security Establishment Canada ITSG-06 [7]	2006	3	All 1's or 0's, its complement, a pseudo-random pattern	For unclassified media
German Federal Office for Information Security [8]	2004	2-3	Non-uniform pattern, its complement
Australian Government ICT Security Manual [9]	2008	1	Unspecified	Degauss or destroy Top Secret media
New Zealand Government Communications Security Bureau NZSIT 402 [10]	2008	1	Unspecified	For data up to Confidential
Peter Gutmann's Algorithm	1996	Up to 35		Originally intended for MFM and RLL disks, which are now obsolete
Bruce Schneier's Algorithm^[3]	1996	7	All 1's, all 0's, pseudo-random sequence five times

Data can sometimes be recovered from a broken hard drive. However, if the platters on a hard drive are damaged, such as by drilling a hole through the drive (and the platters inside), then data can only be recovered by bit-by-bit analysis of each platter with advanced forensic technology. Seagate is the only company in the world to have credibly claimed such technology, although some governments may also be able to do this.

Number of overwrites needed

Data on floppy disks can sometimes be recovered by forensic analysis even after the disks have been overwritten once with zeros (or random zeros and ones). This is not the case with modern hard drives. The bits on modern drives are so small that deviation of tracks between writes cannot be discerned by any means^{[citation needed]}.

According to the 2006 NIST Special Publication 800-88 (p. 7): "Studies have shown that most of today’s media can be effectively cleared by one overwrite" and "for ATA disk drives manufactured after 2001 (over 15 GB) the terms clearing and purging have converged."^[4]

According to the Center for Magnetic Recording Research, "Secure erase does a single on-track erasure of the data on the disk drive. The U.S. National Security Agency published an Information Assurance Approval of single pass overwrite, after technical testing at CMRR showed that multiple on-track overwrite passes gave no additional erasure."^[5] "Secure erase" is a utility built into modern ATA hard drives that overwrites all data on a disk, including remapped (error) sectors.

Further analysis by Wright et al. seems to also indicate that one overwrite is all that is generally required

Data carving

noreply@blogger.com (raden) — Fri, 10 Jul 2009 22:33:00 -0700

Data Carving is a data recovery technique that allows for data with no file system allocation information to be extracted by identifying sectors and clusters belonging to the file. Data Carving usually searches through raw sectors looking for specific desired file signatures. The fact that there is no allocation information means that the investigator must specify a block size of data to carve out upon finding a matching file signature, or the carving software must infer it from other information on the media. There is a requirement that the beginning of the file still be present and that there is (depending on how common the file signature is) a risk of many false hits. Data carving, also known as file carving, has traditionally required that the files recovered be located in sequential sectors (rather than fragmented) as there is no allocation information to point to fragmented file portions. Recent developments in file carving algorithms have led to tools that can recover files that are fragmented into multiple pieces. Carving tends is a time and resource intensive operation

n73pu96dbe

noreply@blogger.com (raden) — Thu, 9 Jul 2009 08:34:00 -0700

n73pu96dbe

CHKDSK

noreply@blogger.com (raden) — Thu, 9 Jul 2009 07:56:00 -0700

CHKDSK (short for Checkdisk) is a command on computers running DOS, OS/2 and Microsoft Windows operating systems that displays the file system integrity status of hard disks and floppy disk and can fix logical file system errors. It is similar to the fsck command in Unix.

On computers running NT-based versions of Windows, CHKDSK can also check the disk surface for physical errors or bad sectors, a task previously done by SCANDISK. This version of CHKDSK can also handle some physical errors and recover data that is still readable.

Windows NT-based CHKDSK

CHKDSK can be run from the Windows Shell, the Windows Command Prompt or the Windows Recovery Console. One option for CHKDSK is the use of the Command-line/R parameter, which allows the program to repair damage it finds on the hard drive.

Conducting a CHKDSK can take some time, especially if using the /R parameter, and the results are often not visible, for various reasons. The results of a CHKDSK conducted on restart using Windows 2000 or later operating systems are written to the Application Log, with a "Source" name of Wininit or Winlogon and can be viewed with the Event Viewer.

The standard version of CHKDSK supports the following switches :

filename	FAT only. Specifies the file or set of files to check for fragmentation. Wildcard characters (* and ?) are allowed.
path	FAT only. Specifies the location of a file or set of files within the folder structure of the volume.
size	NTFS only. Changes the log file size to the specified number of kilobytes. Must be used with the /l switch.
volume	FAT and NTFS (NTFS support is unofficially supported but works normally). Specifies the drive letter (followed by a colon), mount point, or volume name.
/c	NTFS only. Skips checking of cycles within the folder structure.
/f	Fixes errors on the volume. The volume must be locked. If Chkdsk cannot lock the volume, it offers to check it the next time the computer starts.
/i	NTFS only. Performs a less vigorous check of index entries.
/l	NTFS only. Displays current size of the log file.
/p	Checks disk even if it is not flagged as "dirty".
/r	Locates bad sectors and recovers readable information (implies /f and /p). If Chkdsk cannot lock the volume, it offers to check it the next time the computer starts.
/v	On FAT: Displays the full path and name of every file on the volume. On NTFS: Displays cleanup messages, if any.
/x	NTFS only. Forces the volume to dismount first, if necessary. All opened handles to the volume are then invalid (implies /f ).
/?	Displays this list of Chkdsk switches.

When running CHKDSK from the Recovery Console the options are different. The /p is not read-only as in the standard version but corrects errors :^[1]

/p	Fixes errors on the volume. Same as the /f option in standard CHKDSK.
/r	Locates bad sectors and recovers readable information (implies /f and /p). Takes much longer to run than /p by itself.

A typical result:

Checking file system on C:
The type of the file system is NTFS.

A disk check has been scheduled.
Windows will now check the disk.
Cleaning up minor inconsistencies on the drive.
Cleaning up 318 unused index entries from index $SII of file 0x9.
Cleaning up 318 unused index entries from index $SDH of file 0x9.
Cleaning up 318 unused security descriptors.
CHKDSK is verifying file data (stage 4 of 5)...
File data verification completed.
CHKDSK is verifying free space (stage 5 of 5)...
Free space verification is complete.

 14996645 KB total disk space.
 10187752 KB in 88054 files.
    30784 KB in 5774 indexes.
        0 KB in bad sectors.
   164341 KB in use by the system.
    65536 KB occupied by the log file.
  4613768 KB available on disk.

     4096 bytes in each allocation unit.
  3749161 total allocation units on disk.
  1153442 allocation units available on disk.

Vista result (App Event Log):

Checking file system on C:
The type of the file system is NTFS.


A disk check has been scheduled.
Windows will now check the disk.                        
 79232 file records processed.
 332 large file records processed.
 0 bad file records processed.
 2 EA records processed.
 44 reparse records processed.
 105198 index entries processed.
 0 unindexed files processed.
 79232 security descriptors processed.
 Cleaning up 1 unused index entries from index $SII of file 0x9.
Cleaning up 1 unused index entries from index $SDH of file 0x9.
Cleaning up 1 unused security descriptors.
 12984 data files processed.
CHKDSK is verifying Usn Journal...
 35789792 USN bytes processed.
Usn Journal verification completed.
Windows has checked the file system and found no problems.

 78175231 KB total disk space.
 12902428 KB in 54029 files.
    36068 KB in 12985 indexes.
        0 KB in bad sectors.
   187407 KB in use by the system.
    65536 KB occupied by the log file.
 65049328 KB available on disk.

     4096 bytes in each allocation unit.
 19543807 total allocation units on disk.
 16262332 allocation units available on disk.

Known issues
Sometimes the check after CHKDSK invoked with the /f or /r option on reboot still fails, giving the error "Cannot open volume for direct access" on startup, due to an application (anti-virus, anti-spyware, firewall, and the like) that locks up the partition before CHKDSK can access it. This has been improved in Windows XP Service Pack 2, but still happens occasionally. One fix is to set the /SAFEBOOT option in the boot.ini tab after running msconfig.^[2] This puts the system in a minimal/low-resolution mode.

DOS-based CHKDSK

The MS-DOS 5 bug

The version of CHKDSK (and Undelete) supplied with MS-DOS 5.0 has a bug which can corrupt data. This applies to CHKDSK.EXE and UNDELETE.EXE with a date of 04/09/91. If the file allocation table of a disk uses 256 sectors, running CHKDSK /F can cause data loss and running UNDELETE can cause unpredictable results. This normally affects disks with a capacity of approximately a multiple of 128 MB. This bug was fixed in MS-DOS 5.0a. A Microsoft Knowledge Base article^[3] gives more details on this.

Consistency checking

noreply@blogger.com (raden) — Mon, 6 Jul 2009 02:17:00 -0700

The first, consistency checking, involves scanning the logical structure of the disk and checking to make sure that it is consistent with its specification. For instance, in most file systems, a directory must have at least two entries: a dot (.) entry that points to itself, and a dot-dot (..) entry that points to its parent. A file system repair program can read each directory and make sure that these entries exist and point to the correct directories. If they do not, an error message can be printed and the problem corrected. Both chkdsk and fsck work in this fashion. This strategy suffers from two major problems. First, if the file system is sufficiently damaged, the consistency check can fail completely. In this case, the repair program may crash trying to deal with the mangled input, or it may not recognize the drive as having a valid file system at all. The second issue that arises is the disregard for data files. If chkdsk finds a data file to be out of place or unexplainable, it may delete the file without asking. This is done so that the operating system may run smoother, but the files deleted are often important user files which cannot be replaced. Similar issues arise when using system restore disks (often provided with proprietary systems like Dell and Compaq), which restore the operating system by removing the previous installation. This problem can often be avoided by installing the operating system on a separate partition from your user data.

Recovery techniques

noreply@blogger.com (raden) — Mon, 6 Jul 2009 02:16:00 -0700

Two common techniques used to recover data from logical damage are consistency checking and data carving. While most logical damage can be either repaired or worked around using these two techniques, data recovery software can never guarantee that no data loss will occur. For instance, in the FAT file system, when two files claim to share the same allocation unit ("cross-linked"), data loss for one of the files is essentially guaranteed.

Preventing logical damage

noreply@blogger.com (raden) — Sat, 4 Jul 2009 00:19:00 -0700

The increased use of journaling file systems, such as NTFS 5.0, ext3, and XFS, is likely to reduce the incidence of logical damage. These file systems can always be "rolled back" to a consistent state, which means that the only data likely to be lost is what was in the drive's cache at the time of the system failure. However, regular system maintenance should still include the use of a consistency checker. This can protect both against bugs in the file system software and latent incompatibilities in the design of the storage hardware. One such incompatibility is the result of the disk controller reporting that file system structures have been saved to the disk when it has not actually occurred. This can often occur if the drive stores data in its write cache, then claims it has been written to the disk. If power is lost, and this data contains file system structures, the file system may be left in an inconsistent state such that the journal itself is damaged or incomplete. One solution to this problem is to use hardware that does not report data as written until it actually is written. Another is using disk controllers equipped with a battery backup so that the waiting data can be written when power is restored. Finally, the entire system can be equipped with a battery backup that may make it possible to keep the system on in such situations, or at least to give enough time to shut down properly.

Recovering data after logical damage

noreply@blogger.com (raden) — Thu, 2 Jul 2009 02:29:00 -0700

Logical damage is primarily caused by power outages that prevent file system structures from being completely written to the storage medium, but problems with hardware (especially RAID controllers) and drivers, as well as system crashes, can have the same effect. The result is that the file system is left in an inconsistent state. This can cause a variety of problems, such as strange behavior (e.g., infinitely recursing directories, drives reporting negative amounts of free space), system crashes, or an actual loss of data. Various programs exist to correct these inconsistencies, and most operating systems come with at least a rudimentary repair tool for their native file systems. Linux, for instance, comes with the fsck utility, Mac OS X has Disk Utility and Microsoft Windows provides chkdsk. Third-party utilities such as The Coroners Toolkit and The Sleuth Kit are also available

Some kinds of logical damage can be mistakenly attributed to physical damage. For instance, when a hard drive's read/write head begins to click, most end-users will associate this with internal physical damage. This is not always the case, however. Another possibility is that the firmware of the drive or its controller needs to be rebuilt in order to make the data accessible again.

Disk imaging

noreply@blogger.com (raden) — Thu, 2 Jul 2009 02:28:00 -0700

The extracted raw image can be used to reconstruct usable data after any logical damage has been repaired. Once that is complete, the files may be in usable form although recovery is often incomplete.

Open source tools such as DCFLdd or DOS tools such as HDClone can usually recover data from all but the physically-damaged sectors. Studies[1][2] have shown that DCFLdd v1.3.4-1 installed on a Linux 2.4 Kernel system produces extra "bad sectors" when executed with certain parameters[3], resulting in the loss of information that is actually available. These studies state that when installed on a FreeBSD Kernel system, only the bad sectors are lost. DC3dd, a tool that has superseded DCFLdd, and ddrescue resolve this issue by accessing the hardware directly[3]. Another tool that can correctly image damaged media is ILook IXImager, a tool available only to government and Law Enforcement.

Typically, Hard Disk Drive data recovery imaging has the following abilities[4]: (1) Communicating with the hard drive by bypassing the BIOS and operating system which are very limited in their abilities to deal with drives that have "bad sectors" or take a long time to read. (2) Reading data from “bad sectors” rather than skipping them (by using various read commands and ECC to recreate damaged data). (3) Handling issues caused by unstable drives, such as resetting/repowering the drive when it stops responding or skipping sectors that take too long to read (read instability can be caused by minute mechanical wear and other issues). and (4) Pre-configuring drives by disabling certain features, such a SMART and G-List re-mapping, to minimize imaging time and the possibility of further drive degradation.

Hardware repair

noreply@blogger.com (raden) — Thu, 2 Jul 2009 02:27:00 -0700

Examples of physical recovery procedures are: removing a damaged PCB (printed circuit board) and replacing it with a matching PCB from a healthy drive, performing a live PCB swap (in which the System Area of the HDD is damaged on the target drive which is then instead read from the donor drive, the PCB then disconnected while still under power and transferred to the target drive), read/write head assembly with matching parts from a healthy drive, removing the hard disk platters from the original damaged drive and installing them into a healthy drive, and often a combination of all of these procedures. Some data recovery companies have procedures that are highly technical in nature and are not recommended for an untrained individual. Any of them will almost certainly void the manufacturer's warranty.

Recovery techniques

noreply@blogger.com (raden) — Mon, 29 Jun 2009 08:14:00 -0700

Recovering data from physically-damaged hardware can involve multiple techniques. Some damage can be repaired by replacing parts in the hard disk. This alone may make the disk usable, but there may still be logical damage. A specialized disk-imaging procedure is used to recover every readable bit from the surface. Once this image is acquired and saved on a reliable medium, the image can be safely analysed for logical damage and will possibly allow for much of the original file system to be reconstructed.

Recovering data after physical damage

noreply@blogger.com (raden) — Mon, 29 Jun 2009 08:12:00 -0700

A wide variety of failures can cause physical damage to storage media. CD-ROMs can have their metallic substrate or dye layer scratched off; hard disks can suffer any of several mechanical failures, such as head crashes and failed motors; tapes can simply break. Physical damage always causes at least some data loss, and in many cases the logical structures of the file system are damaged as well. This causes logical damage that must be dealt with before any files can be salvaged from the failed media.

Most physical damage cannot be repaired by end users. For example, opening a hard disk in a normal environment can allow airborne dust to settle on the platter and become caught between the platter and the read/write head, causing new head crashes that further damage the platter and thus compromise the recovery process. Furthermore, end users generally do not have the hardware or technical expertise required to make these repairs. Consequently, costly data recovery companies are often employed to salvage important data. These firms often use "Class 100" / ISO-5 cleanroom facilities to protect the media while repairs are being made. (Any data recovery firm without a pass certificate of ISO-5 or better will not be accepted by hard drive manufacturers for warranty purposes.

Data Recovery

noreply@blogger.com (raden) — Mon, 29 Jun 2009 07:57:00 -0700

Data recovery is the process of salvaging data from damaged, failed, corrupted, or inaccessible secondary storage media when it cannot be accessed normally. Often the data are being salvaged from storage media formats such as hard disk drives, storage tapes, CDs, DVDs, RAID, and other electronics. Recovery may be required due to physical damage to the storage device or logical damage to the file system that prevents it from being mounted by the host operating system.

The most common "data recovery" issue involves an operating system (OS) failure (typically on a single-disk, single-partition, single-OS system), where the goal is to simply copy all wanted files to another disk. This can be easily accomplished with a Live CD, most of which provide a means to 1) mount the system drive, 2) mount and backup disk or media drives, and 3) move the files from the system to the backup with a file manager or optical disc authoring software. Further, such cases can be mitigated by disk partitioning and consistently moving valuable data files to a different partition from the replaceable OS system files.

The second type involves a disk-level failure such as a compromised file system, disk partition, or a hard disk failure —in each of which the data cannot be easily read. Depending on the case, solutions involve repairing the file system, partition table or MBR, or hard disk recovery techniques ranging from software-based recovery of corrupted data to hardware replacement on a physically damaged disk. These last two typically indicate the permanent failure of the disk, thus "recovery" means sufficient repair for a one-time recovery of files.

A third type involves the process of retrieving files that have been deleted from a storage media. Although there is some confusion as to the term, the term "data recovery" may be used to refer to such cases in the context of forensic purposes or spying.