Data recovery is the process of salvaging data from damaged, failed, corrupted, or inaccessible secondary storage media when it cannot be accessed normally. Often the data are being salvaged from storage media such as internal or external hard disk drives, solid-state drives (SSDs), USB flash drives, storage tapes, CDs, DVDs, RAID, and other electronics. Recovery may be required due to physical damage to the storage device or logical damage to the file system that prevents it from being mounted by the host operating system.
The most common "data recovery" scenario involves an operating system (OS) failure (typically on a single-disk, single-partition, single-OS system), in which case the goal is simply to copy all wanted files to another disk. This can be easily accomplished using a Live CD, many of which provide a means to mount the system drive and backup disks or removable media, and to move the files from the system disk to the backup media with a file manager or optical disc authoring software. Such cases can often be mitigated by disk partitioning and consistently storing valuable data files (or copies of them) on a different partition from the replaceable OS system files.[1]
Another scenario involves a disk-level failure, such as a compromised file system or disk partition, or a hard disk failure. In any of these cases, the data cannot be easily read. Depending on the situation, solutions involve repairing the file system, partition table or master boot record, or hard disk recovery techniques ranging from software-based recovery of corrupted data, hardware-software based recovery of damaged service areas (also known as the hard drive's "firmware"), to hardware replacement on a physically damaged disk. If hard disk recovery is necessary, the disk itself has typically failed permanently, and the focus is rather on a one-time recovery, salvaging whatever data can be read.
In a third scenario, files have been "deleted" from a storage medium. Typically, the contents of deleted files are not removed immediately from the drive; instead, references to them in the directory structure are removed, and the space they occupy is made available for later overwriting. In the meantime, the original file contents remain, often in a number of disconnected fragments, and may be recoverable.
The term "data recovery" is also used in the context of forensic applications or espionage, where data which has been encrypted or hidden, rather than damaged, is recovered.[2]
Physical damage
A wide variety of failures can cause physical damage to storage media. CD-ROMs can have their metallic substrate or dye layer scratched off; hard disks can suffer any of several mechanical failures, such as head crashes and failed motors; tapes can simply break. Physical damage always causes at least some data loss, and in many cases the logical structures of the file system are damaged as well. Any logical damage must be dealt with before files can be salvaged from the failed media.
Most physical damage cannot be repaired by end users. For example, opening a hard disk drive in a normal environment can allow airborne dust to settle on the platter and become caught between the platter and the read/write head, causing new head crashes that further damage the platter and thus compromise the recovery process. Furthermore, end users generally do not have the hardware or technical expertise required to make these repairs. Consequently, data recovery companies are often employed to salvage important data.
Recovery techniques
Recovering data from physically damaged hardware can involve multiple techniques. Some damage can be repaired by replacing parts in the hard disk. This alone may make the disk usable, but there may still be logical damage. A specialized disk-imaging procedure is used to recover every readable bit from the surface. Once this image is acquired and saved on a reliable medium, the image can be safely analyzed for logical damage and will possibly allow much of the original file system to be reconstructed.
Hardware repair
A common misconception is that a damaged printed circuit board (PCB) may be replaced during recovery procedures by an identical PCB from a healthy drive. While this may work in rare circumstances on hard drives manufactured before 2003, it will not work on newer hard drives. Each hard drive has what is called a System Area. This portion of the drive, which is not accessible to the end user, contains adaptive data that helps the drive operate within normal parameters. One function of the System Area is to log defective sectors within the drive, essentially telling the hard drive where it can and cannot write data. The sector lists are also stored on various chips attached to the PCB, and they are unique to each hard drive. If the data on the PCB does not match what is stored on the platter, then the drive will not calibrate properly.[3] In most cases the hard drive heads will click, because they are unable to find the data matching what is stored on the PCB.
Logical damage
The term "logical damage" refers to situations in which the error is not a problem in the hardware and requires software-level solutions.
Corrupt partitions and filesystems, media errors
In some cases, data on a hard drive can be unreadable due to damage to the partition table or filesystem, or to (intermittent) media errors. In the majority of these cases, at least a portion of the original data can be recovered by repairing the damaged partition table or filesystem using specialized data recovery software such as TestDisk; software like dd_rescue can image media despite intermittent errors, and image raw data when there is partition table or filesystem damage. This type of data recovery can be performed by people without expertise in drive hardware, as it requires no special physical equipment or access to platters.
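The imaging approach described above, sketched as an added example that is not part of the original article and is not dd_rescue's own algorithm: read in large chunks, fall back to single sectors when a chunk fails, zero-fill what cannot be read and record which sectors were lost. `FlakyDisk`, `image_device` and the 512-byte sector size are assumptions made for the illustration.

```python
import io

SECTOR = 512  # assumed sector size for this illustration

class FlakyDisk(io.BytesIO):
    """Constructed stand-in for a failing drive: any read that touches
    a bad sector raises OSError, as a real block device read would."""
    def __init__(self, data, bad_sectors):
        super().__init__(data)
        self.bad = set(bad_sectors)

    def read(self, n):
        start = self.tell()
        first, last = start // SECTOR, (start + n - 1) // SECTOR
        if any(s in self.bad for s in range(first, last + 1)):
            raise OSError(5, "Input/output error")
        return super().read(n)

def image_device(src, size, chunk_sectors=8):
    """Copy `size` bytes from src into an image, zero-filling unreadable
    sectors. Returns (image_bytes, sorted list of bad sector numbers)."""
    image = bytearray(size)          # unreadable areas stay as zeros
    bad = []
    chunk = chunk_sectors * SECTOR
    for off in range(0, size, chunk):
        n = min(chunk, size - off)
        try:
            src.seek(off)
            image[off:off + n] = src.read(n)
        except OSError:
            # The large read failed: retry sector by sector so one bad
            # sector costs 512 bytes instead of the whole chunk.
            for s_off in range(off, off + n, SECTOR):
                m = min(SECTOR, size - s_off)
                try:
                    src.seek(s_off)
                    image[s_off:s_off + m] = src.read(m)
                except OSError:
                    bad.append(s_off // SECTOR)
    return bytes(image), bad

def demo():
    # Constructed 32-sector "disk"; sector i is filled with byte value i+1.
    data = b"".join(bytes([i + 1]) * SECTOR for i in range(32))
    return image_device(FlakyDisk(data, {5, 17}), len(data))
```

The list of bad sectors matters as much as the image: it tells the later filesystem-repair step which zero-filled regions are missing data and not genuine zeros.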
Sometimes data can be recovered using relatively simple methods and tools; more serious cases can require expert intervention, particularly if parts of files are irrecoverable. Data carving is the recovery of parts of damaged files using knowledge of their structure.[4]
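A minimal header/footer carver, added here as an illustration and not taken from the article or from any particular recovery tool. It shows how file contents that no longer have directory references (the "deleted" scenario above) or a usable filesystem can still be located in a raw image by their structure; the function names and the sample image are constructed for the example.

```python
# Start and end signatures of two common formats.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}

def carve(raw, max_size=10 * 1024 * 1024):
    """Return [(kind, offset, data)] for each header that has a matching
    footer within max_size bytes, ordered by offset in the image."""
    found = []
    for kind, (header, footer) in SIGNATURES.items():
        pos = raw.find(header)
        while pos != -1:
            end = raw.find(footer, pos + len(header), pos + max_size)
            if end == -1:
                # Header with no footer in range: the tail was overwritten
                # or the file is fragmented. Skip it and keep scanning.
                pos = raw.find(header, pos + 1)
                continue
            end += len(footer)
            found.append((kind, pos, raw[pos:end]))
            pos = raw.find(header, end)
    return sorted(found, key=lambda f: f[1])

def sample_image():
    """Constructed raw image: filler, a JPEG-like blob, a PNG-like blob,
    and a JPEG header whose footer has been lost."""
    jpg = b"\xff\xd8\xff\xe0" + b"J" * 40 + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"P" * 30 + b"\x00\x00\x00\x00IEND\xaeB`\x82"
    torn = b"\xff\xd8\xff\xe0" + b"T" * 20
    return b"\x00" * 100 + jpg + b"\xaa" * 57 + png + b"\x00" * 64 + torn

if __name__ == "__main__":
    for kind, offset, data in carve(sample_image()):
        print(f"{kind} at offset {offset}, {len(data)} bytes")
```

Header/footer carving assumes the file is stored contiguously; a fragmented file yields a carved blob that starts correctly but contains foreign data, and a JPEG with an embedded thumbnail may be cut at the thumbnail's end marker.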
Overwritten data
See also: Data erasure
When data has been physically overwritten on a hard disk drive, it is generally assumed that the previous data can no longer be recovered. In 1996, Peter Gutmann, a computer scientist, presented a paper that suggested overwritten data could be recovered through the use of a magnetic force microscope.[5] In 2001, he presented another paper on a similar topic.[6] Substantial criticism has followed, primarily dealing with the lack of any concrete examples of significant amounts of overwritten data being recovered.[7][8]
Although Gutmann's theory may be correct, there is no practical evidence that overwritten data can be recovered, while research supports the view that overwritten data cannot be recovered.[9][10][11]
To guard against this type of data recovery, Gutmann and Colin Plumb designed a method of irreversibly scrubbing data, known as the Gutmann method and used by several disk-scrubbing software packages.
Solid-state drives (SSDs) overwrite data differently than hard disk drives (HDDs), which makes at least some of their data easier to recover. Most SSDs use flash memory to store data in pages and blocks, referenced by logical block addresses (LBAs), which are managed by the flash translation layer (FTL). When the FTL modifies a sector, it writes the new data to another location and updates the map so the new data appears at the target LBA. This leaves the pre-modification data in place, possibly in many generations, and recoverable by data recovery software.[12]
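A toy model of the out-of-place write behaviour described above, added as an illustration and not taken from the article or from any real SSD firmware. `ToyFTL` is a hypothetical class with no garbage collection or wear levelling; it only shows why overwriting an LBA from the host changes what the host reads back while earlier generations stay in physical pages.

```python
class ToyFTL:
    """Hypothetical flash translation layer: every write goes to the next
    free physical page and the LBA map is repointed to it."""
    def __init__(self, pages):
        self.flash = [None] * pages   # physical pages: (lba, data) or None
        self.l2p = {}                 # logical block address -> page index
        self.next_free = 0

    def write(self, lba, data):
        if self.next_free == len(self.flash):
            raise RuntimeError("flash full; a real FTL would garbage-collect")
        self.flash[self.next_free] = (lba, data)
        self.l2p[lba] = self.next_free   # older page for this LBA is now stale
        self.next_free += 1

    def read(self, lba):
        """What the host sees: only the page the map currently points to."""
        return self.flash[self.l2p[lba]][1]

    def stale(self, lba):
        """What a raw read of the flash still holds for this LBA:
        every earlier generation, oldest first."""
        live = self.l2p.get(lba)
        return [page[1] for i, page in enumerate(self.flash)
                if page is not None and page[0] == lba and i != live]

def demo():
    ftl = ToyFTL(pages=8)
    ftl.write(7, b"draft v1")
    ftl.write(7, b"draft v2")
    ftl.write(3, b"other file")
    ftl.write(7, b"\x00" * 8)   # host overwrites LBA 7 with zeros
    return ftl.read(7), ftl.stale(7)

if __name__ == "__main__":
    visible, leftover = demo()
    print("host reads:", visible)
    print("still in flash:", leftover)
```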
Remote data recovery
It is not always necessary for experts to have physical access to the damaged drive; where data can be recovered by software techniques, they can often be used remotely, with an expert using a computer at another location linked by an Internet or other connection to equipment at the fault site. Remote recovery requires a stable connection of adequate bandwidth. However, it is not applicable where access to the hardware is required, as for cases of physical damage.
Four phases
It is important to understand the four phases of data recovery. Each phase represents a different level and range of data recovery capability and requires different HDD repair tools and data recovery tools, and each phase must be handled properly to make sure the maximum amount of data is finally recovered.[13]
- Phase 1: Repair the hard drive.
- Phase 2: Image the drive to a new drive.
- Phase 3: Logical recovery of files, partition, MBR, and MFT.
- Phase 4: Repair the damaged files that were retrieved.
See also
- Backup
- Cleanroom
- Computer forensics
- Continuous data protection
- Data archaeology
- Data loss
- Error detection and correction
- File carving
- Hidden file and hidden directory
- Knowledge extraction
- List of data recovery software
- List of default file systems
- SystemRescueCD
- Windows To Go
- Undeletion
References
- [1] "Data Recovery Solutions". R3 Data Recovery. Retrieved 13 October 2012.
- [2] "Computer Forensics Schools and Training". Legal-Criminal-Justice-Schools.com. Retrieved 13 October 2012.
- [3] Swapping PCB's on Data Recovery Report
- [4] Zeno, Keneth (27 September 2011). "How Does Data Recovery Work?". Data Recovery Box. Retrieved 29 February 2012.
- [5] Secure Deletion of Data from Magnetic and Solid-State Memory, Peter Gutmann, Department of Computer Science, University of Auckland
- [6] Data Remanence in Semiconductor Devices, Peter Gutmann, IBM T.J. Watson Research Center
- [7] Feenberg, Daniel (14 May 2004). "Can Intelligence Agencies Read Overwritten Data? A response to Gutmann". National Bureau of Economic Research. Retrieved 21 May 2008.
- [8] Data Removal and Erasure from Hard Disk Drives
- [9] "Disk Wiping - One Pass is Enough". Anti-Forensics. 17 March 2009.
- [10] "Disk Wiping - One Pass is Enough - Part 2 (this time with screenshots)". Anti-Forensics. 18 March 2009.
- [11] Wright, Dr. Craig (15 January 2009). "Overwriting Hard Drive Data".
- [12] "Data Recovery Possible on Securely Erased SSDs". Retrieved 22 November 2011.
- [13] "Four Phases Of Data Recovery". datarecoverytools4u.com. Retrieved 18 March 2013.
Further reading
- Tanenbaum, A. & Woodhull, A. S. (1997). Operating Systems: Design And Implementation, 2nd ed. New York: Prentice Hall.