fundamentals

 

Data Recovery Fundamentals

 

Data Recovery Fundamentals

Hardware Recovery

Software Recovery

Partition Recovery

File-system Recovery

File carving for Lost Files

 

 


Hardware Recovery

A computer hard drive contains drives called platters which are coated with a magnetic storage medium. The platters spin at high speed whilst a “read/write” head moves backwards and forwards in a cusion of air over their surface. The head reads the status of the magnetic material (a positive or negative charge) and writes to the magnetic medium with an electronic pulse.

Figure 1, Simplified schematic diagram of hard drive internals: Image Source: Microsoft MSDN

Description: DiskPartitionAlignmentFig2.jpg

Learn more: http://www.youtube.com/watch?v=kdmLvl1n82U

Like any mechanical device, a computer hard drive can physically fail. The most common failures are:

·         Head crash: Where the read/write heads make contact with the platter surface. This can present as a grinding or whining noise.

·         Failure of the drive spindle / motor mechanism, used to rotate the platters;

·         Failure of the “actuator arm” used to move the read/write heads over the drive. This can present as a loud clicking noise caused by the actuator arm striking the inside of the drive case.

In these situations the drive should be immediately powered down and assistance sought from a hardware data recovery service. Continued use of a drive in these situations can lead to greater physical damage and permanent data loss.

Another common hardware failure is loss of power to a drive. In the case of external USB drives this problem may be addressed by swapping the drive into a different USB case. However and equally common cause of a power failure is a short circuit in the drives printed circuit board (PCB). Whilst it is possible to swap a faulty PCB with an identical replacement, it is recommended that inexperienced users have this be performed by a hardware data recovery service.

Software Recovery

A “logical hard drive structure” refers to the configuration of the hard drive to store data. The principle logical drive structures are:

Partition

When a hard drive is configured to store data, a “partition” is created. The partition acts as the container for the file-system and files. A hard drive can contain a one or more partitions.

File-system

A partition is formatted with a file-system. Once this takes place the partition is allocated a drive letter, e.g. “D:” Most Windows booting hard drives will be formatted with Microsoft’s NTFS (New Technology File-system). However, external USB devices, including camera cards, are usually formatted with the older FAT (File Allocation Table) file-system. This is primarily for compatibility reasons as a FAT file-system can be read by Macintosh computers whereas NFTS cannot.

The task of the file-system is to keep track of individual files created and stored on the drive. To do this the file-systems uses an index at the start of the drive which records the name and location of all files and folders on the drive.

File Storage

The smallest unit of storage space on a hard drive is a sector. Windows groups sectors into “clusters” into which Individual files are stored. A file may occupy one or more clusters depending on it size. A file may be in contiguous clusters, or it can be fragmented and stored in different parts of the drive. The file-system is responsible for tracking the location of the data for each file.

These structures are summarized in Figure 2 below:

 

Figure 2, hard drive structure

Software data recovery deals with data loss at a “logical” level, meaning that whilst the hardware is working correctly, a software problem (e.g. an accidental format) has caused files to go missing.

Partition Recovery

A partition error usually manifests itself in a drive letter that suddenly disappears and a drive becomes blank, RAW or unallocated.

The highest level of recovery performed by Recover My Files is to locate and read a missing or damaged partition. If successful, partition recovery is very fast; because once the missing partition is identified the entire contents of the partition become available.

File-system Recovery

Deleted Files

When a file is deleted from a Windows computer the record for that file in the file-system index (the FAT or MFT) is marked to show that it is a deleted. The clusters on the drive where the data for the file is stored are now considered unallocated (i.e. available for new storage). At this point in time, the deleted file can easily be located by reading the file-system index record, locating the list of deleted files, and going to the clusters to recover the data.

However, continued use of a computer after a deletion will lead to new data being written to the hard drive. If new data is written to the drive it is possible that:

·         The record in the file-system index is re-used for a new file. If this happens, the original file name is overwritten and destroyed as the file name is only stored in the index and not with the file data; and/or,

·         One or more of the clusters used to store the original file could be re-used for new data. If this happens, the original file content could become corrupt or totally overwritten and destroyed.

It is for this reason that following a deletion or loss of files, use of the hard drive should be kept to a minimum to avoid new data being written to the drive and to maximize the possibility of recovery.

File and Folder Structure Recovery

If an entire drive has been lost and a partition recovery (described above) is not successful, Recover My Files is designed to search for and rebuild the file-system index. This is particularly important as the file-system index is the only location where file and folder names are stored. Without recovery of the index, the original folder structure and files names will not be known.

Recover My Files searches for individual FAT and MFT records. At the end of a Recover Drive search, these records are rebuilt to display the file and folder structure in the search results screen. The records are used to locate the data on the drive and recover the files.

File carving for Lost Files

In some data recovery situations partition and file-system recovery is not possible (because the partition, file-system, or individual file-system records have been corrupted or destroyed). In such cases it is possible to recover data by “File carving” (also referred to as “File Carving”) for “Lost Files”.

File carving is a well-known data recovery technique used to describe the identification and extraction of file types from unallocated clusters using file signatures. A file signature is “a constant numerical or text value used to identify a file format or protocol” (1).

An example of a file signature is shown in Figure 22-6, which is the beginning of a .jpg file in Hexview:

Figure 3, View of .jpg file header

The object of carving is to identify and extract (carve) the file based on this signature information alone. Carrier (2005) describes File carving as:

“…a process where a chunk of data is searched for signatures that correspond to the start and end of known file types. The result of this analysis process is a collection of files that contain one of the signatures. This is commonly performed on the unallocate space of a file-system and allows the investigator to recover files that hav no metadata structures pointing to them”. (2)

File carving has both advantages and limitations. These include:

File-system independent

                File carving is essentially file-system independent. A file type will exhibit the same file signature and structure on under FAT, NTFS, HFT, EXT2 or other file-systems and can be data carved accordingly.

Time Required:

A drawback of file carving is that it can take a considerable amount of time to process a large drive. Also, the greater the number of file signatures searched for simultaneously, the more processing required and the longer the search.

Data Fragmentation:

Without file-system records, it is impossible to track a fragmented files. Fragmented files may return as invalid as only the start of the file is located.

No Original File Names

As file names are stored only as part of the file-system, data carved files cannot be recovered with their original name.

File carving in Recover My Files

In Recover My Files carved files are represented by a carving knife icon. Files are given the naming convention “LostFile_FileType_SectorLocation.xxx”. For example, “LostFile_JPG_904063.jpg”, which shows that the lost jpg file has been carved from sectors on the drive beginning at sector 904063.

If the file end is not found, but sufficient information is found within the file to suggest it will at minimum be partially recovered, it is assigned a default file size according to that file type. The global default size of lost files can be set in the OPTIONS > SEARCH window (see Chapter - 12.2).