Data recovery

Data recovery is the process of salvaging data from damaged, failed, corrupted, or inaccessible secondary storage media when it cannot be accessed normally. Often the data are being salvaged from storage media such as internal or external hard disk drives, solid-state drives (SSDs), USB flash drives, storage tapes, CDs, DVDs, RAID arrays, and other electronics. Recovery may be required due to physical damage to the storage device or logical damage to the file system that prevents it from being mounted by the host operating system.

The most common "data recovery" scenario involves an operating system (OS) failure (typically on a single-disk, single-partition, single-OS system), in which case the goal is simply to copy all wanted files to another disk. This can be easily accomplished with a Live CD, most of which provide a means to mount the system drive and backup disks or removable media, and to move the files from the system disk to the backup media with a file manager or optical disc authoring software. Such cases can often be mitigated by disk partitioning and consistently storing valuable data files (or copies of them) on a different partition from the replaceable OS system files.

Another scenario involves a disk-level failure, such as a compromised file system or disk partition, or a hard disk failure. In any of these cases, the data cannot be easily read. Depending on the situation, solutions involve repairing the file system, partition table or master boot record, or hard disk recovery techniques ranging from software-based recovery of corrupted data to hardware replacement on a physically damaged disk. If hard disk recovery is necessary, the disk itself has typically failed permanently, and the focus is rather on a one-time recovery, salvaging whatever data can be read.

In a third scenario, files have been "deleted" from a storage medium. Typically, deleted files are not erased immediately; instead, references to them in the directory structure are removed, and the space they occupy is made available for later overwriting. In the meantime, the original file may be restored. Although there is some confusion over the term, "data recovery" may also be used in the context of forensic applications or espionage.

Recovering data after physical damage

A wide variety of failures can cause physical damage to storage media. CD-ROMs can have their metallic substrate or dye layer scratched off; hard disks can suffer any of several mechanical failures, such as head crashes and failed motors; tapes can simply break. Physical damage always causes at least some data loss, and in many cases the logical structures of the file system are damaged as well. Any logical damage must be dealt with before files can be salvaged from the failed media.

Most physical damage cannot be repaired by end users. For example, opening a hard disk drive in a normal environment can allow airborne dust to settle on the platter and become caught between the platter and the read/write head, causing new head crashes that further damage the platter and thus compromise the recovery process. Furthermore, end users generally do not have the hardware or technical expertise required to make these repairs. Consequently, costly data recovery companies are often employed to salvage important data.

Recovery techniques

Recovering data from physically damaged hardware can involve multiple techniques. Some damage can be repaired by replacing parts in the hard disk. This alone may make the disk usable, but there may still be logical damage. A specialized disk-imaging procedure is used to recover every readable bit from the surface. Once this image is acquired and saved on a reliable medium, the image can be safely analysed for logical damage and will possibly allow for much of the original file system to be reconstructed.

Hardware repair

Examples of physical recovery procedures are: removing a damaged PCB (printed circuit board) and replacing it with a matching PCB from a healthy drive; performing a live PCB swap (in which the System Area of the HDD is damaged on the target drive, so it is instead read from the donor drive, and the PCB is then disconnected while still under power and transferred to the target drive); replacing the read/write head assembly with matching parts from a healthy drive; removing the hard disk platters from the original damaged drive and installing them into a healthy drive; and often a combination of all of these procedures. Some data recovery companies have procedures that are highly technical in nature and are not recommended for an untrained individual. Many of these procedures will void the manufacturer's warranty.

Recovering from logical (non-hardware) damage

Overwritten data

When data has been physically overwritten on a hard disk drive, it is generally assumed that the previous data can no longer be recovered. In 1996, Peter Gutmann, a computer scientist, presented a paper that suggested overwritten data could be recovered through the use of a magnetic force microscope.[1] In 2001, he presented another paper on a similar topic.[2] Substantial criticism has followed, primarily dealing with the lack of any concrete examples of significant amounts of overwritten data being recovered.[3][4] To guard against this type of data recovery, he and Colin Plumb designed the Gutmann method, which is used by several disk scrubbing software packages.

Although Gutmann's theory may be correct, there's no practical evidence that overwritten data can be recovered. Moreover, there are good reasons to think that it cannot.[5][6][7]

Solid-state drives (SSDs) overwrite data differently from hard disk drives (HDDs), which makes at least some of their data easier to recover. Most SSDs use flash memory to store data in pages and blocks, referenced by Logical Block Addresses (LBAs), which are managed by the Flash Translation Layer (FTL). When the FTL modifies a sector, it writes the new data to another location and updates the map so that the new data appears at the target LBA. This leaves the old data in place and recoverable by data recovery software.[8]
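The remapping behaviour described above can be modelled in a few lines. This is an added example, not code from any SSD firmware or recovery product; the class ToyFTL, its methods and the sample data are hypothetical, and the erase step is modelled per page although real flash erases whole blocks.

```python
# Toy flash translation layer (added illustration; all names are hypothetical).
class ToyFTL:
    """Out-of-place writes: every write to an LBA lands on a fresh physical page."""

    def __init__(self, num_pages):
        self.flash = [None] * num_pages   # physical pages (None = erased)
        self.lba_map = {}                 # LBA -> physical page index
        self.next_free = 0

    def write(self, lba, data):
        if self.next_free >= len(self.flash):
            raise RuntimeError("no free pages; a real FTL would reclaim space first")
        self.flash[self.next_free] = data
        self.lba_map[lba] = self.next_free   # previous page stays programmed, unmapped
        self.next_free += 1

    def read(self, lba):
        """What the host sees through the normal block interface."""
        page = self.lba_map.get(lba)
        return None if page is None else self.flash[page]

    def stale_pages(self):
        """What a raw read of the flash chips would still find."""
        live = set(self.lba_map.values())
        return [(i, d) for i, d in enumerate(self.flash)
                if d is not None and i not in live]

    def erase_unmapped(self):
        """Erase pages no LBA points to (simplified to page granularity)."""
        live = set(self.lba_map.values())
        for i in range(len(self.flash)):
            if i not in live:
                self.flash[i] = None


def demo():
    ftl = ToyFTL(num_pages=8)
    ftl.write(5, b"secret-v1")        # constructed sample data
    ftl.write(5, b"\x00" * 9)         # host "overwrites" LBA 5 with zeros
    host_view = ftl.read(5)
    before = ftl.stale_pages()        # old contents still present in flash
    ftl.erase_unmapped()
    after = ftl.stale_pages()         # gone only once the page is erased
    return host_view, before, after


if __name__ == "__main__":
    print(demo())
```

The host reads back only zeros from LBA 5, while the first version of the data stays in an unmapped page until that page is actually erased, which is why an overwrite issued through the block interface does not by itself sanitize flash media.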

Corrupt partitions and filesystems, media errors

In some cases, data on a hard drive can be unreadable due to damage to the partition table or filesystem, or to (intermittent) media errors. In the majority of these cases, at least a portion of the original data can be recovered by repairing the damaged partition table or filesystem using specialized data recovery software such as Testdisk; software like dd_rescue can image media despite intermittent errors, and image raw data when there is partition table or filesystem damage. This type of data recovery can be performed by knowledgeable end-users, as it requires no special physical equipment. However, more serious cases can still require expert intervention.
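Imaging media despite intermittent errors comes down to reading in large chunks, retrying a failed chunk sector by sector, and padding whatever stays unreadable so that offsets in the image still match the source. The sketch below is an added example, not the implementation of dd_rescue or any other tool; FlakyDisk is a constructed stand-in for a failing drive, and all names and sizes are assumptions.

```python
import errno
import io

SECTOR = 512  # assumed sector size for the example


class FlakyDisk:
    """Constructed stand-in for a failing drive: reads touching bad sectors raise EIO."""

    def __init__(self, data, bad_sectors):
        self.data, self.bad = data, set(bad_sectors)

    def pread(self, offset, length):
        first, last = offset // SECTOR, (offset + length - 1) // SECTOR
        if any(s in self.bad for s in range(first, last + 1)):
            raise OSError(errno.EIO, "Input/output error")
        return self.data[offset:offset + length]


def rescue_image(disk, size, out, chunk=8 * SECTOR):
    """Copy `size` bytes from `disk` to `out`; return the unreadable sector numbers."""
    bad = []
    for off in range(0, size, chunk):
        n = min(chunk, size - off)
        try:
            out.write(disk.pread(off, n))          # fast path: whole chunk at once
            continue
        except OSError:
            pass
        for soff in range(off, off + n, SECTOR):   # slow path: one sector at a time
            m = min(SECTOR, size - soff)
            try:
                out.write(disk.pread(soff, m))
            except OSError:
                out.write(b"\x00" * m)             # pad so image offsets stay aligned
                bad.append(soff // SECTOR)         # record the gap for later analysis
    return bad


def demo():
    data = bytes(i % 251 for i in range(32 * SECTOR))   # constructed disk contents
    disk = FlakyDisk(data, bad_sectors={3, 17})
    out = io.BytesIO()
    bad = rescue_image(disk, len(data), out)
    return data, out.getvalue(), bad


if __name__ == "__main__":
    original, image, bad = demo()
    print("unreadable sectors:", bad, "image bytes:", len(image))
```

Keeping the list of padded sectors alongside the image lets later file system repair distinguish genuine zeros from data that could not be read.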

Online Data Recovery

"Online" or "remote" data recovery is another method of restoring lost or deleted data. It is the same as a regular software-based recovery, except that it is performed over the Internet without the technician having physical possession of the drive or computer. The recovery technician, located elsewhere, gains access to the user's computer and completes the recovery job online. In this scenario, the user does not have to travel or send the media anywhere physically.

Although online data recovery is convenient and useful in many cases, it has drawbacks that make it less popular than the classic data recovery methods. First, it requires a stable broadband Internet connection to be performed correctly, which many third world countries still lack. Also, it cannot be performed when the media is physically damaged; in such cases, traditional in-lab recovery has to take place.

References

  1. ^ Secure Deletion of Data from Magnetic and Solid-State Memory, Peter Gutmann, Department of Computer Science, University of Auckland
  2. ^ Data Remanence in Semiconductor Devices, Peter Gutmann, IBM T.J. Watson Research Center
  3. ^ Feenberg, Daniel (14 May 2004). "Can Intelligence Agencies Read Overwritten Data? A response to Gutmann.". National Bureau of Economic Research. http://www.nber.org/sys-admin/overwritten-data-guttman.html. Retrieved 21 May 2008. 
  4. ^ Data Removal and Erasure from Hard Disk Drives
  5. ^ "Disk Wiping – One Pass is Enough". 17 March 2009. http://www.anti-forensics.com/disk-wiping-one-pass-is-enough. 
  6. ^ "Disk Wiping – One Pass is Enough – Part 2 (this time with screenshots)". 18 March 2009. http://www.anti-forensics.com/disk-wiping-one-pass-is-enough-part-2-this-time-with-screenshots. 
  7. ^ Wright, Dr. Craig (15 January 2009). "Overwriting Hard Drive Data". http://blogs.sans.org/computer-forensics/2009/01/15/overwriting-hard-drive-data/. 
  8. ^ "Data Recovery Possible on Securely Erased SSDs". http://www.macosxfilerecovery.com/data-recovery-possible-on-securely-erased-ssds/. Retrieved 22 November 2011. 