Data recovery
In computing, data recovery is a process of salvaging inaccessible data from corrupted or damaged secondary storage, removable media or files, when the data they store cannot be accessed in a normal way. The data is most often salvaged from storage media such as internal or external hard disk drives (HDDs), solid-state drives (SSDs), USB flash drives, magnetic tapes, CDs, DVDs, RAID subsystems, and other electronic devices. Recovery may be required due to physical damage to the storage device or logical damage to the file system that prevents it from being mounted by the host operating system (OS).
The most common data recovery scenario involves an operating system failure, malfunction of a storage device, accidental damage or deletion, etc. (typically, on a single-drive, single-partition, single-OS system), in which case the goal is simply to copy all wanted files to another drive. This can be easily accomplished using a Live CD, many of which provide a means to mount the system drive and backup drives or removable media, and to move the files from the system drive to the backup media with a file manager or optical disc authoring software. Such cases can often be mitigated by disk partitioning and consistently storing valuable data files (or copies of them) on a different partition from the replaceable OS system files.
Another scenario involves a drive-level failure, such as a compromised file system or drive partition, or a hard disk drive failure. In any of these cases, the data cannot be easily read. Depending on the situation, solutions involve repairing the file system, partition table or master boot record, or drive recovery techniques ranging from software-based recovery of corrupted data, hardware- and software-based recovery of damaged service areas (also known as the hard disk drive's "firmware"), to hardware replacement on a physically damaged drive. If a drive recovery is necessary, the drive itself has typically failed permanently, and the focus is rather on a one-time recovery, salvaging whatever data can be read.
In a third scenario, files have been "deleted" from a storage medium. Typically, the contents of deleted files are not removed immediately from the drive; instead, references to them in the directory structure are removed, and the space they occupy is made available for later overwriting. For the end users, deleted files are not discoverable through a standard file manager, but that data still technically exists on the drive. In the meantime, the original file contents remain, often in a number of disconnected fragments, and may be recoverable.
The term "data recovery" is also used in the context of forensic applications or espionage, where data which have been encrypted or hidden, rather than damaged, are recovered.
Physical damage
A wide variety of failures can cause physical damage to storage media, which may result from human errors and natural disasters. CD-ROMs can have their metallic substrate or dye layer scratched off; hard disks can suffer any of several mechanical failures, such as head crashes and failed motors; tapes can simply break. Physical damage always causes at least some data loss, and in many cases the logical structures of the file system are damaged as well. Any logical damage must be dealt with before files can be salvaged from the failed media.
Most physical damage cannot be repaired by end users. For example, opening a hard disk drive in a normal environment can allow airborne dust to settle on the platter and become caught between the platter and the read/write head, causing new head crashes that further damage the platter and thus compromise the recovery process. Furthermore, end users generally do not have the hardware or technical expertise required to make these repairs. Consequently, data recovery companies are often employed to salvage important data, with the more reputable ones using class 100 dust- and static-free cleanrooms.[1]
Recovery techniques
Recovering data from physically damaged hardware can involve multiple techniques. Some damage can be repaired by replacing parts in the hard disk. This alone may make the disk usable, but there may still be logical damage. A specialized disk-imaging procedure is used to recover every readable bit from the surface. Once this image is acquired and saved on a reliable medium, the image can be safely analyzed for logical damage and will possibly allow much of the original file system to be reconstructed.
Hardware repair
A common misconception is that a damaged printed circuit board (PCB) may be simply replaced during recovery procedures by an identical PCB from a healthy drive. While this may work in rare circumstances on hard disk drives manufactured before 2003, it will not work on newer drives. Electronics boards of modern drives usually contain drive-specific adaptation data required for accessing their system areas, so the related componentry needs to be either reprogrammed (if possible) or unsoldered and transferred between two electronics boards.[2][3]
Each hard disk drive has what is called a system area or service area; this portion of the drive, which is not directly accessible to the end user, usually contains the drive's firmware and adaptive data that help the drive operate within normal parameters.[4] One function of the system area is to log defective sectors within the drive, essentially telling the drive where it can and cannot write data.
The sector lists are also stored on various chips attached to the PCB, and they are unique to each hard disk drive. If the data on the PCB do not match what is stored on the platter, then the drive will not calibrate properly. In most cases the drive heads will click because they are unable to find the data matching what is stored on the PCB.
Logical damage
The term "logical damage" refers to situations in which the error is not a problem in the hardware and requires software-level solutions.
Corrupt partitions and file systems, media errors
In some cases, data on a hard disk drive can be unreadable due to damage to the partition table or file system, or to (intermittent) media errors. In the majority of these cases, at least a portion of the original data can be recovered by repairing the damaged partition table or file system using specialized data recovery software such as TestDisk or M3 RAW Drive Recovery;[5] software like ddrescue can image media despite intermittent errors, and can image raw data when there is partition table or file system damage. This type of data recovery can be performed by people without expertise in drive hardware, as it requires no special physical equipment or access to platters.
Sometimes data can be recovered using relatively simple methods and tools; more serious cases can require expert intervention, particularly if parts of files are irrecoverable. Data carving is the recovery of parts of damaged files using knowledge of their structure.
Overwritten data
When data have been physically overwritten on a hard disk drive it is generally assumed that the previous data are no longer possible to recover. In 1996, Peter Gutmann, a computer scientist, presented a paper that suggested overwritten data could be recovered through the use of a magnetic force microscope.[6][7] In 2001, he presented another paper on a similar topic.[8] To guard against this type of data recovery, Gutmann and Colin Plumb designed a method of irreversibly scrubbing data, known as the Gutmann method and used by several disk-scrubbing software packages.
Substantial criticism has followed, primarily dealing with the lack of any concrete examples of significant amounts of overwritten data being recovered.[9] Although Gutmann's theory may be correct, there is no practical evidence that overwritten data can be recovered, while research supports the conclusion that overwritten data cannot be recovered.[10][11][12]
Solid-state drives (SSDs) overwrite data differently from hard disk drives (HDDs), which makes at least some of their data easier to recover. Most SSDs use flash memory to store data in pages and blocks, referenced by logical block addresses (LBAs) which are managed by the flash translation layer (FTL). When the FTL modifies a sector, it writes the new data to another location and updates the map so the new data appear at the target LBA. This leaves the pre-modification data in place, possibly in many generations, and recoverable by data recovery software.
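The remapping described above, as a small model added here for illustration (it is not from the original article, and the class and method names are hypothetical). It assumes a controller that never erases pages, so every earlier generation of a sector stays on the flash even after the host overwrites it.

```python
class ToyFTL:
    """Constructed model of a flash translation layer (hypothetical names)."""

    def __init__(self, pages):
        self.flash = [None] * pages  # physical pages: (lba, data) or None
        self.l2p = {}                # map: logical block address -> physical page
        self.next_free = 0

    def write(self, lba, data):
        # A modified sector goes to a fresh page; the old page is left as it was.
        if self.next_free == len(self.flash):
            raise RuntimeError("out of pages: this model never erases")
        self.flash[self.next_free] = (lba, data)
        self.l2p[lba] = self.next_free
        self.next_free += 1

    def read(self, lba):
        # What the host sees through the normal block interface.
        return self.flash[self.l2p[lba]][1]

    def stale_generations(self, lba):
        # What a scan of the raw pages still finds for this LBA, oldest first.
        live = self.l2p.get(lba)
        return [entry[1] for page, entry in enumerate(self.flash)
                if entry is not None and entry[0] == lba and page != live]


def demo():
    ftl = ToyFTL(pages=8)
    ftl.write(5, b"draft 1")
    ftl.write(9, b"other file")
    ftl.write(5, b"draft 2")
    ftl.write(5, b"\x00" * 7)   # host "overwrites" the sector with zeros
    return ftl.read(5), ftl.stale_generations(5), ftl.stale_generations(9)
```

For sanitization this means that a host-level overwrite of an LBA changes what `read` returns, not what the physical pages hold.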
Remote data recovery
Recovery experts do not always need to have physical access to the damaged hardware. When the lost data can be recovered by software techniques, they can often perform the recovery using remote access software over the Internet, LAN or other connection to the physical location of the damaged media. The process is essentially no different from what the end user could perform by themselves.[13]
Remote recovery requires a stable connection with an adequate bandwidth. However, it is not applicable where access to the hardware is required, as in cases of physical damage.
Four phases of data recovery
Usually, there are four phases when it comes to successful data recovery, though that can vary depending on the type of data corruption and recovery required.[14]
- Phase 1: Repair the hard disk drive
  - Repair the hard disk drive so it is running in some form, or at least in a state suitable for reading the data from it. For example, if heads are bad they need to be changed; if the PCB is faulty then it needs to be fixed or replaced; if the spindle motor is bad the platters and heads should be moved to a new drive.
- Phase 2: Image the drive to a new drive or a disk image file
  - When a hard disk drive fails, getting the data off the drive is the top priority. The longer a faulty drive is used, the more likely further data loss is to occur. Creating an image of the drive will ensure that there is a secondary copy of the data on another device, on which it is safe to perform testing and recovery procedures without harming the source.
- Phase 3: Logical recovery of files, partition, MBR and MFT
  - After the drive has been cloned to a new drive, it is suitable to attempt the retrieval of lost data. A logical failure can have a number of causes. Using the clone it may be possible to repair the partition table, MBR and MFT in order to read the file system's data structure and retrieve stored data.
- Phase 4: Repair damaged files that were retrieved
  - Data damage can be caused when, for example, a file is written to a sector on the drive that has been damaged. This is the most common cause in a failing drive, meaning that data needs to be reconstructed to become readable. Corrupted documents can be recovered by several software methods or by manually reconstructing the document using a hex editor.
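Phases 2 and 3 in miniature, as an added example that is not part of the original article: the source is imaged in large blocks, failed blocks are retried sector by sector, unreadable sectors are zero-filled and logged, and the MBR partition table is then read from the image rather than from the drive. `FlakyDisk`, the function names and the 32-sector disk are constructed for illustration.

```python
import struct

SECTOR = 512

class FlakyDisk:
    """Constructed stand-in for a failing drive: listed sectors raise on read."""
    def __init__(self, data, bad_sectors):
        self.data, self.bad = data, set(bad_sectors)
    def read(self, lba, count):
        if self.bad & set(range(lba, lba + count)):
            raise OSError("unrecoverable read error")
        return self.data[lba * SECTOR:(lba + count) * SECTOR]

def image_drive(disk, total_sectors, block=8):
    """Copy in blocks; retry failures per sector; zero-fill and log bad ones."""
    image, bad_map = bytearray(), []
    for lba in range(0, total_sectors, block):
        n = min(block, total_sectors - lba)
        try:
            image += disk.read(lba, n)
        except OSError:
            for s in range(lba, lba + n):
                try:
                    image += disk.read(s, 1)
                except OSError:
                    image += bytes(SECTOR)   # keep offsets aligned in the image
                    bad_map.append(s)
    return bytes(image), bad_map

def parse_mbr(image):
    """List the non-empty entries of the MBR partition table in an image."""
    if image[510:512] != b"\x55\xaa":
        raise ValueError("no MBR boot signature")
    parts = []
    for i in range(4):
        entry = image[446 + 16 * i:462 + 16 * i]
        start, size = struct.unpack("<II", entry[8:16])
        if entry[4] != 0:                    # type byte 0 marks an unused slot
            parts.append({"type": entry[4], "start_lba": start, "sectors": size})
    return parts

def demo():
    # Constructed disk: MBR with one type-0x07 partition at LBA 8, 24 sectors.
    mbr = bytearray(SECTOR)
    mbr[446:462] = struct.pack("<B3sB3sII", 0x80, b"\0\0\0", 0x07, b"\0\0\0", 8, 24)
    mbr[510:512] = b"\x55\xaa"
    data = bytes(mbr) + b"D" * (31 * SECTOR)
    image, bad = image_drive(FlakyDisk(data, {13, 20}), 32)
    return image, bad, parse_mbr(image), data
```

The bad-sector map is worth keeping with the image: it tells later phases which zero-filled regions are missing data rather than genuine zeros.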
References
1. Vasconcelos, Pedro. "DIY data recovery could mean "bye-bye"". The Ontrack Data Recovery Blog. Kroll Ontrack UK. Retrieved 23 May 2013.
2. "Hard Drive Circuit Board Replacement Guide or How To Swap HDD PCB". donordrives.com. Retrieved May 27, 2015.
3. "Firmware Adaptation Service - ROM Swap". pcb4you.com. Archived from the original on March 29, 2013. Retrieved May 27, 2015.
4. Ariel Berkman (February 14, 2013). "Hiding Data in Hard Drive's Service Areas" (PDF). recover.co.il. Retrieved January 23, 2015.
5. "Professional RAW to NTFS Converter Software – M3 RAW Drive Recovery 5.0". Retrieved 2015-03-15.
6. Secure Deletion of Data from Magnetic and Solid-State Memory, Peter Gutmann, Department of Computer Science, University of Auckland
7. Mohammad, Abir (4 July 2014). "Data recovery & repair software and freeware, not limited by the lost file formats". www.colormango.com. Retrieved 12 January 2016.
8. Data Remanence in Semiconductor Devices, Peter Gutmann, IBM T.J. Watson Research Center
9. Feenberg, Daniel (14 May 2004). "Can Intelligence Agencies Read Overwritten Data? A response to Gutmann". National Bureau of Economic Research. Retrieved 21 May 2008.
10. "Disk Wiping – One Pass is Enough". anti-forensics.com. 17 March 2009.
11. "Disk Wiping – One Pass is Enough – Part 2 (this time with screenshots)". anti-forensics.com. 18 March 2009.
12. Wright, Dr. Craig (15 January 2009). "Overwriting Hard Drive Data".
13. Barton, Andre (17 December 2012). "Data Recovery Over the Internet". Data Recovery Digest. Retrieved 29 April 2015.
14. Stanley Morgan (December 28, 2012). "[Infographic] Four Phases Of Data Recovery". dolphindatalab.com. Retrieved March 23, 2015.
Further reading
- Tanenbaum, A. & Woodhull, A. S. (1997). Operating Systems: Design And Implementation, 2nd ed. New York: Prentice Hall.