Data recovery is the process of salvaging data from damaged, failed, corrupted, or inaccessible secondary storage media when it cannot be accessed normally. Often the data are being salvaged from storage media formats such as hard disk drives, storage tapes, CDs, DVDs, RAID, and other electronics. Recovery may be required due to physical damage to the storage device or logical damage to the file system that prevents it from being mounted by the host operating system. Although there is some confusion as to the term, data recovery can also be the process of retrieving and securing deleted information from storage media for forensic purposes or spying.
A wide variety of failures can cause physical damage to storage media. CD-ROMs can have their metallic substrate or dye layer scratched off; hard disks can suffer any of several mechanical failures, such as head crashes and failed motors; tapes can simply break. Physical damage always causes at least some data loss, and in many cases the logical structures of the file system are damaged as well. This causes logical damage that must be dealt with before any files can be salvaged from the failed media.
Most physical damage cannot be repaired by end users. For example, opening a hard disk in a normal environment can allow dust to settle on the surface, causing further damage to the platters and complicating the recovery process. Furthermore, end users generally do not have the hardware or technical expertise required to make these repairs; therefore, costly data recovery companies are consulted to salvage the data. These firms often use Class 100 cleanroom facilities to protect the media while repairs are being made.
Despite this, there are many accounts of users getting a bad disk going long enough to pull their data off, often via slightly bizarre tricks. These include making the drive cold (in the freezer) or spinning it manually on the ground, both actions being used to unstick a jammed platter. Most data recovery professionals recommend against the use of tricks such as these, as they can cause additional physical damage to the drive if done improperly (and in many cases, even when done properly).
Recovering data from physically damaged hardware can involve multiple techniques. Some damage can be repaired by replacing parts in the hard disk. This alone may make the disk usable, but there may still be logical damage. A specialized disk imaging procedure is used to recover every readable bit from the surface. Once this image is acquired, the image can be analyzed for logical damage and will possibly allow for much of the original filesystem to be reconstructed.
Examples of physical recovery procedures are: removing a damaged PCB (printed circuit board) and replacing it with a matching PCB from a healthy drive (this often entails the movement of a microchip from the original board to the replacement), changing the original damaged read/write head assembly with matching parts from a healthy drive, removing the hard disk platters from the original damaged drive and installing them into a healthy drive, and often a combination of all of these procedures. All of the above-described procedures are highly technical in nature and should never be attempted by an untrained individual. All of these procedures will almost certainly void the manufacturer's warranty.
The extracted raw image can be used to reconstruct usable data after any logical damage has been repaired. Once that is complete, the files may be in usable form, although recovery is often incomplete. According to research by the Defense Cyber Crime Institute, there are also tools available only to law enforcement and government agencies, such as ILook IXimager.
Open source tools such as DCFLdd v1.3.4-1 can usually recover all data, with the exception of the physically damaged sectors. (It is important that DCFLdd v1.3.4-1 be installed on a FreeBSD operating system. Studies have shown that the same program installed on a Linux system produces extra "bad sectors", resulting in the loss of information that is actually available.) [1]
Typically, hard disk drive data recovery imaging tools have the following abilities [2]: (1) communicating with the hard drive while bypassing the BIOS and operating system, which are very limited in their ability to deal with drives that have "bad sectors" or take a long time to read; (2) reading data from "bad sectors" rather than skipping them (using various read commands and ECC to recreate damaged data); (3) handling unstable drives, for example by resetting or repowering the drive when it stops responding, or skipping sectors that take too long to read (read instability can be caused by minute mechanical wear and other issues); and (4) pre-configuring drives by disabling certain features, such as SMART and G-List re-mapping, to minimize imaging time and the possibility of further drive degradation.
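The skip-and-record handling of unreadable sectors during imaging can be sketched as follows. This is an added example, not code from any of the tools named above; `FlakyDisk`, `image_disk`, the 512-byte sector size and the zero fill are assumptions, and the vendor read commands and ECC reconstruction that specialized imagers use are not modelled.

```python
SECTOR = 512           # assumed sector size
CHUNK = 8 * SECTOR     # size of the fast-path read


class FlakyDisk:
    """Constructed stand-in for a failing drive: a read touching a bad sector raises OSError."""

    def __init__(self, data, bad_sectors):
        self.data, self.bad, self.pos = data, set(bad_sectors), 0

    def seek(self, offset):
        self.pos = offset

    def read(self, size):
        end = min(self.pos + size, len(self.data))
        touched = range(self.pos // SECTOR, (end + SECTOR - 1) // SECTOR)
        if any(s in self.bad for s in touched):
            raise OSError(5, "Input/output error")
        out, self.pos = self.data[self.pos:end], end
        return out


def image_disk(src, size, fill=b"\x00"):
    """Copy size bytes from src; return (image, list of unreadable sector numbers)."""
    image, bad = bytearray(), []
    for offset in range(0, size, CHUNK):
        want = min(CHUNK, size - offset)
        try:
            src.seek(offset)
            image += src.read(want)
        except OSError:
            # The chunk failed: retry one sector at a time so only the
            # sectors that are really unreadable are lost.
            for sec_off in range(offset, offset + want, SECTOR):
                n = min(SECTOR, size - sec_off)
                try:
                    src.seek(sec_off)
                    image += src.read(n)
                except OSError:
                    image += fill * n            # pad so later offsets stay aligned
                    bad.append(sec_off // SECTOR)
    return bytes(image), bad


def demo():
    """Image a constructed 40-sector disk with sectors 3 and 17 unreadable."""
    data = bytes((i // SECTOR) + 1 for i in range(40 * SECTOR))  # sector n filled with n+1
    return data, image_disk(FlakyDisk(data, {3, 17}), len(data))
```

Padding the unreadable sectors keeps every later byte at its original offset, which the file system analysis of the image depends on; the returned list records where the image differs from the source.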
Far more common than physical damage is logical damage to a file system. Logical damage is primarily caused by power outages that prevent file system structures from being completely written to the storage medium, but problems with hardware (especially RAID controllers) and drivers, as well as system crashes, can have the same effect. The result is that the file system is left in an inconsistent state. This can cause a variety of problems, such as strange behavior (e.g., infinitely recursing directories, drives reporting negative amounts of free space), system crashes, or an actual loss of data. Various programs exist to correct these inconsistencies, and most operating systems come with at least a rudimentary repair tool for their native file systems. Linux, for instance, comes with the fsck utility, Mac OS X has Disk Utility and Microsoft Windows provides chkdsk. Third-party utilities such as The Coroner's Toolkit and The Sleuth Kit are also available, and some can produce superior results by recovering data even when the disk cannot be recognized by the operating system's repair utility. Utilities such as TestDisk can be useful for reconstructing corrupted partition tables.
Some kinds of logical damage can be mistakenly attributed to physical damage. For instance, when a hard drive's read/write head begins to click, most end-users will associate this with internal physical damage. This is not always the case, however. Often, either the firmware on the platters or the controller card will instead need to be rebuilt. Once the firmware on either of these two devices is restored, the drive will be back in shape and the data accessible.
The increased use of journaling file systems, such as NTFS 5.0, ext3, and XFS, is likely to reduce the incidence of logical damage. These file systems can always be "rolled back" to a consistent state, which means that the only data likely to be lost is what was in the drive's cache at the time of the system failure. However, regular system maintenance should still include the use of a consistency checker. This can protect both against bugs in the file system software and latent incompatibilities in the design of the storage hardware. One such incompatibility is the result of the disk controller reporting that file system structures have been saved to the disk when it has not actually occurred. This can often occur if the drive stores data in its write cache, then claims it has been written to the disk. If power is lost, and this data contains file system structures, the file system may be left in an inconsistent state such that the journal itself is damaged or incomplete. One solution to this problem is to use hardware that does not report data as written until it actually is written. Another is using disk controllers equipped with a battery backup so that the waiting data can be written when power is restored. Finally, the entire system can be equipped with a battery backup that may make it possible to keep the system on in such situations, or at least to give enough time to shut down properly.
Two main techniques are used to recover data from logical damage. While most logical damage can be either repaired or worked around using these two techniques, data recovery software can never guarantee that no data loss will occur. For instance, in the FAT file system, when two files claim to share the same allocation unit ("cross-linked"), data loss for one of the files is essentially guaranteed.
The first, consistency checking, involves scanning the logical structure of the disk and checking to make sure that it is consistent with its specification. For instance, in most file systems, a directory must have at least two entries: a dot (.) entry that points to itself, and a dot-dot (..) entry that points to its parent. A file system repair program can read each directory and make sure that these entries exist and point to the correct directories. If they do not, an error message can be printed and the problem corrected. Both chkdsk and fsck work in this fashion. This strategy suffers from two major problems. First, if the file system is sufficiently damaged, the consistency check can fail completely. In this case, the repair program may crash trying to deal with the mangled input, or it may not recognize the drive as having a valid file system at all. The second issue that arises is the disregard for data files. If chkdsk finds a data file to be out of place or unexplainable, it may delete the file without asking. This is done so that the operating system may run smoother, but the files deleted are often important user files which cannot be replaced. Similar issues arise when using system restore disks (often provided with proprietary systems like Dell and Compaq), which restore the operating system by removing the previous installation. This problem can often be avoided by installing the operating system on a separate partition from your user data.
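The dot and dot-dot check described above can be run over a small in-memory model of a directory tree. This is an added example, not code from fsck or chkdsk; the inode numbers, the `SAMPLE_DIRS` table and the problem labels are constructed for illustration, and the checker only reports problems rather than changing anything.

```python
ROOT = 2  # root directory inode in this constructed model

# Constructed directory table: inode -> {entry name: inode}.
# Inodes that do not appear as keys are treated as ordinary files.
SAMPLE_DIRS = {
    2:  {".": 2, "..": 2, "home": 11, "tmp": 12, "notes.txt": 20},
    11: {".": 11, "..": 2, "alice": 13},
    12: {".": 12, "..": 11},             # ".." names the wrong parent
    13: {"..": 11, "loop": 11},          # "." is missing; "loop" points back up the tree
    14: {".": 14, "..": 2},              # no directory entry leads here
}


def check_directories(dirs, root=ROOT):
    """Walk the tree from root and return a sorted list of (inode, problem)."""
    problems, seen = [], set()
    stack = [(root, root)]               # (directory inode, expected parent)
    while stack:
        ino, parent = stack.pop()
        if ino in seen:
            # Reached a second time: following this entry would recurse forever.
            problems.append((ino, "loop"))
            continue
        seen.add(ino)
        entries = dirs[ino]
        if entries.get(".") != ino:
            problems.append((ino, "bad-dot"))
        if entries.get("..") != parent:
            problems.append((ino, "bad-dotdot"))
        for name, child in entries.items():
            if name not in (".", "..") and child in dirs:
                stack.append((child, ino))
    # Directories never reached from the root are reported, not deleted.
    problems += [(ino, "orphan") for ino in set(dirs) - seen]
    return sorted(problems)
```

Reporting and leaving the decision to the operator avoids the silent-deletion problem the paragraph attributes to automatic repair.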
The second technique for file system repair is to assume very little about the state of the file system to be analyzed and, using any hints that undamaged file system structures might provide, to rebuild the file system from scratch. This strategy involves scanning the entire drive and making note of all file system structures and possible file boundaries, then trying to match what was located to the specifications of a working file system. Some third-party programs use this technique, which is notably slower than consistency checking. It can, however, recover data even when the logical structures are almost completely destroyed. This technique generally does not repair the underlying file system, but merely allows for data to be extracted from it to another storage device.
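One instance of locating file boundaries without trusting any file system structure is signature-based carving. The sketch below is an added example, not taken from any particular recovery program: it scans a raw image for PNG signatures and accepts a hit only if the chunk lengths and CRCs that follow are intact. The function names and the sample image are constructed for illustration.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def png_chunk(ctype, data=b""):
    """Build one PNG chunk: length, type, data, CRC-32 over type+data."""
    crc = zlib.crc32(ctype + data)
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def walk_chunks(image, p):
    """Follow chunks from offset p; return the offset just past IEND, or None if damaged."""
    while p + 12 <= len(image):
        (length,) = struct.unpack_from(">I", image, p)
        ctype = image[p + 4:p + 8]
        body_end = p + 8 + length
        if body_end + 4 > len(image):
            return None                      # length field runs off the image
        (crc,) = struct.unpack_from(">I", image, body_end)
        if zlib.crc32(image[p + 4:body_end]) != crc:
            return None                      # overwritten, truncated or fragmented
        p = body_end + 4
        if ctype == b"IEND":
            return p
    return None


def carve_pngs(image):
    """Return (offset, length) for every structurally intact PNG in a raw image."""
    found = []
    pos = image.find(PNG_SIG)
    while pos != -1:
        end = walk_chunks(image, pos + len(PNG_SIG))
        if end is not None:
            found.append((pos, end - pos))
        pos = image.find(PNG_SIG, pos + 1)
    return found


def sample_image():
    """Constructed raw image: filler, a PNG, filler, a truncated PNG, filler, a PNG."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)   # 1x1, 8-bit greyscale
    png = (PNG_SIG + png_chunk(b"IHDR", ihdr)
           + png_chunk(b"IDAT", zlib.compress(b"\x00\x00")) + png_chunk(b"IEND"))
    filler = b"\xaa" * 1000
    return filler + png + filler + png[:30] + filler + png, png
```

The carved ranges are copied out to another device; the damaged file system itself is left untouched, as the paragraph notes.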
When data has been physically overwritten on a hard disk it is generally assumed that the previous data is no longer possible to recover. In 1996, Peter Gutmann, a respected computer scientist, presented a paper that suggested overwritten data could be recovered through the use of scanning transmission electron microscopy. [3] In 2001, he presented another paper on a similar topic. [4] Substantial criticism has followed, primarily dealing with the lack of any concrete examples of significant amounts of overwritten data being recovered. [5][6] To guard against this type of data recovery, he and Colin Plumb designed the Gutmann method, which is used by several disk scrubbing software packages.
Although Gutmann's theory may not be wrong, there's no practical evidence that overwritten data can be recovered. Moreover, there are good reasons to think that it cannot. [7][8]
It is often the case that data recovery and forensics operations cannot be done on a running system. As a result, it is common to use a specialized boot disk, Live CD, Live USB, or any other type of LiveDistro containing a minimal operating system and a set of repair tools. When floppy drives were still common, the boot disk was typically a very minimal LiveDistro on a floppy disk (such as the Mac OS Classic Disk Tools disk, standard with every system release). However, as operating system complexity has increased, it has become more common for developers to include recovery tools on the same media as the OS installer. There are also many purpose-built LiveDistros that include advanced data recovery and forensics tools.