Wednesday, June 15, 2011

Data Recovery

Data recovery is the process of salvaging data from damaged, failed, corrupted, or inaccessible secondary storage media when it cannot be accessed normally. Often the data are being salvaged from storage media such as internal or external hard disk drives, solid state drives (SSD), USB flash, storage tapes, CDs, DVDs, RAID, and other electronics. Recovery may be required due to physical damage to the storage device or logical damage to the file system that prevents it from being mounted by the host operating system.

The most common "data recovery" scenario involves an operating system (OS) failure (typically on a single-disk, single-partition, single-OS system), in which case the goal is simply to copy all wanted files to another disk. This can be easily accomplished with a Live CD, most of which provide a means to mount the system drive and backup disks or removable media, and to move the files from the system disk to the backup media with a file manager or optical disc authoring software. Such cases can often be mitigated by disk partitioning and consistently storing valuable data files (or copies of them) on a different partition from the replaceable OS system files.

Another scenario involves a disk-level failure, such as a compromised file system or disk partition or a hard disk failure. In any of these cases, the data cannot be easily read. Depending on the situation, solutions involve repairing the file system, partition table or master boot record, or hard disk recovery techniques ranging from software-based recovery of corrupted data to hardware replacement on a physically damaged disk. If hard disk recovery is necessary, the disk itself has typically failed permanently, and the focus is rather on a one-time recovery, salvaging whatever data can be read.

In a third scenario, files have been "deleted" from a storage medium. Typically, deleted files are not erased immediately; instead, references to them in the directory structure are removed, and the space they occupy is made available for later overwriting. In the meantime, the original file may be restored. Although there is some confusion over the term, "data recovery" may also be used in the context of forensic applications or espionage.

Photo Recovery

Photo Recovery is the process of salvaging digital photographs from damaged, failed, corrupted, or inaccessible secondary storage media when it cannot be accessed normally. Photo Recovery can be considered a subset of the overall Data Recovery field.

Photo loss or deletion may be due to either hardware or software failures.


Recovering data after hardware failure

An excellent explanation of hardware failures is provided in the section for data recovery. Typically, if your drive or card is so badly damaged that your computer cannot recognize that a drive/card has been connected, you will need to consult a data recovery service provider.

Recovering data after logical failure

Logical damage, or the inability to view photos, can occur for many reasons. The most common reasons are:

  1. Deletion of photos.
  2. Corruption of boot sector of media.
  3. Corruption of file system.
  4. Disk formatting.
  5. Move or Copy errors.

Photo Recovery Using File Carving

The majority of photo recovery programs work by using a technique called file carving (data carving). There are many different file carving techniques that are used to recover photos. Most of these techniques fail in the presence of file system fragmentation. Simson Garfinkel showed that on average 17% of JPEGs are fragmented, which means on average 17% of JPEGs are recovered partially or appear corrupt when recovered using techniques that can't handle fragmented photos. Currently only Adroit Photo Recovery and CnW Recovery claim to be able to recover fragmented photos.

Header-Footer Carving

In Header-Footer Carving, a recovery program attempts to recover photos based on the standard starting and ending byte signature of the photo format. For example, all JPEGs begin with the hex sequence "FFD8" and must end with the hex sequence "FFD9". Header-Footer Carving cannot be used to recover fragmented photos, and fragmented photos will appear to be partially recovered or corrupt if incorrect data is added. Header-Footer Carving along with Header-Size Carving are by far the most common techniques for photo recovery. One of the first non-GUI (console-based) programs to use this technique is PhotoRec.

Header-Size Carving

In Header-Size Carving, a recovery program attempts to recover photos based on the standard starting byte signature of the photo format, along with the size of the photo that is either derived or explicitly stated in the photo format. For example, all 24-bit Windows Bitmaps (*.bmp) begin with the letters "BM" and store the size of the file in the header. Header-Footer Carving cannot be used to recover fragmented photos, and fragmented photos will appear to be partially recovered or corrupt if incorrect data is added.
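The two techniques above, as an added example that is not taken from any of the programs named on this page: a header-footer carver for JPEG and a header-size carver for BMP, run over a constructed 512-byte-sector image that also holds one fragmented JPEG. The function names, the sector size and the sample bytes are assumptions made for the illustration.

```python
import struct

SECTOR = 512

def carve_jpegs(image, max_size=16 * 1024 * 1024):
    """Header-footer carving: slice from each FFD8 to the next FFD9."""
    found, pos = [], 0
    while (start := image.find(b"\xff\xd8", pos)) != -1:
        end = image.find(b"\xff\xd9", start + 2, start + max_size)
        if end == -1:              # header with no footer in range: skip it
            pos = start + 2
            continue
        found.append((start, image[start:end + 2]))
        pos = end + 2
    return found

def carve_bmps(image):
    """Header-size carving: 'BM', then the file size as a 32-bit LE integer."""
    found, pos = [], 0
    while (start := image.find(b"BM", pos)) != -1:
        pos = start + 2
        if start + 14 > len(image):
            break
        size, res1, res2, data_off = struct.unpack_from("<IHHI", image, start + 2)
        # Sanity checks keep a stray "BM" in other data from being carved.
        if res1 == res2 == 0 and 14 <= data_off < size and start + size <= len(image):
            found.append((start, image[start:start + size]))
            pos = start + size
    return found

def pad(data):
    """Pad to a whole number of sectors, as files are laid out on disk."""
    return data + b"\x00" * (-len(data) % SECTOR)

def build_sample():
    """Constructed image: one contiguous JPEG, one BMP, one fragmented JPEG."""
    jpg = b"\xff\xd8" + b"\x11" * 700 + b"\xff\xd9"
    dib = struct.pack("<IiiHH", 40, 4, 4, 1, 24) + b"\x00" * 24   # 4x4, 24-bit
    pixels = b"\x22" * 48
    bmp = b"BM" + struct.pack("<IHHI", 54 + len(pixels), 0, 0, 54) + dib + pixels
    frag = b"\xff\xd8" + b"\x33" * 610 + b"\xff\xd9"               # 614 bytes
    # A sector of another file (0x44) sits between the two parts of frag.
    image = (b"\x00" * SECTOR + pad(jpg) + pad(bmp)
             + frag[:SECTOR] + b"\x44" * SECTOR + pad(frag[SECTOR:]))
    return image, jpg, bmp, frag

if __name__ == "__main__":
    image, jpg, bmp, frag = build_sample()
    for off, data in carve_jpegs(image) + carve_bmps(image):
        print(f"offset {off}: {len(data)} bytes, intact: {data in (jpg, bmp, frag)}")
```

The fragmented JPEG comes back 512 bytes too long because the foreign sector between its two parts is carved along with it, which is the corruption described above.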

File-Structure Based Carving

In this more advanced form of carving, a recovery program attempts to recover photos based on detailed knowledge of the structure rules of the photo format. This enables a recovery program to identify when a photo is incomplete or fragmented, but more needs to be done to see if a fragmented photo can be recovered. This technique is rarely used by most photo recovery programs.

Validated Carving

In validated carving, a decoder is used to detect any errors in recovery of a photo. More advanced forms of validated carving occur when each part of the recovered photo is compared against the rest of the photo to see if it "fits" visually. Validated carving is superb at detecting photos that are either fragmented or have parts over-written or missing. Validated carving alone cannot be used to recover fragmented photos.

Log Carving

Log Carving occurs when a recovery program uses information left over in either file system structures or the log to recover a deleted photo. For example, occasionally NTFS will store in the logs the exact location of where the file was located prior to its deletion. A program using Log Carving will be able to then recover the photo. To be sure about the quality of recovery, Validated Carving or File-Structure based carving should also be used to validate the recovered photo.

Bi-Fragment Gap Carving

A fragmented photo recovery technique where a header and footer are identified and then all combinations of blocks between the header and footer are validated to determine which combination results in the correct recovery of the photo.[1] This technique will only work if the file is fragmented into two parts.
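Bi-fragment gap carving with a structure-based validator, as an added example rather than code from the cited work or from any recovery product. It uses PNG instead of JPEG because PNG's per-chunk CRC-32 gives a validator without a full image decoder; the function names, the 512-byte block size and the sample image are assumptions, and the file is assumed to start on a block boundary.

```python
import struct, zlib

BLOCK = 512
PNG_SIG = b"\x89PNG\r\n\x1a\n"
PNG_END = b"\x00\x00\x00\x00IEND\xaeB`\x82"   # empty IEND chunk plus its fixed CRC

def chunk(ctype, body):   # length, type, data, CRC-32 over type + data
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))

def png_valid(data):
    """Validator: walk the chunk structure and check every CRC up to IEND."""
    if not data.startswith(PNG_SIG):
        return False
    pos = len(PNG_SIG)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack_from(">I4s", data, pos)
        end = pos + 12 + length
        crc = int.from_bytes(data[end - 4:end], "big")
        if end > len(data) or zlib.crc32(data[pos + 4:end - 4]) != crc:
            return False
        if ctype == b"IEND":
            return end == len(data)
        pos = end
    return False

def bifragment_carve(image):
    """Return (file, (first_gap_block, gap_blocks)); the gap is None if contiguous."""
    start, stop = image.find(PNG_SIG), image.find(PNG_END)
    if start == -1 or stop < start:
        return None, None
    stop += len(PNG_END)
    first = start // BLOCK                     # assumes the file starts on a block boundary
    blocks = [image[o:min(o + BLOCK, stop)] for o in range(first * BLOCK, stop, BLOCK)]
    if png_valid(b"".join(blocks)):
        return b"".join(blocks), None
    for gap_len in range(1, len(blocks) - 1):  # every gap strictly between header and footer
        for gap_start in range(1, len(blocks) - gap_len):
            candidate = b"".join(blocks[:gap_start] + blocks[gap_start + gap_len:])
            if png_valid(candidate):
                return candidate, (first + gap_start, gap_len)
    return None, None

def build_sample():
    """Constructed image: a 32x48 grayscale PNG split in two by two foreign blocks."""
    raw = b"".join(b"\x00" + bytes((x * y) % 64 for x in range(32)) for y in range(48))
    png = (PNG_SIG + chunk(b"IHDR", struct.pack(">IIBBBBB", 32, 48, 8, 0, 0, 0, 0))
           + chunk(b"IDAT", zlib.compress(raw, 0)) + chunk(b"IEND", b""))
    padded = png + b"\x00" * (-len(png) % BLOCK)
    return b"\x00" * BLOCK + padded[:2 * BLOCK] + b"\x44" * BLOCK + b"\x55" * BLOCK + padded[2 * BLOCK:], png
```

Calling `bifragment_carve(build_sample()[0])` returns the original PNG bytes together with the gap it had to skip, while the plain header-to-footer slice of the same image fails `png_valid`.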

SmartCarving

A process by which fragmented photos are recovered by looking at blocks on the disk and determining which block is the best visual match for the photo being recovered. This is done in parallel for all blocks that are not part of a recovered file.[3]

Photo Recovery Tips

  1. Do not write/save to the drive that you wish to recover from. Every potential write operation may over-write the blocks that you wish to recover from.
  2. If you suspect your drive is dying, create a disk image of your drive and choose photo recovery software that can read disk images.
  3. Save any recovered photos to a drive different from the recovered drive.
  4. Backup so that you don't have to worry about recovery software again.

It is important to note that for logical damage or loss, good photo recovery software can recover your photos.

List of data recovery software

Bootable

Data recovery cannot always be done on a running system. As a result, a boot disk, Live CD, Live USB, or any other type of Live Distro containing a minimal operating system and a set of repair tools is needed.

  • Knoppix: The original Linux Live CD. It contains many useful utilities for data recovery
  • SpinRite: A FreeDOS-based data recovery tool for hard disks and magnetic storage devices
  • SystemRescueCD: A Gentoo based Live CD, useful for repairing unbootable computer systems and retrieving data after a system crash
  • Trinity Rescue Kit

Consistency checkers

  • CHKDSK: A consistency checker for DOS and Windows systems.
  • Disk First Aid: A consistency checker for Mac OS 9.
  • Disk Utility: A consistency checker for Mac OS X.
  • fsck: A consistency checker for UNIX file systems.

File recovery

  • CDRoller: Recovers data from optical discs
  • dvdisaster: Generates error-correction data for optical discs
  • FileSalvage: A Mac OS X recovery program
  • GetDataBack: A Windows recovery program
  • IsoBuster: Recovers data from optical discs
  • Norton Utilities: A suite of utilities that has a file recovery component
  • PhotoRec: Multi-platform free and open source console program used to recover files
  • Recuva: Freeware data recovery program for Microsoft Windows
  • TestDisk: Can recover files as well as lost partitions
  • TotalRecovery: Backs up and recovers systems; can work preboot
  • TuneUp Utilities: A suite of utilities that has a file recovery component

Forensics

  • The Coroner's Toolkit: A suite of utilities aimed at assisting in forensic analysis of a UNIX system after a break-in.
  • The Sleuth Kit: Also known as TSK, The Sleuth Kit is a suite of forensic analysis tools developed by Brian Carrier for UNIX, Linux and Windows systems. TSK includes the Autopsy forensic browser.
  • EnCase: A suite of forensic tools developed by Guidance Software that is used for imaging and forensic analysis for UNIX, Linux, and Windows systems.
  • Forensic Toolkit (FTK): A forensic suite by AccessData, used by law enforcement.
  • Open Computer Forensics Architecture: Runs on Linux.

Imaging tools

  • ddrescue: The GNU tool for imaging failing hard drives
  • CopyCatX: Originally a backup software, it is capable of creating images of damaged media

Services

Recovering from logical (non-hardware) damage

When data have been physically overwritten on a hard disk it is generally assumed that the previous data are no longer possible to recover. In 1996, Peter Gutmann, a computer scientist, presented a paper that suggested overwritten data could be recovered through the use of Scanning transmission electron microscopy. In 2001, he presented another paper on a similar topic. Substantial criticism has followed, primarily dealing with the lack of any concrete examples of significant amounts of overwritten data being recovered. To guard against this type of data recovery, he and Colin Plumb designed the Gutmann method, which is used by several disk scrubbing software packages.

Although Gutmann's theory may be correct, there's no practical evidence that overwritten data can be recovered. Moreover, there are good reasons to think that it cannot.

Corrupt filesystems

In some cases, data on a hard drive can be unreadable due to damage to the file system. In the majority of these cases, at least a portion of the original data can be recovered by repairing the damaged filesystem using specialized data recovery software. This type of data recovery can be performed by knowledgeable end-users as it requires no special physical equipment. However, more serious cases can still require expert intervention.

Online Data Recovery

"Online" or "Remote" data recovery is yet another method to restore lost or deleted data. It is the same as performing regular software-based recovery, except that it is performed over the Internet without physically having the drive or computer in possession. The recovery technician, located elsewhere, gains access to the user's computer and completes the recovery job online. In this scenario, the user doesn't have to travel or send the media anywhere physically.

Although online data recovery is convenient and useful in many cases, it has some drawbacks that make it less popular than the classic data recovery methods. First of all, it requires a stable broadband Internet connection to be performed correctly, which many third world countries still lack. Also, it cannot be performed in case of physical damage to media; for such cases, the traditional in-lab recovery has to take place.

Recovering data after physical damage

A wide variety of failures can cause physical damage to storage media. CD-ROMs can have their metallic substrate or dye layer scratched off; hard disks can suffer any of several mechanical failures, such as head crashes and failed motors; tapes can simply break. Physical damage always causes at least some data loss, and in many cases the logical structures of the file system are damaged as well. Any logical damage must be dealt with before files can be salvaged from the failed media.

Most physical damage cannot be repaired by end users. For example, opening a hard disk in a normal environment can allow airborne dust to settle on the platter and become caught between the platter and the read/write head, causing new head crashes that further damage the platter and thus compromise the recovery process. Furthermore, end users generally do not have the hardware or technical expertise required to make these repairs. Consequently, costly data recovery companies are often employed to salvage important data.

Recovery techniques

Recovering data from physically damaged hardware can involve multiple techniques. Some damage can be repaired by replacing parts in the hard disk. This alone may make the disk usable, but there may still be logical damage. A specialized disk-imaging procedure is used to recover every readable bit from the surface. Once this image is acquired and saved on a reliable medium, the image can be safely analysed for logical damage and will possibly allow for much of the original file system to be reconstructed.

Hardware repair

Media that has suffered a catastrophic electronic failure will require data recovery in order to salvage its contents.

Examples of physical recovery procedures are: removing a damaged PCB (printed circuit board) and replacing it with a matching PCB from a healthy drive; performing a live PCB swap (in which the System Area of the HDD is damaged on the target drive and is instead read from the donor drive, after which the PCB is disconnected while still under power and transferred to the target drive); replacing the read/write head assembly with matching parts from a healthy drive; removing the hard disk platters from the original damaged drive and installing them into a healthy drive; and often a combination of all of these procedures. Some data recovery companies have procedures that are highly technical in nature and are not recommended for an untrained individual. Many of these procedures will void the manufacturer's warranty.