Project Name: Basic Data Recovery
Description: Basic Data Recovery will help digital forensics investigators perform data recovery.
Author: Rohit D Sadgune
Summary of Content
- Basic Data Recovery
- File System Recovery
- Phases of basic data recovery
Data recovery is the process of extracting digital information, in the form of data, from damaged, failed, corrupted or inaccessible secondary storage media when it cannot be accessed normally. Often the digital information is salvaged from storage media such as internal or external hard disk drives, solid-state drives (SSD), USB flash drives, storage tapes, CDs, DVDs, RAID arrays and other electronics. Data recovery may be required because of physical damage to the digital storage device or logical damage to the file system that prevents it from being mounted by the host operating system.
Data recovery is possible on the following file systems: FAT12, FAT16, FAT32, exFAT, TFAT, NTFS, Ext2, Ext3, Ext4, Next3®, CDFS/ISO9660/Joliet and UDF. Data recovery becomes a more tedious job when it involves RAID recovery, LVM recovery, VM recovery, NAS recovery, SAN recovery or SSD recovery.
The term “data recovery” is also used in the context of forensic applications or espionage, where data which has been encrypted or hidden, rather than damaged, is recovered.
It is important to understand the four phases of data recovery. Each phase stands for a different level and range of data recovery capability, each phase requires different HDD repair tools and data recovery tools, and each phase must be handled properly to make sure that the maximum amount of data is finally recovered.
- Phase 1: Repair the digital storage device (most probably a hard drive).
- Phase 2: Forensically image the drive to a new drive.
- Phase 3: Logical recovery of files, partitions, the MBR and the MFT.
- Phase 4: Repair the damaged files that were retrieved.
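As an added example (not part of the original project's code), the following Python sketch shows the essence of Phase 2: reading a source sector by sector, never writing to it, zero-filling sectors that return read errors so that offsets in the image stay aligned with the source, recording which sectors those were, and hashing the result so later work can be checked against it. The `FlakyDevice` class, the sample contents and the unreadable sector number are constructed for the demonstration; a real imaging tool would read a block device and write the image to a separate drive.

```python
import hashlib

SECTOR_SIZE = 512


class FlakyDevice:
    """Constructed stand-in for a failing drive (not a real block device):
    a bytes buffer in which reads of the listed sector numbers raise OSError,
    the way a drive with unreadable sectors does."""

    def __init__(self, data, bad_sectors=()):
        assert len(data) % SECTOR_SIZE == 0
        self._data = data
        self._bad = set(bad_sectors)

    @property
    def sector_count(self):
        return len(self._data) // SECTOR_SIZE

    def read_sector(self, lba):
        if lba in self._bad:
            raise OSError(f"I/O error reading sector {lba}")
        start = lba * SECTOR_SIZE
        return self._data[start:start + SECTOR_SIZE]


def image_device(device):
    """Copy every sector of the device into a new in-memory image.

    The source is only ever read. A sector that cannot be read is replaced
    by zeros so that every later offset in the image still matches the source,
    and its number is recorded so the examiner knows which bytes are filler.
    """
    image = bytearray()
    unreadable = []
    for lba in range(device.sector_count):
        try:
            chunk = device.read_sector(lba)
        except OSError:
            chunk = b"\x00" * SECTOR_SIZE
            unreadable.append(lba)
        image += chunk
    return bytes(image), unreadable


def sha256_hex(data):
    """Hash recorded alongside the image; any later copy must reproduce it."""
    return hashlib.sha256(data).hexdigest()


def verify_image(device, image):
    """Re-read the source sector by sector and confirm that every readable
    sector is byte-identical to the image; sectors that are still unreadable
    must hold the zero filler the imaging pass put there."""
    for lba in range(device.sector_count):
        start = lba * SECTOR_SIZE
        in_image = image[start:start + SECTOR_SIZE]
        try:
            expected = device.read_sector(lba)
        except OSError:
            expected = b"\x00" * SECTOR_SIZE
        if in_image != expected:
            return False
    return True


# Constructed 8-sector "drive": recognisable text in sectors 2 and 5,
# with sector 5 marked unreadable.
_disk = bytearray(8 * SECTOR_SIZE)
_payload = b"evidence.txt: constructed sample content"
_disk[2 * SECTOR_SIZE:2 * SECTOR_SIZE + len(_payload)] = _payload
_lost = b"this sector cannot be read in the sample"
_disk[5 * SECTOR_SIZE:5 * SECTOR_SIZE + len(_lost)] = _lost
SAMPLE_DISK = bytes(_disk)
SAMPLE_DEVICE = FlakyDevice(SAMPLE_DISK, bad_sectors=[5])

if __name__ == "__main__":
    img, bad = image_device(SAMPLE_DEVICE)
    print(f"imaged {len(img)} bytes, unreadable sectors: {bad}")
    print("sha256:", sha256_hex(img))
    print("verified:", verify_image(SAMPLE_DEVICE, img))
```

The list of unreadable sectors belongs in the examiner's notes next to the image hash: the zero-filled ranges are not evidence of anything, and a second imaging attempt (or a hardware imager with retries) may still recover them.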
- Data loss
- Types of data loss
- What is a file system
- Different types of file systems
- Data recovery chances
- How data recovery works
Data loss is an error condition in digital information systems in which digital information is unavailable or destroyed by failures or neglect in storage, transmission or processing. Digital information systems support backup and disaster recovery equipment and processes to prevent data loss or to restore lost data.
Types of data loss
- Intentional action
  - Intentional deletion of a file or program
- Unintentional action
  - Accidental deletion of a file or program
  - Misplacement of CDs or memory sticks
  - Administration errors
  - Inability to read an unknown file format
- Power failure, resulting in data in volatile memory not being saved to permanent memory.
- Hardware failure, such as a head crash in a hard disk.
- A software crash or freeze, resulting in data not being saved.
- Software bugs or poor usability, such as not confirming a file delete command.
- Business failure (vendor bankruptcy), where data is stored with a software vendor using Software-as-a-Service and SaaS data escrow has not been provisioned.
- Data corruption, such as file system corruption or database corruption.
- Natural disaster: earthquake, flood, tornado, etc.
- Theft, hacking, sabotage, etc.
- A malicious act, such as a worm, virus, hacker or theft of physical media.
Understanding file systems
What is a file system?
Any computer file is stored on some kind of digital storage device with a specified capacity. The main point is that each digital storage device is a linear space for reading, or for both reading and writing, digital information. Each byte of information on the digital storage device has its own offset from the start of the storage (its address) and is referenced by this address.
Generally, computer storage devices use a two-part address, a sector number plus an in-sector offset, to reference any byte of information on the storage device. A sector is a group of bytes (usually 512 bytes) that is the minimum allocation unit on the physical storage. For example, byte 1040 on a hard disk is referenced as sector #3 (the third sector) with an in-sector offset of 16 bytes ([sector]+[sector]+[16 bytes]). This scheme is applied to optimise addressing and allocation on digital storage devices and to use a smaller number to reference any portion of information on the storage.
To eliminate the second part of the address (the in-sector offset), files are usually stored starting from a sector start and occupy whole sectors (e.g. a 20-byte file occupies a whole sector, a 412-byte file also occupies a whole sector, while a 516-byte file occupies two whole sectors).
Each file is stored to ‘unused’ sectors of the storage device and can then be read and written by its known position and size. However, how do we know which sectors are used or unused? Where are the file size and position stored? Where is the file name? The answers to these questions are given by the file system.
As a whole, a file system is a structural representation of data and a set of metadata that describe the data stored on a digital storage device. A file system can serve not only the whole storage but also an isolated storage segment, a disk partition. Usually the file system operates on blocks, not sectors. File system blocks are collections of sectors that optimise storage addressing. Modern file systems generally use block sizes from 1 up to 128 sectors (512-65536 bytes). Files are usually stored from the start of a block and take up entire blocks.
Continuous read/write/delete operations on a file system cause file system fragmentation. As a result files are no longer stored as one contiguous run and are divided into fragments.
In addition to user files, the file system also stores its own parameters (such as block size), file descriptors (which include file size, file location, its fragments etc.), file names and the directory hierarchy. It can also store file security information, file extended attributes and other parameters. To meet end-user requirements for storage performance, stability and reliability there exist a great many types of file systems, each developed for certain purposes.
Windows file systems
Microsoft Windows uses two major file systems: FAT, derived from old DOS, with its later extension FAT32, and the now widely used NTFS. The recently released ReFS file system was developed by Microsoft as a new-generation file system for Windows 8 Server.
- FAT (File Allocation Table)
- NTFS (New Technology File System)
- ReFS (Resilient File System)
MacOS file systems
The Apple Mac OS operating system uses the HFS+ file system, an extension of Apple's own HFS file system that was previously used on old Macintosh computers. Besides files and folders, this file system also stores Finder information about directory views, window positions etc.
Linux file systems
The open-source Linux OS has always been used to implement, test and use different concepts of structured file systems. Among the huge number of file system types, the most popular Linux file systems nowadays are.
BSD, Solaris, Unix file systems
- UFS (Unix File System)
- FFS (Fast File System)
- ZFS for Solaris
Clustered file systems
Clustered file systems are used in computer cluster systems. These file systems have built-in support for distributed storage.
- ZFS – Sun's ‘Zettabyte File System’, the new file system developed for the distributed storage of the Sun Solaris OS.
- Apple Xsan – Apple's evolution of the CentraVision and later StorNext file systems.
- VMFS – ‘Virtual Machine File System’, developed by VMware for its VMware ESX Server.
- GFS – Red Hat Linux ‘Global File System’.
- JFS1 – the original (legacy) design of the IBM JFS file system, used in older AIX storage systems.
How does data recovery work?
The digital information that still remains on the mass storage can be recovered to a given location. Data recovery chances depend very much on the data loss condition itself, but you should always remember that no information is recoverable after overwriting. For this reason you should not write anything to the digital storage device until the last file has been recovered.
Data recovery software serves to get data back after information loss with the best possible result. Commonly, a data recovery operation is based on a scan of the storage to find specific information (deleted files, lost file systems) and to reassemble the structures of a damaged file system.
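The storage scan described above is often implemented as signature carving: searching the raw bytes for known file headers and footers without using any file system metadata, which is why it still works on formatted or damaged volumes. The example below is added here and is not code from the original project; the signature table, the placeholder file bodies and the sample image are constructed for the demonstration. It also records the case where the footer is missing, which is what a truncated, overwritten or fragmented file looks like to a carver.

```python
# Signatures: header magic, footer magic, upper bound on the carved size.
# The PNG and JPEG magic values are the real ones; the max sizes are chosen
# for this demonstration.
SIGNATURES = {
    "png":  (b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82", 16 * 1024 * 1024),
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9", 32 * 1024 * 1024),
}


def carve(image, signatures=SIGNATURES):
    """Header/footer carving over a raw image.

    No file system metadata is consulted, so carving does not care whether a
    file was deleted or its volume formatted, but it assumes each file is
    stored contiguously: a fragmented file carves out with foreign bytes in it.
    """
    found = []
    for kind, (header, footer, max_size) in signatures.items():
        pos = 0
        while True:
            start = image.find(header, pos)
            if start == -1:
                break
            limit = min(len(image), start + max_size)
            footer_at = image.find(footer, start + len(header), limit)
            if footer_at == -1:
                # Footer missing: the file is truncated, overwritten or fragmented.
                end, complete = limit, False
            else:
                end, complete = footer_at + len(footer), True
            found.append({
                "type": kind, "offset": start, "size": end - start,
                "complete": complete, "data": bytes(image[start:end]),
            })
            pos = end  # resume after this file (files embedded inside it are skipped)
    found.sort(key=lambda rec: rec["offset"])
    return found


# Constructed 6-sector image: two intact files at non-sector-aligned offsets and
# a PNG whose tail is gone. The bodies are placeholders, not real image data.
PNG_SAMPLE = SIGNATURES["png"][0] + b"<png chunks placeholder>" + SIGNATURES["png"][1]
JPEG_SAMPLE = b"\xff\xd8\xff\xe0" + b"<jfif placeholder>" + b"\xff\xd9"
PNG_TRUNCATED = SIGNATURES["png"][0] + b"truncated"

_img = bytearray(6 * 512)
_img[600:600 + len(PNG_SAMPLE)] = PNG_SAMPLE
_img[2048:2048 + len(JPEG_SAMPLE)] = JPEG_SAMPLE
_img[2900:2900 + len(PNG_TRUNCATED)] = PNG_TRUNCATED
SAMPLE_IMAGE = bytes(_img)

if __name__ == "__main__":
    for rec in carve(SAMPLE_IMAGE):
        state = "complete" if rec["complete"] else "INCOMPLETE"
        print(f"{rec['type']:5} at offset {rec['offset']:6} size {rec['size']:5} {state}")
```

A carver run over a real image produces many candidates; the `complete` flag and a sanity check of each candidate (does it actually parse as that file type?) are what separate recoverable files from remnants.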
Data recovery chances
Data recovery chances depend very much on the actual reason for the data loss and on the end user's further actions. To get the maximum data recovery result it is strongly recommended to stop any write access to the storage and run data recovery software immediately.
- Data loss by file deletion
Any deleted file persists on the storage until its space is re-allocated to other data. After file deletion the OS may re-use the disk space at any point in time to store a new file. Thus even a minor write to the storage may cause permanent data loss. Internet browsers are also responsible for overwriting deleted files, by saving cache or cookies to the storage. If you install the recovery software on the same drive, your data is also at risk of being overwritten.
Another factor that affects data recovery chances after file deletion is the file deletion algorithm, which depends on the file system. For the Windows NTFS file system data recovery chances are quite high, because if the file's descriptor entry remains on the disk the software has a very high chance of obtaining all the required information about the file. Unlike NTFS, the BSD UFS file system destroys the information about file beginning, allocation and logical size permanently, and together with the high degree of file fragmentation typical of this file system this leaves very slim chances for successful data recovery.
Other file systems (like FAT) offer better chances for data recovery. Here only some of the allocation information vanishes (such as information about file fragments), but information about file name, start and size still remains on disk. Experience-based techniques still allow the software to ‘guess’ file fragments and recover files that are in good health. Please keep in mind that, due to the lack of actual information about the allocation of file fragments, any data recovery software may fail to detect the original file position on the digital storage, especially if several fragmented files were deleted close to the same location on the storage.
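To make the points above concrete (the file system records which sectors are used and where each file starts, and deletion leaves the bytes in place until they are overwritten), here is an added toy file system in Python. It is not a real on-disk format and not code from the original project; the bitmap, directory and first-fit allocator are constructed to mirror the behaviour described, including the file slack left behind when a smaller file reuses a sector.

```python
SECTOR = 512
NUM_SECTORS = 16


class MiniFS:
    """Constructed toy file system, not a real on-disk format.

    It keeps the three things a file system must know (which sectors are used,
    where each file starts, how big it is) and models the behaviour shared by
    real file systems: deleting a file changes metadata, not the data sectors.
    """

    def __init__(self):
        self.disk = bytearray(NUM_SECTORS * SECTOR)  # the raw storage
        self.free = [True] * NUM_SECTORS             # allocation bitmap
        self.directory = {}                          # name -> (start_sector, size)
        self.stale = {}                              # records of deleted files, left behind

    @staticmethod
    def sectors_needed(size):
        return max(1, -(-size // SECTOR))            # ceiling division

    def write_file(self, name, data):
        """First-fit contiguous allocation; the file starts at a sector boundary."""
        need = self.sectors_needed(len(data))
        run = 0
        for i in range(NUM_SECTORS):
            run = run + 1 if self.free[i] else 0
            if run == need:
                start = i - need + 1
                break
        else:
            raise OSError("no contiguous free space")
        self.disk[start * SECTOR:start * SECTOR + len(data)] = data
        # The remainder of the last sector is deliberately not zeroed: whatever
        # was there before survives as file slack (real systems vary here).
        for s in range(start, start + need):
            self.free[s] = False
        self.directory[name] = (start, len(data))
        return start

    def delete_file(self, name):
        """Unlink: free the bitmap bits and leave a stale record; no data is touched."""
        start, size = self.directory.pop(name)
        for s in range(start, start + self.sectors_needed(size)):
            self.free[s] = True
        self.stale[name] = (start, size)

    def undelete(self, name):
        """Metadata-based recovery: possible only while the stale record exists
        and none of the file's sectors has been reallocated to another file."""
        if name not in self.stale:
            return None
        start, size = self.stale[name]
        if any(not self.free[s] for s in range(start, start + self.sectors_needed(size))):
            return None  # at least one sector reused: contents overwritten
        return bytes(self.disk[start * SECTOR:start * SECTOR + size])


if __name__ == "__main__":
    fs = MiniFS()
    fs.write_file("a.txt", b"A" * 600)   # sectors 0-1
    fs.write_file("b.txt", b"B" * 100)   # sector 2
    fs.delete_file("a.txt")
    print("after delete, undelete works:", fs.undelete("a.txt") == b"A" * 600)
    fs.write_file("c.txt", b"C" * 10)    # first fit reuses sector 0
    print("after reuse, undelete works:", fs.undelete("a.txt") is not None)
    print("old bytes left in sector 0 slack:", bytes(fs.disk[10:512]) == b"A" * 502)
```

The last two lines of the demo are the practical lesson: a single small write made the metadata-based undelete fail, yet most of the old content is still physically present (502 bytes of slack in sector 0 and all of sector 1), which is why a raw scan can still find it and why the storage must not be written to before recovery.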
- Data Recovery after file system format
When a file system is formatted, some of the information on the digital storage is destroyed because it is overwritten with the information of the new file system. As discussed earlier, data recovery chances after a format depend entirely on the original and new file systems.
For instance, if a file system is formatted with FAT, the format overwrites a large area at the start of the disk with zeros (empty cluster allocation tables) and therefore destroys any previous data there. Even if the previous file system was also FAT, the information about the allocation of the previous files is destroyed completely. Other file systems usually allocate more or fewer structures at different storage locations.
Recovery chances depend very much on the original and new file systems. Sometimes the recovery probability is higher if the file system is formatted with the same file system type (e.g. NTFS over NTFS), sometimes it is not (e.g. FAT over FAT has lower recovery chances than XFS over FAT).
- Recovery after file system damage
For this type of data loss, data recovery software usually applies the same algorithms as for a formatted file system. The data recovery probability depends entirely on the actual file system damage, which can be damage to user files, file folders, file locations, file names or all of these at once.
- Loss of information about partition
This type of data loss is probably the most crucial one to recover from. When working with this type of damage, data recovery software recognises the start of a file system by the known file system structures it finds while assessing the digital storage.
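As an added example of recognising a file system start by its known structures (not code from the original project), the Python below first parses the MBR partition table and, if the table is gone, scans every sector for a boot signature together with the file system identifier string at the offset where NTFS, FAT32 and FAT12/16 keep it. The sample image, with one NTFS volume listed in the table and one FAT32 volume that is not, is constructed for the demonstration; the MBR layout, signature and identifier offsets are the real ones.

```python
import struct

SECTOR = 512
BOOT_SIGNATURE = b"\x55\xaa"


def parse_mbr(sector0):
    """Parse the classic MBR: four 16-byte partition entries at offset 0x1BE and
    the boot signature 0x55AA at offset 0x1FE. Returns None if the sector is not
    a usable MBR, otherwise the list of non-empty entries."""
    if len(sector0) < SECTOR or sector0[510:512] != BOOT_SIGNATURE:
        return None
    partitions = []
    for i in range(4):
        entry = sector0[0x1BE + 16 * i:0x1BE + 16 * (i + 1)]
        status, _chs_first, ptype, _chs_last, lba_start, length = struct.unpack("<B3sB3sII", entry)
        if ptype == 0:  # empty slot
            continue
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": length})
    return partitions


def scan_for_boot_sectors(image):
    """Fallback for a lost partition table: inspect every sector for a boot
    signature plus a file system id string (NTFS OEM id at offset 3, FAT32 type
    string at offset 82, FAT12/FAT16 type string at offset 54)."""
    hits = []
    for lba in range(len(image) // SECTOR):
        sec = image[lba * SECTOR:(lba + 1) * SECTOR]
        if sec[510:512] != BOOT_SIGNATURE:
            continue
        if sec[3:11] == b"NTFS    ":
            hits.append((lba, "NTFS"))
        elif sec[82:90] == b"FAT32   ":
            hits.append((lba, "FAT32"))
        elif sec[54:62] in (b"FAT12   ", b"FAT16   "):
            hits.append((lba, sec[54:62].decode("ascii").strip()))
    return hits


def locate_file_systems(image):
    """Trust the table while it is intact; fall back to scanning when it is
    missing or lists nothing."""
    table = parse_mbr(image[:SECTOR])
    if table:
        return [(p["lba_start"], f"table entry {p['index']}, type 0x{p['type']:02x}") for p in table]
    return scan_for_boot_sectors(image)


def _boot_sector(id_bytes, id_offset):
    """Constructed minimal boot sector: jump bytes, id string, signature."""
    sec = bytearray(SECTOR)
    sec[0:3] = b"\xeb\x52\x90"
    sec[id_offset:id_offset + 8] = id_bytes
    sec[510:512] = BOOT_SIGNATURE
    return bytes(sec)


# Constructed 16-sector image: MBR with one NTFS entry (LBA 4, 6 sectors) and a
# FAT32 boot sector at LBA 12 that no table entry points to.
_img = bytearray(16 * SECTOR)
_mbr = bytearray(SECTOR)
_mbr[0x1BE:0x1BE + 16] = struct.pack("<B3sB3sII", 0x80, b"\0\0\0", 0x07, b"\0\0\0", 4, 6)
_mbr[510:512] = BOOT_SIGNATURE
_img[0:SECTOR] = _mbr
_img[4 * SECTOR:5 * SECTOR] = _boot_sector(b"NTFS    ", 3)
_img[12 * SECTOR:13 * SECTOR] = _boot_sector(b"FAT32   ", 82)
SAMPLE_IMAGE = bytes(_img)
# Same image with sector 0 zeroed: the partition information is lost.
WIPED_TABLE_IMAGE = b"\x00" * SECTOR + SAMPLE_IMAGE[SECTOR:]

if __name__ == "__main__":
    print("intact table:", locate_file_systems(SAMPLE_IMAGE))
    print("wiped table: ", locate_file_systems(WIPED_TABLE_IMAGE))
```

Note that the scan finds the FAT32 volume in both cases while the table never does; on a real disk such unlisted boot sectors are typically remnants of earlier partition layouts, so each hit still has to be checked against the file system's own size fields before anything is rebuilt from it.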
- Hardware failure
Never try to recover data from a damaged or failing digital storage device yourself. You may land in a situation where the data loss becomes permanent. The only exception is RAID systems, where storage redundancy allows good data to be recovered without the failed unit.
A RAID failure can also affect the file system. But if the file system remains intact, your RAID will have quite good data recovery chances.
- Recovery of wiped / overwritten data
It is practically impossible. The myth about the chances of recovering lost files after overwriting stems from successful attempts to recover data from old diskettes and hard disks. These devices (with storage capacities from kilobytes to megabytes) used very wide magnetic tracks and simple digital encoding to store the information. For this reason it was possible to read ‘traces of data’ after wiping or overwriting by calibrating the read head's sensitivity and position.
Please never trust companies that claim to be able to recover data in this way.