Data recovery is the process of salvaging data from damaged, failed, corrupted, or inaccessible secondary storage media when it cannot be accessed normally. Often the data are being salvaged from storage media formats such as hard disk drives, storage tapes, CDs, DVDs, RAID, and other electronics. Recovery may be required due to physical damage to the storage device or logical damage to the file system that prevents it from being mounted by the host operating system. Although there is some confusion as to the term, data recovery can also be the process of retrieving and securing deleted information from storage media for forensic purposes or spying.
Recovering data after physical damage
A wide variety of failures can cause physical damage to storage media. CD-ROMs can have their metallic substrate or dye layer scratched off; hard disks can suffer any of several mechanical failures, such as head crashes and failed motors; tapes can simply break. Physical damage always causes at least some data loss, and in many cases the logical structures of the file system are damaged as well. This causes logical damage that must be dealt with before any files can be salvaged from the failed media.
Most physical damage cannot be repaired by end users. For example, opening a hard disk in a normal environment can allow dust to settle on the surface, causing further damage to the platters and complicating the recovery process. Furthermore, end users generally do not have the hardware or technical expertise required to make these repairs; therefore, costly data recovery companies are consulted to salvage the data. These firms often use Class 100 cleanroom facilities to protect the media while repairs are being made.
Despite this, there are many accounts of users getting a bad disk going long enough to pull their data off, often via slightly bizarre tricks. These include making the drive cold (in the freezer) or spinning it manually on the ground, both actions being used to unstick a jammed platter. Most data recovery professionals recommend against the use of tricks such as these, as they can cause additional physical damage to the drive if done improperly (and in many cases, even when done properly).
Recovery techniques
Recovering data from physically damaged hardware can involve multiple techniques. Some damage can be repaired by replacing parts in the hard disk. This alone may make the disk usable, but there may still be logical damage. A specialized disk imaging procedure is used to recover every readable bit from the surface. Once this image is acquired, the image can be analyzed for logical damage and will possibly allow for much of the original filesystem to be reconstructed.
Hardware repair
Examples of physical recovery procedures are: removing a damaged PCB (printed circuit board) and replacing it with a matching PCB from a healthy drive (this often entails the movement of a microchip from the original board to the replacement), changing the original damaged read/write head assembly with matching parts from a healthy drive, removing the hard disk platters from the original damaged drive and installing them into a healthy drive, and often a combination of all of these procedures. All of the above described procedures are highly technical in nature and should never be attempted by an untrained individual. All of these procedures will almost certainly void the manufacturer's warranty.
Disk imaging
The extracted raw image can be used to reconstruct usable data after any logical damage has been repaired. Once that is complete, the files may be in usable form, although recovery is often incomplete. According to research by the Defense Cyber Crime Institute, there are also tools available only to law enforcement and government agencies, such as ILook IXimager. Open source tools such as DCFLdd v1.3.4-1 can usually recover all data, with the exception of the physically damaged sectors. (It is important that DCFLdd v1.3.4-1 be installed on a FreeBSD operating system. Studies have shown that the same program installed on a Linux system produces extra "bad sectors", resulting in the loss of information that is actually available.) [1]
Typically, hard disk drive data recovery imaging tools have the following abilities[2]:
- (1) Communicating with the hard drive while bypassing the BIOS and operating system, which are very limited in their ability to deal with drives that have "bad sectors" or take a long time to read.
- (2) Reading data from "bad sectors" rather than skipping them (using various read commands and ECC to recreate damaged data).
- (3) Handling issues of unstable drives, such as resetting/repowering the drive when it stops responding or skipping sectors that take too long to read (read instability can be caused by minute mechanical wear and other issues).
- (4) Pre-configuring drives by disabling certain features, such as SMART and G-List re-mapping, to minimize imaging time and the possibility of further drive degradation.
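The handling of unstable drives in item (3), as an added Python example that is not part of the original article: a large read is tried first, a failed chunk is re-read sector by sector with retries, and sectors that never read are zero-filled and recorded. `FlakyDevice`, `image_device` and `bad_ranges` are hypothetical names, and the drive is a constructed in-memory stand-in rather than real hardware.

```python
import hashlib

SECTOR = 512  # bytes per sector in this model


class FlakyDevice:
    """Constructed stand-in for a failing drive (hypothetical, no real I/O)."""

    def __init__(self, data, bad=(), unstable=None):
        self.data = data
        self.bad = set(bad)                   # sectors that never read
        self.unstable = dict(unstable or {})  # sector -> failures before success
        self.sectors = len(data) // SECTOR

    def read(self, lba, count):
        """Return count sectors starting at lba, or raise OSError like a failed read."""
        for s in range(lba, lba + count):
            if s in self.bad:
                raise OSError(5, f"I/O error at sector {s}")
            if self.unstable.get(s, 0) > 0:
                self.unstable[s] -= 1
                raise OSError(5, f"timeout at sector {s}")
        return self.data[lba * SECTOR:(lba + count) * SECTOR]


def image_device(dev, chunk=8, retries=3):
    """Copy every readable sector; zero-fill and record the ones that never read.

    Returns (image bytes, list of unreadable sectors, SHA-256 of the image).
    """
    out = bytearray(dev.sectors * SECTOR)
    bad_map = []
    for lba in range(0, dev.sectors, chunk):
        count = min(chunk, dev.sectors - lba)
        try:
            # Fast path: one large read for the whole chunk.
            out[lba * SECTOR:(lba + count) * SECTOR] = dev.read(lba, count)
            continue
        except OSError:
            pass
        # Slow path: isolate the failure by reading one sector at a time,
        # retrying each so that an unstable sector still gets a chance.
        for s in range(lba, lba + count):
            for _ in range(retries):
                try:
                    out[s * SECTOR:(s + 1) * SECTOR] = dev.read(s, 1)
                    break
                except OSError:
                    continue
            else:
                bad_map.append(s)  # stays zero-filled in the image
    return bytes(out), bad_map, hashlib.sha256(out).hexdigest()


def bad_ranges(bad_map):
    """Collapse sorted sector numbers into (first, last) runs for the report."""
    runs = []
    for s in bad_map:
        if runs and s == runs[-1][1] + 1:
            runs[-1] = (runs[-1][0], s)
        else:
            runs.append((s, s))
    return runs


def sample_device():
    """32 constructed sectors: sector n is filled with byte n + 1."""
    data = b"".join(bytes([n + 1]) * SECTOR for n in range(32))
    return FlakyDevice(data, bad={3, 20, 21}, unstable={10: 2}), data


if __name__ == "__main__":
    dev, _ = sample_device()
    image, bad_map, digest = image_device(dev)
    print("unreadable runs:", bad_ranges(bad_map), "sha256:", digest)
```

Keeping the list of zero-filled sectors next to the image and its hash lets later analysis tell a real run of zeros from a sector that could not be read.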
Recovering data after logical damage
Far more common than physical damage is logical damage to a file system. Logical damage is primarily caused by power outages that prevent file system structures from being completely written to the storage medium, but problems with hardware (especially RAID controllers) and drivers, as well as system crashes, can have the same effect. The result is that the file system is left in an inconsistent state. This can cause a variety of problems, such as strange behavior (e.g., infinitely recursing directories, drives reporting negative amounts of free space), system crashes, or an actual loss of data. Various programs exist to correct these inconsistencies, and most operating systems come with at least a rudimentary repair tool for their native file systems. Linux, for instance, comes with the fsck utility, Mac OS X has Disk Utility and Microsoft Windows provides chkdsk. Third-party utilities such as The Coroner's Toolkit and The Sleuth Kit are also available, and some can produce superior results by recovering data even when the disk cannot be recognized by the operating system's repair utility. Utilities such as TestDisk can be useful for reconstructing corrupted partition tables.
Some kinds of logical damage can be mistakenly attributed to physical damage. For instance, when a hard drive's read/write head begins to click, most end-users will associate this with internal physical damage. This is not always the case, however. Often, either the firmware on the platters or the controller card will instead need to be rebuilt. Once the firmware on either of these two devices is restored, the drive will be back in shape and the data accessible.[citation needed]
Preventing logical damage
The increased use of journaling file systems, such as NTFS 5.0, ext3, and XFS, is likely to reduce the incidence of logical damage. These file systems can always be "rolled back" to a consistent state, which means that the only data likely to be lost is what was in the drive's cache at the time of the system failure. However, regular system maintenance should still include the use of a consistency checker. This can protect both against bugs in the file system software and latent incompatibilities in the design of the storage hardware. One such incompatibility is the result of the disk controller reporting that file system structures have been saved to the disk when it has not actually occurred. This can often occur if the drive stores data in its write cache, then claims it has been written to the disk. If power is lost, and this data contains file system structures, the file system may be left in an inconsistent state such that the journal itself is damaged or incomplete. One solution to this problem is to use hardware that does not report data as written until it actually is written. Another is using disk controllers equipped with a battery backup so that the waiting data can be written when power is restored. Finally, the entire system can be equipped with a battery backup that may make it possible to keep the system on in such situations, or at least to give enough time to shut down properly.
Recovery techniques
Two main techniques are used to recover data from logical damage. While most logical damage can be either repaired or worked around using these two techniques, data recovery software can never guarantee that no data loss will occur. For instance, in the FAT file system, when two files claim to share the same allocation unit ("cross-linked"), data loss for one of the files is essentially guaranteed.
Consistency checking
The first, consistency checking, involves scanning the logical structure of the disk and checking to make sure that it is consistent with its specification. For instance, in most file systems, a directory must have at least two entries: a dot (.) entry that points to itself, and a dot-dot (..) entry that points to its parent. A file system repair program can read each directory and make sure that these entries exist and point to the correct directories. If they do not, an error message can be printed and the problem corrected. Both chkdsk and fsck work in this fashion.
This strategy suffers from two major problems. First, if the file system is sufficiently damaged, the consistency check can fail completely. In this case, the repair program may crash trying to deal with the mangled input, or it may not recognize the drive as having a valid file system at all. The second issue that arises is the disregard for data files. If chkdsk finds a data file to be out of place or unexplainable, it may delete the file without asking. This is done so that the operating system may run smoother, but the files deleted are often important user files which cannot be replaced. Similar issues arise when using system restore disks (often provided with proprietary systems like Dell and Compaq), which restore the operating system by removing the previous installation. This problem can often be avoided by installing the operating system on a separate partition from your user data.
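The two checks mentioned above, the dot and dot-dot directory entries and FAT cross-linked allocation units, as an added Python example (not code from chkdsk, fsck or the original article). The directory table and the FAT16-style cluster table are simplified, constructed models, and all names are hypothetical.

```python
EOC = 0xFFFF  # end-of-chain marker in this simplified FAT16-style table
FREE = 0      # value of an unallocated cluster


def check_dot_entries(dirs, root):
    """dirs maps a directory id to {entry name: id of the entry's target}.

    Returns (directory id, problem) pairs for '.' and '..' entries.
    """
    parent = {root: root}  # the root directory is its own parent
    for d, entries in dirs.items():
        for name, target in entries.items():
            if name not in (".", "..") and target in dirs:
                parent[target] = d
    problems = []
    for d, entries in sorted(dirs.items()):
        if entries.get(".") != d:
            problems.append((d, "bad or missing '.'"))
        if d not in parent:
            problems.append((d, "not referenced by any directory"))
        elif entries.get("..") != parent[d]:
            problems.append((d, "bad or missing '..'"))
    return problems


def find_cross_links(fat, files):
    """fat[c] is the cluster that follows c; files maps name -> first cluster.

    Returns ({cluster: [files claiming it]}, [files whose chain is broken]).
    """
    owners, broken = {}, []
    for name, start in sorted(files.items()):
        seen, c = set(), start
        while c != EOC:
            if c in seen or not 2 <= c < len(fat) or fat[c] == FREE:
                broken.append(name)  # loop, out of range, or runs into free space
                break
            seen.add(c)
            owners.setdefault(c, []).append(name)
            c = fat[c]
    cross = {c: names for c, names in owners.items() if len(names) > 1}
    return cross, broken


# Constructed sample data (ids that are not keys of SAMPLE_DIRS are plain files).
SAMPLE_DIRS = {
    1: {".": 1, "..": 1, "home": 2, "tmp": 3},
    2: {".": 2, "..": 1, "alice": 4, "notes.txt": 90},
    3: {".": 3, "..": 2},   # '..' points at the wrong parent
    4: {"..": 2},           # '.' is missing
}
# A.TXT: 2 -> 3 -> 4; B.TXT: 5 -> 6 -> 4 (cross-linked); C.TXT: 7 -> 8 -> 7 (loop)
SAMPLE_FAT = [0, 0, 3, 4, EOC, 6, 4, 8, 7, 0, 0, 0]
SAMPLE_FILES = {"A.TXT": 2, "B.TXT": 5, "C.TXT": 7}

if __name__ == "__main__":
    print(check_dot_entries(SAMPLE_DIRS, root=1))
    print(find_cross_links(SAMPLE_FAT, SAMPLE_FILES))
```

The checker only reports: deciding which of two cross-linked files keeps the shared cluster is the step where a repair tool loses data for one of them.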
Zero-knowledge analysis
The second technique for file system repair is to assume very little about the state of the file system to be analyzed and, using any hints that undamaged file system structures might provide, rebuild the file system from scratch. This strategy involves scanning the entire drive and making note of all file system structures and possible file boundaries, then trying to match what was located to the specifications of a working file system. Some third-party programs use this technique, which is notably slower than consistency checking. It can, however, recover data even when the logical structures are almost completely destroyed. This technique generally does not repair the underlying file system, but merely allows for data to be extracted from it to another storage device.
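One form of this scan is signature carving, shown here as an added Python example that is not part of the original article and not any named tool's code: it ignores all file system structures and looks only for JPEG and PNG start and end markers in the raw bytes. The sample image is constructed and the function names are hypothetical.

```python
import os

# (header, footer) byte signatures; both formats have fixed start and end markers.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}


def carve(image, max_size=1 << 20):
    """Scan raw bytes for known headers and cut out header..footer spans.

    Returns (found, unterminated): found is a sorted list of
    (offset, kind, data); unterminated lists (offset, kind) for headers with
    no footer within max_size bytes (overwritten or fragmented file).
    """
    found, unterminated = [], []
    for kind, (head, foot) in SIGNATURES.items():
        pos = image.find(head)
        while pos != -1:
            # The first footer after the header is taken as the end; a real
            # carver parses the format, since a JPEG thumbnail has its own footer.
            end = image.find(foot, pos + len(head), pos + max_size)
            if end == -1:
                unterminated.append((pos, kind))
                pos = image.find(head, pos + 1)
            else:
                stop = end + len(foot)
                found.append((pos, kind, image[pos:stop]))
                pos = image.find(head, stop)
    return sorted(found), sorted(unterminated)


def save(found, outdir):
    """Write each carved span to outdir, which should be on another device."""
    paths = []
    for offset, kind, data in found:
        path = os.path.join(outdir, f"{offset:08d}.{kind}")
        with open(path, "wb") as fh:
            fh.write(data)
        paths.append(path)
    return paths


def build_sample():
    """Constructed 'disk image': filler, two whole files, one cut-off header."""
    jpg = b"\xff\xd8\xff\xe0" + b"JFIF-constructed-payload" + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"constructed-chunks" + b"IEND\xaeB`\x82"
    image = (b"\x00" * 100 + jpg + b"\xaa" * 50 + png + b"\x00" * 30
             + b"\xff\xd8\xff\xe0" + b"\x11" * 40)
    return image, jpg, png


if __name__ == "__main__":
    image, _, _ = build_sample()
    found, unterminated = carve(image)
    print([(off, kind, len(data)) for off, kind, data in found], unterminated)
```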
Recovering overwritten data
Further information: Data remanence
When data has been physically overwritten on a hard disk, it is generally assumed that the previous data can no longer be recovered. In 1996, Peter Gutmann, a respected computer scientist, presented a paper that suggested overwritten data could be recovered through the use of scanning transmission electron microscopy.[3] In 2001, he presented another paper on a similar topic.[4] Substantial criticism has followed, primarily dealing with the lack of any concrete examples of significant amounts of overwritten data being recovered.[5][6] To guard against this type of data recovery, he and Colin Plumb designed the Gutmann method, which is used by several disk scrubbing software packages.
Although Gutmann's theory may not be wrong, there's no practical evidence that overwritten data can be recovered. Moreover, there are good reasons to think that it cannot.[7][8]
Tools
Boot media
It is often the case that data recovery and forensics operations cannot be done on a running system. As a result, it is common to use a specialized boot disk, Live CD, Live USB, or any other type of LiveDistro containing a minimal operating system and a set of repair tools. When floppy drives were still common, the boot disk was typically a very minimal LiveDistro on a floppy disk (such as the Mac OS Classic Disk Tools disk, standard with every system release). However, as operating system complexity has increased, it has become more common for developers to include recovery tools on the same media as the OS installer. There are also many purpose-built LiveDistros that include advanced data recovery and forensics tools.
- Knoppix: The original Linux LiveCD. It contains many useful utilities for data recovery.
- Ubuntu Rescue Remix: A GNU/Linux live system that runs from a CD or USB pen drive and includes free-libre, open source data recovery and forensics tools. [9]
Specialized software
Consistency checkers
- CHKDSK: A consistency checker for DOS and Windows systems.
- Disk First Aid: A consistency checker for Mac OS 9.
- Disk Utility: A consistency checker for Mac OS X.
- fsck: A consistency checker for UNIX filesystems.
File recovery tools
- PhotoRec: A file recovery tool designed to extract image files (photos) and other document files from failed storage devices including hard disks and digital cameras.
Forensic toolkits
- The Coroner's Toolkit: A suite of utilities aimed at assisting in forensic analysis of a UNIX system after a break-in.
- The Sleuth Kit: A suite of forensic analysis tools for UNIX, Linux and Windows systems. Includes the Autopsy forensic browser.
Imaging tools
- ddrescue: The GNU tool for imaging failing hard drives.
- SpinRite: A well-known imager written in x86 assembly language.
Partition recovery tools
- Parted: A program for creating, destroying, resizing, checking, and copying partitions.
- TestDisk: A utility designed to recover lost or damaged partitions on a wide variety of systems.
References
[1] Cyrus Robinson, IXImager Bad Sector Drive Imaging Study. Defense Cyber Crime Institute Cyber Files. Reports and studies are available only to US governmental agencies and law enforcement organizations.
[2] 'Disk Imaging: A Vital Step in Data Recovery'. This white paper describes disk-level issues that must be handled during hard disk data recovery imaging.
[3] Secure Deletion of Data from Magnetic and Solid-State Memory, Peter Gutmann, Department of Computer Science, University of Auckland
[4] Data Remanence in Semiconductor Devices, Peter Gutmann, IBM T.J. Watson Research Center
[5] Can Intelligence Agencies Read Overwritten Data?
[6] Data Removal and Erasure from Hard Disk Drives
[7] Erasing hard disk drive data: How many passes are needed?
[8] Feenberg, Daniel (14 May 2004). Can Intelligence Agencies Read Overwritten Data? A response to Gutmann. National Bureau of Economic Research. Retrieved on 2008-05-21.
[9] Ubuntu-rescue-remix
Further reading
- Tanenbaum, A. & Woodhull, A. S. (1997). Operating Systems: Design And Implementation, 2nd ed. New York: Prentice Hall.