Misplaced Pages

Data recovery: Difference between revisions

Article snapshot taken from Wikipedia with creative commons attribution-sharealike license. Give it a read and then ask your questions in the chat. We can research this topic together.
Browse history interactively← Previous editContent deleted Content addedVisualWikitext
Revision as of 12:05, 27 February 2024 editDeeptiblr (talk | contribs)5 editsm BootableTags: Reverted Visual edit← Previous edit Latest revision as of 22:19, 25 December 2024 edit undoGuy Harris (talk | contribs)Extended confirmed users76,466 edits Corrupt partitions and file systems, media errors: Fix title to be the title of the archived version of the page, and mark it as usurped. 
(27 intermediate revisions by 22 users not shown)
Line 1: Line 1:
{{Short description|Process of salvaging inaccessible data from corrupted or damaged secondary storage}} {{Short description|Process of salvaging inaccessible data from corrupted or damaged secondary storage}}
{{Use dmy dates|date=June 2016}} {{Use dmy dates|date=November 2024}}
{{Multiple issues| {{Multiple issues|
{{More citations needed|date=February 2012}} {{More citations needed|date=February 2012}}
Line 6: Line 6:
}} }}


In ], '''data recovery''' is a process of retrieving deleted, inaccessible, lost, corrupted, damaged, or formatted data from ], ] or ], when the data stored in them cannot be accessed in a usual way. <ref>{{Cite web |title=Data Recovery Explained |url=https://www.ibm.com/cloud/learn/data-recovery |access-date=2022-08-28 |website=www.ibm.com |language=en-us |archive-date=28 August 2022 |archive-url=https://web.archive.org/web/20220828110036/https://www.ibm.com/cloud/learn/data-recovery |url-status=live }}</ref> The data is most often salvaged from storage media such as internal or external ]s (HDDs), ]s (SSDs), ]s, ], ]s, ]s, ] subsystems, and other ]. Recovery may be required due to physical damage to the storage devices or logical damage to the ] that prevents it from being ] by the host ] (OS).<ref>{{Cite web |title=Data Recovery Explained |url=https://www.ibm.com/cloud/learn/data-recovery |access-date=2022-12-01 |website=www.ibm.com |language=en-us |archive-date=28 August 2022 |archive-url=https://web.archive.org/web/20220828110036/https://www.ibm.com/cloud/learn/data-recovery |url-status=live }}</ref> In ], '''data recovery''' is a process of retrieving deleted, inaccessible, lost, corrupted, damaged, or formatted data from ], ] or ], when the data stored in them cannot be accessed in a usual way.<ref name=":0">{{Cite web |title=Data Recovery Explained |url=https://www.ibm.com/cloud/learn/data-recovery |access-date=28 August 2022 |website=www.ibm.com |date=6 October 2021 |language=en-us |archive-date=28 August 2022 |archive-url=https://web.archive.org/web/20220828110036/https://www.ibm.com/cloud/learn/data-recovery |url-status=live }}</ref> The data is most often salvaged from storage media such as internal or external ]s (HDDs), ]s (SSDs), ]s, ], ]s, ]s, ] subsystems, and other ]. Recovery may be required due to physical damage to the storage devices or logical damage to the ] that prevents it from being ] by the host ] (OS).<ref name=":0" />


Logical failures occur when the hard drive devices are functional but the user or automated-OS cannot retrieve or access data stored on them. Logical failures can occur due to corruption of the engineering chip, lost partitions, firmware failure, or failures during formatting/re-installation.<ref>{{Cite web |title=What is logical failure? |url=https://www.disklabs.com/faqs/what-is-logical-failure/ |access-date=2022-12-01 |website=Disklabs Digital Forensics and Data Recovery |language=en-gb |archive-date=1 December 2022 |archive-url=https://web.archive.org/web/20221201055714/https://www.disklabs.com/faqs/what-is-logical-failure/ |url-status=live }}</ref><ref>{{Cite web |title=What Happens When Drives Experience Logical Failure? |url=https://www.streetdirectory.com/etoday/-eaecfj.html |access-date=2022-12-01 |website=www.streetdirectory.com |archive-date=1 December 2022 |archive-url=https://web.archive.org/web/20221201055708/https://www.streetdirectory.com/etoday/-eaecfj.html |url-status=live }}</ref> Logical failures occur when the hard drive devices are functional but the user or automated-OS cannot retrieve or access data stored on them. Logical failures can occur due to corruption of the engineering chip, lost partitions, firmware failure, or failures during formatting/re-installation.<ref>{{Cite web |title=What is logical failure? |url=https://www.disklabs.com/faqs/what-is-logical-failure/ |access-date=1 December 2022 |website=Disklabs Digital Forensics and Data Recovery |language=en-gb |archive-date=1 December 2022 |archive-url=https://web.archive.org/web/20221201055714/https://www.disklabs.com/faqs/what-is-logical-failure/ |url-status=live }}</ref><ref>{{Cite web |title=What Happens When Drives Experience Logical Failure? |url=https://www.streetdirectory.com/etoday/-eaecfj.html |access-date=1 December 2022 |website=www.streetdirectory.com |archive-date=1 December 2022 |archive-url=https://web.archive.org/web/20221201055708/https://www.streetdirectory.com/etoday/-eaecfj.html |url-status=live }}</ref>


Data recovery can be a very simple or technical challenge. This is why there are specific software companies specialized in this field.<ref>{{Cite web |title=Data Recovery – Backup Technology |url=https://www.dell.com/en-us/dt/learn/data-protection/data-recovery.htm |access-date=2022-12-01 |website=www.dell.com |language=en |archive-date=1 December 2022 |archive-url=https://web.archive.org/web/20221201055708/https://www.dell.com/en-us/dt/learn/data-protection/data-recovery.htm |url-status=live }}</ref> Data recovery can be a very simple or technical challenge. This is why there are specific software companies specialized in this field.<ref>{{Cite web |title=Data Recovery – Backup Technology |url=https://www.dell.com/en-us/dt/learn/data-protection/data-recovery.htm |access-date=1 December 2022 |website=www.dell.com |language=en |archive-date=1 December 2022 |archive-url=https://web.archive.org/web/20221201055708/https://www.dell.com/en-us/dt/learn/data-protection/data-recovery.htm |url-status=live }}</ref>


== About == == About ==
The most common data recovery scenarios involve an operating system failure, malfunction of a storage device, logical failure of storage devices, accidental damage or deletion, etc. (typically, on a single-drive, single-], single-OS system), in which case the ultimate goal is simply to copy all important files from the damaged media to another new drive. This can be accomplished using a ], or DVD by booting directly from a ] or a USB drive instead of the corrupted drive in question. Many Live CDs or DVDs provide a means to mount the system drive and backup drives or removable media, and to move the files from the system drive to the backup media with a ] or ]. Such cases can often be mitigated by ]ing and consistently storing valuable data files (or copies of them) on a different partition from the replaceable OS system files. The most common data recovery scenarios involve an operating system failure, malfunction of a storage device, logical failure of storage devices, accidental damage or deletion, etc. (typically, on a single-drive, single-], single-OS system), in which case the ultimate goal is simply to copy all important files from the damaged media to another new drive. This can be accomplished using a ], or DVD by booting directly from a ] or a USB drive instead of the corrupted drive in question. Many Live CDs or DVDs provide a means to mount the system drive and backup drives or removable media, and to move the files from the system drive to the backup media with a ] or ] software. Such cases can often be mitigated by ] and consistently storing valuable data files (or copies of them) on a different partition from the replaceable OS system files.


Another scenario involves a drive-level failure, such as a compromised ] or drive partition, or a ]. In any of these cases, the data is not easily read from the media devices. Depending on the situation, solutions involve repairing the logical file system, partition table, or ], or updating the ] or drive recovery techniques ranging from software-based recovery of corrupted data, to hardware- and software-based recovery of damaged service areas (also known as the hard disk drive's "firmware"), to hardware replacement on a physically damaged drive which allows for the extraction of data to a new drive. If a drive recovery is necessary, the drive itself has typically failed permanently, and the focus is rather on a one-time recovery, salvaging whatever data can be read. Another scenario involves a drive-level failure, such as a compromised ] or drive partition, or a ]. In any of these cases, the data is not easily read from the media devices. Depending on the situation, solutions involve repairing the logical file system, partition table, or ], or updating the ] or drive recovery techniques ranging from software-based recovery of corrupted data, to hardware- and software-based recovery of damaged service areas (also known as the hard disk drive's "firmware"), to hardware replacement on a physically damaged drive which allows for the extraction of data to a new drive. If a drive recovery is necessary, the drive itself has typically failed permanently, and the focus is rather on a one-time recovery, salvaging whatever data can be read.
Line 29: Line 29:
Of course, there are exceptions to this, such as cases where severe damage to the hard drive ] may have occurred. However, if the hard drive can be repaired and a full image or clone created, then the logical file structure can be rebuilt in most instances. Of course, there are exceptions to this, such as cases where severe damage to the hard drive ] may have occurred. However, if the hard drive can be repaired and a full image or clone created, then the logical file structure can be rebuilt in most instances.


Most physical damage cannot be repaired by end users. For example, opening a hard disk drive in a normal environment can allow airborne dust to settle on the platter and become caught between the platter and the ]. During normal operation, read/write heads float 3 to 6 ] above the platter surface, and the average dust particles found in a normal environment are typically around 30,000 nanometers in diameter.<ref>{{cite web |title=Data Recovery On A 3TB Seagate Hard Drive |url=https://acsdata.com/data-recovery-3tb-seagate-hard-drive/#Hard_Drive_Flying_Height |archive-url=https://web.archive.org/web/20170213184416/https://acsdata.com/data-recovery-3tb-seagate-hard-drive/ |archive-date=13 February 2017 |website=acsdata.com}}</ref> When these dust particles get caught between the read/write heads and the platter, they can cause new head crashes that further damage the platter and thus compromise the recovery process. Furthermore, end users generally do not have the hardware or technical expertise required to make these repairs. Consequently, data recovery companies are often employed to salvage important data with the more reputable ones using ] dust- and static-free ]s.<ref>{{cite web|url=https://www.ontrack.com/uk/blog/concepts-explained/diy-data-recovery-could-mean-bye-bye/|title=DIY data recovery could mean "bye-bye"|last=Vasconcelos|first=Pedro|work=The Ontrack Data Recovery Blog|publisher=Ontrack Data Recovery|access-date=26 July 2019|df=dmy-all|archive-date=26 July 2019|archive-url=https://web.archive.org/web/20190726104548/https://www.ontrack.com/uk/blog/concepts-explained/diy-data-recovery-could-mean-bye-bye/|url-status=live}}</ref> Most physical damage cannot be repaired by end users. For example, opening a hard disk drive in a normal environment can allow airborne dust to settle on the platter and become caught between the platter and the ]. During normal operation, read/write heads float 3 to 6{{nbsp}}] above the platter surface, and the average dust particles found in a normal environment are typically around 30,000{{nbsp}}nanometers in diameter.<ref>{{cite web |title=Data Recovery On A 3TB Seagate Hard Drive |url=https://acsdata.com/data-recovery-3tb-seagate-hard-drive/#Hard_Drive_Flying_Height |archive-url=https://web.archive.org/web/20170213184416/https://acsdata.com/data-recovery-3tb-seagate-hard-drive/ |archive-date=13 February 2017 |website=acsdata.com}}</ref> When these dust particles get caught between the read/write heads and the platter, they can cause new head crashes that further damage the platter and thus compromise the recovery process. Furthermore, end users generally do not have the hardware or technical expertise required to make these repairs. Consequently, data recovery companies are often employed to salvage important data with the more reputable ones using ] dust- and static-free ]s.<ref>{{cite web|url=https://www.ontrack.com/uk/blog/concepts-explained/diy-data-recovery-could-mean-bye-bye/|title=DIY data recovery could mean "bye-bye"|last=Vasconcelos|first=Pedro|work=The Ontrack Data Recovery Blog|publisher=Ontrack Data Recovery|access-date=26 July 2019|archive-date=26 July 2019|archive-url=https://web.archive.org/web/20190726104548/https://www.ontrack.com/uk/blog/concepts-explained/diy-data-recovery-could-mean-bye-bye/|url-status=live}}</ref>


===Recovery techniques=== ===Recovery techniques===
Line 37: Line 37:
] ]


A common misconception is that a damaged ] (PCB) may be simply replaced during recovery procedures by an identical PCB from a healthy drive. While this may work in rare circumstances on hard disk drives manufactured before 2003, it will not work on newer drives. Electronics boards of modern drives usually contain drive-specific ] (generally a map of bad sectors and tuning parameters) and other information required to properly access data on the drive. Replacement boards often need this information to effectively recover all of the data. The replacement board may need to be reprogrammed. Some manufacturers (Seagate, for example) store this information on a serial ] chip, which can be removed and transferred to the replacement board.<ref>{{cite web A common misconception is that a damaged ] (PCB) may be simply replaced during recovery procedures by an identical PCB from a healthy drive. While this may work in rare circumstances on hard disk drives manufactured before 2003, it will not work on newer drives. Electronics boards of modern drives usually contain drive-specific ] (generally a map of bad sectors and tuning parameters) and other information required to properly access data on the drive. Replacement boards often need this information to effectively recover all of the data. The replacement board may need to be reprogrammed. Some manufacturers (Seagate, for example) store this information on a serial ] chip, which can be removed and transferred to the replacement board.<ref>{{cite web
|url = http://www.donordrives.com/pcb-replacement-guide |url = http://www.donordrives.com/pcb-replacement-guide
|title = Hard Drive Circuit Board Replacement Guide or How To Swap HDD PCB |title = Hard Drive Circuit Board Replacement Guide or How To Swap HDD PCB
|access-date = 27 May 2015 |access-date = 27 May 2015
|website = donordrives.com |website = donordrives.com
|url-status = dead |url-status = dead
|archive-url = https://web.archive.org/web/20150527061149/http://www.donordrives.com/pcb-replacement-guide |archive-url = https://web.archive.org/web/20150527061149/http://www.donordrives.com/pcb-replacement-guide
|archive-date = 27 May 2015 |archive-date = 27 May 2015
|df = dmy-all |df = dmy-all
}}</ref><ref>{{cite web }}</ref><ref>{{cite web
| url = http://www.pcb4you.com/pages/firmware-adaptation-service-rom-swap | url = http://www.pcb4you.com/pages/firmware-adaptation-service-rom-swap
Line 51: Line 51:
| title = Firmware Adaptation Service - ROM Swap | title = Firmware Adaptation Service - ROM Swap
| access-date = 27 May 2015 | archive-date = 29 March 2013 | access-date = 27 May 2015 | archive-date = 29 March 2013
| website = pcb4you.com | website = pcb4you.com
}}</ref> }}</ref>


Line 58: Line 58:
|title = Hiding Data in Hard Drive's Service Areas |title = Hiding Data in Hard Drive's Service Areas
|date = 14 February 2013 |date = 14 February 2013
|access-date = 23 January 2015 |access-date = 23 January 2015
|author = Ariel Berkman |author = Ariel Berkman
|website = recover.co.il |website = recover.co.il
|url-status = dead |url-status = dead
|archive-url = https://web.archive.org/web/20150226053423/http://www.recover.co.il/SA-cover/SA-cover.pdf |archive-url = https://web.archive.org/web/20150226053423/http://www.recover.co.il/SA-cover/SA-cover.pdf
|archive-date = 26 February 2015 |archive-date = 26 February 2015
|df = dmy-all |df = dmy-all
}}</ref> One function of the system area is to log defective sectors within the drive; essentially telling the drive where it can and cannot write data. }}</ref> One function of the system area is to log defective sectors within the drive; essentially telling the drive where it can and cannot write data.


Line 75: Line 75:


===Corrupt partitions and file systems, media errors=== ===Corrupt partitions and file systems, media errors===
In some cases, data on a hard disk drive can be unreadable due to damage to the ] or ], or to (intermittent) media errors. In the majority of these cases, at least a portion of the original data can be recovered by repairing the damaged partition table or file system using specialized data recovery software such as ]; software like ] can image media despite intermittent errors, and image raw data when there is partition table or file system damage. This type of data recovery can be performed by people without expertise in drive hardware as it requires no special physical equipment or access to platters. In some cases, data on a hard disk drive can be unreadable due to damage to the ] or ], or to (intermittent) media errors. In the majority of these cases, at least a portion of the original data can be recovered by repairing the damaged partition table or file system using specialized data recovery software such as ]; software like ] can image media despite intermittent errors, and image raw data when there is partition table or file system damage. This type of data recovery can be performed by people without expertise in drive hardware as it requires no special physical equipment or access to platters.


Sometimes data can be recovered using relatively simple methods and tools;<ref> {{webarchive|url=https://web.archive.org/web/20161017073654/http://www.recover-computerdata.com/ |date=17 October 2016 }}</ref> more serious cases can require expert intervention, particularly if parts of files are irrecoverable. ] is the recovery of parts of damaged files using knowledge of their structure. Sometimes data can be recovered using relatively simple methods and tools;<ref>{{Cite web|url=http://www.recover-computerdata.com/|archive-url=https://web.archive.org/web/20161017073654/http://www.recover-computerdata.com/|url-status=usurped|title=Data Recovery Software & Tools to Recover Computer Data|archive-date=17 October 2016|website=www.recover-computerdata.com}}</ref> more serious cases can require expert intervention, particularly if parts of files are irrecoverable. ] is the recovery of parts of damaged files using knowledge of their structure.


===Overwritten data=== ===Overwritten data===
Line 84: Line 84:
After data has been physically overwritten on a hard disk drive, it is generally assumed that the previous data are no longer possible to recover. In 1996, ], a computer scientist, presented a paper that suggested overwritten data could be recovered through the use of ].<ref> {{webarchive|url=https://web.archive.org/web/20071209152858/http://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html |date=9 December 2007 }}, Peter Gutmann, Department of Computer Science, University of Auckland</ref> In 2001, he presented another paper on a similar topic.<ref> {{webarchive|url=https://web.archive.org/web/20070221201213/http://www.cypherpunks.to/~peter/usenix01.pdf |date=21 February 2007 }}, Peter Gutmann, IBM T.J. Watson Research Center</ref> To guard against this type of data recovery, Gutmann and Colin Plumb designed a method of irreversibly scrubbing data, known as the ] and used by several disk-scrubbing software packages. After data has been physically overwritten on a hard disk drive, it is generally assumed that the previous data are no longer possible to recover. In 1996, ], a computer scientist, presented a paper that suggested overwritten data could be recovered through the use of ].<ref> {{webarchive|url=https://web.archive.org/web/20071209152858/http://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html |date=9 December 2007 }}, Peter Gutmann, Department of Computer Science, University of Auckland</ref> In 2001, he presented another paper on a similar topic.<ref> {{webarchive|url=https://web.archive.org/web/20070221201213/http://www.cypherpunks.to/~peter/usenix01.pdf |date=21 February 2007 }}, Peter Gutmann, IBM T.J. Watson Research Center</ref> To guard against this type of data recovery, Gutmann and Colin Plumb designed a method of irreversibly scrubbing data, known as the ] and used by several disk-scrubbing software packages.


Substantial criticism has followed, primarily dealing with the lack of any concrete examples of significant amounts of overwritten data being recovered.<ref>{{cite web | last = Feenberg | first = Daniel | title = Can Intelligence Agencies Read Overwritten Data? A response to Gutmann. | publisher = National Bureau of Economic Research | date = 14 May 2004 | url = http://www.nber.org/sys-admin/overwritten-data-guttman.html | access-date = 21 May 2008 | url-status = live | archive-url = https://web.archive.org/web/20080509083548/http://www.nber.org/sys-admin/overwritten-data-guttman.html | archive-date = 9 May 2008 | df = dmy-all }}</ref> Although Gutmann's theory may be correct, there is no practical evidence that overwritten data can be recovered, while research has shown to support that overwritten data cannot be recovered.{{specify|date=June 2013}}<ref>{{cite web |url=https://www.anti-forensics.com/disk-wiping-one-pass-is-enough/ |title=Disk Wiping – One Pass is Enough |date=17 March 2009 |website=anti-forensics.com |url-status=dead |archive-url=https://web.archive.org/web/20120902011743/http://www.anti-forensics.com/disk-wiping-one-pass-is-enough |archive-date=2 September 2012 |df=dmy }}</ref><ref>{{cite web|url=https://www.anti-forensics.com/disk-wiping-one-pass-is-enough-part-2-this-time-with-screenshots/ |title=Disk Wiping – One Pass is Enough – Part 2 (this time with screenshots) |date=18 March 2009 |website=anti-forensics.com |url-status=dead |archive-url=https://web.archive.org/web/20121127130830/https://www.anti-forensics.com/disk-wiping-one-pass-is-enough-part-2-this-time-with-screenshots/ |archive-date=27 November 2012 |df=dmy }}</ref><ref>{{cite web Substantial criticism has followed, primarily dealing with the lack of any concrete examples of significant amounts of overwritten data being recovered.<ref>{{cite web | last = Feenberg | first = Daniel | title = Can Intelligence Agencies Read Overwritten Data? A response to Gutmann. | publisher = National Bureau of Economic Research | date = 14 May 2004 | url = http://www.nber.org/sys-admin/overwritten-data-guttman.html | access-date = 21 May 2008 | url-status = live | archive-url = https://web.archive.org/web/20080509083548/http://www.nber.org/sys-admin/overwritten-data-guttman.html | archive-date = 9 May 2008 | df = dmy-all }}</ref> Gutmann's article contains a number of errors and inaccuracies, particularly regarding information about how data is encoded and processed on hard drives.<ref>{{Cite web|url=https://kaleron.edu.pl/throwing-Gutmanns-algorithm-into-the-trash|title=Throwing Gutmann's algorithm into the trash - about effectiveness of data overwriting.}}</ref> Although Gutmann's theory may be correct, there is no practical evidence that overwritten data can be recovered, while research has shown to support that overwritten data cannot be recovered.{{specify|date=June 2013}}<ref>{{cite web |url=https://www.anti-forensics.com/disk-wiping-one-pass-is-enough/ |title=Disk Wiping – One Pass is Enough |date=17 March 2009 |website=anti-forensics.com |url-status=dead |archive-url=https://web.archive.org/web/20120902011743/http://www.anti-forensics.com/disk-wiping-one-pass-is-enough |archive-date=2 September 2012 }}</ref><ref>{{cite web|url=https://www.anti-forensics.com/disk-wiping-one-pass-is-enough-part-2-this-time-with-screenshots/ |title=Disk Wiping – One Pass is Enough – Part 2 (this time with screenshots) |date=18 March 2009 |website=anti-forensics.com |url-status=dead |archive-url=https://web.archive.org/web/20121127130830/https://www.anti-forensics.com/disk-wiping-one-pass-is-enough-part-2-this-time-with-screenshots/ |archive-date=27 November 2012 }}</ref><ref>{{cite web
|url = http://blogs.sans.org/computer-forensics/2009/01/15/overwriting-hard-drive-data/ |url = http://blogs.sans.org/computer-forensics/2009/01/15/overwriting-hard-drive-data/
|title = Overwriting Hard Drive Data |title = Overwriting Hard Drive Data
|date = 15 January 2009 |date = 15 January 2009
|first = Dr. Craig |first = Dr. Craig
|last = Wright |last = Wright
|url-status = live |url-status = live
|archive-url = https://web.archive.org/web/20100523070012/http://blogs.sans.org/computer-forensics/2009/01/15/overwriting-hard-drive-data/ |archive-url = https://web.archive.org/web/20100523070012/http://blogs.sans.org/computer-forensics/2009/01/15/overwriting-hard-drive-data/
|archive-date = 23 May 2010 |archive-date = 23 May 2010
|df = dmy-all |df = dmy-all
}}</ref> }}</ref>


]s (SSD) overwrite data differently from hard disk drives (HDD) which makes at least some of their data easier to recover. Most SSDs use ] to store data in pages and blocks, referenced by ] (LBA) which are managed by the ] (FTL). When the FTL modifies a sector it writes the new data to another location and updates the map so the new data appear at the target LBA. This leaves the pre-modification data in place, with possibly many generations, and recoverable by data recovery software. ]s (SSD) overwrite data differently from hard disk drives (HDD) which makes at least some of their data easier to recover. Most SSDs use ] to store data in pages and blocks, referenced by ] (LBA) which are managed by the ] (FTL). When the FTL modifies a sector it writes the new data to another location and updates the map so the new data appear at the target LBA. This leaves the pre-modification data in place, with possibly many generations, and recoverable by data recovery software.


=== Lost, deleted, and formatted data === === Lost, deleted, and formatted data ===
Line 118: Line 118:
|title = Four Phases Of Data Recovery |title = Four Phases Of Data Recovery
|date = 28 December 2012 |date = 28 December 2012
|access-date = 23 March 2015 |access-date = 23 March 2015
|author = Stanley Morgan |author = Stanley Morgan
|website = dolphindatalab.com |website = dolphindatalab.com
|url-status = live |url-status = live
Line 125: Line 125:
|archive-url = https://web.archive.org/web/20150402112539/http://www.dolphindatalab.com/the-four-phases-of-data-recovery/ |archive-url = https://web.archive.org/web/20150402112539/http://www.dolphindatalab.com/the-four-phases-of-data-recovery/
|archive-date = 2 April 2015 |archive-date = 2 April 2015
|df = dmy-all |df = dmy-all
}}</ref> }}</ref>


Line 149: Line 149:
*]: a lightweight variant of ] or ] ], similar to a Windows Preinstallation Environment, which can be run from a live CD or live USB drive. Discontinued. *]: a lightweight variant of ] or ] ], similar to a Windows Preinstallation Environment, which can be run from a live CD or live USB drive. Discontinued.
*]: a ]-based Live CD with a focus on being small and fast, useful for computer and data rescue *]: a ]-based Live CD with a focus on being small and fast, useful for computer and data rescue
*]: capable of creating bootable ] USB drives for data recovery *]: capable of creating bootable ] USB drives for data recovery
*]: contains utilities for data recovery under Linux *]: contains utilities for data recovery under Linux
*]: a ]-based data recovery tool for hard disks and magnetic storage devices *]: an ]-based live CD, useful for repairing unbootable computer systems and retrieving data after a system crash
*]: an ] based live CD, useful for repairing unbootable computer systems and retrieving data after a system crash
*] (WinPE): A customizable Windows Boot DVD (made by Microsoft and distributed for free). Can be modified to boot to any of the programs listed. *] (WinPE): A customizable Windows Boot DVD (made by Microsoft and distributed for free). Can be modified to boot to any of the programs listed.
*BLR : To recover data from failed or unbootable PCs, Data Recovery Professional provides a tool for creating bootable USB recovery media.


===Consistency checkers=== ===Consistency checkers===
*]: a consistency checker for ] and Windows systems *]: a consistency checker for ] and Windows systems
*]: a consistency checker for ] *]: a consistency checker for the ]
*]: a consistency checker for ] *]: a consistency checker for ]
*]: a consistency checker for UNIX *]: a consistency checker for UNIX
*]: a GUI for ], the GNU partition editor, capable of calling fsck *]: a GUI for ], the GNU partition editor, capable of calling fsck


=== File recovery === === File recovery ===


*]: recovers data from ] *]: recovers data from ]
*]: data recovery application for Mac OS X and Windows *]: data recovery application for Mac OS X and Windows
*]: multi-platform data recovery and disk editing tool *]: multi-platform data recovery and disk editing tool
*]: generates error-correction data for optical discs *]: generates error-correction data for optical discs
Line 181: Line 179:
*]: data recovery utility for Windows and macOS *]: data recovery utility for Windows and macOS
*]: free, open source, multi-platform. recover files and lost ] *]: free, open source, multi-platform. recover files and lost ]
*]: a suite of utilities that has a file recovery component for Windows XP and later *]: a suite of utilities that has a file recovery component for Windows XP and later
*]: a command-line utility from Microsoft to recover deleted files for Windows 10 version 2004 and later *]: a command-line utility from Microsoft to recover deleted files for Windows 10 version 2004 and later


===Forensics=== ===Forensics===
{{See also|Computer forensics}} {{See also|Computer forensics}}
*]: an open-source ] file recovery program, originally developed by the ] and ] Center for Information Systems Security Studies and Research *]: an open-source ] file recovery program, originally developed by the ] and ] Center for Information Systems Security Studies and Research
*]: by AccessData, used by law enforcement *]: by AccessData, used by law enforcement
*]: An open-source program for Linux *]: An open-source program for Linux
Line 193: Line 191:


===Imaging tools=== ===Imaging tools===
{{Main|List of disk cloning software}} {{Main|Comparison of disk cloning software}}
{{See also|Disk image}} {{See also|Disk image}}
*]: a free disk cloning, disk imaging, data recovery, and deployment boot disk *]: a free disk cloning, disk imaging, data recovery, and deployment boot disk
Line 217: Line 215:
* ] * ]
* ] * ]
* ]
* ] * ]
{{div col end}} {{div col end}}
Line 226: Line 223:
==Further reading== ==Further reading==
* Tanenbaum, A. & Woodhull, A. S. (1997). ''Operating Systems: Design And Implementation,'' 2nd ed. New York: Prentice Hall. * Tanenbaum, A. & Woodhull, A. S. (1997). ''Operating Systems: Design And Implementation,'' 2nd ed. New York: Prentice Hall.
* {{curlie|Computers/Hardware/Storage/Data_Recovery/|Data recovery}}


{{Data}} {{Data}}

Latest revision as of 22:19, 25 December 2024

Process of salvaging inaccessible data from corrupted or damaged secondary storage

This article has multiple issues. Please help improve it or discuss these issues on the talk page. (Learn how and when to remove these messages)
This article needs additional citations for verification. Please help improve this article by adding citations to reliable sources. Unsourced material may be challenged and removed.
Find sources: "Data recovery" – news · newspapers · books · scholar · JSTOR (February 2012) (Learn how and when to remove this message)
This article is written like a manual or guide. Please help rewrite this article and remove advice or instruction. (April 2016)
(Learn how and when to remove this message)

In computing, data recovery is a process of retrieving deleted, inaccessible, lost, corrupted, damaged, or formatted data from secondary storage, removable media or files, when the data stored in them cannot be accessed in a usual way. The data is most often salvaged from storage media such as internal or external hard disk drives (HDDs), solid-state drives (SSDs), USB flash drives, magnetic tapes, CDs, DVDs, RAID subsystems, and other electronic devices. Recovery may be required due to physical damage to the storage devices or logical damage to the file system that prevents it from being mounted by the host operating system (OS).

Logical failures occur when the hard drive devices are functional but the user or automated-OS cannot retrieve or access data stored on them. Logical failures can occur due to corruption of the engineering chip, lost partitions, firmware failure, or failures during formatting/re-installation.

Data recovery can be a very simple or technical challenge. This is why there are specific software companies specialized in this field.

About

The most common data recovery scenarios involve an operating system failure, malfunction of a storage device, logical failure of storage devices, accidental damage or deletion, etc. (typically, on a single-drive, single-partition, single-OS system), in which case the ultimate goal is simply to copy all important files from the damaged media to another new drive. This can be accomplished using a Live CD, or DVD by booting directly from a ROM or a USB drive instead of the corrupted drive in question. Many Live CDs or DVDs provide a means to mount the system drive and backup drives or removable media, and to move the files from the system drive to the backup media with a file manager or optical disc authoring software. Such cases can often be mitigated by disk partitioning and consistently storing valuable data files (or copies of them) on a different partition from the replaceable OS system files.

Another scenario involves a drive-level failure, such as a compromised file system or drive partition, or a hard disk drive failure. In any of these cases, the data is not easily read from the media devices. Depending on the situation, solutions involve repairing the logical file system, partition table, or master boot record, or updating the firmware or drive recovery techniques ranging from software-based recovery of corrupted data, to hardware- and software-based recovery of damaged service areas (also known as the hard disk drive's "firmware"), to hardware replacement on a physically damaged drive which allows for the extraction of data to a new drive. If a drive recovery is necessary, the drive itself has typically failed permanently, and the focus is rather on a one-time recovery, salvaging whatever data can be read.

In a third scenario, files have been accidentally "deleted" from a storage medium by the users. Typically, the contents of deleted files are not removed immediately from the physical drive; instead, references to them in the directory structure are removed, and thereafter space the deleted data occupy is made available for later data overwriting. In the mind of end users, deleted files cannot be discoverable through a standard file manager, but the deleted data still technically exists on the physical drive. In the meantime, the original file contents remain, often several disconnected fragments, and may be recoverable if not overwritten by other data files.

The term "data recovery" is also used in the context of forensic applications or espionage, where data which have been encrypted, hidden, or deleted, rather than damaged, are recovered. Sometimes data present in the computer gets encrypted or hidden due to reasons like virus attacks which can only be recovered by some computer forensic experts.

Physical damage

A wide variety of failures can cause physical damage to storage media, which may result from human errors and natural disasters. CD-ROMs can have their metallic substrate or dye layer scratched off; hard disks can suffer from a multitude of mechanical failures, such as head crashes, PCB failure, and failed motors; tapes can simply break.

Physical damage to a hard drive, even in cases where a head crash has occurred, does not necessarily mean there will be a permanent loss of data. The techniques employed by many professional data recovery companies can typically salvage most, if not all, of the data that had been lost when the failure occurred.

Of course, there are exceptions to this, such as cases where severe damage to the hard drive platters may have occurred. However, if the hard drive can be repaired and a full image or clone created, then the logical file structure can be rebuilt in most instances.

Most physical damage cannot be repaired by end users. For example, opening a hard disk drive in a normal environment can allow airborne dust to settle on the platter and become caught between the platter and the read/write head. During normal operation, read/write heads float 3 to 6 nanometers above the platter surface, and the average dust particles found in a normal environment are typically around 30,000 nanometers in diameter. When these dust particles get caught between the read/write heads and the platter, they can cause new head crashes that further damage the platter and thus compromise the recovery process. Furthermore, end users generally do not have the hardware or technical expertise required to make these repairs. Consequently, data recovery companies are often employed to salvage important data with the more reputable ones using class 100 dust- and static-free cleanrooms.

Recovery techniques

Recovering data from physically damaged hardware can involve multiple techniques. Some damage can be repaired by replacing parts in the hard disk. This alone may make the disk usable, but there may still be logical damage. A specialized disk-imaging procedure is used to recover every readable bit from the surface. Once this image is acquired and saved on a reliable medium, the image can be safely analyzed for logical damage and will possibly allow much of the original file system to be reconstructed.

Hardware repair

Media that has suffered a catastrophic electronic failure requires data recovery in order to salvage its contents.

A common misconception is that a damaged printed circuit board (PCB) may be simply replaced during recovery procedures by an identical PCB from a healthy drive. While this may work in rare circumstances on hard disk drives manufactured before 2003, it will not work on newer drives. Electronics boards of modern drives usually contain drive-specific adaptation data (generally a map of bad sectors and tuning parameters) and other information required to properly access data on the drive. Replacement boards often need this information to effectively recover all of the data. The replacement board may need to be reprogrammed. Some manufacturers (Seagate, for example) store this information on a serial EEPROM chip, which can be removed and transferred to the replacement board.

Each hard disk drive has what is called a system area or service area; this portion of the drive, which is not directly accessible to the end user, usually contains drive's firmware and adaptive data that helps the drive operate within normal parameters. One function of the system area is to log defective sectors within the drive; essentially telling the drive where it can and cannot write data.

The sector lists are also stored on various chips attached to the PCB, and they are unique to each hard disk drive. If the data on the PCB do not match what is stored on the platter, then the drive will not calibrate properly. In most cases the drive heads will click because they are unable to find the data matching what is stored on the PCB.

Logical damage

Result of a failed data recovery from a hard disk drive.

The term "logical damage" refers to situations in which the error is not a problem in the hardware and requires software-level solutions.

Corrupt partitions and file systems, media errors

In some cases, data on a hard disk drive can be unreadable due to damage to the partition table or file system, or to (intermittent) media errors. In the majority of these cases, at least a portion of the original data can be recovered by repairing the damaged partition table or file system using specialized data recovery software such as TestDisk; software like ddrescue can image media despite intermittent errors, and image raw data when there is partition table or file system damage. This type of data recovery can be performed by people without expertise in drive hardware as it requires no special physical equipment or access to platters.

Sometimes data can be recovered using relatively simple methods and tools; more serious cases can require expert intervention, particularly if parts of files are irrecoverable. Data carving is the recovery of parts of damaged files using knowledge of their structure.

Overwritten data

See also: Data erasure

After data has been physically overwritten on a hard disk drive, it is generally assumed that the previous data are no longer possible to recover. In 1996, Peter Gutmann, a computer scientist, presented a paper that suggested overwritten data could be recovered through the use of magnetic force microscopy. In 2001, he presented another paper on a similar topic. To guard against this type of data recovery, Gutmann and Colin Plumb designed a method of irreversibly scrubbing data, known as the Gutmann method and used by several disk-scrubbing software packages.

Substantial criticism has followed, primarily dealing with the lack of any concrete examples of significant amounts of overwritten data being recovered. Gutmann's article contains a number of errors and inaccuracies, particularly regarding information about how data is encoded and processed on hard drives. Although Gutmann's theory may be correct, there is no practical evidence that overwritten data can be recovered, while research has shown to support that overwritten data cannot be recovered.

Solid-state drives (SSD) overwrite data differently from hard disk drives (HDD) which makes at least some of their data easier to recover. Most SSDs use flash memory to store data in pages and blocks, referenced by logical block addresses (LBA) which are managed by the flash translation layer (FTL). When the FTL modifies a sector it writes the new data to another location and updates the map so the new data appear at the target LBA. This leaves the pre-modification data in place, with possibly many generations, and recoverable by data recovery software.

Lost, deleted, and formatted data

Sometimes, data present in the physical drives (Internal/External Hard disk, Pen Drive, etc.) gets lost, deleted and formatted due to circumstances like virus attack, accidental deletion or accidental use of SHIFT+DELETE. In these cases, data recovery software is used to recover/restore the data files.

Logical bad sector

In the list of logical failures of hard disks, a logical bad sector is the most common fault leading data not to be readable. Sometimes it is possible to sidestep error detection even in software, and perhaps with repeated reading and statistical analysis recover at least some of the underlying stored data. Sometimes prior knowledge of the data stored and the error detection and correction codes can be used to recover even erroneous data. However, if the underlying physical drive is degraded badly enough, at least the hardware surrounding the data must be replaced, or it might even be necessary to apply laboratory techniques to the physical recording medium. Each of the approaches is progressively more expensive, and as such progressively more rarely sought.

Eventually, if the final, physical storage medium has indeed been disturbed badly enough, recovery will not be possible using any means; the information has irreversibly been lost.

Remote data recovery

Recovery experts do not always need to have physical access to the damaged hardware. When the lost data can be recovered by software techniques, they can often perform the recovery using remote access software over the Internet, LAN or other connection to the physical location of the damaged media. The process is essentially no different from what the end user could perform by themselves.

Remote recovery requires a stable connection with an adequate bandwidth. However, it is not applicable where access to the hardware is required, as in cases of physical damage.

Four phases of data recovery

Usually, there are four phases when it comes to successful data recovery, though that can vary depending on the type of data corruption and recovery required.

Phase 1
Repair the hard disk drive
The hard drive is repaired in order to get it running in some form, or at least in a state suitable for reading the data from it. For example, if heads are bad they need to be changed; if the PCB is faulty then it needs to be fixed or replaced; if the spindle motor is bad the platters and heads should be moved to a new drive.
Phase 2
Image the drive to a new drive or a disk image file
When a hard disk drive fails, the importance of getting the data off the drive is the top priority. The longer a faulty drive is used, the more likely further data loss is to occur. Creating an image of the drive will ensure that there is a secondary copy of the data on another device, on which it is safe to perform testing and recovery procedures without harming the source.
Phase 3
Logical recovery of files, partition, MBR and filesystem structures
After the drive has been cloned to a new drive, it is suitable to attempt the retrieval of lost data. If the drive has failed logically, there are a number of reasons for that. Using the clone it may be possible to repair the partition table or master boot record (MBR) in order to read the file system's data structure and retrieve stored data.
Phase 4
Repair damaged files that were retrieved
Data damage can be caused when, for example, a file is written to a sector on the drive that has been damaged. This is the most common cause in a failing drive, meaning that data needs to be reconstructed to become readable. Corrupted documents can be recovered by several software methods or by manually reconstructing the document using a hex editor.

Restore disk

The Windows operating system can be reinstalled on a computer that is already licensed for it. The reinstallation can be done by downloading the operating system or by using a "restore disk" provided by the computer manufacturer. Eric Lundgren was fined and sentenced to U.S. federal prison in April 2018 for producing 28,000 restore disks and intending to distribute them for about 25 cents each as a convenience to computer repair shops.

List of data recovery software

Bootable

See also: List of live CDs § Rescue and repair

Data recovery cannot always be done on a running system. As a result, a boot disk, live CD, live USB, or any other type of live distro contains a minimal operating system.

Consistency checkers

File recovery

Forensics

See also: Computer forensics

Imaging tools

Main article: Comparison of disk cloning software See also: Disk image
  • Clonezilla: a free disk cloning, disk imaging, data recovery, and deployment boot disk
  • dd: common byte-to-byte cloning tool found on Unix-like systems
  • ddrescue: an open-source tool similar to dd but with the ability to skip over and subsequently retry bad blocks on failing storage devices
  • Team Win Recovery Project: a free and open-source recovery system for Android devices

See also

References

  1. ^ "Data Recovery Explained". www.ibm.com. 6 October 2021. Archived from the original on 28 August 2022. Retrieved 28 August 2022.
  2. "What is logical failure?". Disklabs Digital Forensics and Data Recovery. Archived from the original on 1 December 2022. Retrieved 1 December 2022.
  3. "What Happens When Drives Experience Logical Failure?". www.streetdirectory.com. Archived from the original on 1 December 2022. Retrieved 1 December 2022.
  4. "Data Recovery – Backup Technology". www.dell.com. Archived from the original on 1 December 2022. Retrieved 1 December 2022.
  5. "Data Recovery On A 3TB Seagate Hard Drive". acsdata.com. Archived from the original on 13 February 2017.
  6. Vasconcelos, Pedro. "DIY data recovery could mean "bye-bye"". The Ontrack Data Recovery Blog. Ontrack Data Recovery. Archived from the original on 26 July 2019. Retrieved 26 July 2019.
  7. "Hard Drive Circuit Board Replacement Guide or How To Swap HDD PCB". donordrives.com. Archived from the original on 27 May 2015. Retrieved 27 May 2015.
  8. "Firmware Adaptation Service - ROM Swap". pcb4you.com. Archived from the original on 29 March 2013. Retrieved 27 May 2015.
  9. Ariel Berkman (14 February 2013). "Hiding Data in Hard Drive's Service Areas" (PDF). recover.co.il. Archived from the original (PDF) on 26 February 2015. Retrieved 23 January 2015.
  10. "Data Recovery Report - Read Before Choosing A Data Recovery Company". 16 April 2013. Archived from the original on 16 April 2013.
  11. "Data Recovery Software & Tools to Recover Computer Data". www.recover-computerdata.com. Archived from the original on 17 October 2016.
  12. Secure Deletion of Data from Magnetic and Solid-State Memory Archived 9 December 2007 at the Wayback Machine, Peter Gutmann, Department of Computer Science, University of Auckland
  13. Data Remanence in Semiconductor Devices Archived 21 February 2007 at the Wayback Machine, Peter Gutmann, IBM T.J. Watson Research Center
  14. Feenberg, Daniel (14 May 2004). "Can Intelligence Agencies Read Overwritten Data? A response to Gutmann". National Bureau of Economic Research. Archived from the original on 9 May 2008. Retrieved 21 May 2008.
  15. "Throwing Gutmann's algorithm into the trash - about effectiveness of data overwriting".
  16. "Disk Wiping – One Pass is Enough". anti-forensics.com. 17 March 2009. Archived from the original on 2 September 2012.
  17. "Disk Wiping – One Pass is Enough – Part 2 (this time with screenshots)". anti-forensics.com. 18 March 2009. Archived from the original on 27 November 2012.
  18. Wright, Dr. Craig (15 January 2009). "Overwriting Hard Drive Data". Archived from the original on 23 May 2010.
  19. Barton, Andre (17 December 2012). "Data Recovery Over the Internet". Data Recovery Digest. Archived from the original on 27 May 2015. Retrieved 29 April 2015.
  20. Stanley Morgan (28 December 2012). "[Infographic] Four Phases Of Data Recovery". dolphindatalab.com. Archived from the original on 2 April 2015. Retrieved 23 March 2015.
  21. Washington Post (26 April 2018). "Electronics-recycling innovator is going to prison for trying to extend computers' lives". Washington Post. Archived from the original on 2 May 2018. Retrieved 2 May 2018.

Further reading

  • Tanenbaum, A. & Woodhull, A. S. (1997). Operating Systems: Design And Implementation, 2nd ed. New York: Prentice Hall.
Data
Data erasure
List of data-erasing software
Categories: