Data RecoveryData RecoveryTechniquesTechniques

ByBy

Danny SeltzerDanny Seltzerandand

Evan HollanderEvan Hollander

NOT a Data Recovery NOT a Data Recovery TechniqueTechnique

What is Data Loss?What is Data Loss?

Data has accidentally been erased or data Data has accidentally been erased or data control structures have been overwritten.control structures have been overwritten.

Data has been corrupted or made Data has been corrupted or made inaccessible.inaccessible.

Data is unable to be accessed from a Data is unable to be accessed from a previous functioning computer system or previous functioning computer system or backup.backup.

Common Computer Common Computer ProblemsProblems

Computer won’t boot upComputer won’t boot up Applications that are unable to run Applications that are unable to run

or load dataor load data Hard drive crashesHard drive crashes Corrupt files or dataCorrupt files or data Accidental reformatting of partitionsAccidental reformatting of partitions Inaccessible drives and partitionsInaccessible drives and partitions Media surface contamination and Media surface contamination and

damagedamage

What Causes Data Loss?What Causes Data Loss?

SabotageSabotage Natural DisasterNatural Disaster Hardware ErrorHardware Error Virus AttackVirus Attack Human ErrorHuman Error

Intentional deletionIntentional deletion Accidental overwriting of filesAccidental overwriting of files

Software CorruptionSoftware Corruption

What Causes Data Loss?What Causes Data Loss?

How to Prevent Data How to Prevent Data LossLoss

Don’t upgrade hardware or software Don’t upgrade hardware or software without having a backupwithout having a backup

Physically secure your system from Physically secure your system from intrudersintruders

Use firewalls and virus protectionUse firewalls and virus protection

Be prepared for physical disastersBe prepared for physical disasters

Things to Know About Data Things to Know About Data LossLoss

Data loss is disastrous at home, but for Data loss is disastrous at home, but for companies it causes setbacks in time and companies it causes setbacks in time and money.money.

““93% of companies that experience data loss for 93% of companies that experience data loss for more than 10 days file for bankruptcy within more than 10 days file for bankruptcy within one year of the disaster.”one year of the disaster.”

If the data loss recovery is dealt with quickly or If the data loss recovery is dealt with quickly or the necessary precautions are taken prior to any the necessary precautions are taken prior to any problem, the company could retrieve the data problem, the company could retrieve the data more easily or not experience a problem at all.more easily or not experience a problem at all.

Data RecoveryData Recovery The majority of data loss situations are recoverable.The majority of data loss situations are recoverable.

Computer storage systems may fail, but the data Computer storage systems may fail, but the data stored on them is not always completely lost.stored on them is not always completely lost.

There are occasions when damage to data is There are occasions when damage to data is permanent and complete data recovery is not permanent and complete data recovery is not possible. However, some data is usually always possible. However, some data is usually always recoverable.recoverable.

Data recovery professionals can recover data from Data recovery professionals can recover data from crashed hard drives, operating systems, storage crashed hard drives, operating systems, storage devices, servers, desktops, and laptops using various devices, servers, desktops, and laptops using various proprietary data recovery tools and techniques.proprietary data recovery tools and techniques.

Data Recovery TipsData Recovery Tips DO’sDO’s

Backup your data frequently. Backup your data frequently. If you believe there is If you believe there is

something wrong with your something wrong with your computer shut it down, do not computer shut it down, do not continue to power up because continue to power up because you may do more damage. you may do more damage.

If you here a clunk, clunk sound If you here a clunk, clunk sound when you power up the drive, when you power up the drive, shut down! Do not panic nor shut down! Do not panic nor turn the power button on and turn the power button on and off. off.

Package the drive properly Package the drive properly when you send it in to a data when you send it in to a data recovery specialist. You can recovery specialist. You can cause additional damage to the cause additional damage to the hard drive if it is poorly hard drive if it is poorly packaged. packaged.

DON’TSDON’TS Do not ever assume that data Do not ever assume that data

recovery is impossible; even in the recovery is impossible; even in the worst cases, such as natural disasters worst cases, such as natural disasters data recovery specialists have been data recovery specialists have been able to retrieve valuable data. able to retrieve valuable data.

Never remove the cover from the Never remove the cover from the hard drive; this will only cause hard drive; this will only cause further damage. further damage.

Do not rest your computer on a Do not rest your computer on a moveable object or piece of moveable object or piece of furniture. Shock and vibration can furniture. Shock and vibration can result in serious damage to the hard result in serious damage to the hard drive. drive.

Do not subject the drive to extreme Do not subject the drive to extreme temperatures changes both hot and temperatures changes both hot and cold. cold.

In the case where a drive has been In the case where a drive has been exposed to water, fire or even smoke exposed to water, fire or even smoke do not try to power up.do not try to power up.

Data Recovery Data Recovery TechniquesTechniques

Use of software to recover Use of software to recover datadata

Use of machines to recover Use of machines to recover datadata

Software Data ExtractionSoftware Data Extraction

Data extraction is the process of moving data Data extraction is the process of moving data off of the imaged drive to another destination off of the imaged drive to another destination location.location.

Data extraction software scans sectors of the Data extraction software scans sectors of the hard drive and restructures the file system hard drive and restructures the file system either in memory or another hard drive. either in memory or another hard drive.

The software can be used to copy the The software can be used to copy the recoverable data to a destination location.recoverable data to a destination location.

Software RecoverySoftware Recovery Data loss can occur because the hard drive may Data loss can occur because the hard drive may

have problems accessing the data it contains at have problems accessing the data it contains at a software or logical level.a software or logical level.

By making a complete sector copy (an exact By making a complete sector copy (an exact copy including all deleted information) of the copy including all deleted information) of the hard drive, using a program such as Norton hard drive, using a program such as Norton GHOST, most data recovery programs search GHOST, most data recovery programs search for deleted MFT (Master File Table) entries to for deleted MFT (Master File Table) entries to undelete files.undelete files.

If the MFT is corrupt or defective, this method If the MFT is corrupt or defective, this method will not work. Some data recovery programs will not work. Some data recovery programs will ignore the MFT and search all of the will ignore the MFT and search all of the unallocated clusters to try to find and recover unallocated clusters to try to find and recover files.files.

Data RecoveryData Recovery The user may send a failed hard disk drive to The user may send a failed hard disk drive to

a private data recovery company that offers a private data recovery company that offers secure and confidential data recovery.secure and confidential data recovery.

The data recovery company will carefully The data recovery company will carefully perform part replacement of the heads, perform part replacement of the heads, spindle motor and base casting, the spindle motor and base casting, the electronics board, etc. in a clean room electronics board, etc. in a clean room environment. environment.

Part replacement has historically been Part replacement has historically been successful for data recovery about 40%-60% successful for data recovery about 40%-60% of the time.of the time.

Data RecoveryData Recovery

When data is written to a medium, the When data is written to a medium, the head sets the polarity of most, but not all head sets the polarity of most, but not all of the magnetic domains.of the magnetic domains.

When a 1 is written to disk the media When a 1 is written to disk the media records a 1, and when a 0 is written the records a 1, and when a 0 is written the media records a 0. However the actual media records a 0. However the actual effecteffect is closer to obtaining a 0.95 when a is closer to obtaining a 0.95 when a 0 is overwritten with a 1, and a 1.05 when 0 is overwritten with a 1, and a 1.05 when a 1 is overwritten with a 1. a 1 is overwritten with a 1.

Data RecoveryData Recovery Normal disk circuitry is set up so that both Normal disk circuitry is set up so that both

these values are read as ones, but using these values are read as ones, but using specialized circuitry it is possible to work out specialized circuitry it is possible to work out what previous "layers" contained.what previous "layers" contained.

The recovery of at least one or two layers of The recovery of at least one or two layers of overwritten data isn't too hard to perform by overwritten data isn't too hard to perform by reading the signal from the analog head reading the signal from the analog head electronics with a high-quality digital sampling electronics with a high-quality digital sampling oscilloscope, downloading the sampled oscilloscope, downloading the sampled waveform to a PC, and analyzing it in software waveform to a PC, and analyzing it in software to recover the previously recorded signal. to recover the previously recorded signal.

Data Recovery TechniquesData Recovery TechniquesScanning Probe Microscopy Scanning Probe Microscopy

(SPM)(SPM) A technique that is used to image A technique that is used to image

and measure surfaces at the atomic and measure surfaces at the atomic level.level.

Scans an atomically sharp probe Scans an atomically sharp probe over a surface which produces a 3D over a surface which produces a 3D topographic image of the surface at topographic image of the surface at the atomic scale.the atomic scale.

Data Recovery TechniquesData Recovery TechniquesMagnetic Force Microscopy Magnetic Force Microscopy

(MFM)(MFM) MFM (Magnetic Force Microscopy) is a new MFM (Magnetic Force Microscopy) is a new

technique which images the spatial technique which images the spatial variation of magnetic forces on a sample variation of magnetic forces on a sample surface. surface.

MFM is derived from scanning probe MFM is derived from scanning probe microscopy (SPM) and uses a sharp microscopy (SPM) and uses a sharp magnetic tip attached to a flexible magnetic tip attached to a flexible cantilever for analysis.cantilever for analysis.

An image of the field at the surface is An image of the field at the surface is formed by moving the tip across the surface formed by moving the tip across the surface and measuring the force.and measuring the force.

Magnetic Force Microscopy Magnetic Force Microscopy (MFM)(MFM)

Detectable old data will be present beside Detectable old data will be present beside new data on the track which is usually new data on the track which is usually ignored.ignored.

Together with software, MFM can see past Together with software, MFM can see past various kinds of data loss/removal.various kinds of data loss/removal.

Each track contains an image of Each track contains an image of everything ever written to it, but each everything ever written to it, but each layer gets progressively smaller the earlier layer gets progressively smaller the earlier it was written.it was written.

Magnetic Force Microscopy Magnetic Force Microscopy (MFM)(MFM)

MFM looks at the minute sampling MFM looks at the minute sampling region to detect remnant region to detect remnant magnetization at track edges.magnetization at track edges.

MFM image showing the MFM image showing the bits of a hard diskbits of a hard disk

Data Recovery TechniquesData Recovery TechniquesScanning Tunneling Scanning Tunneling Microscopy (STM)Microscopy (STM)

STM (Scanning Tunneling Microscopy) is STM (Scanning Tunneling Microscopy) is a more recent variation of MFM which a more recent variation of MFM which uses a probe tip typically made by uses a probe tip typically made by plating nickel onto a pre-patterned plating nickel onto a pre-patterned surface.surface.

The probe is scanned across the surface The probe is scanned across the surface that is to be analyzed. STM measures a that is to be analyzed. STM measures a weak electrical current flowing between weak electrical current flowing between the tip and the sample. The image is the tip and the sample. The image is then generated in the same way as MFM.then generated in the same way as MFM.

SummarySummary Individuals or companies may experience data Individuals or companies may experience data

loss at any time for many reasons.loss at any time for many reasons. There are various steps that should be There are various steps that should be

implemented to help prevent data loss.implemented to help prevent data loss. Data loss can be very costly and very Data loss can be very costly and very

upsetting.upsetting. There are several data recovery techniques There are several data recovery techniques

that have proven to be successful or partially that have proven to be successful or partially successful in recovering data.successful in recovering data.

Utilizing qualified professional data recovery Utilizing qualified professional data recovery specialists will aid in the degree of success of specialists will aid in the degree of success of data recovery.data recovery.

BibliographyBibliography

http://www.intellirecovery.com/data/recovhttp://www.intellirecovery.com/data/recovery.htmlery.html

http://www.data-recovery-info.comhttp://www.data-recovery-info.com http://mechmat.caltech.edu/~kaushik/parhttp://mechmat.caltech.edu/~kaushik/par

k/1-3-0.htmk/1-3-0.htm http://www.eng.yale.edu/reedlab/researchhttp://www.eng.yale.edu/reedlab/research

/spm/spm.html/spm/spm.html http://www.cs.auckland.ac.nz/~pgut001/phttp://www.cs.auckland.ac.nz/~pgut001/p

ubs/secure_del.htmlubs/secure_del.html http://www.ebaumsworld.comhttp://www.ebaumsworld.com http://www.disklabs.comhttp://www.disklabs.com