Saturday, July 31, 2010

Clicking disk drives

Often customers for disk recovery say that the computer just stopped. It then often turns out that the computer has been going very slow, or making clicking noises.

Hard disk drives will click when the head cannot locate a track. It will try and recalibrate itself by moving the head as far out as possible, and the clicking is when it hits the end stop. When it does this every second or so, it indicates there is a major problem with the drive. Sometimes the sector will be read, and the clicking will stop, but other times, it will continue and the drive will be dead.

If clicking noises are heard from the drive then this indicates there are problems. The drive may continue for months, or could die a few minutes later. The only safe thing to do is to copy off any files that have not been backed up, followed by a full backup. The next stage is to replace the drive. A new physical drive these days is not expensive, and much cheaper than data recovery.

If the drive does die with clicking noises the most likely reason is that the heads have failed. In maybe 80% of cases they can be replaced, but the cost could be 5 to 20 times that of a new drive. Thus take any clicking seriously with a full backup, and most likely a new hard drive.

CnW Recovery does not work on head replacement, but can recommend companies to assist.

Friday, July 30, 2010

NAS RAID drives

For a small business, or even home user, the thought of secure data storage is very attractive. Network Attached Storage (NAS) systems are becoming very popular as they may be shared on a network by several PCs, some even purely by wireless interface. The idea of a RAID is that if one drive should fail, the other one will still have the information, so no data should be lost.

Recently, at CnW Recovery I have seen several RAID systems where it is the RAID controller, rather than the drive which has failed. This ends up with multiple, physically working drives, but no way to access the data. Most RAID controllers actually use some kind of Unix file system and recently we have seen XFS, ReiserFS and Ext2 as the data storage. The drives do also typically contain a few Unix partitions to power the Linux based controller system.

To recover the data it is necessary to remove the drives and then logically read the data partition of the drive. CnW software is being developed to make this as easy as possible, and new variations of drive layout are being added on a regular basis.

The main warning of this blog is that a RAID is not quite as secure as the manufacturers might imply, but at the same time, help is on hand to recover the data.

Thursday, July 29, 2010

How to avoid data recovery

This may be an odd item to write about in a data recovery blog, but actually the best kind of data recovery is not to require it. The critical word is 'Backup'. However, I get many customers who say that they were about to do a backup, or where going to do a backup when they had finished their project, university work etc, and then all of a sudden everything is lost.

For a safe backup there are a few critical points
  • Must be done automatically, or on a regular basis
  • A backup must be stored on another piece of media
  • A backup must be stored in a different location
  • A backup must be tested with the occasional restore

For many users and small businesses a very easy type of backup is an online system that automatically backs files up when they are added to the system, or edited. There are many available, but the one I use is Carbonite as it is automatic, and has unlimited capacity. It ticks all four boxes above.

The different media is essential as if just a different partition is used, this could fail at the same time as the key data partition.

The different location will cover events such as fire and theft. For non sensitive data, then placing a backup drive in the office or home is a good start, or with friends are neighbours.

Another point on backup is the ability to recreate a complete system disk from scratch in the event of a complete failure. For this one requires disk image of the system disk and Acronis is a popular solution, but not one I have tried.

Always think that if any thing is not backed up, it could be lost - so BACKUP now.

Wednesday, July 28, 2010

Reconstructing video disk from MPEGs

Recovery programs are very good at recovering MPEGs but these are not typically viewable with a DVD player. To view the files it is necessary to create a VIDEO_TS directory with .IFO and .VOB files. To convert MPEGS into such a structure it is normally necessary to a 3rd part product such as IFOEDIT. IFOEDIT is a very good (free) program, but it is maybe a bit too complex for many users. CnW Recovery software has a built in tool to recreate a video disk from MPEGS, and for many users this is a straight forward simple function. There is also a nice feature in that it is included as part of the free demo of CnW Recovery software.

Tuesday, July 27, 2010

Recovery from a formatted disk

I occasionally receive disks that are perfectly valid, with intact files and file system. However, the history of them is that they have been reformatted,and the original files lost. To make things slightly worse, the file system may have been changed. Thus an original FAT32 disk couldnow be a NTFS or the other way around.

To help detect this, CnW Recovery software has a function on the partition scan that will count the number of MFTs (for NTFS) or directory clusters for FAT disks. It will often be clear at the end of the scan if there was a different file system on the disk at a previous time. It is then possible, using the partition manager to force the disk to act as a certain format, eg FAT32 or NTFS before recovering the files.

Often in instances where the file system has been changed, most of the critical file information will have been overwritten, but fortunately all file systems tend to use different areas of the disk so it possible that a complete MFT (NTFS directory sectors) may still be intact as may be many FAT32 directories. By analysing this remaining fragmenst, it is possible to determine the critical parameters before attempting a recovery.

Often a very complete recovery will be possible, as long as the disk has not been used too much after reformatting.

Monday, July 26, 2010

Hashing in forensic recovery

With any forensic investigation, the term hashing will appear somewhere. But what is hashing, and how important is it?

Hashing is a digital signature, and therefore is unique for each file or document. The most common standard is MD5 which is a 16 byte number, normally displayed as a string of 32 hex text characters. It is secure because any single bit change, anywhere in the file will produce a completely different hash value. It is also secure because there is no way of working out from the result, what the original data string was.

When a file is recovered, or imaged, the whole file is scanned, and a hash value is produced. In future, if the same file has it's hash value calculated, as long as it is the same, then the file is identical. It would be impossible to tamper with the file without changing the hash value. Thus forensically, the reason for hashing is as part of the chain of custody. If is file is read, then it can be distributed as evidence and as long as the hash remains the same, the file is the same. For this reason, the CnW Recovery software always includes a file hash value in the log for forensic applications.

There are possible dangers with hashing. It can be taken because there is hash value, then the file is true, but it must always be considered that a file could have been tampered with before the original recovery or investigation was made.

The second concern is that the MD5 hashing routine has been broken in forensic terms. ie a file has been modified, and kept the same hash value. To do this takes a lot of skill, and a lot of computing power to discover which 16 byte number has to be inserted at which location in the file to produce an unchanged hash value. The solution to this concern is to use longer hash values, such as SHA-1, SHA-256.

My personal view though is that for 99.999999% of applications, MD5 is adequate, and will always detect accidental and transmission errors. With increasing computer power, it true that the length of the hash will have to increase, and each extra byte will improve the strength by 256 times. However in March 2011, SHA-256 has been added to the forensic log

Sunday, July 25, 2010

Why photo recovery sometimes has corrupted photos

Digital cameras are great, and so are memory chips, but sometimes failures happen and photos are lost. The typical reason is that part of thye chip is corrupted when taking it out of the camera, or plugging into the PC. Data recovery is fairly straight forward, and many recovery programs will produce good results. The problem comes when some of the photos will not open or are otherwise corrupted.

When a memory chip is corrupted, it is very common for the file allocation table (FAT) to be destroyed which means that the normal recovery program can only assume that the photo was stored sequentially, and again many times this is the case. If you are a photographer that has deleted some photo in the camera, either because they were bad, or to save space then new photos will be fragmentd when stored. This means that different parts of the photo will be stored in different areas of the memory chip. The location of each sector (or cluster) used is stored in the FAT, and this is the critical element which may be missing. Hence photos are not recovered correctly.

The solution is a feature rarely found in recovery software that will examine all the memory chip and reconstruct photos even when the fragments have been scattered over the memory chip. Although it may not be possible to be 100% reliable, extra photos will be recovered that otherwise would be lost. For more details see

Erased DVD-RW video disks

Mini video DVD-RW often get either accidently erased, or fail due to camera or operator error. The reason is not too important, but the result can be a video disk that can not be read, and all PCs just state that the disk is blank.

Very few data recovery companies can handle this type of error, but CnW Recovery have developed special hardware to allow such disks to be recovered. As long as the erase was a quick erase, that nomrally takes less than 2 minutes, then the recovery success rate is extremely high. There is a fixed fee of just £40, and no fix, no fee. for more details.

Saturday, July 24, 2010

Undelete software

We all make mistakes, and deleted files, or directories is a common one. There are lots of software packages that claim to help, but some can actually make things worse, and all, if not used carefully can add to misery by permanately overwriting file that could have been recovered.

When a file is deleted the process is that either the directory entry is marked as deleted, or in the case of Macintosh systems, and some Unix file systems, the file name and details are also deleted. On most common systems (unless special scrubbing software is included) the data remains unchanged on the disk, but the area the data occupies is redesignated as unallocated. This means that any new file can use the space that was previously assigned to the deleted files. Unless you have the budget of the CIA and FBI combined, it is safe to say that an overwritten sector is just that, an previous data is lost for ever. The danger of downloading a data recovery, or undelete program onto the computer where files have been deleted, is very significant. There is no way to stop the program being copied to areas where the deleted files were, and so data will be lost for ever.

Any use of the computer, or even just leaving it one can cause files in unallocated space to be overwritten. For instance, virus checkers ar always having updates, and does Microsoft. Any web browsing generates many temporary files. Shut down must be as soon as possible. The only safe solution is to turn the computer off and remove the drive entirely. Any other approach, or delay increases the chance of permanant loss. Even shutting down the computer writes files. For many forensic investigations it is often suggested the best way is to literally pull the plug, and not try an organised shut down.

The safe solution is to remove the drive and set it up as a slave drive on a different computer running the undelete, or data recovery software. For critical application, or forensic investigation a write blocker should be used to ensure that no data is written to the slave drive.

When it comes to undelete software, gain it is very dangerous to atually try and undelete rather than recover the deleted files to a different drive. With a FAT device, the locations that the original file are stored in is delted when the file is marked as deleted. Undeleting will therefore just assume that the file is sequential - a good starting point, but not always true. Also, for FAT32 files, the starting point of the file is only partitally known, and very few recovery programs actually determine the correct location. Fortunately CnW Recovery does work out the correct location for files of a known type. See for more details.

Friday, July 23, 2010

Recovery from a Western Digital 250GB disk

I received a WD 250 GB disk that span, and was even recognised by the BIOS. However, every sector read failed. When putting it on the PC3000 UDMA system (Russian hard drive recovery product) it indicated that part of the service area of the disk was corrupted. The next stage was a complete backup of all the readable firmware, and service area before the failed translation module was regenerated. It worked, and the drive was then imaged before running the data recovery process of the slightly corrupted NTFS drive.

HP Media vault

Received a pair of disks recently that were unreadable with with the original HP Media vault. The disks were 300GB and 750GB giving a capacity of just over 1TB. The first disk started with the string "Broadcom NAS Version 1.1 MBR Tag" and did not have a standard boot sector. The second disk had a standard boot sector, but a header suggesting a FAT32 disk.

Both disks actually had Reiser FS as their data structure. After investigation, it was determined that the data was in three stripes, and the locations are stored in sector 1 (ie second on the disk) of each disk. A few enhancements to the CnW Recovery software ( and all the data was read and recovered. It was read using the JBOD feature in the RAID option