Data recovery techniques for reading lost data from PCs, Macs, video DVDs, camera memory chips and CDs. Both software and recovery service provided.
Saturday, July 31, 2010
Clicking disk drives
Hard disk drives will click when the head cannot locate a track. The drive will try to recalibrate itself by moving the head as far out as possible, and the click is the head hitting the end stop. When it does this every second or so, it indicates there is a major problem with the drive. Sometimes the sector will be read and the clicking will stop, but other times it will continue and the drive will be dead.
If clicking noises are heard from the drive then this indicates there are problems. The drive may continue for months, or could die a few minutes later. The only safe thing to do is to copy off any files that have not been backed up, followed by a full backup. The next stage is to replace the drive. A new physical drive these days is not expensive, and much cheaper than data recovery.
If the drive does die with clicking noises the most likely reason is that the heads have failed. In maybe 80% of cases they can be replaced, but the cost could be 5 to 20 times that of a new drive. Thus take any clicking seriously with a full backup, and most likely a new hard drive.
CnW Recovery does not work on head replacement, but can recommend companies to assist.
Friday, July 30, 2010
NAS RAID drives
Recently, at CnW Recovery I have seen several RAID systems where it is the RAID controller, rather than the drive which has failed. This ends up with multiple, physically working drives, but no way to access the data. Most RAID controllers actually use some kind of Unix file system and recently we have seen XFS, ReiserFS and Ext2 as the data storage. The drives do also typically contain a few Unix partitions to power the Linux based controller system.
To recover the data it is necessary to remove the drives and then logically read the data partition of the drive. CnW software is being developed to make this as easy as possible, and new variations of drive layout are being added on a regular basis.
The main warning of this blog is that a RAID is not quite as secure as the manufacturers might imply, but at the same time, help is on hand to recover the data.
Thursday, July 29, 2010
How to avoid data recovery
For a safe backup there are a few critical points:
- Must be done automatically, or on a regular basis
- A backup must be stored on another piece of media
- A backup must be stored in a different location
- A backup must be tested with the occasional restore
For many users and small businesses a very easy type of backup is an online system that automatically backs files up when they are added to the system, or edited. There are many available, but the one I use is Carbonite as it is automatic, and has unlimited capacity. It ticks all four boxes above.
Different media is essential because if just a different partition is used, it could fail at the same time as the key data partition.
The different location will cover events such as fire and theft. For non-sensitive data, placing a backup drive in the office or home is a good start, or with friends or neighbours.
Another point on backup is the ability to recreate a complete system disk from scratch in the event of a complete failure. For this one requires a disk image of the system disk and Acronis is a popular solution, but not one I have tried.
Always think that if anything is not backed up, it could be lost - so BACKUP now.
Wednesday, July 28, 2010
Reconstructing video disk from MPEGs
Tuesday, July 27, 2010
Recovery from a formatted disk
To help detect this, CnW Recovery software has a function on the partition scan that will count the number of MFTs (for NTFS) or directory clusters for FAT disks. It will often be clear at the end of the scan if there was a different file system on the disk at a previous time. It is then possible, using the partition manager, to force the disk to act as a certain format, e.g. FAT32 or NTFS, before recovering the files.
Often in instances where the file system has been changed, most of the critical file information will have been overwritten, but fortunately all file systems tend to use different areas of the disk, so it is possible that a complete MFT (NTFS directory sectors) may still be intact, as may be many FAT32 directories. By analysing these remaining fragments, it is possible to determine the critical parameters before attempting a recovery.
Often a very complete recovery will be possible, as long as the disk has not been used too much after reformatting.
Monday, July 26, 2010
Hashing in forensic recovery
Hashing is a digital signature, and therefore is unique for each file or document. The most common standard is MD5 which is a 16 byte number, normally displayed as a string of 32 hex text characters. It is secure because any single bit change, anywhere in the file will produce a completely different hash value. It is also secure because there is no way of working out from the result, what the original data string was.
When a file is recovered, or imaged, the whole file is scanned, and a hash value is produced. In future, if the same file has its hash value calculated, as long as it is the same, then the file is identical. It would be impossible to tamper with the file without changing the hash value. Thus forensically, the reason for hashing is as part of the chain of custody. If a file is read, then it can be distributed as evidence and as long as the hash remains the same, the file is the same. For this reason, the CnW Recovery software always includes a file hash value in the log for forensic applications.
There are possible dangers with hashing. It can be assumed that because there is a hash value, the file is true, but it must always be considered that a file could have been tampered with before the original recovery or investigation was made.
The second concern is that the MD5 hashing routine has been broken in forensic terms, i.e. a file has been modified, and kept the same hash value. To do this takes a lot of skill, and a lot of computing power to discover which 16 byte number has to be inserted at which location in the file to produce an unchanged hash value. The solution to this concern is to use longer hash values, such as SHA-1 or SHA-256.
My personal view though is that for 99.999999% of applications, MD5 is adequate, and will always detect accidental and transmission errors. With increasing computer power, it is true that the length of the hash will have to increase, and each extra byte will improve the strength by 256 times. However, in March 2011, SHA-256 was added to the forensic log.
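The log-then-verify use of hashing described above, as an added example (this is not CnW Recovery code; the function names and the sample data are constructed for illustration). It reads the data once in blocks, records both MD5 and SHA-256 as a log entry, and re-checks a copy later.

```python
import hashlib
import io

CHUNK = 1 << 20  # read 1 MiB at a time so a large disk image never sits in memory


def hash_stream(stream):
    """Return size, MD5 and SHA-256 from a single pass over the data."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    size = 0
    for block in iter(lambda: stream.read(CHUNK), b""):
        md5.update(block)
        sha256.update(block)
        size += len(block)
    return {"size": size, "md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def verify(stream, logged):
    """Re-hash the data and list the logged fields that no longer match."""
    current = hash_stream(stream)
    return [f for f in ("size", "md5", "sha256") if current[f] != logged[f]]


# Constructed sample standing in for a recovered file.
recovered = b"\xff\xd8\xff\xe0" + b"constructed sample evidence" * 1000 + b"\xff\xd9"
log_entry = hash_stream(io.BytesIO(recovered))   # what goes in the forensic log

# A copy with one bit flipped in the middle, as a transmission error would leave it.
tampered = bytearray(recovered)
tampered[len(tampered) // 2] ^= 0x01

if __name__ == "__main__":
    print(log_entry)
    print("unchanged copy:", verify(io.BytesIO(recovered), log_entry))
    print("one bit flipped:", verify(io.BytesIO(bytes(tampered)), log_entry))
```

An empty list from verify() means the copy matches the logged values; it says nothing about what happened to the file before the log entry was made.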
Sunday, July 25, 2010
Why photo recovery sometimes has corrupted photos
When a memory chip is corrupted, it is very common for the file allocation table (FAT) to be destroyed, which means that the normal recovery program can only assume that the photo was stored sequentially, and again many times this is the case. If you are a photographer that has deleted some photos in the camera, either because they were bad, or to save space, then new photos will be fragmented when stored. This means that different parts of the photo will be stored in different areas of the memory chip. The location of each sector (or cluster) used is stored in the FAT, and this is the critical element which may be missing. Hence photos are not recovered correctly.
The solution is a feature rarely found in recovery software that will examine all the memory chip and reconstruct photos even when the fragments have been scattered over the memory chip. Although it may not be possible to be 100% reliable, extra photos will be recovered that otherwise would be lost. For more details see www.cnwrecovery.com/html/jpeg_frags.html
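Why the sequential assumption corrupts a fragmented photo, as an added example (not CnW Recovery's fragment reconstruction; the chip layout, cluster size and photo contents are constructed). Photo B was saved into a cluster freed by an in-camera delete and continues past photo C, so reading forward from B's start runs into C's data.

```python
CLUSTER = 512
SOI, EOI = b"\xff\xd8\xff", b"\xff\xd9"   # JPEG start and end markers


def make_photo(tag, clusters):
    """Constructed stand-in for a JPEG: SOI marker, filler bytes, EOI marker."""
    body = tag * (clusters * CLUSTER)
    return SOI + body[: clusters * CLUSTER - len(SOI) - len(EOI)] + EOI


def store(chip, data, chain):
    """Write data into the listed clusters, in the order a FAT chain records."""
    for i, c in enumerate(chain):
        chip[c * CLUSTER:(c + 1) * CLUSTER] = data[i * CLUSTER:(i + 1) * CLUSTER]


def read_by_chain(chip, chain, size):
    """Recovery with an intact FAT: follow the recorded cluster chain."""
    return b"".join(bytes(chip[c * CLUSTER:(c + 1) * CLUSTER]) for c in chain)[:size]


def carve_sequential(chip, start_cluster):
    """Recovery without a FAT: read forward from the start to the first EOI."""
    begin = start_cluster * CLUSTER
    end = chip.find(EOI, begin)
    return bytes(chip[begin:end + len(EOI)]) if end != -1 else b""


def build_chip():
    """Constructed card: B was saved after a photo in cluster 2 was deleted."""
    chip = bytearray(8 * CLUSTER)
    photos = {"A": (make_photo(b"A", 2), [0, 1]),      # stored sequentially
              "C": (make_photo(b"C", 1), [3]),         # already on the card
              "B": (make_photo(b"B", 3), [2, 4, 5])}   # fragmented around C
    for data, chain in photos.values():
        store(chip, data, chain)
    return chip, photos


if __name__ == "__main__":
    chip, photos = build_chip()
    for name, start in (("A", 0), ("B", 2)):
        carved = carve_sequential(chip, start)
        print(name, "sequential carve intact:", carved == photos[name][0])
    data, chain = photos["B"]
    print("B via FAT chain intact:", read_by_chain(chip, chain, len(data)) == data)
```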
Erased DVD-RW video disks
Very few data recovery companies can handle this type of error, but CnW Recovery have developed special hardware to allow such disks to be recovered. As long as the erase was a quick erase, which normally takes less than 2 minutes, then the recovery success rate is extremely high. There is a fixed fee of just £40, and no fix, no fee. See www.cnwrecovery.co.uk/html/dvd_recovery.html for more details.
Saturday, July 24, 2010
Undelete software
When a file is deleted the process is that either the directory entry is marked as deleted, or in the case of Macintosh systems, and some Unix file systems, the file name and details are also deleted. On most common systems (unless special scrubbing software is included) the data remains unchanged on the disk, but the area the data occupies is redesignated as unallocated. This means that any new file can use the space that was previously assigned to the deleted files. Unless you have the budget of the CIA and FBI combined, it is safe to say that an overwritten sector is just that, and previous data is lost for ever. The danger of downloading a data recovery, or undelete program onto the computer where files have been deleted, is very significant. There is no way to stop the program being copied to areas where the deleted files were, and so data will be lost for ever.
Any use of the computer, or even just leaving it on, can cause files in unallocated space to be overwritten. For instance, virus checkers are always having updates, as does Microsoft. Any web browsing generates many temporary files. Shut down must be as soon as possible. The only safe solution is to turn the computer off and remove the drive entirely. Any other approach, or delay, increases the chance of permanent loss. Even shutting down the computer writes files. For many forensic investigations it is often suggested the best way is to literally pull the plug, and not try an organised shut down.
The safe solution is to remove the drive and set it up as a slave drive on a different computer running the undelete, or data recovery software. For critical applications, or forensic investigation, a write blocker should be used to ensure that no data is written to the slave drive.
When it comes to undelete software, again it is very dangerous to actually try and undelete rather than recover the deleted files to a different drive. With a FAT device, the locations that the original file was stored in are deleted when the file is marked as deleted. Undeleting will therefore just assume that the file is sequential - a good starting point, but not always true. Also, for FAT32 files, the starting point of the file is only partially known, and very few recovery programs actually determine the correct location. Fortunately CnW Recovery does work out the correct location for files of a known type. See www.cnwrecovery.com/html/fat32.html for more details.
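One way a partially known FAT32 start can be narrowed down for a known file type, as an added example (not CnW Recovery's method). It assumes the missing part is the high 16 bits of the start cluster in the 32-byte directory entry, with only the low 16 bits surviving deletion; the entry, the sparse volume and all names are constructed.

```python
import struct

DELETED = 0xE5                      # first name byte of a deleted FAT entry
SIGNATURES = {"JPG": b"\xff\xd8\xff", "PNG": b"\x89PNG", "PDF": b"%PDF"}


def parse_deleted_entry(raw):
    """Decode a 32-byte FAT short directory entry; None unless marked deleted."""
    if len(raw) != 32 or raw[0] != DELETED:
        return None
    cluster_hi, = struct.unpack_from("<H", raw, 20)   # high 16 bits of start
    cluster_lo, = struct.unpack_from("<H", raw, 26)   # low 16 bits of start
    size, = struct.unpack_from("<I", raw, 28)
    return {"name": "?" + raw[1:8].decode("ascii", "replace").rstrip(),
            "ext": raw[8:11].decode("ascii", "replace").rstrip(),
            "cluster_hi": cluster_hi, "cluster_lo": cluster_lo, "size": size}


def candidate_starts(entry, total_clusters):
    """Assumption: only the low 16 bits survived, so try every high value."""
    first = entry["cluster_lo"]
    if first < 2:                    # clusters 0 and 1 never hold file data
        first += 0x10000
    return list(range(first, total_clusters + 2, 0x10000))


def locate_start(entry, total_clusters, read_cluster):
    """Keep the candidates whose first bytes match the file type's signature."""
    magic = SIGNATURES.get(entry["ext"])
    if magic is None:
        return []                    # unknown type: nothing to test against
    return [c for c in candidate_starts(entry, total_clusters)
            if read_cluster(c).startswith(magic)]


# Constructed sample: deleted "?MG_0042.JPG", high word zero, low word 0x1234.
RAW = struct.pack("<11sB8xH4xHI", b"\xe5MG_0042JPG", 0x20, 0, 0x1234, 2_500_000)
# Constructed sparse volume: cluster number -> first bytes of that cluster.
VOLUME = {0x1234: b"plain text from another file",
          0x21234: b"\xff\xd8\xff\xe0\x00\x10JFIF"}
TOTAL_CLUSTERS = 0x40000


def read_cluster(number):
    return VOLUME.get(number, bytes(512))


if __name__ == "__main__":
    entry = parse_deleted_entry(RAW)
    found = locate_start(entry, TOTAL_CLUSTERS, read_cluster)
    print(entry["name"], [hex(c) for c in found])
```

Taking the low word at face value would start the recovery at cluster 0x1234, which here belongs to another file; the signature check picks 0x21234 instead.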
Friday, July 23, 2010
Recovery from a Western Digital 250GB disk
HP Media vault
Both disks actually had ReiserFS as their data structure. After investigation, it was determined that the data was in three stripes, and the locations are stored in sector 1 (i.e. second on the disk) of each disk. A few enhancements to the CnW Recovery software (http://www.cnwrecovery.com/) and all the data was read and recovered. It was read using the JBOD feature in the RAID option.