Main Page | Recent changes | View source | Page history

Printable version | Disclaimers | Privacy policy

 Not logged in
Log in | Help
 

Data Recovery

From OCAU Wiki

This page is a work in progress.

Data loss can happen at any time for many reasons. There is no replacement for a good backup policy; But if you are reading this you are probably beyond that point. If the data is particularly valuable a professional solution should be considered. Data Retriever is an Australian based data recovery business and ocau sponsor with a "No Data, No charge" policy. http://www.dataretriever.com.au/ For those without such a budget or need, this page should cover the basics for a home retrieval. This is only a general guide to file recovery and assumes a simple File system and a physical hard disk drive, SSD's, flash based memory and certain smart file systems will still work but specifics aren't covered here. If the data is important get it recovered professionally and set up a back up system.


Contents

Basics of deleted data

A file is never fully deleted, that is putting it in the recycle bin wont delete it for good, When you select a file for deletion it still exists on the hard drive but the OS thinks the file is now just empty space waiting to be written too.

A file is only truly deleted when the space it occupied has been over-written. There is much debate as to how many over writes it takes to delete a file completely but for the purpose of this article just one over write can make most types of data unusable. A text file can stand up to an overwrite much better than, say: a video file. A few scrambled characters in an essay might be usable but in a video file a few changes may result in dropped frames etc. Completely unwatchable as a movie but in a forensics investigation it might be enough. Which is where the argument force-ably over writing a file comes from.

Recovering a "deleted" file

Assuming you have just accidentally deleted a file, recovery is very simple. there are many free programs that can search a hard-drive for deleted files and recover them for you. Recuva is a free windows based program for doing just that. For the reasons mentioned above you must never save the recovered file to the hard drive it is being recovered from. Recovering from the drive and onto an external hard drive is acceptable in basic cases. for example recovering a small file you recently deleted. The reason this is done is because from the point of view of your OS the file you are recovering is empty space and you could potentially end up writing to the same sector of your hard drive you are recovering from.

Types of Hard Drive failure

If something more catastrophic than accidentally pressing "Empty recycle bin" has occurred you must first Identify what has gone wrong. Common failures are:

Physical failure

Physical failure is a failure of the hardware which controls the hard drive or the hard drive controller I.E. raid controller or USB Hard drive controller. This is typically the hardest type of data to recover from, failed raid and USB controllers can be easily replaced and the hard drive should be able to be used as normal with its new controller. Actual hard drive controller boards on the HDD themselves are harder to recover from, Often they can be re flashed or replaced with a known working unit from an exact model hard drive. Finally physical failure of the platters or spindles can occur. This can be recovered from but is a professional job requiring expert knowledge and a clean room, not recommended for a home job.

File system failure

File system failure is particularly common when different file systems are mixed or an OS expects a file systems different to what is present. Simple forced resets, power failures etc can also corrupt file systems. A hard drive with a damaged file system will usually show up as a different size or as a raw format, using a program such as chkdsk or fsck may work in more severe cases gparted (available on most popular Linux live cds) can be used to rebuild the file system.

Recovering a Hard Drive

To recover a hard drive that is failing or otherwise can be recovered you must first image the drive. A bit for bit image allows you to work on the hard drive without fear of mechanical failure or overwriting anything.

To make an image of the file grab any modern Linux live CD and enter this command into a terminal: $ dd if=/dev/hda of=/media/newdrive/HDD_backup.dd conv=noerror,sync

if=/dev/hda refers to the location of the hard drive you wish to recover, you can use the command: $ sudo fdisk -l To list all available hard drives if more than one is present. The second part of the command refers to where the imaged drive is stored obviously the hdd its getting stored on needs to be larger than the drive getting imaged. other commands can also be appended such as compressing the image as its being created, selecting sector size if known and changing the output file format. The dd command will take some time to complete depending on the size of the HDD being imaged.

Once you have the image it can be processed by data recovery software or if the damage is not too severe it can be mounted in ubuntu and accessed by the file manager. To mount it read only create a mount point $ mkdir /mnt/driveimage Then make the mount point read only to stop the OS writing files to it. All modern operating systems will write files to a mounted storage devices to facilitate things like recycle bins etc. so this step is a must and often over looked.

Retrieved from "http://www.overclockers.com.au/wiki/index.php?title=Data_Recovery&oldid=18241"

[Main Page]
OCAU News
OCAU Forums
PC Database
Main Page
Recent changes
Random page
All pages
Help
View source
Discuss this page
Page history
What links here
Related changes
Special pages