What is Data Recovery?

Data recovery is the process of salvaging data from damaged, failed, wrecked or inaccessible primary storage media when it cannot be accessed normally. Often the data is being salvaged from storage media formats such as hard disk drive, storage tapes, CDs, DVDs, RAID, and other media. This can be due to physical damage to the storage device or logical damage to the file system that prevents it from being mounted by the host operating system. Although there is some confusion as to the term, data recovery can also be the process of recovering deleted information from a storage media.

Deleted and overwritten data

When a file is deleted, in fact the data is not gone. The operating system simply marks the file as deleted in File Allocation Table (FAT) and tells the Operating System the space allocated to the file is available for writing but the actual data in the hard drive is untouched. The space allocated to the file is then made available as free space, and as the computer is used, new data may be written to that same space. Before this is done, the data is still intact and can be recovered by a variety of different advanced data recovery tools. These tools can see the files from an entirely different perspective as they use a customised Operating System. These tools in used in combination to some other data recovery methods, enable recovery of data from the corrupted partitions. If the free space used by the deleted file is occupied by another file or in other words the deleted file is OVERWRITTEN, the task of data recovery will become extremely difficult.

A common misconception is that overwritten data, as described above, can be recovered by different advanced data recovery tools. You have to remember that in fact data is recorded onto magnetic media such as hard drives by writing a pattern of pole changes that represent binary “ones” and “zeroes”. These patterns are then read back by the disk and translated by the operating system as text, executables, pictures or whatever the data may represent.

If the data is overwritten with a pattern of bits (ones and zeroes), the magnetic fluxes will be physically changed and the disk will only detect the new patterns when it is reading the data. This makes the data effectively, and for all intents and purposes, erased.
However if the data loss has happened as result of logical or physical damage to the hard drive, data can be successfully recovered by specialist tools and replacement of faulty parts or updating the firmware located in the system area of the hard drive.

Physical damage

A wide variety of failures can cause physical damage to storage media. CD-ROMs can have their metallic substrate or dye layer scratched off; hard disks can suffer any of several mechanical or electronic failures, such as head crashes and failed motors; tapes can simply break. Physical damage always causes at least some data loss, and in many cases the logical structures of the file system are damaged as well. This causes logical damage that must be dealt with before any files can be rescued from the failed media.

Physical or severe logical damage to storage media cannot be repaired by end users therefore professional help must be sought. For example, opening a hard disk in a normal environment, can allow dust and damaging particles to settle on the surface of platters, causing further damage to them and complicating the recovery process. Furthermore, end users do not have the hardware or technical expertise required to make these repairs for the purpose of data recovery; therefore, a data recovery company must be consulted. Professional data recovery companies have advanced tools and clean room facilities to protect the media while hard drive repairs for data recovery are being made. The extracted raw image can be used to reconstruct usable data after any logical damage has been mended. Data recovery success rates are about 85-99% depending on the complexity of the data recovery.

Logical damage

Far more common than physical damage is logical damage to a file system. Logical damage is primarily caused by power outages that prevent file system structures from being completely written to the storage medium. Other causes of logical damage to the hard drive, include electrostatic discharge (ESD) or “body electricity or finger sparks”. This can cause loss of data by corrupting the logical format of the hard drive. Also corrupt device drivers, as well as system crashes, can have the same effect. The result is that the file system is left in an inconsistent state. This can cause a variety of problems, such as strange behaviour (e.g., infinitely recursing directories, drives reporting negative amounts of free space), system crashes, blue screens or an actual loss of data.

Special tools and disk editing software enable technicians to correct these inconsistencies and therefore recover data from faulty partitions.

Two main techniques are used by data recovery technicians. The first, consistency checking, involves scanning the logical structure of the disk and checking to make sure that it is consistent with its specification. For instance, in most file systems, a directory must have at least two entries: a dot (.) entry that points to itself, and a dot-dot (..) entry that points to its parent. Special tools are used that can read each directory and make sure that these entries exist and point to the correct directories.

The second technique for file system repair is to assume very little about the state of the file system to be analyzed, and using any hints that any undamaged file system structures might provide, rebuild the file system from scratch. This strategy involves scanning the entire drive and making note of all file system structures and possible file boundaries, then trying to match what was located to the specifications of a working file system.

Data can be recovered even when the logical structures are almost completely destroyed. This technique generally does not repair the underlying file system, but allows the data to be extracted to another storage device successfully.

The increased use of journaling file systems, such as NTFS 5.0, ext3, and XFS, is likely to reduce the incidence of logical damage. These file systems can always be “rolled back” to a consistent state, which means that the only data likely to be lost is what was in the drive’s cache at the time of the system failure. However, regular system maintenance should still include the use of a consistency checker. This can protect both against bugs in the file system software and latent incompatibilities in the design of the storage hardware.

Firmware Corruption

Some kinds of logical damage can be mistakenly attributed to physical damage. For instance, when a hard drive’s read/write head begins to click, most end-users will associate this with internal physical damage. This is not always the case, however. Quite often, either the firmware on the platters or the controller card will instead need to be re-programmed. The firmware is normally located in the system area on the circuitry inside the hard drive and/or on the chip on the print controller board (PCB). Once the corrupt firmware on either of these two devices is restored by using specialist tools, the drive will be back in shape and the data will become accessible for data recovery.

