A SEMINAR REPORT ON: 17.05.2017
REPORT NAME : DATA RECOVERY
BY
NAME : SHOVAN NANDI
ROLL NO : 15800114007
Registration No : 141580110007
Department of Computer Science & Engineering
REPORT TO BE SUBMITTED IN PARTIAL FULFILLMENT OF THE
REQUIREMENTS FOR THE DEGREE OF BACHELOR OF
TECHNOLOGY
IN COMPUTER SCIENCE & ENGINEERING
At
Mallabhum Institute of Technology
Affiliated to
Maulana Abul Kalam Azad University of Technology
(Formerly known as West Bengal University of Technology)
BF-142, Sector – I, Salt Lake, Kolkata – 700064
Acknowledgement:
I would like to thank respected Sir Uttam Ganguli and Miss. Swapana Halder
for giving me such a wonderful opportunity to expand my knowledge for my
own branch and giving me guidelines to present a seminar report. It helped me a
lot to realize of what we study for.
Secondly, I would like to thank my parents who patiently helped me as I went
through my work and helped to modify and eliminate some of the irrelevant or
un-necessary stuffs.
Thirdly, I would like to thank my friends who helped me to make my work
more organized and well-stacked till the end.
Next, I would thank Microsoft for developing such a wonderful tool like MS
Word. It helped my work a lot to remain error-free.
Last but clearly not the least, I would thank The Almighty for giving me
strength to complete my report on time.
Preface:
I have made this report file on the topic Data Recovery; I have tried my best to
elucidate all the relevant detail to the topic to be included in the report. While in
the beginning I have tried to give a general view about this topic.
My efforts and wholehearted co-operation of each and everyone has ended on
a successful note. I express my sincere gratitude to Jana Sir who assisted me
throughout the preparation of this topic. I thank him for providing me the
reinforcement, confidence and most importantly the track for the topic
whenever I needed it.
Index:
Abstract
Elementary Knowledge of Data Recovery
1. Connection of Data
2. The essence of data recovery
3. The scope of data recovery
4. The principle of data recovery
Data Loss
1. Software reason
2. Hardware reason
Data Protecting Technology
1. SMART Technology
2. SPS
3. DFT
4. Floppy disk array technology
5. SAN
6. NAS
7. Backup
Common Cases of Partition Recovery
1. MBR Recovery
2. Recovery of Partition
3. Partition Table Doctor
4. The FAT table recovery
Recovery Option
1. Recovery from Logical Damage
2. Recovery from Physical Damage
3. Recovery from Overwritten Data
Challenges
Conclusion
ABSTRACT:
Data recovery refers to accessing logically or physically damaged data, or
overwritten data, without the use of any functioning backup. Advanced data
recovery has two different methods. The first method, part replacement, deals
with recovery from physically and/or logically damaged data. The second
method, magnetic recovery, deals with the recovery of overwritten data. In this
paper we discuss the methods and challenges of replacing or refreshing firmware
and system area information, and of replacing some parts of the drive
electronics. Magnetic recovery uses Magnetic Force Microscopy to recover
overwritten data. The backbone of magnetic recovery is the interesting fact that
magnetic memory always remembers whatever is written on it until it is
degaussed under a strong magnetic field. As far as cyber forensics is concerned,
the recovery of data after physical damage and overwriting is of great
importance. In this paper we discuss the limitations of current techniques and
some probable future directions of data recovery. It is predicted that data
recovery will become more important in the near future.
ELEMENTARY KNOWLEDGE OF DATA RECOVERY:
In this paper we will see how data can be recovered from all types of damage,
both physical and logical. We will look at the need for data recovery in today’s
world, as data is the most important part of human life. The introduction first
gives the definition of data recovery and then explains why it is needed. After
this we will look at the recovery techniques and the challenges in data recovery.
Depending on the field, data recovery also refers to the result of data mining,
decryption and decompression. In this paper data recovery means accessing data
from logically or physically damaged media, specifically from hard disk drives,
or obtaining a file or blocks that have no backups.
Definition:
Data recovery is the process of recovering data from primary storage media
when it cannot be accessed normally. Recovery may be required due to
physical damage to the storage device or logical damage to the file system that
prevents it from being mounted by the host operating system. The loss of data
can be due to logical or physical damage or due to overwriting of data, and
there are different ways to tackle each of these three conditions.
Why it is needed?
Data loss or impairment has become very common due to internal faults
(software or hardware faults) or external faults (operator faults and
environmental faults). This often poses the grave problem of losing the outcome
of the many hardships endured to achieve a specific task. Data which cost years
of hardship may be lost in a flash due to a single mistake! We may come across
such painful experiences all too often. The increasing hastiness and pace of
life, resulting in accidental deletion of valuable data, adds to the agony. This
reveals only one side of the importance of data recovery; the other side is its
forensic importance. The difference in the forensic case is that the data may
not have been deleted accidentally, and that changes the recovery as well:
recovery is more difficult because the deletion was performed with the intention
that the data should never be recovered. These are the circumstances that lead
to the need to recover lost data. In cases of accidental loss of stored data, we
badly need such recovery software, and sometimes more than software that can
perform the usual undeletion. Hence data recovery became important,
irrespective of the file system used. In each file system the data recovery
process depends on the type of file system and its features. Besides this there
are also drive-independent data recovery methods.
Connection of data:
The connotation of data is comprehensive: it includes not only multimedia files
such as data documents, images and voice recordings stored in a file system or
database, but also hardware information, network addresses and network
services, which are used to deposit and manage that information.
The essence of data recovery:
Data recovery means retrieving data that has been lost, deleted, or made
unusable or inaccessible for various reasons.
Data recovery not only restores lost files but also recovers corrupted data.
Depending on the reason for the loss, we can adopt different data recovery
methods. There are software and hardware reasons that cause data loss, and
we can recover data by software and hardware means. Unlike prevention and
backup, data recovery is a remedial measure. The best way to ensure the
security of your data is prevention and regular backup. If you operate and use
your data according to the normative steps, you can reduce the danger of data
loss to the lowest.
The scope of data recovery:
There are many forms of data problem; we can divide the objects or scope of
data recovery according to the different symptoms.
System problem:
The main symptom is that you cannot enter the system, the system behaves
abnormally, or the computer shuts down. There are complex reasons for this, so
we need to adopt different processing methods. Reasons for this symptom may
be that a key system file is lost or corrupted, there is a bad track on the hard
disk, the hard disk is damaged, the MBR or DBR is lost, the CMOS setting is
incorrect, and so on.
Bad track of hard disk:
There are logical and physical bad tracks. A logical bad track is mainly caused
by incorrect operation, and it can be restored by software. A physical bad track
is caused by physical damage, which is real damage; we can restore it by
changing the partition or sector. When there is a physical bad track, you had
better back up your data in case the data can no longer be used because of the
bad track.
Partition problem:
If a partition cannot be identified and accessed, or is identified as
unformatted, partition recovery tools such as Partition Table Doctor can be used
to recover data.
Files loss:
If files are lost because of deletion, format or a Ghost clone error, file
restoring tools such as Data Recovery Wizard can be used to recover data.
Password loss:
If the password of a file, system, database or account is lost, special
decryption tools that correspond to the particular data form, such as Word or
WinZip, can be used.
File repair:
For some reasons, some files cannot be accessed or used, or the contents are
full of garbled characters, or the contents have changed so that they cannot be
read. In this condition, special file restoring tools can be tried to restore the
files.
The principle of data recovery:
Data recovery is a process of finding and recovering data, in which there may be
some risk, for not all situations can be anticipated or prearranged; unexpected
things may happen. So you need to reduce the danger in data recovery to the
lowest:
Back up all the data on your hard disk.
Prevent the equipment from being damaged again.
Don’t write anything to the device from which you want to recover data.
Try to get detailed information on how the data was lost and the losing process.
Back up the recovered data in time.
DATA LOSS:
There are various reasons that cause data loss: software, hardware, man-made,
natural, intended and unintended causes may all lead to data loss or damage on
storage devices. Generally, there are two main reasons for data problems:
software reasons and hardware reasons.
1. Software reason:
Viruses, formatting, mis-partitioning, mis-cloning, mis-operation, network
deletion and power cuts during operation may all be software reasons. The
symptoms are usually mis-operation, read errors, files that cannot be found or
opened, reports of no partition or an unformatted partition, lost passwords and
garbled characters.
A: Computer viruses: some malicious virus programs destroy data, or overwrite
or erase the data contents.
B: Mis-format: a fast or complete format of a partition, thus changing the file
system form (NTFS, FAT32) of the partition.
C: Mis-clone: when backing up the hard disk, mis-cloning or overlaying the
original data on the hard disk.
For these, we can use software tools to recover the data. So-called soft
recovery means that data can be recovered by software, without any hardware
fixing operation, because the fault is not a hardware failure.
The following are prompts shown when the system cannot start up normally:
Invalid Partition Table: Invalid partition table information.
Missing Operating System: “55AA” mark in DOS boot sector lost or DBR
corrupted.
Disk Boot Failure: System file read failure.
Bad or missing command interpreter: Cannot find the command.com file, or the
‘COMMAND.COM’ file is corrupted.
Invalid system disk: DOS boot record corrupted.
Type the name of the command, Interpreter: DOS partition mark in partition
table error, or ‘COMMAND.COM’ file lost or corrupted.
Error Loading Operating System: Main boot startup program read boot sector
unsuccessfully.
Not found any active partition in HDD: Active partition mark in partition table
changed to inactive partition mark.
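The “55AA” mark and the active partition mark named in the prompts above can be checked directly on a saved copy of the first sector. The following is an added example, not part of the original report; the finding names and the two sample sectors are constructed for illustration.

```python
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 446      # four 16-byte partition entries follow the boot code
SIGNATURE_OFFSET = 510  # the last two bytes of the sector hold 55 AA


def parse_mbr(sector):
    """Split a 512-byte MBR into (signature_ok, list of 4 entry dicts)."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    signature_ok = sector[SIGNATURE_OFFSET:] == b"\x55\xaa"
    entries = []
    for i in range(4):
        raw = sector[TABLE_OFFSET + 16 * i:TABLE_OFFSET + 16 * (i + 1)]
        # boot flag, CHS start (skipped), type, CHS end (skipped), LBA start, length
        flag, ptype, start, length = struct.unpack("<B3xB3xII", raw)
        entries.append({"slot": i, "flag": flag, "type": ptype,
                        "start": start, "length": length})
    return signature_ok, entries


def diagnose_mbr(sector, disk_sectors):
    """Return a list of finding codes (names invented for this example)."""
    signature_ok, entries = parse_mbr(sector)
    findings = []
    if not signature_ok:
        findings.append("NO_55AA_SIGNATURE")
    if any(e["flag"] not in (0x00, 0x80) for e in entries):
        findings.append("BAD_BOOT_FLAG")
    used = [e for e in entries if e["type"] != 0x00]
    active = [e for e in used if e["flag"] == 0x80]
    if used and not active:
        findings.append("NO_ACTIVE_PARTITION")
    if len(active) > 1:
        findings.append("MULTIPLE_ACTIVE_PARTITIONS")
    for e in used:
        if e["start"] == 0 or e["start"] + e["length"] > disk_sectors:
            findings.append("ENTRY_%d_OUT_OF_RANGE" % e["slot"])
    ordered = sorted(used, key=lambda e: e["start"])
    for a, b in zip(ordered, ordered[1:]):
        if a["start"] + a["length"] > b["start"]:
            findings.append("ENTRIES_%d_%d_OVERLAP" % (a["slot"], b["slot"]))
    return findings


def build_mbr(partitions, signature=True):
    """Construct a sample MBR from (flag, type, start, length) tuples."""
    sector = bytearray(SECTOR_SIZE)
    for i, (flag, ptype, start, length) in enumerate(partitions):
        struct.pack_into("<B3xB3xII", sector, TABLE_OFFSET + 16 * i,
                         flag, ptype, start, length)
    if signature:
        sector[SIGNATURE_OFFSET:] = b"\x55\xaa"
    return bytes(sector)


# Constructed samples: a healthy table, and one with the signature wiped,
# the active mark cleared and the second entry overlapping the first.
HEALTHY = build_mbr([(0x80, 0x0C, 2048, 100000), (0x00, 0x07, 102048, 50000)])
DAMAGED = build_mbr([(0x00, 0x0C, 2048, 100000), (0x00, 0x07, 90000, 50000)],
                    signature=False)

if __name__ == "__main__":
    print(diagnose_mbr(HEALTHY, 200000))
    print(diagnose_mbr(DAMAGED, 200000))
```

Run it against a saved copy of sector 0 rather than the live disk, in line with the principle of not writing to the device being recovered.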
2. Hardware reason:
Sometimes data loss is caused by hardware, such as a bad sector on the hard
disk, a power cut, head damage, a circuit board problem, etc.
When your hardware has problems, you will probably find that the hardware
becomes slow, operations fail, or data cannot be read; these are most often
physical bad track failures.
Correspondingly, data recovery that involves fixing hardware is considered hard
recovery; it covers memory medium damage, track damage, hard disk scratches,
head damage, motor damage, chip burnout and so on.
The most distinct difference between soft recovery and hard recovery is whether
the memory medium itself can be normally accessed by fixing or replacing parts.
Data Protecting Technologies:
More and more attention is being paid to data security and fault-free storage.
People attach more and more importance to developing new technologies to
protect data.
1. SMART Technology:
SMART, Self-Monitoring, Analysis and Reporting Technology, mainly protects the
HD from losing data when there are problems with the HD. A SMART drive can
reduce the risk of data loss: it raises alarms to predict and warn of problems,
thus enhancing data security.
2. SPS:
The Shake Protecting System can prevent the head from shaking, thus enhancing
the anti-knock characteristics of the HD and avoiding damage caused by shaking.
3. DFT:
DFT, a kind of IBM data protecting technology, can check the hard disk by using
the DFT program to access the DFT microcode in the hard disk. With DFT, users
can conveniently check the HD operation.
4. Floppy disk array technology:
Originally ‘Redundant Arrays of Inexpensive Disks’. A project at the computer
science department of the University of California at Berkeley, under the
direction of Professor Katz, in conjunction with Professor John Ousterhout and
Professor David Patterson.
The project is reaching its culmination with the implementation of a prototype
disk array file server with a capacity of 40 GBytes and a sustained bandwidth of
80 MBytes/second. The server is being interfaced to a 1 Gb/s local area
network. A new initiative, which is part of the Sequoia 2000 Project, seeks to
construct a geographically distributed storage system spanning disk arrays and
automated libraries of optical disks and tapes. The project will extend the
interleaved storage techniques so successfully applied to disks to tertiary storage
devices. A key element of the research will be to develop techniques for
managing latency in the I/O and network paths.
The original (‘Inexpensive’) term referred to the 3.5 and 5.25 inch disks used
for the first RAID system but no longer applies.
The following standard RAID specifications exist:
RAID 0 Non-redundant striped array
RAID 1 Mirrored arrays
RAID 2 Parallel array with ECC
RAID 3 Parallel array with parity
RAID 4 Striped array with parity
RAID 5 Striped array with rotating parity
The basic idea of RAID (Redundant Array of Independent Disks) is to combine
multiple inexpensive disk drives into an array of disk drives to obtain
performance, capacity and reliability that exceeds that of a single large drive.
The array of drives appears to the host computer as a single logical drive. The
Mean Time Between Failure (MTBF) of the array is equal to the MTBF of an
individual drive, divided by the number of drives in the array. Because of this,
the MTBF of a non-redundant array (RAID 0) is too low for mission-critical
systems. However, disk arrays can be made fault-tolerant by redundantly storing
information in various ways.
5. SAN:
SAN, called Storage Area Network or network behind the servers, is a
specialized, high-speed network attaching servers and storage devices. A SAN
allows "any to any" connection across the network, using interconnect elements
such as routers, gateways, hubs and switches. It eliminates the traditional
dedicated connection between a server and storage, and the concept that the
server effectively "owns and manages" the storage devices. It also eliminates
any restriction on the amount of data that a server can access, currently
limited by the number of storage devices which can be attached to the
individual server. Instead, a SAN introduces the flexibility of networking to
enable one server or many heterogeneous servers to share a common storage
"utility", which may comprise many storage devices, including disk, tape, and
optical storage. The storage utility may be located far from the servers which
use it.
6. NAS:
NAS is Network Attached Storage. It can store rapidly growing amounts of
information.
7. Backup:
Backup means to prepare a spare copy of a file, file system, or other resource
for use in the event of failure or loss of the original. This essential
precaution is neglected by most new computer users until the first time they
experience a disk crash or accidentally delete the only copy of the file they
have been working on for the last six months. Ideally the backup copies should
be kept at a different site or in a fire safe since, though your hardware may be
insured against fire, the data on it is almost certainly neither insured nor
easily replaced.
Timely backup may reduce the danger and disaster to the lowest, so that data
security is best ensured. Different situations call for different methods. Both
backing up important system data with hardware and backing up key information
by cloning mirror data to a different storage device can work well.
COMMON CASES OF DATA RECOVERY:
1. MBR Recovery:
Provided that there is no problem with the hardware, the first step is MBR
recovery. MBR recovery is simple because the MBR is system data. Though it
may be created by different software and the code may differ, the method is the
same. Even with a multi-system boot it is not hard: you can back up the data to
be recovered after the system boots normally again, and then restore the
multi-system boot.
Recover MBR by fdisk:
The simplest way to recover the MBR is Fdisk, whose command is simple too; you
can use “Fdisk /MBR”. Please note that the hard disk to be operated on should be
connected to the master IDE interface as the master hard disk. For other
connections, we need to specify the interface location of the IDE device in the
form “Fdisk /CMBR”.
The command syntax of the Fdisk command line is “Fdisk /parameter switch”.
Besides those listed by “FDISK /?”, there are some hidden parameters:
/ACTOK
Parameter Function: not to check bad sectors on the disk surface
Details: It can speed up partition operation.
/CMBR
Parameter Function: to re-create the MBR of the specified disk
Details: Equal to the /MBR parameter, except that it can specify a certain disk.
/EXT
Parameter Function: to create an extended partition
Details: Creates an extended partition on the current disk, which is used to
create logical partitions.
/FPRMT
Parameter Function: to check the usage of FAT16 and FAT32 in interactive
mode
Details: When the /FPRMT parameter is added, there is no query about whether
to support high-capacity hard disks; instead there is a query about whether to
use FAT16 or FAT32 when creating a new partition.
/LOG
Parameter Function: to rebuild a logical partition
Details: Used to create a logical disk; /LOG and /EXT should be used together.
/LOGO
Parameter Function: to create a logical partition with FAT16
/MBR
Parameter Function: to re-create the MBR of the master disk
Details: Clears the system boot choice recorded in the MBR after uninstalling
Windows NT or Windows 2000.
/PRI
Parameter Function: to create a primary partition and activate it
Details: Creates a primary partition, and the partition is set active
automatically.
/PRIO
Parameter Function: to create a primary partition of FAT16 and activate it
/Q
Parameter Function: not to restart the computer when ending Fdisk
Details: It is unnecessary to restart the computer after changing the partition
table.
/STATUS
Parameter Function: to display details of the current partitions
Details: When there is no logical partition in the extended partition, the
extended partition will not be displayed.
/X
Parameter Function: no LBA attribute
Details: No partition will be created with the LBA attribute.
These parameters make Fdisk handier to use. However, hidden parameters are
more dangerous, which calls for more caution.
Use Fixmbr to restore MBR:
Fixmbr, provided by Microsoft, is an MBR recovery tool which determines the
hard disk partitions and reconstructs the MBR through an overall search.
Fixmbr can only be used from the Windows 2000 recovery console, which can be
booted from the Windows install CD. Fixmbr only revises the MBR; it does not
write other sectors, which is safe. You can get the help information of Fixmbr
by using “Fixmbr /?”.
The parameter “DriveNo” names the device (drive) to which a new MBR is
written. The device name can be obtained from the output of the map command.
For example, device name:
\Device\HardDisk0
The following command writes a new MBR to the specified device:
fixmbr \Device\HardDisk0
Attention: If we do not assign DriveNo, the new MBR will be written to the
booting device, namely the drive that loads the host system. If the system
detects an invalid or non-standard partition mark, it will ask whether to
continue executing this command. Continue only if there is a problem accessing
the drive; otherwise, please do not continue.
By default the MBR structure will be checked. If it is abnormal, the tool asks
whether to recover it. If you choose “Y”, it searches for partitions. When it
has found a partition, it also asks whether to revise the MBR. If you choose
“Y”, recovery will be finished. If the system hangs at this point, please
deactivate the anti-virus function in the BIOS first and then continue. By
default, it searches all existing hard disks and performs all the operations
mentioned above. If the result is not right, you may use the “/Z” parameter to
clear the result and restart; it then returns to the original condition.
2. Recovery of Partition
Partition recovery is generally the second step of the whole process, because
apart from some tools that read and write the hard disk directly, most tool
software runs under the operating system and works through system calls. The
operating system accesses the disk on the basis of the MBR and DBR; without
the MBR and DBR, the operating system is unable to access the file system.
Therefore, if the partition table is corrupted, we need to rebuild it, which is
usually done manually; in some special cases it can be done automatically by
software.
If the partition table is corrupted, there are many tools that can rebuild it
automatically, as long as the problem is not too serious. If it is too serious,
or the partition table structure is too complex, rebuilding may be beyond their
ability. In this case, we need to do it manually. Usually we use tool software
to recover the lost partition table, such as Norton Utilities 8.0, DiskMan,
KV3000/Kavfix, PartitionMagic etc. Here we introduce Partition Table Doctor.
3. Partition Table Doctor:
Partition Table Doctor is the only real software for hard disk partition
recovery. When you come up against a drive error (not a hardware failure), this
versatile tool automatically checks and repairs the Master Boot Record, the
partition table, and the boot sector of the partition with an error, to recover
FAT16/FAT32/NTFS/NTFS5/EXT2/EXT3/SWAP partitions on
IDE/ATA/SATA/SCSI hard disk drives. It can create an emergency floppy disk
or a bootable CD to recover the bad partition even if your operating system
fails to boot. Partition Table Doctor supports MS-DOS, FreeDOS, Windows
95/98/Me, Windows NT 4.0, Windows 2000, Windows XP and Windows 2003.
There are two modes for partition recovery: “auto mode” and “interactive
mode”.
4. The FAT table recovery
CIH destroys data from the start of a partition onward. In this case, system
data in the front part of the partition may be destroyed and lost. If FAT2 is
still intact, we may use FAT2 to overwrite FAT1. Usually we use DiskEdit and
WinHex. For other forms of destruction, such as formatting, we usually use tool
software to scan the whole disk and seldom recover manually, because a
partition has several trillions of sectors, or even dozens of trillions, and
relying on manual analysis is impossible. For some extremely important data
files, we can also recover manually.
Recover FAT by DiskEdit:
After recovering the DBR of a FAT partition, if part of FAT1 is damaged while
FAT2 remains intact (the most common situation after destruction by CIH), we
may use FAT2 to overwrite FAT1. The specific method is to find the start sector
of FAT2 and then search for the start sector of DATA (if it is FAT16, search for
the FDT). In this way we can figure out the length of the FAT table. From the
length and the start sector of FAT2, we know the start sector of FAT1. By
copying FAT2 over the damaged FAT1, we can finally recover the whole partition.
Recover FAT by WinHex:
The principle of recovering FAT with WinHex is the same as with DiskEdit. After
recovering the DBR, we can use FAT2 to overwrite FAT1. After finding FAT2, we
search for the start sector of DATA (if it is FAT16, search for the FDT). The
boundary is distinct, because the end of the FAT must be a region of zeros;
otherwise there would be no free space at all (even then, in ordinary
circumstances, there is still a little space left in the FAT after it has
covered the DATA area, so the end of the last sector must be 0 too). The
beginning of the DATA region or FDT region, in contrast, must not be 0. Whether
or not there is a fixed FDT, the system always begins from the second cluster.
If there is an FDT, it closely follows FAT2, and its file entries must exist; if
there is not, the data area begins there, and some data must exist in it. Thus
we can figure out the length of the FAT table, and then the start sector of FAT1
from the length and the start sector of FAT2. By copying FAT2 over the damaged
FAT1, we can finally recover this partition.
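The FAT2-over-FAT1 copy described for DiskEdit and WinHex can be scripted against a disk image. The following is an added example, not part of the original report: it handles FAT16 only, reads the geometry from an already recovered DBR instead of searching for the zero region by eye, and works on a small constructed image.

```python
import struct


def fat16_layout(boot):
    """Read the FAT geometry from a recovered FAT16 boot sector (DBR)."""
    if boot[510:512] != b"\x55\xaa":
        raise ValueError("no 55AA mark: recover the DBR first")
    bps, _spc, reserved, nfats, _root = struct.unpack_from("<HBHBH", boot, 11)
    media, fat_sectors = struct.unpack_from("<BH", boot, 21)
    if nfats != 2 or fat_sectors == 0:
        raise ValueError("this example handles FAT16 with two FAT copies only")
    fat2_start = reserved + fat_sectors
    fdt_start = reserved + nfats * fat_sectors  # the FDT closely follows FAT2
    # The page's arithmetic: FAT length = FDT start - FAT2 start,
    # then FAT1 start = FAT2 start - FAT length.
    fat_len = fdt_start - fat2_start
    fat1_start = fat2_start - fat_len
    return {"bps": bps, "media": media, "fat_len": fat_len,
            "fat1_start": fat1_start, "fat2_start": fat2_start}


def restore_fat1(image):
    """Return (repaired_image, damaged_fat1_sectors); the input is untouched."""
    lay = fat16_layout(image[:512])
    bps, n = lay["bps"], lay["fat_len"]
    f1, f2 = lay["fat1_start"] * bps, lay["fat2_start"] * bps
    fat1, fat2 = image[f1:f1 + n * bps], image[f2:f2 + n * bps]
    # A FAT16 table starts with the media byte followed by FF. If FAT2 fails
    # this check it is not a trustworthy source and must not be copied.
    if fat2[0] != lay["media"] or fat2[1] != 0xFF:
        raise ValueError("FAT2 does not look intact; do not copy it")
    damaged = [s for s in range(n)
               if fat1[s * bps:(s + 1) * bps] != fat2[s * bps:(s + 1) * bps]]
    repaired = bytearray(image)       # work on a copy, never on the evidence
    repaired[f1:f1 + n * bps] = fat2
    return bytes(repaired), damaged


def build_sample_image():
    """Constructed 10-sector FAT16 image: 1 reserved sector, two 2-sector FATs."""
    bps, reserved, fat_sectors = 512, 1, 2
    image = bytearray(bps * 10)
    struct.pack_into("<HBHBH", image, 11, bps, 1, reserved, 2, 16)
    struct.pack_into("<BH", image, 21, 0xF8, fat_sectors)
    image[510:512] = b"\x55\xaa"
    fat = bytearray(bps * fat_sectors)
    struct.pack_into("<4H", fat, 0, 0xFFF8, 0xFFFF, 3, 0xFFFF)  # one 2-cluster file
    for copy in range(2):
        start = (reserved + copy * fat_sectors) * bps
        image[start:start + len(fat)] = fat
    return bytes(image)


def damage_fat1(image):
    """Overwrite the first sector of FAT1 with junk, as in the CIH case."""
    broken = bytearray(image)
    broken[512:1024] = b"\xcc" * 512
    return bytes(broken)


if __name__ == "__main__":
    repaired, damaged = restore_fat1(damage_fat1(build_sample_image()))
    print("damaged FAT1 sectors:", damaged)
```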
Recovery Option:
There are three types of recovery options:
1. Recovery from Logical Damage:
Logical damage is primarily caused by power outages that prevent file
system structures from being completely written to the storage medium,
but problems with hardware (especially RAID controllers) and drivers, as
well as system crashes, can have the same effect. The result is that the
file system is left in an inconsistent state. This can cause a variety of
problems, such as strange behavior (e.g., infinitely recursing directories,
drives reporting negative amounts of free space), system crashes, or an
actual loss of data. Various programs exist to correct these
inconsistencies, and most operating systems come with at least a
rudimentary repair tool for their native file systems. Linux, for instance,
comes with the fsck utility, and Microsoft Windows provides chkdsk.
Third-party utilities are also available, and some can produce superior
results by recovering data even when the disk cannot be recognized by
the operating system's repair utility. Two common techniques used to
recover data from logical damage are consistency checking and data
carving. While most logical damage can be either repaired or worked
around using these two techniques, data recovery software can never
guarantee that no data loss will occur. For instance, in the FAT file
system, when two files claim to share the same allocation unit
(“cross-linked”), data loss for one of the files is essentially guaranteed.
(1.1) Consistency checking:
Consistency checking involves scanning the logical structure of the disk
and checking to make sure that it is consistent with its specification. For
instance, in most file systems, a directory must have at least two entries:
a dot (.) entry that points to itself, and a dot-dot (..) entry that points to
its parent. A file system repair program can read each directory and make
sure that these entries exist and point to the correct directories. If they
do not, an error message can be printed and the problem corrected.
Both chkdsk and fsck work in this fashion. This strategy suffers from a
major problem, however: if the file system is sufficiently damaged, the
consistency check can fail completely. In this case, the repair program
may crash trying to deal with the mangled input, or it may not recognize
the drive as having a valid file system at all. The second issue that arises
is the disregard for data files. If chkdsk finds a data file to be out of place
or unexplainable, it may delete the file without asking. This is done so
that the operating system may run smoother, but the files deleted
are often important user files which cannot be replaced. Similar issues
arise when using system restore disks (often provided with proprietary
systems like Dell and Compaq), which restore the operating system by
removing the previous installation. This problem can often be avoided by
installing the operating system on a separate partition from your user
data.
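A consistency check of the kind described above, applied to the cross-linked FAT case mentioned under logical damage. This is an added example, not part of the original report; the FAT16 table, the file names and the report keys are constructed for illustration, and the check only reports, it deletes nothing.

```python
END_OF_CHAIN_MIN = 0xFFF8  # FAT16 end-of-chain markers are 0xFFF8..0xFFFF
BAD_CLUSTER = 0xFFF7


def walk_chain(fat, start):
    """Follow one cluster chain; return (clusters_visited, problem_or_None)."""
    seen, cluster = [], start
    while True:
        if cluster < 2 or cluster >= len(fat):
            return seen, "chain points outside the FAT"
        if cluster in seen:
            return seen, "chain loops back on itself"
        seen.append(cluster)
        nxt = fat[cluster]
        if nxt >= END_OF_CHAIN_MIN:
            return seen, None
        if nxt == 0:
            return seen, "chain runs into a free cluster"
        if nxt == BAD_CLUSTER:
            return seen, "chain runs into a bad cluster"
        cluster = nxt


def check_fat(fat, files):
    """files maps a name to its start cluster (as read from directory entries)."""
    owner = {}
    report = {"cross_linked": [], "broken": [], "lost": []}
    for name, start in files.items():
        clusters, problem = walk_chain(fat, start)
        if problem:
            report["broken"].append((name, problem))
        shared = [c for c in clusters if c in owner]
        if shared:
            # Two files claim the same allocation unit: report where they merge.
            report["cross_linked"].append((shared[0], owner[shared[0]], name))
        for c in clusters:
            owner.setdefault(c, name)
    # Allocated clusters that no directory entry reaches are lost chains.
    report["lost"] = [c for c in range(2, len(fat))
                      if fat[c] not in (0, BAD_CLUSTER) and c not in owner]
    return report


# Constructed FAT16 table, indexed by cluster number:
#   A.TXT: 2 -> 3 -> 4 (end)       B.TXT: 5 -> 3 (cross-linked into A.TXT)
#   C.TXT: 9 -> 10 -> 9 (loop)     clusters 6 -> 7 allocated but unreferenced
SAMPLE_FAT = [0xFFF8, 0xFFFF, 3, 4, 0xFFFF, 3, 7, 0xFFFF, 0, 10, 9, 0]
SAMPLE_FILES = {"A.TXT": 2, "B.TXT": 5, "C.TXT": 9}

if __name__ == "__main__":
    for kind, items in check_fat(SAMPLE_FAT, SAMPLE_FILES).items():
        print(kind, items)
```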
(1.2) Data carving:
Data carving is a data recovery technique that allows data with no
file system allocation information to be extracted by identifying sectors
and clusters belonging to the file. Data carving usually searches through
raw sectors looking for specific desired file signatures. The fact that
there is no allocation information means that the investigator must
specify a block size of data to carve out upon finding a matching file
signature, or the carving software must infer it from other information on
the media. There is a requirement that the beginning of the file still be
present, and there is (depending on how common the file signature
is) a risk of many false hits. Data carving, also known as file carving, has
traditionally required that the files recovered be located in sequential
sectors (rather than fragmented), as there is no allocation information to
point to fragmented file portions. Recent developments in file carving
algorithms have led to tools that can recover files that are fragmented
into multiple pieces. A good number of software tools now exist
which can perform undeletion to a great extent, even if data seems
to be permanently deleted from the drive. These tools usually rely on
the fact that the file system never actually deletes data but only
marks it as deleted until it is overwritten the next time. These tools
can recover the data only before it is overwritten, and they are highly
dependent on the file system type. The main disadvantage of these
tools is that they can recover the data only when the drive is working
properly and the data is not overwritten. For forensic needs it is
necessary to recover the data from physically damaged drives and also
when the data is overwritten, because physically damaging the drive
and dumping junk data onto it are not difficult jobs to perform.
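A minimal signature-based carver for the technique described above, covering the contiguous case only. This is an added example, not part of the original report; it uses the JPEG start and end markers, and the disk image, the sizes and the `max_size` block limit are constructed for illustration.

```python
SECTOR = 512
JPEG_HEADER = b"\xff\xd8\xff"  # start-of-image marker plus first marker byte
JPEG_FOOTER = b"\xff\xd9"      # end-of-image marker


def carve_jpegs(raw, max_size=4 * SECTOR):
    """Carve contiguous JPEG candidates from raw sectors.

    Only headers at a sector boundary are accepted, because a file starts at
    the beginning of an allocation unit; this filters out many false hits.
    If no footer is found within max_size, the investigator-specified block
    size is carved instead and the hit is marked incomplete.
    """
    hits = []
    offset = 0
    while offset < len(raw):
        if raw[offset:offset + len(JPEG_HEADER)] != JPEG_HEADER:
            offset += SECTOR
            continue
        window = raw[offset:offset + max_size]
        # Caveat: an embedded thumbnail carries its own footer, so the first
        # FF D9 can end the carve early on real photographs.
        end = window.find(JPEG_FOOTER, len(JPEG_HEADER))
        if end != -1:
            length, complete = end + len(JPEG_FOOTER), True
        else:
            length, complete = len(window), False
        hits.append({"offset": offset, "length": length, "complete": complete})
        # Resume at the first sector boundary after the carved data.
        offset += -(-length // SECTOR) * SECTOR
    return hits


def build_sample_disk():
    """Constructed 12-sector raw image with three header signatures in it."""
    raw = bytearray(12 * SECTOR)
    # Sector 3: a complete fake JPEG of 706 bytes spanning two sectors.
    whole = JPEG_HEADER + b"\xe0" + b"J" * 700 + JPEG_FOOTER
    raw[3 * SECTOR:3 * SECTOR + len(whole)] = whole
    # Sector 6, byte 100: the signature inside other data (a false hit).
    raw[6 * SECTOR + 100:6 * SECTOR + 103] = JPEG_HEADER
    # Sector 8: a header whose footer was lost (overwritten or fragmented).
    cut = JPEG_HEADER + b"\xe0" + b"K" * 200
    raw[8 * SECTOR:8 * SECTOR + len(cut)] = cut
    return bytes(raw)


if __name__ == "__main__":
    disk = build_sample_disk()
    print("raw signature hits:", disk.count(JPEG_HEADER))
    for hit in carve_jpegs(disk):
        print(hit)
```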
2. Recovery from Physical Damage:
A wide variety of failures can cause physical damage to storage media.
CD-ROMs can have their metallic substrate or dye layer scratched off;
hard disks can suffer any of several mechanical failures, such as head
crashes and failed motors; and tapes can simply break. Physical
damage always causes at least some data loss, and in many cases the
logical structures of the file system are damaged as well. This causes
logical damage that must be dealt with before any files can be
recovered. Most physical damage cannot be repaired by end users.
For example, opening a hard disk in a normal environment can allow
dust to settle on the surface, causing further damage to the platters.
Furthermore, end users generally do not have the hardware or technical
expertise required to make these sorts of repairs; therefore, data
recovery companies are consulted. These firms use Class 100
cleanroom facilities to protect the media while repairs are made, and
tools such as magnetometers to manually read the bits off failed
magnetic media. The extracted raw bits can be used to reconstruct a
disk image, which can then be mounted to have its logical damage
repaired. Once that is complete, the files can be extracted from the
image.
(2.1) Causes of physical damage:
Physical damage can be caused by various failures. Hard disk drives
can suffer any of numerous mechanical failures, such as head stack
crashes, and tapes can simply break. Physical damage always causes at
least some data loss, and in a few cases the logical structures of
the file system are damaged too.
Recovering data from physically damaged hard drives:
The majority of physical damage cannot be
repaired by end users. For instance, opening a hard drive in a
normal environment can allow airborne dust to settle on the media
platter and become caught between the platter and the read-write head,
causing new head crashes that further damage the platter and thus
compromise the recovery procedure. End users usually do not have the
hardware or technical expertise required to make these repairs.
There are two techniques for recovering data from physically damaged
drives: replacing or "refreshing" the system area
information, and replacing the drive's electronics. These two techniques
are called 'part replacement' methods.
(2.2) The part replacement:
Techniques for recovering data from a physically damaged hard disk can
be described as part replacement, whereby printed circuit boards (PCBs)
are swapped; heads are transplanted; motors and base castings are
replaced by remounting the disks onto the spindle of a donor drive;[1]
and firmware or system information is replaced or refreshed by rewriting
it. Placing the disks in a donor drive swaps everything except for the
on-disk system information. Data stored on portions of the magnetic
layer of the disk that have been physically removed, such as by a slider
(head) scraping away the surface, cannot be recovered.
The ultimate part replacement operations are re-mounting disks onto
new drives and transplanting head stacks. In these two extreme cases
there are six difficult challenges to overcome for successful data
recovery:
1. Re-optimize preamp read settings.
2. Recalibrate repeatable run-out (RRO) and head offsets.
3. Control spindle rotation and head positioning, typically using the
magnetic servo patterns on the disk surfaces.
4. Determine the layout and format of each surface, defects, and defect
mapping strategies.
5. Detect the binary data in the analog head signal.
6. Decode the precoding, scrambling, RLL, parity-assist ECC, and any
other codes to reveal user data.
The sectors or blocks created from the detected and decoded user bits
must still be assembled into useful files. It is at this latter task where
logical recoveries typically start. Interestingly, data forensic examinations
can only begin after the physical and then the logical recoveries have
been completed.
(2.3) Refreshing the system information:
Current state-of-the-art research for system area refreshing focuses on
developing algorithms that can quickly and adequately re-optimize all
important channel, preamp, and servo system parameters without
writing over data. This capability is needed both when the system area
information is corrupted and when a head stack transplant is necessary.
The system information includes the drive-specific hyper-tuned
parameters along with the normal characteristic parameters of the
HDD. The system area may become corrupted due to malfunctioning
circuits, firmware bugs, exceeding the operational shock specifications of
the drive, or position system errors. Another, more common, reason for
system area corruption is a loss of power during an update of the system
area itself. The G-list, or grown defect list, holds information about the
location of defects that have been found in the field during drive
operation. The G-list is typically used for sector swapping, or sector
reallocation. Related to this is the P-list, or primary defect list, which
stores the location of media defects that were found during manufacturing.
For some drive models, the system area contains only a small amount of
information, such as a unique drive serial number, the P-list and G-list,
S.M.A.R.T. data, and a drive password, possibly encrypted.
(2.4) Replacing the drive electronics
Current state-of-the-art research for drive electronics replacement
focuses on developing faster and more robust methods for determining
the servo sector track ID and wedge ID and the data sector encodings.
Additionally, timing, equalization, and detection methods are being
advanced to recover data from the drives that are being built today and
in the future. These are likely to employ iterative equalization and
decoding, LDPC (low-density parity-check) codes, and new timing
recovery schemes. For flyable media, the most cost-effective way to spin
the disk is with its original motor and base casting or with those from a
donor drive. All that is required is a standard HDD motor controller and
related programming capability. Once a compatible head stack is in place
and the disks are spinning, the signal from the preamp needs to be acquired
and used: first for servo positioning and then for data detection. To
acquire a good signal, the read bias currents must be approximated for
each head.
3. RECOVERY OF OVERWRITTEN DATA:
Many computer users are still unaware of the
most important and interesting feature of our most common storage
media, magnetic storage media: its capability to remember
anything ever written on it until it is completely destroyed by degaussing
under a strong magnetic field. Magnetic hard drives are used as the
primary storage device for a wide range of applications, including
desktop, mobile, and server systems. All magnetic disk drives possess
the capability for data retention, but for the majority of computer users,
the hard disk drive possesses the highest lifespan of all magnetic media
types, and therefore is most likely to have large amounts of sensitive
data on it. In reality, magnetic media is simply any medium which uses a
magnetic signal to store and retrieve information. Examples of magnetic
media include floppy disks, hard drives, reel-to-reel tapes, eight-tracks,
and many others. The inherent similarity between all these forms of
media is that they all use magnetic fields to store data. This process has
been used for years, but now that security concerns are being brought
more into focus, we are starting to see some of the weaknesses of
this technology, as well as its well-known benefits.
(3.1) Wise drives:
When data is written to the disc platter, it is stored in the form of ones
and zeroes. This is due to the binary nature of computers: the data in
question is either on (1) or off (0). This is represented on the disk by
storing either a charge (1) or no charge (0). The data is written to the
actual disc platter in what are called tracks. These are concentric rings
on the disc platter itself, which are somewhat similar to the annual rings
of a tree. As data is written to these rings, the head actually writes either
a charge (1) or no charge (0). In reality, as this is an analog medium,
the disc's charge will not be exactly at a 1 or 0 potential, but perhaps a
1.06 when a one is written on top of an existing 1, and perhaps a .96
when an existing 0 is overwritten with a 1. The main idea to grasp here is
that the charge will never be exactly 1 or 0 on the disc itself. It will be
different, due to the properties of the magnetic coating on the disc. In this
way, data is written to the tracks of the disc. Each time data is written to
the disc, it is not written to exactly the same location on the disc. Some
common methods used to gather data from drives which might have very
important information to investigations include Magnetic Force
Microscopy (MFM) and magnetic force Scanning Tunneling Microscopy
(STM). Other methods and variations exist, but are either classified by
governmental intelligence agencies or are not widely used yet. We will
deal with MFM and STM.
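The residual-level idea above as a toy model, added here as an illustration and not taken from the report. It uses the report's 1.06 and .96 figures; the assumptions are that a written 0 carries the same offsets and that read noise is Gaussian.

```python
import random

# Report's illustrative levels for a freshly written 1: about 1.06 over an
# old 1, about 0.96 over an old 0. ASSUMPTION: a written 0 is offset the same way.
OFFSET = {1: 0.06, 0: -0.04}
MIDPOINT = (OFFSET[1] + OFFSET[0]) / 2   # decision threshold for the residual

def read_levels(old_bits, new_bits, noise_sigma, rng):
    """Simulate the analog level read back after new_bits overwrite old_bits."""
    return [new + OFFSET[old] + rng.gauss(0.0, noise_sigma)
            for old, new in zip(old_bits, new_bits)]

def recover_previous(levels):
    """Infer the overwritten layer from each level's deviation from nominal."""
    recovered = []
    for level in levels:
        current = 1 if level >= 0.5 else 0   # bit a normal read would report
        residual = level - current           # what remains after removing it
        recovered.append(1 if residual > MIDPOINT else 0)
    return recovered

def accuracy(noise_sigma, n_bits=2000, seed=1):
    """Fraction of overwritten bits recovered correctly at a given noise level."""
    rng = random.Random(seed)
    old = [rng.randint(0, 1) for _ in range(n_bits)]
    new = [rng.randint(0, 1) for _ in range(n_bits)]
    guess = recover_previous(read_levels(old, new, noise_sigma, rng))
    return sum(g == o for g, o in zip(guess, old)) / n_bits

if __name__ == "__main__":
    for sigma in (0.0, 0.02, 0.05, 0.2):
        print(f"noise sigma {sigma:4.2f}: {accuracy(sigma):.1%} of old bits recovered")
```

In this model the old layer is read back perfectly only when the measurement noise is small compared with the 0.10 gap between the two residual levels.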
(4.2) Magnetic force microscopy:
MFM is a fairly recent method for imaging magnetic patterns with high
resolution and requires hardly any sample preparation.[7] This method
uses a sharp magnetic tip attached to a flexible cantilever placed close
to the surface of the disc, where it picks up the stray field of the disc. An
image of the field at the surface is formed by moving this tip across the
surface of the disc and measuring the force (or force gradient) as a
function of position. The strength of this interaction is measured by
monitoring the position of the cantilever using an optical interferometer
or tunneling sensor. In this way, data can be extracted from a drive. The
fact that magnetic media contains residual charges from previous data
even after being wiped or overwritten several times makes complete
data destruction next to impossible.
Challenges:
The recovery of data using part replacement and magnetic recovery
methods is now implemented in robust ways, and hence the challenges
it faces, or the areas where improvements have to be made, are
in most cases improvements in the efficiency of the steps in the
recovery procedure. The challenges are:
• The data can be recovered only if the magnetic platter is not damaged;
although there is research on improving the part replacement
methods, there is no active research intended to overcome this challenge.
• The recovery is highly complicated in the case of some particular ultra
hyper-tuned hard disks which have a highly customized system area; there
is active research to overcome this challenge, and
manufacturers have also now started designing drives amenable to
recovery.
• The part replacement methods and magnetic recovery are usually
of high cost.
CONCLUSION:
From the above discussion, we can say that data recovery is
possible and is not that difficult, as we are recovering data
from physical and logical damage without losing the content of the data.
The recovery of data from logically and/or physically damaged disk
drives, and the recovery of overwritten data, is now being done with a
good amount of success. Data recovery has now become a handy
tool for end users as far as logical damage is concerned,
although the recovery of data from physically damaged drives and of
overwritten data, which is done by the magnetic data recovery methods,
has still to reach end users. The data recovery industry has grown
through heights of technology, so that nowadays
data can be recovered from any physically damaged drive as long as its
magnetic platters remain intact. And in the case of magnetic
recovery, the present state of the art has contributed a lot to the data
recovery industry: magnetic recovery has reported recovery of data
that had been overwritten up to 17 times.