A SEMINAR REPORT ON: 17.05.2017
REPORT NAME : DATA RECOVERY
BY
NAME : SHOVAN NANDI
ROLL NO : 15800114007
Registration No : 141580110007
Department of Computer Science & Engineering
REPORT TO BE SUBMITTED IN PARTIAL FULFILLMENT OF THE
REQUIREMENTS FOR THE DEGREE OF BACHELOR OF
TECHNOLOGY
IN COMPUTER SCIENCE & ENGINEERING
At
Mallabhum Institute of Technology
Affiliated to
Maulana Abul Kalam Azad University of Technology
(Formerly known as West Bengal University of Technology)
BF-142, Sector – I, Salt Lake, Kolkata – 700064
Data Recovery
A seminar report
Submitted in partial fulfillment of the requirement for the award of degree of
Bachelor of Technology in Computer Science and engineering.
Acknowledgement:
I would like to thank respected Sir Uttam Ganguli and Miss. Swapana Halder
for giving me such a wonderful opportunity to expand my knowledge of my
own branch and giving me guidelines to present a seminar report. It helped me a
lot to realize what we study for.
Secondly, I would like to thank my parents who patiently helped me as I went
through my work and helped to modify and eliminate some of the irrelevant or
unnecessary stuff.
Thirdly, I would like to thank my friends who helped me to make my work
more organized and well-stacked till the end.
Next, I would thank Microsoft for developing such a wonderful tool like MS
Word. It helped my work a lot to remain error-free.
Last but clearly not the least, I would thank The Almighty for giving me
strength to complete my report on time.
Preface:
I have made this report file on the topic Data Recovery; I have tried my best to
elucidate all the relevant detail of the topic to be included in the report. In
the beginning I have tried to give a general view about this topic.
My efforts and the wholehearted co-operation of each and everyone have ended on
a successful note. I express my sincere gratitude to Jana Sir who assisted me
throughout the preparation of this topic. I thank him for providing me the
reinforcement, confidence and most importantly the track for the topic
whenever I needed it.
Index:
Abstract
Elementary Knowledge of Data Recovery
1. Connection of Data
2. The essence of data recovery
3. The scope of data recovery
4. The principle of data recovery
Data Loss
1. Software reason
2. Hardware reason
Data Protecting Technology
1. SMART Technology
2. SPS
3. DFT
4. Floppy disk array technology
5. SAN
6. NAS
7. Backup
Common Cases of Partition Recovery
1. MBR Recovery
2. Recovery of Partition
3. Partition Table Doctor
4. The FAT table recovery
Recovery Option
1. Recovery from Logical Damage
2. Recovery from Physical Damage
3. Recovery from Overwritten Data
Challenges
Conclusion
ABSTRACT:
Data recovery refers to accessing logically or physically damaged data
or overwritten data without the use of any functioning backup. Advanced data
recovery has two different methods. The first method, part replacement,
deals with recovery from physically and/or logically damaged data.
The second method, magnetic recovery, deals with
the recovery of overwritten data. In this paper we discuss the
methods and challenges of replacing or refreshing firmware and system area
information and some parts of the drive electronics. Magnetic recovery
uses Magnetic Force Microscopy to recover overwritten data. The
backbone of magnetic recovery is the interesting fact that magnetic
memory always remembers whatever is written on it until it is forcibly
degaussed under a strong magnetic field. As far as cyber forensics is concerned,
the recovery of data after physical damage and overwriting is of great
importance. In this paper we discuss the limitations of current techniques and
some probable future directions of data recovery. It is predicted that data
recovery will be more important in the near future.
ELEMENTARY KNOWLEDGE OF DATA RECOVERY:
In this paper we will see how data can be recovered from all types of damage,
physical and logical. We will look at the need for data recovery in
today’s world, as data is the most important part of human life. The
introduction first gives the definition of data recovery and then explains
why it is needed. After this we will look at the recovery
techniques and the challenges in data recovery. Depending on the field, data
recovery can also refer to the result of data mining, decryption and
decompression. In this paper data recovery means accessing data from logically
or physically damaged media, specifically hard disk drives, or obtaining
files or blocks that have no backups.
Definition:
Data recovery is the process of recovering data from primary storage media
when it cannot be accessed normally. This can be due to physical damage to the
storage device or logical damage to the file system that prevents it from being
mounted by the host operating system. The loss of data
can be due to logical or physical damage or due to overwriting of data, and
there are different ways to tackle each of these three conditions.
Why it is needed?
Data loss or impairment has become very common due to internal faults (software
or hardware faults) and external faults (operator faults and environmental faults).
This often poses the grave problem of losing the outcome of the many
hardships endured to achieve a specific task. Data which cost years of
hardship may be lost in a flash due to a single mistake! We may come
across such painful experiences too often. The increasing haste and pace of life,
resulting in accidental deletion of valuable data, adds to the agony. This
reveals only one side of the importance of data recovery; the other side is
its forensic importance. The difference in the forensic case is that
the data may not have been deleted accidentally, and that changes the
recovery as well: recovery is more difficult because the deletion was
performed with the intention that the data
should never be recovered. These are the circumstances which lead
to the need to recover lost data. In such cases of loss of stored
data, we will be in need of recovery software, and sometimes of more
than software that can perform the usual undeletion. Hence data recovery
has become important, irrespective
of the file system used. In each file system the data recovery process depends
on the type of file system and its features. Besides this there are also
drive-independent data recovery methods.
Connection of data:
The connotation of data is comprehensive: it includes not only multimedia files
such as documents, images and voice recordings stored in a file system or database,
but also the hardware information, network addresses and network services that
are used to deposit and manage that information.
The essence of data recovery:
Data recovery means retrieving lost, deleted, unusable or inaccessible data that
was lost for various reasons.
Data recovery not only restores lost files but also recovers corrupted data.
Depending on the reason for the loss, we can adopt different data recovery
methods. Data loss has both software and hardware causes, and
we can recover data by both software and hardware means. Unlike
prevention and backup, data recovery is a remedial measure. The best way to
ensure the security of your data is prevention and regular backup. By operating
on and using your data according to the standard steps, you can reduce the danger
of data loss to a minimum.
The scope of data recovery:
Data problems take many forms, so we can divide the
objects or scope of data recovery according to the symptoms.
System problem:
The main symptom is that you cannot enter the system, the system behaves
abnormally, or the computer shuts down. The reasons for this are complex, so we
need to adopt different processing methods. Possible reasons are that a
key system file is lost or corrupted, there are bad tracks on the hard disk, the
hard disk is damaged, the MBR or DBR is lost, the CMOS setting is incorrect,
and so on.
Bad track of hard disk:
There are logical and physical bad tracks. A logical bad track is mainly caused by
incorrect operation, and it can be restored by software. A physical bad track
is caused by physical damage, which is real damage; we can restore it by
changing the partition or sector. When there is a physical bad track, you had better
back up your data in case the data can no longer be used because of the
bad track.
Partition problem:
If a partition cannot be identified and accessed, or is identified as
unformatted, partition recovery tools such as Partition Table Doctor can be used
to recover data.
Files loss:
If files are lost because of deletion, format or a Ghost clone error, file restoring
tools such as Data Recovery Wizard can be used to recover data.
Password loss:
If a file, system password, database or account password is lost, special decryption
tools that correspond to the data format, such as Word or Winzip, can be used.
File repair:
For some reasons, some files cannot be accessed or used, or the contents are
full of garbled characters or have changed so that they cannot be read.
In this condition, special file restoring tools can be tried to restore the
files.
The principle of data recovery:
Data recovery is a process of finding and recovering data, in which there may be
some risk, for not all situations can be anticipated or prearranged. This means
unexpected things may happen, so you need to reduce the
danger in data recovery to a minimum:
Back up all the data on your hard disk.
Prevent the equipment from being damaged again.
Don’t write anything to the device on which you want to recover data.
Try to get detailed information on how the data was lost and the losing process.
Back up the recovered data in time.
DATA LOSS:
There are various reasons that cause data loss: software, hardware,
man-made, natural, intended and unintended causes may all lead to data loss or
damage on storage devices. Generally, there are two main reasons for data
problems: software reasons and
hardware reasons.
1.Software reason:
Viruses, formatting, mis-partitioning, mis-cloning, mis-operation, network deletion
and power cuts during operation may all be software reasons. The symptoms are usually
mis-operation, read errors, files that cannot be found or opened, reports of no
partition or an unformatted partition, lost passwords and garbled characters.
A: Computer Viruses: some malicious virus programs will destroy data, or
overwrite or erase the data contents.
B: Mis-format: a fast or complete format of a partition, thus changing the file
system form (NTFS, FAT32) of the partition.
C: Mis-Clone: when backing up the hard disk, mis-cloning or overwriting the original
data on the hard disk.
For these, we can use software tools to recover the data. So-called soft recovery means
that data can be recovered by software without any hardware repair, because
the fault is not due to hardware failure.
The following are prompts shown when the system cannot start up normally:
Invalid Partition Table: invalid partition table information.
Missing Operating System: “55AA” mark in DOS boot sector lost or DBR
corrupted.
Disk Boot Failure: system file read failure.
Bad or missing command interpreter: cannot find the command.com file or the
‘COMMAND.COM’ file is corrupted.
Invalid system disk: DOS boot record corrupted.
Type the name of the command, Interpreter: DOS partition mark in partition
table error or ‘COMMAND.COM’ file lost or corrupted.
Error Loading Operating System: main boot startup program failed to read the
boot sector.
Not found any active partition in HDD: active partition mark in partition table
changed to inactive partition mark.
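Several of these prompts come down to a few fields of the 512-byte MBR sector: the “55AA” mark at its end and the active flag in each partition table entry. The following Python example is added here and is not part of the original report; it checks those fields on a constructed sample sector, and the function names are illustrative.

```python
import struct

SECTOR = 512
SIGNATURE = b"\x55\xaa"      # the "55AA" mark at offsets 510-511
TABLE_OFFSET = 446           # four 16-byte partition entries start here
ENTRY_FMT = "<B3sB3sII"      # boot flag, CHS start, type, CHS end, LBA start, sector count


def make_entry(boot_flag, ptype, lba_start, num_sectors):
    """Build one constructed partition entry (CHS fields left as zero)."""
    return struct.pack(ENTRY_FMT, boot_flag, b"\0\0\0", ptype, b"\0\0\0",
                       lba_start, num_sectors)


def build_sample_mbr(entries, signature=SIGNATURE):
    """Build a constructed MBR: empty boot code, up to four entries, end mark."""
    table = b"".join(entries).ljust(64, b"\0")
    return bytes(TABLE_OFFSET) + table + signature


def parse_mbr(sector):
    """Return (partitions, findings) for one MBR sector."""
    if len(sector) != SECTOR:
        raise ValueError("an MBR sector is exactly 512 bytes")
    findings = []
    if sector[510:512] != SIGNATURE:
        findings.append("55AA mark missing")

    parts = []
    for i in range(4):
        flag, _, ptype, _, start, count = struct.unpack_from(
            ENTRY_FMT, sector, TABLE_OFFSET + 16 * i)
        if ptype == 0:                      # type 0 marks an unused slot
            continue
        if flag not in (0x00, 0x80):        # only "inactive" and "active" are valid
            findings.append(f"entry {i}: invalid boot flag 0x{flag:02x}")
        parts.append({"index": i, "active": flag == 0x80, "type": ptype,
                      "start": start, "end": start + count - 1})

    active = [p for p in parts if p["active"]]
    if not active:
        findings.append("no active partition")
    elif len(active) > 1:
        findings.append("more than one active partition")

    # Primary entries must not claim the same sectors.
    ordered = sorted(parts, key=lambda p: p["start"])
    for a, b in zip(ordered, ordered[1:]):
        if b["start"] <= a["end"]:
            findings.append(f"entries {a['index']} and {b['index']} overlap")
    return parts, findings


if __name__ == "__main__":
    # Constructed sample: signature wiped, active mark cleared, overlapping entries.
    damaged = build_sample_mbr(
        [make_entry(0x00, 0x06, 63, 1000), make_entry(0x00, 0x0B, 500, 2000)],
        signature=b"\x00\x00")
    for finding in parse_mbr(damaged)[1]:
        print(finding)
```

To check a real disk, read the first 512 bytes of an image copy of the drive and pass them to `parse_mbr`; the check only reads, in line with the rule not to write to the device being recovered.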
2.Hardware reason:
Sometimes data loss is caused by hardware, such as a bad sector on the hard disk,
a power cut, head damage, a circuit board problem, etc.
When your hardware has problems, you will probably find that the
hardware becomes slow, operations do not succeed, or data cannot be read;
these are most often physical bad track failures.
Correspondingly, data recovery that involves hardware repair is considered hard recovery,
for cases such as memory medium damage, track damage, hard disk scratches, head damage,
motor damage, chip burnout and so on.
The most distinct difference between soft recovery and hard recovery
is whether the memory medium itself can be normally accessed by fixing or
replacing parts.
Data Protecting Technologies:
Data security and fault-free storage are receiving more and more attention.
People are attaching more and more importance to developing new technologies
to protect data.
1.SMART Technology:
SMART, also called Self-Monitoring, Analysis and Reporting Technology, mainly
protects the HD from losing data when there are problems on the HD. A SMART
drive can reduce the risk of data loss: it raises alarms to predict and warn of
failure, thus enhancing data security.
2.SPS:
The Shake Protecting System can prevent the head from shaking, thus enhancing the
anti-knock characteristics of the HD and avoiding damage caused by shaking.
3.DFT:
DFT, a kind of IBM data protecting technology, can check the hard disk by using the
DFT program to access the DFT microcode in the hard disk. With DFT, users can
conveniently check the HD operation.
4.Floppy disk array technology:
Originally ‘Redundant Arrays of Inexpensive Disks’. A project at the computer
science department of the University of California at Berkeley, under the
direction of Professor Katz, in conjunction with Professor John Ousterhout and
Professor David Patterson.
The project is reaching its culmination with the implementation of a prototype
disk array file server with a capacity of 40 GBytes and a sustained bandwidth of
80 MBytes/second. The server is being interfaced to a 1 Gb/s local area
network. A new initiative, which is part of the Sequoia 2000 Project, seeks to
construct a geographically distributed storage system spanning disk arrays and
automated libraries of optical disks and tapes. The project will extend the
interleaved storage techniques so successfully applied to disks to tertiary storage
devices. A key element of the research will be to develop techniques for
managing latency in the I/O and network paths.
The original (‘Inexpensive’) term referred to the 3.5 and 5.25 inch disks used
for the first RAID system but no longer applies.
The following standard RAID specifications exist:
RAID 0 Non-redundant striped array
RAID 1 Mirrored arrays
RAID 2 Parallel array with ECC
RAID 3 Parallel array with parity
RAID 4 Striped array with parity
RAID 5 Striped array with rotating parity
The basic idea of RAID (Redundant Array of Independent Disks) is to combine
multiple inexpensive disk drives into an array of disk drives to obtain
performance, capacity and reliability that exceeds that of a single large drive.
The array of drives appears to the host computer as a single logical drive. The
Mean Time Between Failure (MTBF) of the array is equal to the MTBF of an
individual drive, divided by the number of drives in the array. Because of this,
the MTBF of a non-redundant array (RAID 0) is too low for mission-critical
systems. However, disk arrays can be made fault-tolerant by redundantly storing
information in various ways.
5.SAN:
A SAN, called Storage Area Network or network behind servers, is a specialized,
high-speed network attaching servers and storage devices. A SAN allows "any
to any" connection across the network, using interconnect elements such as
routers, gateways, hubs and switches. It eliminates the traditional dedicated
connection between a server and storage, and the concept that the server effectively
"owns and manages" the storage devices. It also eliminates any restriction on the
amount of data that a server can access, currently limited by the number of
storage devices which can be attached to the individual server. Instead, a SAN
introduces the flexibility of networking to enable one server or many
heterogeneous servers to share a common storage "utility", which may comprise
many storage devices, including disk, tape, and optical storage. The storage
utility may also be located far from the servers which use it.
6.NAS:
NAS is Network Attached Storage. It can store rapidly growing volumes of information.
Backup means to prepare a spare copy of a file, file system, or other resource
for use in the event of failure or loss of the original. This essential precaution is
neglected by most new computer users until the first time they experience a disk
crash or accidentally delete the only copy of the file they have been working on
for the last six months. Ideally the backup copies should be kept at a different
site or in a fire safe since, though your hardware may be insured against fire, the
data on it is almost certainly neither insured nor easily replaced.
7.Backup:
Timely backup reduces danger and disaster to a minimum, so it gives data
the best assurance of security. Different situations call for different methods.
Both backing up important system data with hardware and backing up key
information by cloning mirror data to a different storage device can work well.
COMMON CASES OF DATA RECOVERY:
1.MBR Recovery:
Provided that there is no problem with the hardware, the first step is MBR
recovery. MBR recovery is simple because the MBR is system data. Though it may be
created by different software and the code might be different, the method is the
same. Even with multi-system boot, it is not hard. You can back up the data to be
recovered after the system boots normally again, and then restore the
multi-system boot.
Recover MBR by fdisk:
The simplest way to recover the MBR is Fdisk, whose command is simple too; you
can use “Fdisk /MBR”. Please note that the hard disk to be operated on should be
connected to the master IDE interface as the master hard disk. For other
connections, we need to specify the interface location of the IDE device in the form
“Fdisk /CMBR”.
The command syntax of the Fdisk command line is “Fdisk /parameter switch”.
Besides the parameters shown by “FDISK /?”, there are some hidden
parameters:
/ACTOK
Parameter Function: not to check bad sectors on the disk surface.
Details: It can speed up partition operation.
/CMBR
Parameter Function: to re-create the MBR of the appointed disk.
Details: Equal to the /MBR parameter, except that it can appoint a certain disk.
/EXT
Parameter Function: to create an extended partition.
Details: Creates an extended partition on the current disk, which is used to create
logical partitions.
/FPRMT
Parameter Function: to check the usage of FAT16 and FAT32 in interactive
mode.
Details: When the /FPRMT parameter is added, there will be no query about
whether to support high-capacity hard disks; instead there will be a query whether to
use FAT16 or FAT32 when creating a new partition.
/LOG
Parameter Function: to rebuild a logical partition.
Details: Used to create a logical disk; /LOG and /EXT should work together.
/LOGO
Parameter Function: to create a logical partition with FAT16.
/MBR
Parameter Function: to re-create the MBR of the master disk.
Details: to clear the system booting choice recorded in the MBR after uninstalling
Windows NT or Windows 2000.
/PRI
Parameter Function: to create a primary partition and activate it.
Details: to create a primary partition; the partition will be set active automatically.
/PRIO
Parameter Function: to create a primary partition of FAT16 and activate it.
/Q
Parameter Function: not to restart the computer when ending Fdisk.
Details: unnecessary to restart the computer after changing the partition table.
/STATUS
Parameter Function: to display details of the current partitions.
Details: When there is no logical partition in the extended partition, the extended
partition will not be displayed.
/X
Parameter Function: no LBA attribute.
Details: there would be no partition with the LBA attribute.
These parameters make Fdisk handier to use. However, hidden
parameters are more dangerous, which calls for more caution.
Use Fixmbr to restore MBR:
Provided by Microsoft, Fixmbr is an MBR recovery tool, which determines the hard
disk partitions and reconstructs the MBR through an overall search.
Fixmbr can be used only from the Windows 2000 recovery console.
The Windows 2000 recovery console can boot from the Windows install CD. Fixmbr
only revises the MBR; it does not write other sectors, which is safe. You can get
the help information of Fixmbr by using Fixmbr /?.
The parameter “DriveNo” is the device (drive) to which the new MBR is written.
The device name can be obtained from the output of the map command. For example,
device name:
\Device\HardDisk0
The following command writes a new MBR to the appointed device:
fixmbr \Device\HardDisk0
Attention: If we do not assign DriveNo, the new MBR will be written to the
booting device, namely the drive that loads the host system. If the system detects
an invalid or non-standard partition mark, it will ask whether to continue
executing this command. Continue only if there are problems accessing the
drive; otherwise, please do not continue.
By default the MBR structure will be checked. If it is abnormal, the tool will ask
whether to recover it. If you choose “Y”, it will search for partitions. When it has
found a partition, it will also ask whether to revise the MBR. If you
choose “Y”, recovery will be finished. If the system is down now, please
deactivate the anti-virus function in the BIOS first and then continue. By default, it
will search all existing hard disks and finish all the operations mentioned above. If
the result is not right, you may use the “/Z” parameter to clear the result and restart;
then it returns to the original condition.
2.Recovery of Partition
Partition recovery is generally the second step of the whole process.
Apart from some tools that read and write the hard disk directly, most
tool software runs under the operating system and works through system calls.
The operating system accesses the disk on the basis of the MBR and DBR;
without the MBR and DBR, the operating system is unable to access the file system.
Therefore, if the partition table is corrupted, we need to rebuild it,
which is usually done manually; in some special cases it can be done
automatically by software.
If the partition table is corrupted, there are many tools to rebuild it automatically,
provided the problem is not too serious. If it is too serious, or the partition table
structure is too complex, rebuilding it may be beyond their ability.
In this case, we need to do it manually. Usually we use some tool software
to recover the lost partition table, such as Norton Utilities 8.0, DiskMan,
KV3000/Kavfix, PartitionMagic, etc. Here we introduce Partition Table
Doctor.
3.Partition Table Doctor:
Partition Table Doctor is the only real software for hard disk partition
recovery. When you come up against a drive error (not hardware failure) this
versatile tool automatically checks and repairs the Master Boot Record,
partition table, and the boot sector of the partition with an error, to recover the
FAT16/FAT32/NTFS/NTFS5/EXT2/EXT3/SWAP partition on
IDE/ATA/SATA/SCSI hard disk drives. It can create an emergency floppy disk
or a bootable CD to recover the bad partition even if your operating system fails
to boot. Partition Table Doctor works with MS-DOS, FreeDOS, Windows
95/98/Me, Windows NT 4.0, Windows 2000, Windows XP and Windows 2003.
There are two modes for partition recovery: “auto mode” and “interactive
mode”.
4.The FAT table recovery
CIH destroys data backwards from partitions. In this case, system data in the
front part of the partition may be destroyed and lost. If FAT2 is still intact, we may
copy FAT2 over FAT1. Usually we use DiskEdit or WinHex. For
other forms of destruction such as format and so on, we usually use
tool software to scan the whole disk and seldom recover manually, because
a partition has several trillions of sectors, or even dozens of trillions, and
relying on manual analysis is impossible. For some extremely important data files, we
can also recover manually.
Recover FAT by DiskEdit:
After recovering the DBR of the FAT partition, if part of FAT1 is damaged while FAT2
remains intact (this is the most common situation when the damage is done by CIH), we
may use FAT2 to overwrite FAT1. The specific method is to find the start sector of FAT2
and then search for the start sector of DATA (if it is FAT16, search for the FDT). In this
way, we can figure out the length of the FAT table. From the length and the
start sector of FAT2, we know the start sector of FAT1. By copying FAT2 to the
damaged FAT1, we can finally recover the whole partition.
Recover FAT by WinHex:
The principle of recovering the FAT by WinHex is the same as that by DiskEdit. After
recovering the DBR, we can copy FAT2 over FAT1. After finding FAT2, we
begin searching for the start sector of DATA (if it is FAT16, search for the FDT). The
division is distinct, because the end of the FAT must be a region of zeros,
otherwise there would be no free space at all (even so, in ordinary circumstances, there
is still a bit of space left in the FAT after it has covered the DATA area, so the end of
the last sector must be 0 too), while the beginning of the DATA region or FDT region
must not be 0. Whether or not there is a fixed FDT, the system always begins from the
second cluster. If there is an FDT, it closely follows FAT2, and its file entries
must exist; if there is not, the data area begins there and some data must
exist. Thus we may figure out the length of the FAT table, and then the start
sector of FAT1 from the length and the start sector of FAT2. By copying
FAT2 to the damaged FAT1, we can finally recover this partition.
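The FAT2-over-FAT1 copy described for DiskEdit and WinHex above, as an added Python example that is not part of the original report. It assumes the DBR has already been recovered and takes the FAT length from the boot sector's BPB fields instead of searching for the FDT/DATA boundary; the disk image is a constructed in-memory sample and the function names are illustrative.

```python
import struct


def fat_layout(boot):
    """Locate both FAT copies from a recovered boot sector (DBR).

    Returns (fat1_start, fat2_start, fat_len, bytes_per_sector, media),
    with the first three values in bytes from the start of the partition.
    """
    if boot[510:512] != b"\x55\xaa":
        raise ValueError("boot sector lacks the 55AA mark; recover the DBR first")
    bps, _spc, reserved, nfats = struct.unpack_from("<HBHB", boot, 11)
    if bps not in (512, 1024, 2048, 4096):
        raise ValueError("implausible bytes-per-sector value in the BPB")
    if nfats < 2:
        raise ValueError("volume has no second FAT copy to restore from")
    media = boot[21]
    spf = struct.unpack_from("<H", boot, 22)[0]      # FAT12/FAT16 field
    if spf == 0:                                     # FAT32 keeps it at offset 36
        spf = struct.unpack_from("<I", boot, 36)[0]
    fat_len = spf * bps
    fat2_start = (reserved + spf) * bps
    fat1_start = fat2_start - fat_len                # same rule as in the text
    return fat1_start, fat2_start, fat_len, bps, media


def restore_fat1(image):
    """Copy FAT2 over FAT1 in a bytearray image; return damaged sector count."""
    f1, f2, n, bps, media = fat_layout(bytes(image[:512]))
    fat1, fat2 = image[f1:f1 + n], image[f2:f2 + n]
    if len(fat2) != n:
        raise ValueError("image is truncated inside FAT2")
    # An intact FAT begins with the media descriptor byte followed by 0xFF.
    if fat2[0] != media or fat2[1] != 0xFF:
        raise ValueError("FAT2 does not look intact; do not copy it")
    damaged = sum(1 for off in range(0, n, bps)
                  if fat1[off:off + bps] != fat2[off:off + bps])
    if damaged:
        image[f1:f1 + n] = fat2
    return damaged


def build_sample_image():
    """Constructed FAT16 image: boot sector, damaged FAT1, intact FAT2, padding."""
    boot = bytearray(512)
    struct.pack_into("<HBHB", boot, 11, 512, 1, 1, 2)   # bps, spc, reserved, FATs
    struct.pack_into("<H", boot, 17, 16)                # root directory entries
    boot[21] = 0xF8                                     # media descriptor
    struct.pack_into("<H", boot, 22, 2)                 # sectors per FAT
    boot[510:512] = b"\x55\xaa"
    fat = bytearray(1024)
    struct.pack_into("<4H", fat, 0, 0xFFF8, 0xFFFF, 3, 0xFFFF)  # chain 2 -> 3 -> end
    damaged_fat1 = bytearray(b"\xcc" * 512) + fat[512:]         # first sector trashed
    return bytearray(boot + damaged_fat1 + fat + bytes(512 * 4))


if __name__ == "__main__":
    # Work on an image copy, never on the original device.
    image = build_sample_image()
    print("layout:", fat_layout(bytes(image[:512])))
    print("damaged FAT1 sectors repaired:", restore_fat1(image))
```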
Recovery Option:
There are three types of recovery options:
1. Recovery from Logical Damage:
Logical damage is primarily caused by power outages that prevent file
system structures from being completely written to the storage medium,
but problems with hardware (especially RAID controllers) and drivers, as
well as system crashes, can have the same effect. The result is that the
file system is left in an inconsistent state. This can cause a variety of
problems, such as strange behavior (e.g., infinitely recursing directories,
drives reporting negative amounts of free space), system crashes, or an
actual loss of data. Various programs exist to correct these
inconsistencies, and most operating systems come with at least a
rudimentary repair tool for their native file systems. Linux, for instance,
comes with the fsck utility, and Microsoft Windows provides chkdsk.
Third-party utilities are also available, and some can produce superior
results by recovering data even when the disk cannot be recognized by
the operating system's repair utility. Two common techniques used to
recover data from logical damage are consistency checking and data
carving. While most logical damage can be either repaired or worked
around using these two techniques, data recovery software can never
guarantee that no data loss will occur. For instance, in the FAT file
system, when two files claim to share the same allocation unit
("cross-linked"), data loss for one of the files is essentially guaranteed.
(1.1) Consistency checking:
Consistency checking involves scanning the logical structure of the disk
and checking to make sure that it is consistent with its specification. For
instance, in most file systems, a directory must have at least two entries:
a dot (.) entry that points to itself, and a dot-dot (..) entry that points to its
parent. A file system repair program can read each directory and make
sure that these entries exist and point to the correct directories. If they
do not, an error message can be printed and the problem corrected.
Both chkdsk and fsck work in this fashion. This strategy suffers from a
major problem, however: if the file system is sufficiently damaged, the
consistency check can fail completely. In this case, the repair program
may crash trying to deal with the mangled input, or it may not recognize
the drive as having a valid file system at all. The second issue that arises
is the disregard for data files. If chkdsk finds a data file to be out of place
or unexplainable, it may delete the file without asking. This is done so
that the operating system may run smoother, but the files deleted
are often important user files which cannot be replaced. Similar issues
arise when using system restore disks (often provided with proprietary
systems like Dell and Compaq), which restore the operating system by
removing the previous installation. This problem can often be avoided by
installing the operating system on a separate partition from your user
data.
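A consistency check of the kind described above, applied to the FAT cross-link case: the added Python example below (not part of the original report, and not how chkdsk or fsck are implemented) follows each file's FAT16 cluster chain and reports clusters claimed by two files, chains that loop, and chains that leave the valid range. The FAT contents and file names are constructed sample data.

```python
import struct

EOC_MIN = 0xFFF8   # FAT16 entries >= 0xFFF8 mark the end of a cluster chain


def decode_fat16(raw):
    """Turn raw FAT bytes into a list of 16-bit little-endian entries."""
    count = len(raw) // 2
    return list(struct.unpack(f"<{count}H", raw[:count * 2]))


def check_chains(fat, start_clusters):
    """Walk every file's chain; return a list of inconsistency findings.

    start_clusters maps a file name to the first cluster recorded in its
    directory entry.
    """
    owner = {}       # cluster number -> file that claimed it first
    findings = []
    for name, cluster in start_clusters.items():
        seen = set()
        while True:
            if not 2 <= cluster < len(fat):
                findings.append(
                    f"{name}: chain leaves the valid cluster range at {cluster}")
                break
            if cluster in seen:
                findings.append(f"{name}: chain loops at cluster {cluster}")
                break
            seen.add(cluster)
            if cluster in owner:
                findings.append(
                    f"{name} and {owner[cluster]} are cross-linked "
                    f"at cluster {cluster}")
                break
            owner[cluster] = name
            nxt = fat[cluster]
            if nxt >= EOC_MIN:      # normal end of file
                break
            cluster = nxt
    return findings


def build_sample_fat():
    """Constructed 10-entry FAT16 table containing three kinds of damage."""
    entries = [
        0xFFF8, 0xFFFF,   # entries 0 and 1 are reserved
        3, 4, 0xFFFF,     # A: 2 -> 3 -> 4 -> end
        4,                # B: 5 -> 4 (also owned by A)
        7, 6,             # C: 6 -> 7 -> 6 (loop)
        0,                # 8 is marked free
        8,                # D: 9 -> 8 -> free entry
    ]
    return struct.pack(f"<{len(entries)}H", *entries)


if __name__ == "__main__":
    fat = decode_fat16(build_sample_fat())
    files = {"A": 2, "B": 5, "C": 6, "D": 9}   # constructed directory data
    for finding in check_chains(fat, files):
        print(finding)
```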
(1.2) Data carving:
Data carving is a data recovery technique that allows data with no
file system allocation information to be extracted by identifying the sectors
and clusters belonging to the file. Data carving usually searches through
raw sectors looking for specific desired file signatures. The fact that
there is no allocation information means that the investigator must
specify a block size of data to carve out upon finding a matching file
signature, or the carving software must infer it from other information on
the media. There is a requirement that the beginning of the file still be
present, and there is (depending on how common the file signature
is) a risk of many false hits. Data carving, also known as file carving, has
traditionally required that the files recovered be located in sequential
sectors (rather than fragmented) as there is no allocation information to
point to fragmented file portions. Recent developments in file carving
algorithms have led to tools that can recover files that are fragmented
into multiple pieces. A good number of software tools are available now
which can perform undeletion, to a great extent, even if data seems
to be permanently deleted from the drive. The working of these tools is
usually based on the nature of the file system, which never deletes any
data but only marks it as deleted until it is overwritten the next time.
This software can recover the data only before it is overwritten. These
recovery tools are highly dependent on the file system type. The main
disadvantage of these tools is that they can recover the data only when
the drive is working properly and the data is not overwritten. For forensic
needs it is necessary to recover the data from physically damaged drives
and also when the data is overwritten, because physically damaging the
drive and dumping junk data onto it are not very difficult jobs
to perform.
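The carving procedure described above, as an added Python example that is not part of the original report: it scans raw sectors for file signatures, carves up to the matching footer, and falls back to an investigator-chosen block size when no footer is found. The "disk" is a constructed byte string, only JPEG and PNG signatures are included, and contiguous (unfragmented) files are assumed.

```python
# Header and footer signatures for two common formats.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}


def carve(raw, sector=512, max_size=1024):
    """Return a list of (kind, offset, length, complete) hits.

    Headers are only accepted at sector boundaries, which is where a file
    system places file starts; this discards many false hits. max_size is
    the block size carved when no footer is found inside the window.
    """
    hits = []
    offset = 0
    while offset < len(raw):
        for kind, (header, footer) in SIGNATURES.items():
            if not raw.startswith(header, offset):
                continue
            window = raw[offset:offset + max_size]
            end = window.find(footer, len(header))
            if end != -1:
                length, complete = end + len(footer), True
            else:
                # Footer overwritten or beyond max_size: carve the whole
                # block and flag the result as unverified.
                length, complete = len(window), False
            hits.append((kind, offset, length, complete))
            # Resume at the first sector boundary after the carved data.
            offset += -(-length // sector) * sector
            break
        else:
            offset += sector
    return hits


def build_sample_disk():
    """Constructed 8-sector raw image with no file system structures."""
    disk = bytearray(512 * 8)
    jpg = b"\xff\xd8\xff\xe0" + b"\x11" * 694 + b"\xff\xd9"   # 700-byte file
    disk[512:512 + len(jpg)] = jpg                 # starts at sector 1
    png = b"\x89PNG\r\n\x1a\n" + b"\x22" * 300     # tail lost, no IEND chunk
    disk[2048:2048 + len(png)] = png               # starts at sector 4
    disk[3600:3603] = b"\xff\xd8\xff"              # header bytes mid-sector
    return bytes(disk)


def extract(raw, hit):
    """Return the carved bytes for one hit."""
    _kind, offset, length, _complete = hit
    return raw[offset:offset + length]


if __name__ == "__main__":
    disk = build_sample_disk()
    for kind, offset, length, complete in carve(disk):
        state = "complete" if complete else "footer not found, fixed block"
        print(f"{kind} at byte {offset}, {length} bytes ({state})")
```

The first footer found ends the file here; formats that can embed a second copy of the footer bytes (for example a JPEG with an embedded thumbnail) need format-aware end detection.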
2. Recovery from Physical Damage:
A wide variety of failures can cause physical damage to storage media.
CD-ROMs can have their metallic substrate or dye layer scratched off;
hard disks can suffer any of several mechanical failures, such as head
crashes and failed motors; and tapes can simply break. Physical
damage always causes at least some data loss, and in many cases the
logical structures of the file system are damaged as well. This causes
logical damage that must be dealt with before any files can be
recovered. Most physical damage cannot be repaired by end users.
For example, opening a hard disk in a normal environment can allow
dust to settle on the surface, causing further damage to the platters.
Furthermore, end users generally do not have the hardware or technical
expertise required to make these sorts of repairs; therefore, data
recovery companies are consulted. These firms use Class 100
cleanroom facilities to protect the media while repairs are made, and
tools such as magnetometers to manually read the bits off failed
magnetic media. The extracted raw bits can be used to reconstruct a
disk image, which can then be mounted to have its logical damage
repaired. Once that is complete, the files can be extracted from the
image.
(2.1) Causes of physical damage:
Physical damage can be caused by various failures. Hard disk drives
can undergo any of numerous mechanical failures, like head stack
crashes, and tapes can simply break. Physical damage always causes
at least some data loss, and in a few cases the logical structures of
the file system are damaged too.
Recovering data from physically damaged hard drives: the majority of
physical damage cannot be repaired by end users. For instance, opening
a hard drive in a normal environment can let airborne dust settle on the
media platter and become caught between the platter and the read-write
head, leading to new head crashes that further damage the platter and thus
compromise the recovery procedure. End users usually don't have the
hardware or technical proficiency required to make these repairs.
There are two techniques for recovering data from physically damaged
drives: replacing or "refreshing" the system area information, and
replacing the drive's electronics. These two techniques are called
'part replacement' methods.
(2.2) The part replacement:
Techniques for recovering data from physically damaged hard disks can
be described as part replacement, whereby printed circuit boards (PCBs)
are swapped; heads are transplanted; motors and base castings are
replaced by remounting the disks onto the spindle of a donor drive;[1]
and firmware or system information is replaced or refreshed by rewriting
it. Placing the disks in a donor drive swaps everything except for the
on-disk system information. Data stored on portions of the magnetic layer of
the disk that have been physically removed, such as by a slider
(head) scraping away the surface, cannot be recovered.
The ultimate part replacement operations are re-mounting disks onto
new drives and transplanting head stacks. In these two extreme cases
there are six difficult challenges to overcome for successful data
recovery:
1. Re-optimize preamp read settings.
2. Recalibrate repeatable run-out (RRO) and head offsets.
3. Control spindle rotation and head positioning, typically using the
magnetic servo patterns on the disk surfaces.
4. Determine the layout and format of each surface, defects and defect
mapping strategies.
5. Detect the binary data in the analog head signal.
6. Decode the precoding, scrambling, RLL, parity-assist ECC, and any
other codes to reveal user data.
The sectors or blocks created from the detected and decoded user bits
must still be assembled into useful files. It is at this latter task that
logical recoveries typically start. Data forensic examinations
can only begin after the physical and then the logical recoveries have
been completed.
(2.3) Refreshing the system information:
Current state-of-the-art research for system area refreshing focuses on
developing algorithms that can quickly and adequately re-optimize all
important channel, preamp, and servo system parameters without
rewriting over data. This capability is needed both when the system area
information is corrupted and when a head stack transplant is necessary.
The system information includes the drive-specific hyper-tuned
parameters along with the normal characteristic parameters of the
HDD. The system area may become corrupted due to malfunctioning
circuits, firmware bugs, exceeding the operational shock specifications of
the drive, or position system errors. Another, more common, reason for
system area corruption is a loss of power during an update of the system
area itself. The G-list, or grown defect list, holds information about the
location of defects that have been found in the field during drive
operation. The G-list is typically used for sector swapping, or sector
reallocation. Related to this is the P-list, or primary defect list, which stores
the location of media defects that were found during manufacturing. For
some drive models, the system area contains only a small amount of
information, such as a unique drive serial number, the P-list and G-list,
S.M.A.R.T. data, and a drive password, possibly encrypted.
(2.4)Replacing the drive electronics
Current state-of-the-art research for drive electronics replacement
focuses on developing faster and more robust methods for determining
the servo sector track ID and wedge ID and the data sector encodings.
Additionally, timing, equalization, and detection methods are being
advanced to recover data from the drives that are being built today and
in the future. These are likely to employ iterative equalization and
decoding, LDPC (low-density parity-check) codes, and new timing
recovery schemes. For flyable media, the most cost-effective way to spin
the disk is with its original motor and base casting or with those of a donor
drive. All that is required is a standard HDD motor controller and related
programming capability. Once a compatible head stack is in place and
the disks are spinning, the signal from the preamp needs to be acquired
and used: first for servo positioning and then for data detection. To
acquire a good signal, the read bias currents must be approximated for
each head.
3. RECOVERY OF OVERWRITTEN DATA:
A good part of computer users are still unaware of the
most important and interesting feature of our most common storage
media, the magnetic storage media, which is its capability to remember
anything ever written on it until it is completely destroyed by degaussing
under a strong magnetic field. Magnetic hard drives are used as the
primary storage device for a wide range of applications, including
desktop, mobile, and server systems. All magnetic disk drives possess
the capability for data retention, but for the majority of computer users,
the hard disk drive possesses the highest lifespan of all magnetic media
types, and therefore is most likely to have large amounts of sensitive
data on it. In reality, magnetic media is simply any medium which uses a
magnetic signal to store and retrieve information. Examples of magnetic
media include floppy disks, hard drives, reel-to-reel tapes, eight-tracks,
and many others. The inherent similarity between all these forms of
media is that they all use magnetic fields to store data. This process has
been used for years, but now that security concerns are being brought
more into focus, we are starting to see some of the weaknesses of
this technology, as well as its well-known benefits.
(3.1) Wise drives:
When data is written to the disc platter, it is stored in the form of ones
and zeroes. This is due to the binary nature of computers: the data in
question is either on (1) or off (0). This is represented on the disk by
storing either a charge (1) or no charge (0). The data is written to the
actual disc platter in what are called tracks. These are concentric rings
on the disc platter itself, which are somewhat similar to the annual rings
of a tree. As data is written to these rings, the head actually writes either
a charge (1) or no charge (0). In reality, as this is an analog medium,
the disc's charge will not be exactly at a 1 or 0 potential, but perhaps a
1.06 when a one is written on top of an existing 1, and perhaps a .96
when an existing 0 is overwritten with a 1. The main idea to grasp here is
that the charge will never be exactly 1 or 0 on the disc itself. It will be
different, due to the properties of the magnetic coating on the disc. In this
way, data is written to the tracks of the disc. Each time data is written to
the disc, it is not written to exactly the same location on the disc. Some
common methods used to gather data from drives which might hold
information important to investigations include Magnetic Force
Microscopy (MFM) and magnetic force Scanning Tunneling Microscopy
(STM). Other methods and variations exist, but are either classified by
governmental intelligence agencies or are not widely used yet. We will
deal with MFM and STM.
(4.2) Magnetic force microscopy:
MFM is a fairly recent method for imaging magnetic patterns with high
resolution and requires hardly any sample preparation.[7] This method
uses a sharp magnetic tip attached to a flexible cantilever placed close
to the surface of the disc, where it picks up the stray field of the disc. An
image of the field at the surface is formed by moving this tip across the
surface of the disc and measuring the force (or force gradient) as a
function of position. The strength of this interaction is measured by
monitoring the position of the cantilever using an optical interferometer
or tunneling sensor. In this way, data can be extracted from a drive. The
fact that magnetic media contains residual charges from previous data
even after being wiped or overwritten several times makes complete
data destruction next to impossible.
Challenges:
The recovery of data using part replacement and magnetic recovery
methods is now implemented in robust ways, and hence the challenges
it faces, or the areas where improvements have to be made, are on
most occasions improvements in the efficiency of the steps in the
recovery procedure. The challenges are:
• The data can be recovered only if the magnetic platter is not damaged;
although there is research on improving the part replacement
methods, there is no active research intended to overcome this challenge.
• The recovery is highly complicated in the case of some particular ultra
hyper-tuned hard disks which have a highly customized system area; there is
active research to overcome this challenge, and the
manufacturers have also now started designing drives amenable to recovery.
• The part replacement methods and the magnetic recovery are usually
of high cost.
CONCLUSION:
From the above discussion, we can say that data recovery is
possible and is not that difficult, as we can recover data
after physical and logical damage without losing its content.
The recovery of data from logically and/or physically damaged disk
drives, and the recovery of overwritten data, is now being done with a
good amount of success. Data recovery has become a handy
tool for end users as far as logical damage is concerned,
although the recovery of data from physically damaged drives and
of overwritten data, which is done by the magnetic data recovery methods,
has still to reach end users. The data recovery industry has
advanced technologically to the point that nowadays
data can be recovered from any physically damaged drive as long as its
magnetic platters remain intact. In the case of magnetic
recovery, too, the present state of the art has contributed a lot to the data
recovery industry: magnetic recovery has reportedly recovered data
that had been overwritten up to 17 times.

Data Recovery Seminar Report

  • 1. A SEMINAR REPORT ON:17.05.2017 REPORT NAME : DATA RECOVER BY NAME : SHOVAN NANDI ROLL NO : 15800114007 Registration No : 141580110007 Department of Computer Science & Engineering REPORT TO BE SUBMITTED IN PARTIAL FULFILLMENT OF THE REQUIREMENS FOR THE DEGREE OF BACHELOR OF TECHNOLOGY IN COMPUTER SCIENCE & ENGINEERING At Mallabhum Institute of Technology Affiliated to Maulana Abul Kalam Azad University of Technology (Formerly known as West Bengal University of Technology) BF-142, Sector – I, Salt Lake, Kolkata – 700064
  • 2. Data Recovery A seminar report Submitted in partial fulfillment of the requirement for the award of degree of Bachelor of Technology in Computer Science and engineering. Data Recovery A Seminar Report Acknowledgement: I would like to thank respected Sir Uttam Ganguli and Miss. Swapana Halder for giving me such a wonderful opportunity to expand my knowledge for my own branch and giving me guidelines to present a seminar report. It helped me a lot to realize of what we study for. Secondly, I would like to thank my parents who patiently helped me as i went through my work and helped to modify and eliminate some of the irrelevant or un-necessary stuffs. Thirdly, I would like to thank my friends who helped me to make my work more organized and well-stacked till the end. Next, I would thank Microsoft for developing such a wonderful toollike MS Word. It helped my work a lot to remain error-free. Last but clearly not the least, I would thank The Almighty for giving me strength to complete my report on time. Preface: I have made this report file on the topic Data Recovery; I have tried my bestto elucidate all the relevant detail to the topic to be included in the report. While in the beginning I have tried to give a general view about this topic. My efforts and wholehearted co-corporation of each and everyone has ended on a successfulnote. I express my sincere gratitude to Jana Sir who assisting me throughout the preparation of this topic. I thank him for providing me the reinforcement, confidence and most importantly the track for the topic whenever I needed it.
  • 3. Index: Abstract Elementary Knowledge of Data Recovery 1.Connectionof Data 2.The essenceofdata recovery 3.The scope of data recovery 4.The principle of data recovery  Data Loss 1.Softwarereason 2.Hardware reason Data Protecting Technology 1.SMART Technology 2.SPS 3.DFT 4.Floppydisk array technology 5.SAN 6.NAS 7. Backup Common CasesofPartition recovery 1.MBR Recovery 2.RecoveryofPartition 3.PartitionTable doctor 4.The FAT table recovery RecoveryOption 1. RecoveryFrom LogicalDamage  2.Recoveryfrom PhysicalDamage 3.RecoveryFromOverwritten Data  Challenges Conclusion
  • 4. ABSTRACT: Data recovery refers to accessing logically or physically damaged data or over written data without the use any functioning backup. The advanced data recovery has two different methods where the first method - Part replacement which deals with the recovery from physically and/or logically damaged data. The second method of data recovery is the Magnetic recovery which deals with the recovery of the over written data. In this paper we are discussing about the methods and challenges for replacing, or refreshing firmware and system area information and for some part of the drive electronics. The magnetic recovery uses the Magnetic ForceMicroscopyfor recovery of over written data. The backboneof the magnetic recovery is the interesting fact that the magnetic memory always remembers whatever is written on it till it is forced for a degauss under strong magnetic field. As far as the cyber forensics is considered the recovery of data after physical damage and over writing is of great importance. In this paper we discussed the limitations of current techniques and some probable future directions of data recovery. It is predicted that the data recovery is more important in near future. ELEMENTARYKNOWLEDGE OF DATA RECOVERY: In this paper we will see how data will be recovered from all types of damages like physical and logical. In this we will look after the need of data recovery in today’s world as the data is the most important part in human life. In the chapter of introduction firstly the definition means what is mean by data recovery & the other one is why it is needed. After this we will look after the recovery techniques and the challenges in data recovery.Depending on the field the data recovery is also refers to the result of data mining, decryption and decompression. In this paper data recovery means accessing data from logically or physically damaged media specifically from hard disk drives or to obtained a file or blocks that have no backups. 
Definition:
Data recovery is the process of recovering data from primary storage media when it cannot be accessed normally. This can be due to physical damage to the storage device or logical damage to the file system that prevents it from being mounted by the host operating system. The loss of data can be due to logical or physical damage or due to overwriting of data, and there are different ways to tackle each of these three conditions.
  • 5. Why it is needed?
Data loss or impairment has become very common due to internal faults (software or hardware faults) and external faults (operator faults and environmental faults). This often poses the grave problem of losing the outcome of the many hardships endured to achieve a specific task. Data which cost years of hardship may be lost in a flash due to a single mistake! We may come across such painful experiences all too often. The increasing haste and pace of life, resulting in accidental deletion of valuable data, adds to the agony. This reveals only one side of the importance of data recovery; the other side is its forensic importance. The difference in the forensic case is that the data may not have been deleted accidentally, and that changes the recovery mode as well: recovery will be difficult because the deletion was performed with the intention that the data should never be recovered. These are the circumstances that lead to the need to recover lost data. In such cases of accidental loss of stored data we are in need of such recovery software, and sometimes of more than software that performs the usual undeletion. Hence data recovery became important. The data recovery procedure is important irrespective of the file system used. In each file system the data recovery process depends on the type of file system and its features. Besides this, there are drive-independent data recovery methods as well.
Connection of data:
The connotation of data is comprehensive: it includes not only multimedia files such as data documents, images and voice recordings stored in a file system or database, but also the hardware information, network addresses and network services used to store and manage that information.
The essence of data recovery:
Data recovery means retrieving lost, deleted, unusable or inaccessible data that was lost for various reasons.
Data recovery not only restores lost files but also recovers corrupted data. Depending on the reason for the loss, we can adopt different data recovery methods. Both software and hardware reasons cause data loss, and we can recover data by software and hardware means. Unlike prevention and backup, data recovery is a remedial measure. The best way to ensure the security of your data is prevention and regular backup. By operating and using your data according to the normal procedures, you can reduce the danger of data loss to the lowest level.
  • 6. The scope of data recovery:
Data problems take many forms, so we can divide the objects or scope of data recovery according to the different symptoms.
System problem:
The main symptom is that you cannot enter the system, the system behaves abnormally, or the computer shuts down. The reasons for this are complex, so different processing methods are needed. Possible reasons are that a key system file is lost or corrupted, there are bad tracks on the hard disk, the hard disk is damaged, the MBR or DBR is lost, the CMOS setting is incorrect, and so on.
Bad track of hard disk:
There are logical and physical bad tracks. A logical bad track is mainly caused by incorrect operation and can be restored by software. A physical bad track is caused by physical damage, which is real damage; we can work around it by changing the partition or sector. When there is a physical bad track, you had better back up your data in case the data can no longer be used because of the bad track.
Partition problem:
If a partition cannot be identified and accessed, or is identified as unformatted, partition recovery tools such as Partition Table Doctor can be used to recover data.
Files loss:
If files are lost because of deletion, formatting or a Ghost clone error, file restoring tools such as Data Recovery Wizard can be used to recover data.
Password loss:
If the password of a file, system, database or account is lost, special decryption tools that correspond to the data format in question, such as Word or Winzip, can be used.
File repair:
For some reasons, some files can not be accessed or used, or the contents are full of troubled characters, the contents are changed so as they can not be read.
  • 7. In this condition, some special files restoring tools can be tried to restore the files.
The principle of data recovery:
Data recovery is a process of finding and recovering data. It carries some risk, because not all situations can be anticipated or prepared for, which means unexpected things may happen. You therefore need to reduce the danger in data recovery to the lowest level:
Back up all the data on your hard disk.
Prevent the equipment from being damaged again.
Don’t write anything to the device from which you want to recover data.
Try to get detailed information on how the data was lost and on the process of the loss.
Back up the recovered data in time.
DATA LOSS:
There are various reasons for data loss: software, hardware, man-made, natural, intended and unintended causes may all lead to data loss or damage on storage devices. Generally, there are two main reasons for data problems, software and hardware, referred to here as the software reason and the hardware reason.
Software reason:
Viruses, formatting, mis-partitioning, mis-cloning, mis-operation, network deletion and power cuts during operation may all be software reasons. The symptoms are usually mis-operation, read errors, files that cannot be found or opened, reports of no partition or of an unformatted partition, lost passwords and troubled characters.
A: Computer viruses: some malicious virus programs destroy data, or overwrite or erase the data contents.
B: Mis-format: a fast or complete format of a partition, which changes the file system form (NTFS, FAT32) of the partition.
C: Mis-clone: when backing up the hard disk, mis-cloning or overlaying the original data on the hard disk.
For these, we can use software tools for recovery. So-called soft recovery means that the data can be recovered by software, without any hardware repair, because the fault is not a hardware failure. The following are prompts that system can not start up normally:
  • 8. Invalid Partition Table: Invalid partition table information.
Missing Operating System: “55AA” mark in DOS boot sector lost or DBR corrupted.
Disk Boot Failure: System file read failure.
Bad or missing command interpreter: Cannot find command.com file or ‘COMMAND.COM’ file corrupted.
Invalid system disk: DOS boot record corrupted.
Type the name of the command, Interpreter: DOS partition mark in partition table error or ‘COMMAND.COM’ file lost, corrupted.
Error Loading Operating System: Main boot startup program read boot sector unsuccessfully.
Not found any active partition in HDD: Active partition mark in partition table changed as inactive partition mark.
2. Hardware reason:
Sometimes data loss is caused by hardware, such as bad sectors on the hard disk, a power cut, head damage or a circuit board problem. When your hardware has problems, you will probably find that the hardware becomes slow, that operations fail, that data cannot be read, and so on; these are most often physical bad track failures. Correspondingly, data recovery that involves fixing hardware is considered hard recovery; it covers storage medium damage, track damage, hard disk scratches, head damage, motor damage, chip burnout and so on. The most distinct difference between soft recovery and hard recovery is whether the storage medium itself can be accessed normally only after parts are fixed or replaced.
Data Protecting Technologies:
Data security and fault-free storage are receiving more and more attention, and people attach more and more importance to developing new technologies to protect data.
1. SMART Technology:
SMART, also called Self-Monitoring Analysis and Report Technology, mainly protects the HD from losing data when there are problems on the HD. A SMART drive can reduce the risk of data loss: it raises alarms to predict and warn of problems, thus enhancing data security.
  • 9. 2. SPS:
SPS, the Shake Protecting System, prevents the head from shaking, which improves the shock resistance of the HD and avoids damage caused by shaking.
3. DFT:
DFT, an IBM data protecting technology, checks the hard disk by using the DFT program to access the DFT microcode in the hard disk. With DFT, users can conveniently check the operation of the HD.
4. Floppy disk array technology:
Originally ‘Redundant Arrays of Inexpensive Disks’, a project at the computer science department of the University of California at Berkeley, under the direction of Professor Katz, in conjunction with Professor John Ousterhout and Professor David Patterson. The project is reaching its culmination with the implementation of a prototype disk array file server with a capacity of 40 GBytes and a sustained bandwidth of 80 MBytes/second. The server is being interfaced to a 1 Gb/s local area network. A new initiative, which is part of the Sequoia 2000 Project, seeks to construct a geographically distributed storage system spanning disk arrays and automated libraries of optical disks and tapes. The project will extend the interleaved storage techniques so successfully applied to disks to tertiary storage devices. A key element of the research will be to develop techniques for managing latency in the I/O and network paths. The original (‘Inexpensive’) term referred to the 3.5 and 5.25 inch disks used for the first RAID system but no longer applies.
The following standard RAID specifications exist:
RAID 0: Non-redundant striped array
RAID 1: Mirrored arrays
RAID 2: Parallel array with ECC
RAID 3: Parallel array with parity
RAID 4: Striped array with parity
RAID 5: Striped array with rotating parity
The basic idea of RAID (Redundant Array of Independent Disks) is to combine multiple inexpensive disk drives into an array of disk drives to obtain performance, capacity and reliability that exceed those of a single large drive. The array of drives appears to the host computer as a single logical drive.
The Mean Time Between Failure (MTBF) of the array is equal to the MTBF of an individual drive, divided by the number of drives in the array. Because of this, the MTBF of a non-redundant array (RAID 0) is too low for mission-critical systems. However, disk arrays can be made fault-tolerant by redundantly storing information in various ways.
  • 10. 5. SAN:
A SAN, called a Storage Area Network or the network behind the servers, is a specialized, high-speed network attaching servers and storage devices. A SAN allows "any to any" connection across the network, using interconnect elements such as routers, gateways, hubs and switches. It eliminates the traditional dedicated connection between a server and storage, and the concept that the server effectively "owns and manages" the storage devices. It also eliminates any restriction on the amount of data that a server can access, currently limited by the number of storage devices that can be attached to the individual server. Instead, a SAN introduces the flexibility of networking to enable one server or many heterogeneous servers to share a common storage "utility", which may comprise many storage devices, including disk, tape and optical storage. The storage utility may also be located far from the servers which use it.
6. NAS:
NAS is Network Attached Storage. It can store rapidly growing volumes of information. Backup means to prepare a spare copy of a file, file system or other resource for use in the event of failure or loss of the original. This essential precaution is neglected by most new computer users until the first time they experience a disk crash or accidentally delete the only copy of the file they have been working on for the last six months. Ideally the backup copies should be kept at a different site or in a fire safe since, though your hardware may be insured against fire, the data on it is almost certainly neither insured nor easily replaced.
7. Backup:
Timely backup reduces danger and disaster to the lowest level, so data security can be best ensured. Different situations call for different approaches. Both backing up important system data with hardware and backing up key information by cloning mirror data to a different storage device can work well.
COMMON CASES OF DATA RECOVERY:
1. MBR Recovery:
Provided that there is no problem with the hardware, the first step is MBR recovery. MBR recovery is simple because the MBR is system data. Though it may be created by different software and the code may differ, the method is the same. Even with a multi-system boot setup it is not hard: you can back up the data to be recovered after the system boots normally again, and then restore the multi-system boot.
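Before any tool rewrites an MBR, it helps to read the sector and see which of the conditions behind the boot prompts listed earlier (lost “55AA” mark, no active partition, invalid table) actually applies. The following read-only check is an added example, not part of the original report; the function names and the sample sectors are constructed for illustration.

```python
import struct

SECTOR = 512
TABLE_OFFSET = 446            # the four 16-byte partition entries start here
SIGNATURE = b"\x55\xaa"       # the "55AA" mark in the last two bytes


def parse_mbr(sector):
    """Decode the four partition entries of a 512-byte MBR."""
    if len(sector) != SECTOR:
        raise ValueError("an MBR is exactly 512 bytes")
    entries = []
    for i in range(4):
        raw = sector[TABLE_OFFSET + 16 * i:TABLE_OFFSET + 16 * (i + 1)]
        lba_start, count = struct.unpack_from("<II", raw, 8)
        entries.append({"index": i, "status": raw[0], "type": raw[4],
                        "lba_start": lba_start, "sectors": count})
    return entries


def diagnose(sector):
    """Return a list of findings; an empty list means the table looks sane."""
    findings = []
    if sector[510:512] != SIGNATURE:
        findings.append("boot signature 55AA missing")
    entries = parse_mbr(sector)
    used = [e for e in entries if e["type"] != 0x00]   # type 0 = unused slot
    if not used:
        findings.append("partition table is empty")
    # The status byte may only be 0x80 (active) or 0x00 (inactive).
    if any(e["status"] not in (0x00, 0x80) for e in entries):
        findings.append("invalid status byte in partition table")
    active = [e for e in used if e["status"] == 0x80]
    if used and not active:
        findings.append("no active partition")
    if len(active) > 1:
        findings.append("more than one active partition")
    # Partitions must not overlap on disk.
    spans = sorted((e["lba_start"], e["lba_start"] + e["sectors"], e["index"])
                   for e in used)
    for (_, end1, i1), (start2, _, i2) in zip(spans, spans[1:]):
        if start2 < end1:
            findings.append(f"entries {i1} and {i2} overlap")
    return findings


def build_sample_mbr(parts, signature=SIGNATURE):
    """Constructed test sector: parts = [(status, type, lba_start, sectors)]."""
    sector = bytearray(SECTOR)
    for i, (status, ptype, lba, count) in enumerate(parts):
        entry = struct.pack("<B3sB3sII", status, b"", ptype, b"", lba, count)
        sector[TABLE_OFFSET + 16 * i:TABLE_OFFSET + 16 * (i + 1)] = entry
    sector[510:512] = signature
    return bytes(sector)


if __name__ == "__main__":
    healthy = build_sample_mbr([(0x80, 0x0C, 63, 1000), (0x00, 0x07, 1063, 2000)])
    damaged = build_sample_mbr([(0x00, 0x0C, 63, 1000), (0x00, 0x07, 500, 2000)],
                               signature=b"\x00\x00")
    print("healthy:", diagnose(healthy))
    print("damaged:", diagnose(damaged))
```

Run it against a saved copy of sector 0 rather than the live disk, in line with the rule above not to write anything to the device being recovered.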
  • 11. Recover MBR by fdisk:
The simplest way to recover the MBR is Fdisk, whose command is simple too: you can use “Fdisk /MBR”. Please note that the hard disk to be operated on should be connected to the master IDE interface as the master hard disk. For other connections, we need to specify the interface location of the IDE device in the form “Fdisk /CMBR”. The command syntax of the Fdisk command line is “Fdisk /parameter switch”. Besides the parameters listed by “FDISK /?”, there are some hidden parameters:
/ACTOK. Function: do not check for bad sectors on the disk surface. Details: speeds up the partition operation.
/CMBR. Function: re-create the MBR of the specified disk. Details: equal to the /MBR parameter, except that a particular disk can be specified.
/EXT. Function: create an extended partition. Details: creates an extended partition on the current disk, which is used to create logical partitions.
/FPRMT. Function: choose between FAT16 and FAT32 in interactive mode. Details: when the /FPRMT parameter is added, the query about support for high-capacity hard disks is skipped; instead, Fdisk asks whether to use FAT16 or FAT32 when creating a new partition.
/LOG. Function: rebuild a logical partition. Details: used to create a logical disk; /LOG and /EXT should be used together.
/LOGO. Function: create a logical partition with FAT16.
/MBR. Function: re-create the MBR of the master disk. Details: clears the system boot choice recorded in the MBR after uninstalling Windows NT or Windows 2000.
/PRI. Function: create a primary partition and activate it. Details: creates a primary partition, which is set active automatically.
/PRIO. Function: create a FAT16 primary partition and activate it.
/Q. Function: do not restart the computer when Fdisk ends. Details: it is unnecessary to restart the computer after changing the partition table.
/STATUS. Function: display details of the current partitions.
  • 12. Details: when there is no logical partition in the extended partition, the extended partition is not displayed.
/X. Function: no LBA attribute. Details: no partition with the LBA attribute will be created.
These parameters make Fdisk handier to use. However, hidden parameters are more dangerous, which calls for more caution.
Use Fixmbr to restore the MBR:
Provided by Microsoft, Fixmbr is an MBR recovery tool which determines the hard disk partitions and reconstructs the MBR through an overall search. Fixmbr can only be used from the Windows 2000 recovery console, which can be booted from the Windows install CD. Fixmbr only revises the MBR; it does not write to other sectors, which is safe. You can get the help information for Fixmbr by running “Fixmbr /?”. The parameter “DriveNo” names the device (drive) to which the new MBR is written. The device name can be obtained from the output of the map command, for example: /Device/HardDisk0. The following command writes a new MBR to the specified device:
fixmbr /Device/HardDisk0
Attention: if DriveNo is not given, the new MBR is written to the boot device, namely the drive from which the host system is loaded. If the system detects an invalid or non-standard partition mark, it asks whether to continue executing this command. Continue only if there are problems accessing the drive; otherwise, please do not continue. By default the MBR structure is checked. If it is abnormal, the tool asks whether to recover it. If you choose “Y”, it searches for partitions. When it has found a partition, it asks whether to revise the MBR. If you choose “Y”, the recovery is finished. If the system goes down at this point, please disable the anti-virus function in the BIOS first and then continue. By default, it searches all existing hard disks and performs all of the operations mentioned above.
If the result is not right, you may use the “/Z” parameter to clear the result and restart; the disk then returns to its original condition.
2. Recovery of Partition
Partition recovery is generally the second step of the whole process, because apart from some tools that read and write the hard disk directly, most tool software runs under the operating system and works through system calls.
  • 13. The operating system accesses the disk on the basis of the MBR and DBR; without the MBR and DBR, the operating system is unable to access the file system. Therefore, if the partition table is corrupted, we need to rebuild it. This is usually done manually; in some special cases it can be done automatically by software. If the partition table is corrupted, there are many tools that rebuild it automatically, provided the problem is not too serious. If it is too serious, or the partition table structure is too complex, rebuilding may be beyond their ability. In this case, we need to do it manually. Usually we use tool software to recover the lost partition table, such as Norton Utilities 8.0, DiskMan, KV3000/Kavfix, PartitionMagic etc. Here we introduce Partition Table Doctor.
3. Partition Table Doctor:
Partition Table Doctor is the only real software for hard disk partition recovery. When you come up against a drive error (not a hardware failure), this versatile tool automatically checks and repairs the Master Boot Record, the partition table and the boot sector of the partition with the error, to recover FAT16/FAT32/NTFS/NTFS5/EXT2/EXT3/SWAP partitions on IDE/ATA/SATA/SCSI hard disk drives. It can create an emergency floppy disk or a bootable CD to recover the bad partition even if your operating system fails to boot. Partition Table Doctor works with MS-DOS, FreeDOS, Windows 95/98/Me, Windows NT 4.0, Windows 2000, Windows XP and Windows 2003. There are two modes for partition recovery: “auto mode” and “interactive mode”.
4. The FAT table recovery
CIH destroys data from the front of the partitions onward. In this case, system data in the front part may be destroyed and lost. If FAT2 is still intact, we may use FAT2 to overwrite FAT1. Usually we use DiskEdit and WinHex.
For other forms of destruction, such as formatting, we usually use tool software to scan the whole disk and seldom recover manually, because there are dozens of trillions of sectors and a single partition has several trillions; relying on manual analysis is impossible. For some extremely important data files, we can also recover manually.
Recover FAT by DiskEdit:
After recovering the DBR of the FAT partition, if part of FAT1 is damaged while FAT2 remains intact (the most common situation after destruction by CIH), we may use FAT2 to overwrite FAT1. The specific method is to find the start sector of FAT2 and then
  • 14. start searching for the start sector of DATA (if it is FAT16, search for the FDT). In this way, we can figure out the length of the FAT table. From the length and the start sector of FAT2, we know the start sector of FAT1. By copying FAT2 to the damaged FAT1, we can finally recover the whole partition.
Recover FAT by WinHex:
The principle of recovering the FAT with WinHex is the same as with DiskEdit. After recovering the DBR, we can use FAT2 to overwrite FAT1. After finding FAT2, we begin searching for the start sector of DATA (if it is FAT16, search for the FDT). The boundary is distinct, because the end of the FAT must be a region of zeros, otherwise there would be no free space at all (even then, in ordinary circumstances there is still a little space left in the FAT after it covers the DATA area, so the end of the last sector must be 0 too), while the beginning of the DATA region or FDT region must not be 0. Whether or not there is a fixed FDT, the system always begins from the second cluster. If there is an FDT, it follows FAT2 closely and its file entries must exist; if there is not, the data area begins there, and some data must exist in it. Thus we can figure out the length of the FAT table, and then the start sector of FAT1 from the length and the start sector of FAT2. By copying FAT2 to the damaged FAT1, we can finally recover this partition.
Recovery Option:
There are three types of recovery options:
1. Recovery From Logical Damage:
Logical damage is primarily caused by power outages that prevent file system structures from being completely written to the storage medium, but problems with hardware (especially RAID controllers) and drivers, as well as system crashes, can have the same effect. The result is that the file system is left in an inconsistent state. This can cause a variety of problems, such as strange behavior (e.g., infinitely recursing directories, drives reporting negative amounts of free space), system crashes, or an actual loss of data.
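The FAT2-over-FAT1 repair described above under “Recover FAT by DiskEdit” and “Recover FAT by WinHex” can be sketched on a disk image as follows. This is an added example, not part of the original report: it assumes the DBR has already been recovered (so the layout can be read from its BIOS parameter block), works on an in-memory copy of the image, and uses a small constructed FAT16 volume; all function names are illustrative.

```python
import struct


def read_layout(image):
    """Read the FAT layout from the BPB of the (recovered) boot sector."""
    bps, _spc, reserved, nfats, _root = struct.unpack_from("<HBHBH", image, 11)
    fat_sectors = struct.unpack_from("<H", image, 22)[0]
    if fat_sectors == 0:                      # FAT32 keeps the size at offset 36
        fat_sectors = struct.unpack_from("<I", image, 36)[0]
    if bps == 0 or fat_sectors == 0 or nfats < 2:
        raise ValueError("BPB unusable or no second FAT copy")
    fat_len = fat_sectors * bps
    fat1 = reserved * bps
    return {"bps": bps, "media": image[21], "fat_len": fat_len, "fat1": fat1,
            "fat2": fat1 + fat_len, "after_fats": fat1 + nfats * fat_len}


def fat1_from_landmarks(fat2_start, next_region_start):
    """The report's manual method: the FAT length is the distance from FAT2
    to the FDT/DATA start, and FAT1 lies one FAT length before FAT2."""
    length = next_region_start - fat2_start
    return fat2_start - length, length


def fat_looks_valid(image, start, layout):
    """A FAT begins with the media descriptor byte followed by 0xFF."""
    return image[start] == layout["media"] and image[start + 1] == 0xFF


def differing_sectors(image, layout):
    """Sector numbers (relative to the FAT start) where FAT1 != FAT2."""
    bps, f1, f2 = layout["bps"], layout["fat1"], layout["fat2"]
    return [i for i in range(layout["fat_len"] // bps)
            if image[f1 + i * bps:f1 + (i + 1) * bps]
            != image[f2 + i * bps:f2 + (i + 1) * bps]]


def restore_fat1(image):
    """Return a repaired copy of the image with FAT2 copied over FAT1."""
    lay = read_layout(image)
    if not fat_looks_valid(image, lay["fat2"], lay):
        raise ValueError("FAT2 fails its sanity check; do not copy it over FAT1")
    repaired = bytearray(image)               # never modify the original evidence
    repaired[lay["fat1"]:lay["fat1"] + lay["fat_len"]] = \
        image[lay["fat2"]:lay["fat2"] + lay["fat_len"]]
    return bytes(repaired)


def build_sample_image():
    """Constructed FAT16 volume: 1 reserved sector, two 2-sector FATs,
    a 1-sector root directory (FDT) and 8 data sectors."""
    bps, reserved, nfats, fatsz, root_entries, data = 512, 1, 2, 2, 16, 8
    total = reserved + nfats * fatsz + 1 + data
    img = bytearray(total * bps)
    struct.pack_into("<HBHBHHBH", img, 11, bps, 1, reserved, nfats,
                     root_entries, total, 0xF8, fatsz)
    img[510:512] = b"\x55\xaa"
    fat = bytearray(fatsz * bps)
    struct.pack_into("<4H", fat, 0, 0xFFF8, 0xFFFF, 3, 0xFFFF)  # chain 2 -> 3
    for n in range(nfats):
        start = (reserved + n * fatsz) * bps
        img[start:start + len(fat)] = fat
    fdt = (reserved + nfats * fatsz) * bps
    img[fdt:fdt + 11] = b"REPORT  DOC"        # first directory entry name
    return bytes(img)


if __name__ == "__main__":
    good = build_sample_image()
    lay = read_layout(good)
    damaged = bytearray(good)
    damaged[lay["fat1"]:lay["fat1"] + 512] = bytes(512)  # front of FAT1 wiped
    damaged = bytes(damaged)
    print("damaged FAT1 sectors:", differing_sectors(damaged, lay))
    print("repaired matches original:", restore_fat1(damaged) == good)
```

The sanity check on FAT2 matters because copying a damaged FAT2 over FAT1 destroys the only remaining allocation information.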
Various programs exist to correct these inconsistencies, and most operating systems come with at least a rudimentary repair tool for their native file systems. Linux, for instance, comes with the fsck utility, and Microsoft Windows provides chkdsk. Third-party utilities are also available, and some can produce superior results by recovering data even when the disk cannot be recognized by the operating system's repair utility. Two common techniques used to recover data from logical damage are consistency checking and data carving. While most logical damage can be either repaired or worked
  • 15. around using these two techniques, data recovery software can never guarantee that no data loss will occur. For instance, in the FAT file system, when two files claim to share the same allocation unit (“cross-linked”), data loss for one of the files is essentially guaranteed.
(1.1) Consistency checking:
Consistency checking involves scanning the logical structure of the disk and checking to make sure that it is consistent with its specification. For instance, in most file systems, a directory must have at least two entries: a dot (.) entry that points to itself, and a dot-dot (..) entry that points to its parent. A file system repair program can read each directory and make sure that these entries exist and point to the correct directories. If they do not, an error message can be printed and the problem corrected. Both chkdsk and fsck work in this fashion. This strategy suffers from a major problem, however: if the file system is sufficiently damaged, the consistency check can fail completely. In this case, the repair program may crash trying to deal with the mangled input, or it may not recognize the drive as having a valid file system at all. The second issue that arises is the disregard for data files. If chkdsk finds a data file to be out of place or unexplainable, it may delete the file without asking. This is done so that the operating system may run more smoothly, but the files deleted are often important user files which cannot be replaced. Similar issues arise when using system restore disks (often provided with proprietary systems like Dell and Compaq), which restore the operating system by removing the previous installation. This problem can often be avoided by installing the operating system on a separate partition from your user data.
(1.2) Data carving:
Data carving is a data recovery technique that allows data with no file system allocation information to be extracted by identifying the sectors and clusters belonging to the file.
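Signature-based carving of the kind this section describes, as an added example that is not part of the original report. It assumes files start on a sector boundary and are stored contiguously, caps each carve at an assumed maximum size because no allocation information exists, and runs on a small constructed raw image; the names are illustrative.

```python
from collections import namedtuple

Carved = namedtuple("Carved", "kind offset length complete")

# Header and footer signatures for two common formats.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}


def carve(raw, sector=512, max_size=2048):
    """Scan raw bytes sector by sector for file headers.

    Only sector-aligned headers are accepted, which filters out signatures
    that merely occur inside other data. A hit with no footer inside
    max_size is reported as incomplete and truncated at the size cap
    (the file may be fragmented or partly overwritten).
    """
    hits = []
    for off in range(0, len(raw), sector):
        for kind, (head, foot) in SIGNATURES.items():
            if not raw.startswith(head, off):
                continue
            window = raw[off:off + max_size]
            end = window.find(foot, len(head))
            if end == -1:
                hits.append(Carved(kind, off, len(window), False))
            else:
                # The first footer found ends the carve; formats that embed
                # a footer-like sequence can be cut short by this rule.
                hits.append(Carved(kind, off, end + len(foot), True))
    return hits


def extract(raw, hit):
    """Return the carved bytes for one hit."""
    return raw[hit.offset:hit.offset + hit.length]


def build_sample_raw():
    """Constructed 8-sector image: one complete JPEG-like file, one stray
    unaligned JPEG header (a false hit) and one PNG header with no footer."""
    raw = bytearray(8 * 512)
    jpg = b"\xff\xd8\xff" + b"A" * 700 + b"\xff\xd9"
    raw[512:512 + len(jpg)] = jpg
    raw[4 * 512 + 100:4 * 512 + 103] = b"\xff\xd8\xff"   # unaligned: ignored
    raw[6 * 512:6 * 512 + 8] = b"\x89PNG\r\n\x1a\n"       # footer is gone
    return bytes(raw)


if __name__ == "__main__":
    raw = build_sample_raw()
    for hit in carve(raw):
        state = "complete" if hit.complete else "incomplete"
        print(f"{hit.kind} at offset {hit.offset}, {hit.length} bytes, {state}")
```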
Data carving usually searches through raw sectors looking for specific desired file signatures. The fact that there is no allocation information means that the investigator must specify a block size of data to carve out upon finding a matching file signature, or the carving software must infer it from other information on the media. There is a requirement that the beginning of the file still be present, and there is (depending on how common the file signature is) a risk of many false hits. Data carving, also known as file carving, has traditionally required that the files recovered be located in sequential sectors (rather than fragmented) as there is no allocation information to
  • 16. point to fragmented file portions. Recent developments in file carving algorithms have led to tools that can recover files that are fragmented into multiple pieces. A good number of software tools are now available which can perform undeletion to a great extent, even if the data seems to be permanently deleted from the drive. These tools usually rely on the nature of the file system, which never actually deletes any data but only marks it as deleted until it is overwritten the next time. Such software can recover the data only before it is overwritten. These recovery tools are highly dependent on the file system type. The main disadvantage of these tools is that they can recover the data only when the drive is working properly and the data has not been overwritten. For forensic purposes it is necessary to recover data from physically damaged drives and also when the data has been overwritten, because physically damaging the drive and filling it with junk data are not very difficult jobs to perform.
2. Recovery from Physical Damage:
A wide variety of failures can cause physical damage to storage media. CD-ROMs can have their metallic substrate or dye layer scratched off; hard disks can suffer any of several mechanical failures, such as head crashes and failed motors; and tapes can simply break. Physical damage always causes at least some data loss, and in many cases the logical structures of the file system are damaged as well. This causes logical damage that must be dealt with before any files can be recovered. Most physical damage cannot be repaired by end users. For example, opening a hard disk in a normal environment can allow dust to settle on the surface, causing further damage to the platters. Furthermore, end users generally do not have the hardware or technical expertise required to make these sorts of repairs; therefore, data recovery companies are consulted.
These firms use Class 100 cleanroom facilities to protect the media while repairs are made, and tools such as magnetometers to manually read the bits off failed magnetic media. The extracted raw bits can be used to reconstruct a disk image, which can then be mounted to have its logical damage repaired. Once that is complete, the files can be extracted from the image.
(2.1) Causes of physical damage:
Physical damage can be caused by various failures. Hard disk drives can undergo any of numerous mechanical failures, like head stack crashes; tapes can just break. Physical damage always causes as
  • 17. a minimum some data loss, and in a few cases the logical structures of the file system are destroyed too.
Recovering data from physically damaged hard drives: the majority of physical damage cannot be repaired by end users. For instance, opening a hard drive in a standard environment can let airborne dust settle on the media platter and become caught between the platter and the read-write head, leading to new head crashes that further damage the platter and thus compromise the recovery procedure. End users usually don’t have the hardware or technological proficiency required to make these repairs. There are two techniques to recover data from physically damaged drives: the first is replacing or “refreshing” the system area information, and the second is replacing the drive's electronics. These two techniques are called ‘part replacement’ methods.
(2.2) The part replacement:
Techniques for recovering data from physically damaged hard disks can be described as part replacement, whereby printed circuit boards (PCBs) are swapped; heads are transplanted; motors and base castings are replaced by remounting the disks onto the spindle of a donor drive;[1] and firmware or system information is replaced or refreshed by rewriting it. Placing the disks in a donor drive swaps everything except the on-disk system information. Data stored on portions of the magnetic layer of the disk that have been physically removed, such as by a slider (head) scraping away the surface, cannot be recovered. The ultimate part replacement operations are re-mounting disks onto new drives and transplanting head stacks. In these two extreme cases there are six difficult challenges to overcome for successful data recovery:
1. Re-optimizing preamp read settings.
2. Recalibrating repeatable run-out (RRO) and head offsets.
3. Controlling spindle rotation and head positioning, typically using the magnetic servo patterns on the disk surfaces.
4. Determining the layout and format of each surface, defects and defect mapping strategies.
5. Detecting the binary data in the analog head signal.
6. Decoding the precoding, scrambling, RLL, parity-assist ECC, and any other codes to reveal user data.
The sectors or blocks created from the detected and decoded user bits must still be assembled into useful files. It is at this latter task that logical recoveries typically start. Interestingly, data forensic examinations can only begin after the physical and then the logical recoveries have been completed.
  • 18. (2.3) Refreshing the system information:
Current state-of-the-art research for system area refreshing focuses on developing algorithms that can quickly and adequately re-optimize all important channel, preamp, and servo system parameters without rewriting over data. This capability is needed both when the system area information is corrupted and when a head stack transplant is necessary. The system information includes the drive-specific hyper-tuned parameters along with the normal characteristic parameters of the HDD. The system area may become corrupted due to malfunctioning circuits, firmware bugs, exceeding the operational shock specifications of the drive, or position system errors. Another, more common, reason for system area corruption is a loss of power during an update of the system area itself. The G-list, or grown defect list, holds information about the location of defects that have been found in the field during drive operation. The G-list is typically used for sector swapping, or sector reallocation. Related to this is the P-list, or primary defect list, which stores the location of media defects that were found during manufacturing. For some drive models, the system area contains only a small amount of information, such as a unique drive serial number, the P-list and G-list, S.M.A.R.T. data, and a drive password, possibly encrypted.
(2.4) Replacing the drive electronics:
Current state-of-the-art research for drive electronics replacement focuses on developing faster and more robust methods for determining the servo sector track ID and wedge ID and the data sector encodings. Additionally, timing, equalization, and detection methods are being advanced to recover data from the drives that are being built today and in the future.
These are likely to employ iterative equalization and decoding, LDPC (low-density parity-check) codes, and new timing recovery schemes. For flyable media, the most cost-effective way to spin the disk is with its original motor and base casting or with those of a donor drive. All that is required is a standard HDD motor controller and related programming capability. Once a compatible head stack is in place and the disks are spinning, the signal from the preamp needs to be acquired and used: first for servo positioning and then for data detection. To acquire a good signal, the read bias currents must be approximated for each head.
3. RECOVERY OF OVERWRITTEN DATA:
A good part of computer users have yet to learn about the most important and interesting feature of our most common storage media, the magnetic storage media: its capability to remember anything ever written on it until it is completely destroyed by degaussing under a strong magnetic field. Magnetic hard drives are used as the primary storage device for a wide range of applications, including desktop, mobile, and server systems. All magnetic disk drives possess the capability for data retention, but for the majority of computer users, the hard disk drive possesses the highest lifespan of all magnetic media types, and therefore is most likely to have large amounts of sensitive data on it.

In reality, magnetic media is simply any medium which uses a magnetic signal to store and retrieve information. Examples of magnetic media include floppy disks, hard drives, reel-to-reel tapes, eight-tracks, and many others. The inherent similarity between all these forms of media is that they all use magnetic fields to store data. This process has been used for years, but now that security concerns are being brought more into focus, we are starting to see some of the weaknesses of this technology, as well as its well-known benefits.

(3.1) Wise drives:
When data is written to the disc platter, it is stored in the form of ones and zeroes. This is due to the binary nature of computers: the data in question is either on (1) or off (0). This is represented on the disk by storing either a charge (1) or no charge (0). The data is written to the actual disc platter in what are called tracks. These are concentric rings on the disc platter itself, which are somewhat similar to the annual rings of a tree. As data is written to these rings, the head actually writes either a charge (1) or no charge (0).

In reality, as this is an analog medium, the disc's charge will not be exactly at a 1 or 0 potential, but perhaps a 1.06 when a one is written on top of an existing 1, and perhaps a .96 when an existing 0 is overwritten with a 1. The main idea to grasp here is that the charge will never be exactly 1 or 0 on the disc itself. It will be different, due to the properties of the magnetic coating on the disc. In this way, data is written to the tracks of the disc. Each time data is written to the disc, it is not written to exactly the same location on the disc.

Some common methods used to gather data from drives which might hold information very important to investigations include Magnetic Force Microscopy (MFM) and magnetic force Scanning Tunneling Microscopy (STM). Other methods and variations exist, but are either classified by governmental intelligence agencies or are not widely used yet. We will deal with MFM and STM.

(4.2) Magnetic force microscopy:
MFM is a fairly recent method for imaging magnetic patterns with high resolution and requires hardly any sample preparation.[7] This method uses a sharp magnetic tip attached to a flexible cantilever placed close to the surface of the disc, where it picks up the stray field of the disc. An image of the field at the surface is formed by moving this tip across the surface of the disc and measuring the force (or force gradient) as a function of position. The strength of this interaction is measured by monitoring the position of the cantilever using an optical interferometer or tunneling sensor. In this way, data can be extracted from a drive. The fact that magnetic media contains residual charges from previous data even after being wiped or overwritten several times makes complete data destruction next to impossible.

Challenges:
Recovery of data using part replacement and magnetic recovery methods is now implemented in robust ways; hence the challenges it faces, or the areas where improvements have to be made, are in most cases improvements in the efficiency of the steps in the recovery procedure. The challenges are:
• The data can be recovered only if the magnetic platter is not damaged; although there is research on improving the part replacement methods, there is no active research intended to overcome this challenge.
• The recovery is highly complicated in the case of some particular ultra hyper-tuned hard disks which have a highly customized system area; there is active research to overcome this challenge, and manufacturers have also now started designing drives amenable to recovery.
• The part replacement methods and the magnetic recovery are usually of high cost.
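The analog behaviour described under (3.1), as an added example that is not part of the original report: a numeric model in Python that uses the report's 1.06 and .96 figures to contrast the normal digital read with an inference of the overwritten bit from the leftover deviation. Applying the same offsets to a written 0, the Gaussian read noise, the sample bits and all function names are assumptions made for this example.

```python
import random

# Offsets from the report: a 1 written over an old 1 reads ~1.06, a 1
# written over an old 0 reads ~0.96. Applying the same offsets when a 0
# is written is an assumption of this model.
RESIDUE = {1: 0.06, 0: -0.04}
SPLIT = (RESIDUE[1] + RESIDUE[0]) / 2  # midpoint between the two offsets


def overwrite(old_bits, new_bits, noise=0.0, seed=0):
    """Return the analog level left on each cell after writing new over old."""
    rng = random.Random(seed)
    return [new + RESIDUE[old] + rng.gauss(0.0, noise)
            for old, new in zip(old_bits, new_bits)]


def read_digital(levels):
    """What normal drive electronics report: a threshold at 0.5."""
    return [1 if v >= 0.5 else 0 for v in levels]


def infer_previous(levels):
    """Guess the overwritten bit from the deviation around the nominal level."""
    return [1 if (v - round(v)) > SPLIT else 0 for v in levels]


def previous_layer_error_rate(n_bits, noise, seed=1):
    """Fraction of overwritten bits guessed wrongly at a given read noise."""
    rng = random.Random(seed)
    old = [rng.randint(0, 1) for _ in range(n_bits)]
    new = [rng.randint(0, 1) for _ in range(n_bits)]
    guess = infer_previous(overwrite(old, new, noise, seed + 1))
    return sum(g != o for g, o in zip(guess, old)) / n_bits


if __name__ == "__main__":
    old = [1, 0, 1, 1, 0, 0, 1, 0]   # constructed sample data
    new = [1, 1, 0, 1, 0, 1, 0, 0]
    levels = overwrite(old, new)
    print("analog  :", [round(v, 2) for v in levels])
    print("digital :", read_digital(levels))
    print("previous:", infer_previous(levels))
    for sigma in (0.0, 0.02, 0.05, 0.2):
        print(f"noise {sigma:.2f} -> error {previous_layer_error_rate(4000, sigma):.3f}")
```

In this model the previous layer is only as recoverable as the offsets are large compared with the measurement noise, which is the margin a sanitization procedure aims to remove.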
CONCLUSION:
From the above discussion, we can say that data recovery is possible and is not that difficult, as we are recovering data from physical and logical damage without losing the content of the data.

The recovery of data from logically and/or physically damaged disk drives, and the recovery of overwritten data, is now being done with a good amount of success. Data recovery has now become a handy tool for end users as far as logical damage is concerned, although the recovery of data from physically damaged drives and of overwritten data, which is done by the magnetic data recovery methods, has still to reach end users. The data recovery industry has grown through heights of technology, so that nowadays data can be recovered from any physically damaged drive as long as its magnetic platters remain as such. In the case of magnetic recovery, too, the present state of the art has contributed a lot to the data recovery industry: magnetic recovery has reported recovery of data that had been overwritten up to 17 times.