Data recovery: Difference between revisions - Wikipedia

Article Images

Line 6:

}}

In [[computing]], '''data recovery''' is a process of retrieving deleted, inaccessible, lost, corrupted, damaged, or formatted data from [[computer data storage#Secondary storage|secondary storage]], [[removable media]] or [[Computer file|files]], when the data stored in them cannot be accessed in a usual way. <ref>{{Cite web |title=Data Recovery Explained |url=https://www.ibm.com/cloud/learn/data-recovery |access-date=2022-08-28 |website=www.ibm.com |language=en-us |archive-date=28 August 2022 |archive-url=https://web.archive.org/web/20220828110036/https://www.ibm.com/cloud/learn/data-recovery |url-status=live }}</ref> The data is most often salvaged from storage media such as internal or external [[hard disk drive]]s (HDDs), [[solid-state drive]]s (SSDs), [[USB flash drive]]s, [[Magnetic -tape data storage|magnetic tapes]], [[Compact disc|CD]]s, [[DVD]]s, [[RAID]] subsystems, and other [[electronics|electronic devices]]. Recovery may be required due to physical damage to the storage devices or logical damage to the [[file system]] that prevents it from being [[Mount (computing)|mounted]] by the host [[operating system]] (OS).<ref>{{Cite web |title=Data Recovery Explained |url=https://www.ibm.com/cloud/learn/data-recovery |access-date=2022-12-01 |website=www.ibm.com |language=en-us |archive-date=28 August 2022 |archive-url=https://web.archive.org/web/20220828110036/https://www.ibm.com/cloud/learn/data-recovery |url-status=live }}</ref>

Logical failures occur when the hard drive devices are functional but the user or automated-OS cannot retrieve or access ~~date~~data stored inon itthem. ItLogical failures can occur due to ~~corrupt~~corruption of the engineering chip, lost partitions~~, deleted data~~, firmware failure, ~~failed~~or failures during formatting/re-installation.<ref>{{Cite web |title=What is logical failure? |url=https://www.disklabs.com/faqs/what-is-logical-failure/ |access-date=2022-12-01 |website=Disklabs Digital Forensics and Data Recovery |language=en-gb |archive-date=1 December 2022 |archive-url=https://web.archive.org/web/20221201055714/https://www.disklabs.com/faqs/what-is-logical-failure/ |url-status=live }}</ref><ref>{{Cite web |title=What Happens When Drives Experience Logical Failure? |url=https://www.streetdirectory.com/etoday/-eaecfj.html |access-date=2022-12-01 |website=www.streetdirectory.com |archive-date=1 December 2022 |archive-url=https://web.archive.org/web/20221201055708/https://www.streetdirectory.com/etoday/-eaecfj.html |url-status=live }}</ref>

Data recovery can be a very simple or technical challenge. This is why there are specific software companies specialized in this field.<ref>{{Cite web |title=Data Recovery – Backup Technology |url=https://www.dell.com/en-us/dt/learn/data-protection/data-recovery.htm |access-date=2022-12-01 |website=www.dell.com |language=en |archive-date=1 December 2022 |archive-url=https://web.archive.org/web/20221201055708/https://www.dell.com/en-us/dt/learn/data-protection/data-recovery.htm |url-status=live }}</ref>

== About ==

The most common data recovery scenarios involve an operating system failure, malfunction of a storage device, logical failure of storage devices, accidental damage or deletion, etc. (typically, on a single-drive, single-[[disk ~~partition~~partitioning|partition]], single-OS system), in which case the ultimate goal is simply to copy all important files from the damaged media to another new drive. This can be accomplished using a [[Live CD]], or DVD by booting directly from a [[Read-only memory|ROM]] or a USB drive instead of the corrupted drive in question. Many Live CDs or DVDs provide a means to mount the system drive and backup drives or removable media, and to move the files from the system drive to the backup media with a [[file manager]] or [[optical disc authoring]] software]]. Such cases can often be mitigated by [[disk ~~partition~~partitioning]]~~ing~~ and consistently storing valuable data files (or copies of them) on a different partition from the replaceable OS system files.

Another scenario involves a drive-level failure, such as a compromised [[file system]] or drive partition, or a [[hard disk drive failure]]. In any of these cases, the data is not easily read from the media devices. Depending on the situation, solutions involve repairing the logical file system, partition table, or [[master boot record]], or updating the [[firmware]] or drive recovery techniques ranging from software-based recovery of corrupted data, to hardware- and software-based recovery of damaged service areas (also known as the hard disk drive's "firmware"), to hardware replacement on a physically damaged drive which allows for the extraction of data to a new drive. If a drive recovery is necessary, the drive itself has typically failed permanently, and the focus is rather on a one-time recovery, salvaging whatever data can be read.

Line 22:

==Physical damage==

~~{{See also|Data recovery hardware}}~~

A wide variety of failures can cause physical damage to storage media, which may result from human errors and natural disasters. [[CD-ROM]]s can have their metallic substrate or dye layer scratched off; hard disks can suffer from a multitude of mechanical failures, such as [[head crash]]es, PCB failure, and failed motors; [[tape drive|tapes]] can simply break.

Line 30 ⟶ 29:

Of course, there are exceptions to this, such as cases where severe damage to the hard drive [[Hard disk drive platter|platters]] may have occurred. However, if the hard drive can be repaired and a full image or clone created, then the logical file structure can be rebuilt in most instances.

Most physical damage cannot be repaired by end users. For example, opening a hard disk drive in a normal environment can allow airborne dust to settle on the platter and become caught between the platter and the [[disk read-and-write head|read/write head]]. During normal operation, read/write heads float 3 to 6 {{nbsp}}[[Nanometre|nanometers]] above the platter surface, and the average dust particles found in a normal environment are typically around 30,000 {{nbsp}}nanometers in diameter.<ref>{{cite web |title=Data Recovery On A 3TB Seagate Hard Drive |url=https://acsdata.com/data-recovery-3tb-seagate-hard-drive/#Hard_Drive_Flying_Height |archive-url=https://web.archive.org/web/20170213184416/https://acsdata.com/data-recovery-3tb-seagate-hard-drive/ |archive-date=13 February 2017 |website=acsdata.com}}</ref> When these dust particles get caught between the read/write heads and the platter, they can cause new head crashes that further damage the platter and thus compromise the recovery process. Furthermore, end users generally do not have the hardware or technical expertise required to make these repairs. Consequently, data recovery companies are often employed to salvage important data with the more reputable ones using [[Cleanroom#EU GMP classification|class 100]] dust- and static-free [[cleanroom]]s.<ref>{{cite web|url=https://www.ontrack.com/uk/blog/concepts-explained/diy-data-recovery-could-mean-bye-bye/|title=DIY data recovery could mean "bye-bye"|last=Vasconcelos|first=Pedro|work=The Ontrack Data Recovery Blog|publisher=Ontrack Data Recovery|access-date=26 July 2019|df=dmy-all|archive-date=26 July 2019|archive-url=https://web.archive.org/web/20190726104548/https://www.ontrack.com/uk/blog/concepts-explained/diy-data-recovery-could-mean-bye-bye/|url-status=live}}</ref>

===Recovery techniques===

Line 38 ⟶ 37:

[[File:HD with toasty PCB.jpg|thumb|right|250px|Media that has suffered a catastrophic electronic failure requires data recovery in order to salvage its contents.]]

A common misconception is that a damaged [[printed circuit board]] (PCB) may be simply replaced during recovery procedures by an identical PCB from a healthy drive. While this may work in rare circumstances on hard disk drives manufactured before 2003, it will not work on newer drives. Electronics boards of modern drives usually contain drive-specific [[hard disk drive failure|adaptation data]] (generally a map of bad sectors and tuning parameters) and other information required to properly access data on the drive. Replacement boards often need this information to effectively recover all of the data. The replacement board may need to be reprogrammed. Some manufacturers (Seagate, for example) store this information on a serial [[EEPROM]] chip, which can be removed and transferred to the replacement board.<ref>{{cite web

|url = http://www.donordrives.com/pcb-replacement-guide

|title = Hard Drive Circuit Board Replacement Guide or How To Swap HDD PCB

Line 71 ⟶ 70:

==Logical damage==

~~{{See also|List of data recovery software}}~~

[[File:Data loss of image file.JPG|thumb|Result of a failed data recovery from a hard disk drive.]]

Line 77 ⟶ 75:

===Corrupt partitions and file systems, media errors===

In some cases, data on a hard disk drive can be unreadable due to damage to the [[disk partitioning#Partition table|partition table]] or [[file system]], or to (intermittent) media errors. In the majority of these cases, at least a portion of the original data can be recovered by repairing the damaged partition table or file system using specialized data recovery software such as [[~~Testdisk~~TestDisk]]; software like [[ddrescue]] can image media despite intermittent errors, and image raw data when there is partition table or file system damage. This type of data recovery can be performed by people without expertise in drive hardware as it requires no special physical equipment or access to platters.

Sometimes data can be recovered using relatively simple methods and tools;<ref>[http://www.recover-computerdata.com/ Data Recovery Software] {{webarchive|url=https://web.archive.org/web/20161017073654/http://www.recover-computerdata.com/ |date=17 October 2016 }}</ref> more serious cases can require expert intervention, particularly if parts of files are irrecoverable. [[File carving|Data carving]] is the recovery of parts of damaged files using knowledge of their structure.

Line 86 ⟶ 84:

After data has been physically overwritten on a hard disk drive, it is generally assumed that the previous data are no longer possible to recover. In 1996, [[Peter Gutmann (computer scientist)|Peter Gutmann]], a computer scientist, presented a paper that suggested overwritten data could be recovered through the use of [[magnetic force microscopy]].<ref>[http://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html ''Secure Deletion of Data from Magnetic and Solid-State Memory''] {{webarchive|url=https://web.archive.org/web/20071209152858/http://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html |date=9 December 2007 }}, Peter Gutmann, Department of Computer Science, University of Auckland</ref> In 2001, he presented another paper on a similar topic.<ref>[http://www.cypherpunks.to/~peter/usenix01.pdf ''Data Remanence in Semiconductor Devices''] {{webarchive|url=https://web.archive.org/web/20070221201213/http://www.cypherpunks.to/~peter/usenix01.pdf |date=21 February 2007 }}, Peter Gutmann, IBM T.J. Watson Research Center</ref> To guard against this type of data recovery, Gutmann and Colin Plumb designed a method of irreversibly scrubbing data, known as the [[Gutmann method]] and used by several disk-scrubbing software packages.

Substantial criticism has followed, primarily dealing with the lack of any concrete examples of significant amounts of overwritten data being recovered.<ref>{{cite web | last = Feenberg | first = Daniel | title = Can Intelligence Agencies Read Overwritten Data? A response to Gutmann. | publisher = National Bureau of Economic Research | date = 14 May 2004 | url = http://www.nber.org/sys-admin/overwritten-data-guttman.html | access-date = 21 May 2008 | url-status = live | archive-url = https://web.archive.org/web/20080509083548/http://www.nber.org/sys-admin/overwritten-data-guttman.html | archive-date = 9 May 2008 | df = dmy-all }}</ref> Gutmann's article contains a number of errors and inaccuracies, particularly regarding information about how data is encoded and processed on hard drives.<ref>https://kaleron.edu.pl/throwing-Gutmanns-algorithm-into-the-trash</ref> Although Gutmann's theory may be correct, there is no practical evidence that overwritten data can be recovered, while research has shown to support that overwritten data cannot be recovered.{{specify|date=June 2013}}<ref>{{cite web |url=https://www.anti-forensics.com/disk-wiping-one-pass-is-enough/ |title=Disk Wiping – One Pass is Enough |date=17 March 2009 |website=anti-forensics.com |url-status=dead |archive-url=https://web.archive.org/web/20120902011743/http://www.anti-forensics.com/disk-wiping-one-pass-is-enough |archive-date=2 September 2012 |df=dmy }}</ref><ref>{{cite web|url=https://www.anti-forensics.com/disk-wiping-one-pass-is-enough-part-2-this-time-with-screenshots/ |title=Disk Wiping – One Pass is Enough – Part 2 (this time with screenshots) |date=18 March 2009 |website=anti-forensics.com |url-status=dead |archive-url=https://web.archive.org/web/20121127130830/https://www.anti-forensics.com/disk-wiping-one-pass-is-enough-part-2-this-time-with-screenshots/ |archive-date=27 November 2012 |df=dmy }}</ref><ref>{{cite web

|url = http://blogs.sans.org/computer-forensics/2009/01/15/overwriting-hard-drive-data/

|title = Overwriting Hard Drive Data

Line 98 ⟶ 96:

}}</ref>

[[Solid-state drive]]s (SSD) overwrite data differently from hard disk drives (HDD) which makes at least some of their data easier to recover. Most SSDs use [[flash memory]] to store data in pages and blocks, referenced by [[Logical block addressing|logical block addresses]] (LBA) which are managed by the [[Flash ~~Translation~~memory ~~Layer~~controller#Flash translation layer (FTL) and mapping|flash translation layer]] (FTL). When the FTL modifies a sector it writes the new data to another location and updates the map so the new data appear at the target LBA. This leaves the pre-modification data in place, with possibly many generations, and recoverable by data recovery software.

=== Lost, deleted, and formatted data ===

Line 151 ⟶ 149:

*[[BartPE]]: a lightweight variant of [[Windows XP|Microsoft Windows XP]] or [[Windows Server 2003]] [[32-bit computing|32-bit operating systems]], similar to a Windows Preinstallation Environment, which can be run from a live CD or live USB drive. Discontinued.

*[[Finnix]]: a [[Debian]]-based Live CD with a focus on being small and fast, useful for computer and data rescue

*[[Disk Drill ~~Basic~~]]: capable of creating bootable [[~~Mac OS X~~macOS]] USB drives for data recovery

*[[Knoppix]]: contains utilities for data recovery under Linux

*[[~~SpinRite~~SystemRescue]]: aan [[~~FreeDOS~~Arch Linux]]-based ~~data~~live ~~recovery~~CD, ~~tool~~useful for ~~hard~~repairing ~~disks~~unbootable computer systems and ~~magnetic~~retrieving data after a ~~storage~~system ~~devices~~crash

*[[SystemRescueCD]]: an [[Arch Linux]] based live CD, useful for repairing unbootable computer systems and retrieving data after a system crash

*[[Windows Preinstallation Environment]] (WinPE): A customizable Windows Boot DVD (made by Microsoft and distributed for free). Can be modified to boot to any of the programs listed.

Line 162 ⟶ 159:

*[[Disk Utility]]: a consistency checker for [[Mac OS X Snow Leopard|Mac OS X]]

*[[fsck]]: a consistency checker for UNIX

*[[~~gparted~~GParted]]: a GUI for [[GNU ~~parted~~Parted]], the GNU partition editor, capable of calling fsck

=== File recovery ===

*[[CDRoller]]: recovers data from [[optical disc]]

*[[~~Stellar~~Disk ~~Photo Recovery~~Drill]]: ~~photo~~data recovery ~~utility~~application for Mac OS X and Windows▼

*EaseUS Data Recovery Wizard: Windows and Mac file recovery utilities by EaseUS

*[[~~Disk Drill Basic~~DMDE]]: multi-platform data recovery ~~application~~and ~~for~~disk ~~Mac OS X and~~editing ~~Windows~~tool

*[[dvdisaster]]: generates error-correction data for optical discs

*{{interlanguage link|SecurDisc|ru||de}} from [[Nero AG]]: "Data Reliability" feature generates redundant and checksum data in the remaining space of optical discs.

*[[GetDataBack]]: a Windows recovery program

*[[Hetman Partition Recovery]]: data drive recovery solution

Line 181 ⟶ 177:

*[[Recovery Toolbox]]: freeware and shareware tools plus online services for various Windows 2000 and later programs

*[[Recuva]]: proprietary software for Windows 2000 and later—FAT and NTFS

*[[Stellar Data Recovery ~~for Mac~~]]: data recovery utility for ~~Mac~~Windows and OSmacOS

*[[Stellar Data Recovery for Windows]]: data recovery utility for Windows

▲*[[Stellar Photo Recovery]]: photo recovery utility for Mac OS and Windows

*[[TestDisk]]: free, open source, multi-platform. recover files and lost [[disk partitioning|partitions]]

*[[AVG PC TuneUp|AVG ~~Utilities~~TuneUp]]: a suite of utilities that has a file recovery component for Windows XP and later

*[[Windows File Recovery]]: a command-line utility from Microsoft to recover deleted files for Windows 10 version 2004 and later

===Forensics===

*[[Foremost (software)|Foremost]]: an open-source [[command-line interface|command-line]] file recovery program, originally developed by the [[~~U.S.~~ Air Force Office of Special Investigations]] and [[Naval Postgraduate School|NPS]] Center for Information Systems Security Studies and Research

*[[Forensic Toolkit]]: by AccessData, used by law enforcement

*[[Open Computer Forensics Architecture]]: An open-source program for Linux

Line 197 ⟶ 191:

===Imaging tools===

*[[Clonezilla]]: a free disk cloning, disk imaging, data recovery, and deployment boot disk

Line 221 ⟶ 215:

* [[Hidden file and hidden directory]]

* [[Undeletion]]

* [[List of data recovery software]]

* [[List of data-erasing software]]