Data recovery: Difference between revisions - Wikipedia


Article Images

Line 6:

}}

In [[computing]], '''data recovery''' is a process of retrieving deleted, inaccessible, lost, corrupted, damaged, or formatted data from [[computer data storage#Secondary storage|secondary storage]], [[removable media]] or [[Computer file|files]], when the data stored in them cannot be accessed in a usual way. <ref>{{Cite web |title=Data Recovery Explained |url=https://www.ibm.com/cloud/learn/data-recovery |access-date=2022-08-28 |website=www.ibm.com |language=en-us |archive-date=28 August 2022 |archive-url=https://web.archive.org/web/20220828110036/https://www.ibm.com/cloud/learn/data-recovery |url-status=live }}</ref> The data is most often salvaged from storage media such as internal or external [[hard disk drive]]s (HDDs), [[solid-state drive]]s (SSDs), [[USB flash drive]]s, [[Magnetic -tape data storage|magnetic tapes]], [[Compact disc|CD]]s, [[DVD]]s, [[RAID]] subsystems, and other [[electronics|electronic devices]]. Recovery may be required due to physical damage to the storage devices or logical damage to the [[file system]] that prevents it from being [[Mount (computing)|mounted]] by the host [[operating system]] (OS).<ref>{{Cite web |title=Data Recovery Explained |url=https://www.ibm.com/cloud/learn/data-recovery |access-date=2022-12-01 |website=www.ibm.com |language=en-us |archive-date=28 August 2022 |archive-url=https://web.archive.org/web/20220828110036/https://www.ibm.com/cloud/learn/data-recovery |url-status=live }}</ref>

Logical failures occur when the hard drive devices are functional but the user or automated-OS cannot retrieve or access data stored on them. Logical failures can occur due to corruption of the engineering chip, lost partitions, firmware failure, or failures during formatting/re-installation.<ref>{{Cite web |title=What is logical failure? |url=https://www.disklabs.com/faqs/what-is-logical-failure/ |access-date=2022-12-01 |website=Disklabs Digital Forensics and Data Recovery |language=en-gb |archive-date=1 December 2022 |archive-url=https://web.archive.org/web/20221201055714/https://www.disklabs.com/faqs/what-is-logical-failure/ |url-status=live }}</ref><ref>{{Cite web |title=What Happens When Drives Experience Logical Failure? |url=https://www.streetdirectory.com/etoday/-eaecfj.html |access-date=2022-12-01 |website=www.streetdirectory.com |archive-date=1 December 2022 |archive-url=https://web.archive.org/web/20221201055708/https://www.streetdirectory.com/etoday/-eaecfj.html |url-status=live }}</ref>

Line 13:

== About ==

The most common data recovery scenarios involve an operating system failure, malfunction of a storage device, logical failure of storage devices, accidental damage or deletion, etc. (typically, on a single-drive, single-[[disk partitionpartitioning|partition]], single-OS system), in which case the ultimate goal is simply to copy all important files from the damaged media to another new drive. This can be accomplished using a [[Live CD]], or DVD by booting directly from a [[Read-only memory|ROM]] or a USB drive instead of the corrupted drive in question. Many Live CDs or DVDs provide a means to mount the system drive and backup drives or removable media, and to move the files from the system drive to the backup media with a [[file manager]] or [[optical disc authoring]] software]]. Such cases can often be mitigated by [[disk partitionpartitioning]]ing and consistently storing valuable data files (or copies of them) on a different partition from the replaceable OS system files.

Another scenario involves a drive-level failure, such as a compromised [[file system]] or drive partition, or a [[hard disk drive failure]]. In any of these cases, the data is not easily read from the media devices. Depending on the situation, solutions involve repairing the logical file system, partition table, or [[master boot record]], or updating the [[firmware]] or drive recovery techniques ranging from software-based recovery of corrupted data, to hardware- and software-based recovery of damaged service areas (also known as the hard disk drive's "firmware"), to hardware replacement on a physically damaged drive which allows for the extraction of data to a new drive. If a drive recovery is necessary, the drive itself has typically failed permanently, and the focus is rather on a one-time recovery, salvaging whatever data can be read.

Line 29:

Of course, there are exceptions to this, such as cases where severe damage to the hard drive [[Hard disk drive platter|platters]] may have occurred. However, if the hard drive can be repaired and a full image or clone created, then the logical file structure can be rebuilt in most instances.

Most physical damage cannot be repaired by end users. For example, opening a hard disk drive in a normal environment can allow airborne dust to settle on the platter and become caught between the platter and the [[disk read-and-write head|read/write head]]. During normal operation, read/write heads float 3 to 6 {{nbsp}}[[Nanometre|nanometers]] above the platter surface, and the average dust particles found in a normal environment are typically around 30,000 {{nbsp}}nanometers in diameter.<ref>{{cite web |title=Data Recovery On A 3TB Seagate Hard Drive |url=https://acsdata.com/data-recovery-3tb-seagate-hard-drive/#Hard_Drive_Flying_Height |archive-url=https://web.archive.org/web/20170213184416/https://acsdata.com/data-recovery-3tb-seagate-hard-drive/ |archive-date=13 February 2017 |website=acsdata.com}}</ref> When these dust particles get caught between the read/write heads and the platter, they can cause new head crashes that further damage the platter and thus compromise the recovery process. Furthermore, end users generally do not have the hardware or technical expertise required to make these repairs. Consequently, data recovery companies are often employed to salvage important data with the more reputable ones using [[Cleanroom#EU GMP classification|class 100]] dust- and static-free [[cleanroom]]s.<ref>{{cite web|url=https://www.ontrack.com/uk/blog/concepts-explained/diy-data-recovery-could-mean-bye-bye/|title=DIY data recovery could mean "bye-bye"|last=Vasconcelos|first=Pedro|work=The Ontrack Data Recovery Blog|publisher=Ontrack Data Recovery|access-date=26 July 2019|df=dmy-all|archive-date=26 July 2019|archive-url=https://web.archive.org/web/20190726104548/https://www.ontrack.com/uk/blog/concepts-explained/diy-data-recovery-could-mean-bye-bye/|url-status=live}}</ref>

===Recovery techniques===

Line 37:

[[File:HD with toasty PCB.jpg|thumb|right|250px|Media that has suffered a catastrophic electronic failure requires data recovery in order to salvage its contents.]]

A common misconception is that a damaged [[printed circuit board]] (PCB) may be simply replaced during recovery procedures by an identical PCB from a healthy drive. While this may work in rare circumstances on hard disk drives manufactured before 2003, it will not work on newer drives. Electronics boards of modern drives usually contain drive-specific [[hard disk drive failure|adaptation data]] (generally a map of bad sectors and tuning parameters) and other information required to properly access data on the drive. Replacement boards often need this information to effectively recover all of the data. The replacement board may need to be reprogrammed. Some manufacturers (Seagate, for example) store this information on a serial [[EEPROM]] chip, which can be removed and transferred to the replacement board.<ref>{{cite web

|url = http://www.donordrives.com/pcb-replacement-guide

|title = Hard Drive Circuit Board Replacement Guide or How To Swap HDD PCB

Line 75:

===Corrupt partitions and file systems, media errors===

In some cases, data on a hard disk drive can be unreadable due to damage to the [[disk partitioning#Partition table|partition table]] or [[file system]], or to (intermittent) media errors. In the majority of these cases, at least a portion of the original data can be recovered by repairing the damaged partition table or file system using specialized data recovery software such as [[TestdiskTestDisk]]; software like [[ddrescue]] can image media despite intermittent errors, and image raw data when there is partition table or file system damage. This type of data recovery can be performed by people without expertise in drive hardware as it requires no special physical equipment or access to platters.

Sometimes data can be recovered using relatively simple methods and tools;<ref>[http://www.recover-computerdata.com/ Data Recovery Software] {{webarchive|url=https://web.archive.org/web/20161017073654/http://www.recover-computerdata.com/ |date=17 October 2016 }}</ref> more serious cases can require expert intervention, particularly if parts of files are irrecoverable. [[File carving|Data carving]] is the recovery of parts of damaged files using knowledge of their structure.

Line 84:

After data has been physically overwritten on a hard disk drive, it is generally assumed that the previous data are no longer possible to recover. In 1996, [[Peter Gutmann (computer scientist)|Peter Gutmann]], a computer scientist, presented a paper that suggested overwritten data could be recovered through the use of [[magnetic force microscopy]].<ref>[http://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html ''Secure Deletion of Data from Magnetic and Solid-State Memory''] {{webarchive|url=https://web.archive.org/web/20071209152858/http://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html |date=9 December 2007 }}, Peter Gutmann, Department of Computer Science, University of Auckland</ref> In 2001, he presented another paper on a similar topic.<ref>[http://www.cypherpunks.to/~peter/usenix01.pdf ''Data Remanence in Semiconductor Devices''] {{webarchive|url=https://web.archive.org/web/20070221201213/http://www.cypherpunks.to/~peter/usenix01.pdf |date=21 February 2007 }}, Peter Gutmann, IBM T.J. Watson Research Center</ref> To guard against this type of data recovery, Gutmann and Colin Plumb designed a method of irreversibly scrubbing data, known as the [[Gutmann method]] and used by several disk-scrubbing software packages.

Substantial criticism has followed, primarily dealing with the lack of any concrete examples of significant amounts of overwritten data being recovered.<ref>{{cite web | last = Feenberg | first = Daniel | title = Can Intelligence Agencies Read Overwritten Data? A response to Gutmann. | publisher = National Bureau of Economic Research | date = 14 May 2004 | url = http://www.nber.org/sys-admin/overwritten-data-guttman.html | access-date = 21 May 2008 | url-status = live | archive-url = https://web.archive.org/web/20080509083548/http://www.nber.org/sys-admin/overwritten-data-guttman.html | archive-date = 9 May 2008 | df = dmy-all }}</ref> Gutmann's article contains a number of errors and inaccuracies, particularly regarding information about how data is encoded and processed on hard drives.<ref>https://kaleron.edu.pl/throwing-Gutmanns-algorithm-into-the-trash</ref> Although Gutmann's theory may be correct, there is no practical evidence that overwritten data can be recovered, while research has shown to support that overwritten data cannot be recovered.{{specify|date=June 2013}}<ref>{{cite web |url=https://www.anti-forensics.com/disk-wiping-one-pass-is-enough/ |title=Disk Wiping – One Pass is Enough |date=17 March 2009 |website=anti-forensics.com |url-status=dead |archive-url=https://web.archive.org/web/20120902011743/http://www.anti-forensics.com/disk-wiping-one-pass-is-enough |archive-date=2 September 2012 |df=dmy }}</ref><ref>{{cite web|url=https://www.anti-forensics.com/disk-wiping-one-pass-is-enough-part-2-this-time-with-screenshots/ |title=Disk Wiping – One Pass is Enough – Part 2 (this time with screenshots) |date=18 March 2009 |website=anti-forensics.com |url-status=dead |archive-url=https://web.archive.org/web/20121127130830/https://www.anti-forensics.com/disk-wiping-one-pass-is-enough-part-2-this-time-with-screenshots/ |archive-date=27 November 2012 |df=dmy }}</ref><ref>{{cite web

|url = http://blogs.sans.org/computer-forensics/2009/01/15/overwriting-hard-drive-data/

|title = Overwriting Hard Drive Data

Line 96:

}}</ref>

[[Solid-state drive]]s (SSD) overwrite data differently from hard disk drives (HDD) which makes at least some of their data easier to recover. Most SSDs use [[flash memory]] to store data in pages and blocks, referenced by [[Logical block addressing|logical block addresses]] (LBA) which are managed by the [[Flash Translationmemory Layercontroller#Flash translation layer (FTL) and mapping|flash translation layer]] (FTL). When the FTL modifies a sector it writes the new data to another location and updates the map so the new data appear at the target LBA. This leaves the pre-modification data in place, with possibly many generations, and recoverable by data recovery software.

=== Lost, deleted, and formatted data ===

Line 149:

*[[BartPE]]: a lightweight variant of [[Windows XP|Microsoft Windows XP]] or [[Windows Server 2003]] [[32-bit computing|32-bit operating systems]], similar to a Windows Preinstallation Environment, which can be run from a live CD or live USB drive. Discontinued.

*[[Finnix]]: a [[Debian]]-based Live CD with a focus on being small and fast, useful for computer and data rescue

*[[Disk Drill Basic]]: capable of creating bootable [[Mac OS XmacOS]] USB drives for data recovery

*[[Knoppix]]: contains utilities for data recovery under Linux

*[[SpinRiteSystemRescue]]: aan [[FreeDOSArch Linux]]-based datalive recoveryCD, tooluseful for hardrepairing disksunbootable computer systems and magneticretrieving data after a storagesystem devicescrash

*[[SystemRescueCD]]: an [[Arch Linux]] based live CD, useful for repairing unbootable computer systems and retrieving data after a system crash

*[[Windows Preinstallation Environment]] (WinPE): A customizable Windows Boot DVD (made by Microsoft and distributed for free). Can be modified to boot to any of the programs listed.

Line 160 ⟶ 159:

*[[Disk Utility]]: a consistency checker for [[Mac OS X Snow Leopard|Mac OS X]]

*[[fsck]]: a consistency checker for UNIX

*[[gpartedGParted]]: a GUI for [[GNU partedParted]], the GNU partition editor, capable of calling fsck

=== File recovery ===

*[[CDRoller]]: recovers data from [[optical disc]]

*[[Disk Drill Basic]]: data recovery application for Mac OS X and Windows

*[[DMDE]]: multi-platform data recovery and disk editing tool

*[[dvdisaster]]: generates error-correction data for optical discs

Line 180 ⟶ 179:

*[[Stellar Data Recovery]]: data recovery utility for Windows and macOS

*[[TestDisk]]: free, open source, multi-platform. recover files and lost [[disk partitioning|partitions]]

*[[AVG PC TuneUp|AVG UtilitiesTuneUp]]: a suite of utilities that has a file recovery component for Windows XP and later

*[[Windows File Recovery]]: a command-line utility from Microsoft to recover deleted files for Windows 10 version 2004 and later

===Forensics===

{{See also|Computer forensics}}

*[[Foremost (software)|Foremost]]: an open-source [[command-line interface|command-line]] file recovery program, originally developed by the [[U.S. Air Force Office of Special Investigations]] and [[Naval Postgraduate School|NPS]] Center for Information Systems Security Studies and Research

*[[Forensic Toolkit]]: by AccessData, used by law enforcement

*[[Open Computer Forensics Architecture]]: An open-source program for Linux

Line 192 ⟶ 191:

===Imaging tools===

{{Main|ListComparison of disk cloning software}}

{{See also|Disk image}}

*[[Clonezilla]]: a free disk cloning, disk imaging, data recovery, and deployment boot disk

Line 216 ⟶ 215:

* [[Hidden file and hidden directory]]

* [[Undeletion]]

* [[List of data recovery software]]

* [[List of data-erasing software]]

{{div col end}}