Data Recovery

By Ravi Malik


Abstract

Data recovery is the process of salvaging and handling data from damaged, failed, corrupted, or inaccessible secondary storage media when it cannot be accessed normally. Often the data are salvaged from storage media such as internal or external hard disk drives, solid-state drives (SSD), USB flash drives, storage tapes, CDs, DVDs, RAID, and other electronics. Recovery may be required due to physical damage to the storage device or logical damage to the file system that prevents it from being mounted by the host operating system (OS).

Contents

1. Data Loss
1.1 What is Data Loss?
1.2 Common Computer Problems
1.3 What Causes Data Loss?
1.4 How to Prevent Data Loss?
2. Data Recovery
2.1 What is Data Recovery?
2.2 How can it be used?
3. Data Recovery Techniques
3.1 Recovery Methods
3.1.1 Scanning Probe Microscopy (SPM)
3.1.2 Magnetic Force Microscopy (MFM)
3.1.3 Scanning Tunneling Microscopy (STM)
4. Avoid Data Recovery
4.1 How to Avoid Data Recovery?
4.2 Secure Deletion
4.2.1 Degaussing
4.2.2 Multiple Overwrites
5. What can you do?

Data Loss: Overview

What is Data Loss?
Common Computer Problems
What Causes Data Loss?
How to Prevent Data Loss?

What is Data Loss?

Data has accidentally been erased or data control structures have been overwritten.

Data has been corrupted or made inaccessible.

Data is unable to be accessed from a previously functioning computer system or backup.

Common Computer Problems

Computer won’t boot up
Applications that are unable to run or load data
Hard drive crashes
Corrupt files or data
Accidental reformatting of partitions
Inaccessible drives and partitions
Media surface contamination and damage

What Causes Data Loss?

Sabotage
Natural Disaster
Hardware Error
Virus Attack
Human Error
    Intentional deletion
    Accidental overwriting of files
Software Corruption


How to Prevent Data Loss

Don’t upgrade hardware or software without having a backup.

Physically secure your system from intruders.

Use firewalls and virus protection.

Be prepared for physical disasters.

Data Recovery: Overview

What is Data Recovery?
Data Recovery Methods
Use of Software to Recover Data
Use of Machines to Recover Data

What is Data Recovery?

Retrieving deleted/inaccessible data from electronic storage media (hard drives, removable media, optical devices, etc.)

Typical causes of loss include:
Electro-mechanical Failure
Natural Disaster
Computer Virus
Data Corruption
Computer Crime
Human Error

Example: http://www.drivesavers.com/museum/qtpopisdn.html

Data Recovery Methods

Use of software to recover data

Use of machines to recover data

Software Data Extraction

Data extraction is the process of moving data off of the imaged drive to another destination location.

Data extraction software scans sectors of the hard drive and restructures the file system either in memory or on another hard drive.

The software can be used to copy the recoverable data to a destination location.

Software Recovery

Data loss can occur because the hard drive may have problems accessing the data it contains at a software or logical level.

Once a complete sector copy of the hard drive (an exact copy including all deleted information) has been made with a program such as Norton GHOST, most data recovery programs search it for deleted MFT (Master File Table) entries to undelete files.

If the MFT is corrupt or defective, this method will not work. Some data recovery programs will ignore the MFT and search all of the unallocated clusters to try to find and recover files.
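The search for deleted MFT entries described above, sketched as an added example that is not part of the original slides. It assumes 1024-byte NTFS file records aligned in the image, ignores the update-sequence (fixup) bytes, and runs on a constructed image; the helper names are hypothetical.

```python
import struct

RECORD_SIZE = 1024        # assumed MFT record size (the usual NTFS default)
FLAG_IN_USE = 0x0001      # header flag cleared when the file is deleted
ATTR_FILE_NAME = 0x30     # $FILE_NAME attribute type
ATTR_END = 0xFFFFFFFF     # end-of-attributes marker

def parse_record(rec):
    """Return (in_use, name) for one MFT record, or None if it is not a record."""
    if len(rec) < 0x18 or rec[:4] != b"FILE":
        return None
    # Offset 0x14: offset of first attribute; offset 0x16: record flags.
    first_attr, flags = struct.unpack_from("<HH", rec, 0x14)
    name, off = None, first_attr
    while off + 24 <= len(rec):
        a_type, a_len = struct.unpack_from("<II", rec, off)
        if a_type == ATTR_END or a_len < 24 or off + a_len > len(rec):
            break
        if a_type == ATTR_FILE_NAME and rec[off + 8] == 0:    # resident attribute
            c_len, c_off = struct.unpack_from("<IH", rec, off + 16)
            body = rec[off + c_off:off + c_off + c_len]
            if len(body) >= 66:        # name length (chars) at 64, name at 66
                name = body[66:66 + 2 * body[64]].decode("utf-16-le", "replace")
        off += a_len
    return bool(flags & FLAG_IN_USE), name

def find_deleted(image):
    """Walk a raw image record by record; return (offset, name) of deleted files."""
    hits = []
    for pos in range(0, len(image) - RECORD_SIZE + 1, RECORD_SIZE):
        parsed = parse_record(image[pos:pos + RECORD_SIZE])
        if parsed and not parsed[0]:
            hits.append((pos, parsed[1]))
    return hits

def make_record(name, in_use):
    """Constructed sample data: a minimal record with one $FILE_NAME attribute."""
    body = bytes(64) + bytes([len(name), 1]) + name.encode("utf-16-le")
    body += bytes(-len(body) % 8)
    attr = struct.pack("<IIBBHHHIHBB", ATTR_FILE_NAME, 24 + len(body),
                       0, 0, 0, 0, 0, len(body), 24, 0, 0) + body
    hdr = bytearray(0x38)
    hdr[:4] = b"FILE"
    struct.pack_into("<HH", hdr, 0x14, 0x38, FLAG_IN_USE if in_use else 0)
    return (bytes(hdr) + attr + struct.pack("<I", ATTR_END)).ljust(RECORD_SIZE, b"\0")

# Constructed image: one live record, one deleted record, one empty slot.
SAMPLE_IMAGE = (make_record("report.xlsx", True)
                + make_record("secret.docx", False)
                + bytes(RECORD_SIZE))

if __name__ == "__main__":
    for offset, name in find_deleted(SAMPLE_IMAGE):
        print(f"deleted record at byte {offset}: {name}")
```

The scan only works while the records themselves are intact, which is why the slide notes that a corrupt MFT forces a search of unallocated clusters instead.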

Data Recovery

The user may send a failed hard disk drive to a private data recovery company that offers secure and confidential data recovery.

The data recovery company will carefully perform part replacement of the heads, spindle motor and base casting, the electronics board, etc. in a clean room environment.

Part replacement has historically been successful for data recovery about 40%-60% of the time.

Data Recovery

When data is written to a medium, the head sets the polarity of most, but not all, of the magnetic domains.

When a 1 is written to disk the media records a 1, and when a 0 is written the media records a 0. However, the actual effect is closer to obtaining a 0.95 when a 0 is overwritten with a 1, and a 1.05 when a 1 is overwritten with a 1.

Normal disk circuitry is set up so that both these values are read as ones, but using specialized circuitry it is possible to work out what previous "layers" contained.

The recovery of at least one or two layers of overwritten data isn't too hard to perform by reading the signal from the analog head electronics with a high-quality digital sampling oscilloscope, downloading the sampled waveform to a PC, and analyzing it in software to recover the previously recorded signal.

Data Recovery Techniques: Overview

Recovery Methods
Scanning Probe Microscopy (SPM)
Magnetic Force Microscopy (MFM)
Scanning Tunneling Microscopy (STM)

Scanning Probe Microscopy (SPM)

A technique that is used to image and measure surfaces at the atomic level.

Scans an atomically sharp probe over a surface, which produces a 3D topographic image of the surface at the atomic scale.

Magnetic Force Microscopy (MFM)

MFM (Magnetic Force Microscopy) is a new technique which images the spatial variation of magnetic forces on a sample surface.

MFM is derived from scanning probe microscopy (SPM) and uses a sharp magnetic tip attached to a flexible cantilever for analysis.

An image of the field at the surface is formed by moving the tip across the surface and measuring the force.

Detectable old data will be present beside new data on the track, which is usually ignored.

Together with software, MFM can see past various kinds of data loss/removal.

Each track contains an image of everything ever written to it, but each layer gets progressively smaller the earlier it was written.

MFM looks at the minute sampling region to detect remnant magnetization at track edges.

Figure: MFM image showing the bits of a hard disk

Scanning Tunneling Microscopy (STM)

STM (Scanning Tunneling Microscopy) is a more recent variation of MFM which uses a probe tip typically made by plating nickel onto a pre-patterned surface.

The probe is scanned across the surface that is to be analyzed. STM measures a weak electrical current flowing between the tip and the sample. The image is then generated in the same way as MFM.


Avoid Data Recovery: Overview

How to Avoid Data Recovery?
Secure Deletion
Degaussing
Multiple Overwrites

How to Avoid Data Recovery

Companies, agencies, or individuals may want to ensure their data cannot be recovered.

Simple deletion is not good enough.

Faced with techniques such as MFM, truly deleting data from magnetic media is very difficult.

Secure Deletion

Degaussing

Process in which the media is returned to its initial state.

Coercivity: amount of magnetic field necessary to reduce the magnetic induction to zero (measured in Oersteds).

Effectively erasing a medium to the extent that data recovery is uneconomical requires a magnetic force ~5x the coercivity.

US Government guidelines on media coercivity:
Class 1: 350 Oe coercivity or less
Class 2: 350-750 Oe coercivity
Class 3: over 750 Oe coercivity

Degaussers are available for classes 1 and 2. None known for fully degaussing class 3 media.

Figure: Commercial degaussers (Type I; Type II/III)

Secure Deletion

Technique 2: Multiple Overwrites

Use an overwrite scheme
    Flip each magnetic domain on the disk back and forth as much as possible
    Overwrite in alternating patterns to expose it to an oscillating magnetic field

Overwrite with “junk” data several times

Use the lowest frequency possible for overwrites
    Penetrates deeper into the recording medium

Deletion Techniques

Peter Gutmann’s overwrite scheme:
Meant to defeat all possible recovery techniques (MFM, etc.)
Specifies 35 different overwrites
Not all overwrites are needed if targeting a specific recovery method (i.e. MFM)
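A multi-pass overwrite of a single file, following the alternating-pattern and "junk" data steps above, as an added example that is not part of the original slides. The pass list is an assumption chosen for illustration, not the 35-pass Gutmann sequence, and the sample file is constructed.

```python
import os
import tempfile

CHUNK = 1 << 20
# Assumed pass list for illustration: complementary patterns flip every bit
# back and forth, then random "junk", then a fixed pattern that can be verified.
PASSES = [b"\x55", b"\xaa", b"\x55", b"\xaa", None, None, b"\x00"]  # None = random

def overwrite_file(path, passes=PASSES):
    """Overwrite a file in place, once per pass; return bytes written per pass."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for pattern in passes:
            f.seek(0)
            left = size
            while left:
                n = min(CHUNK, left)
                f.write(os.urandom(n) if pattern is None else pattern * n)
                left -= n
            f.flush()
            os.fsync(f.fileno())   # force this pass to the device before the next
    return size

def verify_pattern(path, pattern):
    """Read the file back and confirm every byte matches the final fixed pattern."""
    with open(path, "rb") as f:
        while chunk := f.read(CHUNK):
            if chunk.count(pattern) != len(chunk):
                return False
    return True

def demo():
    """Run the passes on a constructed temporary file; return (size, verified)."""
    fd, path = tempfile.mkstemp()
    try:
        os.write(fd, b"constructed sample: account=12345\n" * 100)
        os.close(fd)
        return overwrite_file(path), verify_pattern(path, b"\x00")
    finally:
        os.remove(path)

if __name__ == "__main__":
    print(demo())
```

In-place overwriting reaches the original sectors only where the file system and device write in place; SSD wear levelling, journaling and copy-on-write file systems can leave older copies elsewhere on the medium.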

Data Recovery Tips

DO’s

Back up your data frequently.

If you believe there is something wrong with your computer, shut it down; do not continue to power up because you may do more damage.

If you hear a clunk, clunk sound when you power up the drive, shut down! Do not panic nor turn the power button on and off.

Package the drive properly when you send it in to a data recovery specialist. You can cause additional damage to the hard drive if it is poorly packaged.

DON’Ts

Do not ever assume that data recovery is impossible; even in the worst cases, such as natural disasters, data recovery specialists have been able to retrieve valuable data.

Never remove the cover from the hard drive; this will only cause further damage.

Do not rest your computer on a moveable object or piece of furniture. Shock and vibration can result in serious damage to the hard drive.

Do not subject the drive to extreme temperature changes, both hot and cold.

In the case where a drive has been exposed to water, fire or even smoke, do not try to power up.

Summary

Individuals or companies may experience data loss at any time for many reasons.

There are various steps that should be implemented to help prevent data loss.

Data loss can be very costly and very upsetting.

There are several data recovery techniques that have proven to be successful or partially successful in recovering data.

Utilizing qualified professional data recovery specialists will aid in the degree of success of data recovery.

Questions?
