Well, in no way am I an expert in data recovery techniques, so please don't flame me. I have no formal training in it but have managed to do a fair amount of research over the last year. I work in the service department of a major computer retailer in Vancouver and have been in the service department for 3 years. Most of the problems I specialize in solving seem to be software-related issues on the Windows side of things. I do also work on hardware troubleshooting but am not as interested in that area.
I have done about 20 data recoveries in the past year due to software issues or file corruptions, like a bad MBR, lost partition tables or erased FATs.
I am interested in sharing some of my observations on the little bit of data recovery that I have done, to help others who have little experience in data recovery (like me), or to spark up some conversation that I can learn from. (Maybe some of my self-taught techniques are not very good. Any input would be appreciated. And keep in mind that I have no formal training in this area. It is all learned by reading and a lot of experimenting.)
Over the past year I have had a lot of requests from clients to help them with issues dealing with lost data on their home or work computer. Most of the time their computer has one drive containing their OS and data, and the drive simply will not boot. Sometimes this is due to a bad drive, and other times it is due to data corruption. Anyway, these are some of the steps that I take when helping a client through this type of difficulty.
After booking the drive into our service department, the first thing I do is to put it into my test bench (my test bench is just a Celeron system with onboard video, an FDD, and two open IDE channels) and see if the drive is in physical working order. I try to make sure that the drive is spinning up and is recognized by the BIOS of my test bench. If it is not, then I try to match the controller of the hard drive with one of the known good controllers from other bad drives we have collected over time. If it spins up and is recognized, then great.
Now because I still want the customer to be able to take his drive to a data recovery specialist, I try to do as little with the customer's drive as possible. So the next thing that I will do is to duplicate or clone the drive. Now we don't have a hardware drive duplication machine, so I use the latest version of Norton Ghost. (I have read a lot of documentation regarding Ghost and duplication. Those who do data forensics do not like to use Ghost because, even though it will do a sector-by-sector copy, it will not copy a sector from the source drive to the exact same sector on the destination drive. For example, it does not necessarily copy the contents of sector 69764 of the source drive to sector 69764 on the destination drive. But everything will be in the same place relative to the boot sector. I believe this also has something to do with the geometry of the drive or something like that.) When I use Ghost I use a new switch. The -ir switch instructs Ghost to do a sector copy including all the formatted and unformatted space.
Now that I have a duplicate of the drive I can work on it without fear of doing any more damage to the integrity of the client's original drive. Usually at this point I will try to boot from the drive and see what happens. Usually nothing. I will try to boot up with a Win 98 disk and see if I can see the drive. If I can, then I will look at the contents, including looking for any signs of virus activity in the autoexec.bat, config.sys, win.ini and system.ini files. If everything looks OK, then I will fdisk the MBR and re-sys the drive. Of course, if the customer wants any of the files that are listed, then I can copy them at this point in time. If I was not able to see the drive or got an unspecified drive error, then usually this is a clue that I need to look and see if there are any valid partitions. If I fire up fdisk and find that there are no partitions, then I will try to use Norton Disk Doctor to rebuild the partition table. There have been very few instances that this has not solved the problem and made the drive bootable again, or at least readable with a DOS boot disk or in another Windows system.
Now, failing these attempts, if the drive is not bootable or readable then out comes Norton Disk Edit, a hex editor, but I will only use this tool to take a quick scan of the drive to see if anything appears to be there. A lot of times I can get an idea if the drive was formatted from here as well. One thing I would love to be able to do with a hex editor is to learn how to manually rebuild the partition table rather than using programs to do it. I would still probably use a program if I knew how, but would at least have the knowledge to go in and tweak it manually if the program did not work.
Finally I use a copy of tiramisu32 to try and rescue any data that is still not readable. I find it usually takes anywhere from 1 to 3 hours to run and finds pretty well anything that has not been written over. After it runs I can then copy all the files it finds to another hard drive and then go through them in another system to make sure they are readable and not corrupted. If they are OK, which in most cases they are, then I can call the client and let them know what we have.
Now I know that I could save myself a lot of work by just running tiramisu right at the beginning, but I like to play a little and see if I can solve a problem that is fixable, like rebuilding a bad partition table or restoring a second FAT. I look at it as a good opportunity to learn.
Now keep in mind after reading this that these are only a few of the things I try, and again I have had no proper training in this. These are all things I have learned on my own. I hope this will start up a discussion on general data recovery for consumers and some of the techniques or tools used, and maybe even some of the methods you follow or the order you do things in. Again, keep in mind that this is mostly used for the home user or small business.
Looking forward to your comments
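
The partition table the post mentions wanting to read by hand in a hex editor has a fixed layout in sector 0: four 16-byte entries starting at offset 446, followed by a 55 AA signature at offset 510. The following is an added example, not part of the original post, that decodes that layout from a copy of the sector and flags the inconsistencies worth checking; the sample MBR bytes and the function names are constructed for illustration.

```python
import struct

TABLE_OFFSET, ENTRY_SIZE = 446, 16   # table follows 446 bytes of boot code
TYPES = {0x01: "FAT12", 0x06: "FAT16", 0x07: "NTFS/HPFS", 0x0B: "FAT32 (CHS)",
         0x0C: "FAT32 (LBA)", 0x05: "Extended", 0x0F: "Extended (LBA)"}

def parse_mbr(sector):
    """Decode sector 0 of a disk image; returns (signature_ok, partitions)."""
    if len(sector) < 512:
        raise ValueError("need a full 512-byte sector")
    signature_ok = sector[510:512] == b"\x55\xaa"
    partitions = []
    for slot in range(4):
        start = TABLE_OFFSET + slot * ENTRY_SIZE
        # status, CHS start, type byte, CHS end, first LBA, sector count
        status, _, ptype, _, lba, count = struct.unpack(
            "<B3sB3sII", sector[start:start + ENTRY_SIZE])
        if ptype == 0:          # type 0x00 marks an unused slot
            continue
        partitions.append({"slot": slot, "status": status,
                           "type": TYPES.get(ptype, "unknown 0x%02X" % ptype),
                           "lba_start": lba, "sectors": count})
    return signature_ok, partitions

def find_problems(signature_ok, partitions, disk_sectors):
    """List the inconsistencies a hex-editor review would look for."""
    problems = []
    if not signature_ok:
        problems.append("missing 55 AA signature at offset 510")
    if not partitions:
        problems.append("partition table is empty")
    for p in partitions:
        if p["status"] not in (0x00, 0x80):
            problems.append("slot %d: bad status byte" % p["slot"])
        if p["lba_start"] + p["sectors"] > disk_sectors:
            problems.append("slot %d: extends past end of disk" % p["slot"])
    return problems

def sample_mbr(wiped_table=False):
    """Constructed 512-byte MBR: one active FAT32 (LBA) partition at LBA 63."""
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x0C,
                        b"\xfe\xff\xff", 63, 4192902)
    table = bytes(64) if wiped_table else entry + bytes(48)
    return bytes(446) + table + b"\x55\xaa"

if __name__ == "__main__":
    for image in (sample_mbr(), sample_mbr(wiped_table=True)):
        ok, parts = parse_mbr(image)
        print(ok, parts, find_problems(ok, parts, disk_sectors=4192965))
```

To run it against real data, read the first 512 bytes of the cloned drive's image file rather than the client's original drive.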