Everyone has lost a document or probably will encounter someone who will try to “lose” a piece of evidence. On the innocent side, the computer could “freeze,” lose power, be hit by a hurricane, or data can be accidentally deleted. On the nefarious side an opponent may try to bury a smoking gun. What is not generally known is that loss or destruction can be remedied. The key is having the right tools, software, and expertise to recover the wayward data. This month we will cover the basics of data recovery.
First Issue: Where Do The Lost Files Go?
Most people believe the deletion is tantamount to destruction. Actually if piece of data is viewed as a page in a book, deletion is not analogous to running the page through a shredder. The better view is that deletion is like removing the entry from the book’s table of contents, while leaving the pages of information. The only things erased are a few characters of information that point to where the actual document is located. In time, the section of the hard drive will be overwritten, but in the short run, its still there.
In Technospeak: “The pointer, along with other pointers for every folder and file on the hard drive, is saved in a section near the beginning of the hard drive and is used by the operating system to create the directory tree structure. By erasing the pointer file, the actual file becomes invisible to the operating system, even though it is still there until the file system reuses the space.” Source: Ontrack Data.
Second Issue: How Do We Bring Them Back?
Initially the expert must find the original table of contents so we can find where and whether the actual files still exist. A technologist can rebuild the table of contents and bring the missing information back from the dark side. By deleting the entries in the table of contents, the computer allows data to be written where the deleted data used to reside. The files must be recovered before they are overwritten.
In Geekspeak: ”Every operating system has a file system, which is a unique method of indexing and keeping track of the files. Unfortunately for those that lose data, file systems can be very complex, which is why it can be so difficult to locate missing files. For instance, file systems that are used in business environments require security details and access transaction details. A good example is a transaction-based or journaling file system, whose goal is to log when each file is accessed, modified or saved – making the file system more complicated and harder to rebuild. . . . Recovery engineers are internally trained to work on data recovery, working with computer hardware for a number of years
and learning the low-level specifics of every type of file system.” Source: Ontrack Data .
Third Issue: Should the Recovery be Outsourced?
From the legal perspective, it may be important to preserve a chain of custody and to have a witness who can testify about the methods used to retrieve the wayward file. From a cost perspective the file may only need to be retrieved from a the computer’s trash can (Macintosh) or recycling bin (Windows). There are also over-the-counter file recovery software packages for the do-it-yourselfer.
Deleted files can be damaged on their journey to the hinterlands. Subsequently recovered files can be damaged or incomplete or in need of repair. Here is where the pros come in. The pro will use a two-step process consisting of diagnosis of the data loss followed by the repair and recovery of the information. Seldom do the experts work on the original data. They most always attempt to make a mirror image of the files and always work on a copy.
In New Speak: “During this stage, recovery engineers can determine if the drive requires special attention from the cleanroom, which is an ultra-clean environment used when working with microscopic components. The cleanroom will work at an electronic and mechanical level to get the drive operational. This can include anything from physically cleaning the disk platters so they can spin properly to swapping out electrical components to power up the drive . . . . After the drive is operational and a copy of the drive can be made, data recovery engineers work to repair the file structures and produce a complete file listing that shows all of the files and directories on the volume. This file listing will also tell the customer if there are holes (or Input/Output errors) within the file itself. The final phase is the recovery phase. The goal of this phase is to copy out the data and backup that data on media that the customer requires. Source: Ontrack Data
In Technospeak, Geekspeak, or Newspeak, the message is the same: If mission critical data is lost, then call in a pro. Finagling with missing or damaged files can render them irrecoverable.