Saturday, January 23, 2010

General Hacking

Data Recovery

By Abir Atarthy

There are lots of queries regarding data recovery in my mailbox, so I thought I would write something on it.
Data recovery is an important subject, and it is definitely a good thing to have a solid understanding of data recovery and how it could affect you personally or your business.


Definition:


Data recovery is the salvaging of data originally stored on media such as magnetic disks and tapes which has become corrupt or inaccessible.
Data gets damaged or goes missing in a variety of ways, from virus attacks to improper storage of the media to accidents like floods. It could also simply have been erased. Very often a large percentage of this data can be recovered using a variety of techniques.

Recovering or salvaging the data from such media can sometimes be done with simple hardware or software, but may occasionally require the assistance of data recovery specialists.
There are many types of data recovery issues, but I will only discuss deleted-file issues here.



Can erased data be recovered? 

Yes, usually. When you delete a file the file is not actually deleted. It's just the entry in the index pointing to the file's actual location that is deleted. The file itself is left untouched but subsequent work you do on the PC could overwrite the location where the file was so it's important to minimise any amateur attempts at data recovery. 


How can I completely erase a hard disk? 

You can't. Any data you've deleted can probably be recovered later. Formatting doesn't remove the data beyond recovery. Neither does low-level formatting or "shredding". Even when every single byte of information on your drive has been written over a lot can still be recovered by extra sensitive recovery systems in use by the local plod (well, maybe not him but his peers in their hi-tech departments). But, always seek assistance at the earliest signs of trouble rather than relying on the assumption that everything can be recovered. 


Recovering data after logical damage

Logical damage is primarily caused by power outages that prevent file system structures from being completely written to the storage medium, but problems with hardware (especially RAID controllers) and drivers, as well as system crashes, can have the same effect. The result is that the file system is left in an inconsistent state. This can cause a variety of problems, such as strange behavior (e.g., infinitely recursing directories, drives reporting negative amounts of free space), system crashes, or an actual loss of data. Various programs exist to correct these inconsistencies, and most operating systems come with at least a rudimentary repair tool for their native file systems. Linux, for instance, comes with the fsck utility, Mac OS X has Disk Utility and Microsoft Windows provides chkdsk. Many third-party tools are also available.



Preventing logical damage

The increased use of journaling file systems, such as NTFS 5.0 and ext3, is likely to reduce the incidence of logical damage. These file systems can always be "rolled back" to a consistent state, which means that the only data likely to be lost is what was in the drive's cache at the time of the system failure.




Recovery techniques

Two common techniques used to recover data from logical damage are consistency checking and data carving. While most logical damage can be either repaired or worked around using these two techniques, data recovery software can never guarantee that no data loss will occur. For instance, in the FAT file system, when two files claim to share the same allocation unit ("cross-linked"), data loss for one of the files is essentially guaranteed.



Consistency checking

The first, consistency checking, involves scanning the logical structure of the disk and checking to make sure that it is consistent with its specification. For instance, in most file systems, a directory must have at least two entries: a dot (.) entry that points to itself, and a dot-dot (..) entry that points to its parent. A file system repair program can read each directory and make sure that these entries exist and point to the correct directories. Both chkdsk and fsck work in this fashion.



Data carving

Data carving is a data recovery technique that allows data with no file system allocation information to be extracted by identifying the sectors and clusters belonging to the file. Data carving usually searches through raw sectors looking for specific file signatures. Because there is no allocation information, the investigator must specify a block size of data to carve out upon finding a matching file signature, or the carving software must infer it from other information on the media. Data carving, also known as file carving, has traditionally required that the files recovered be located in sequential sectors (rather than fragmented), as there is no allocation information to point to fragmented file portions.
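An added example, not from the original post, of a minimal header/footer signature carver of the kind described here. The JPEG and PNG signatures are the real ones; the raw image, its filler bytes and the file contents are constructed. When a header has no footer within reach, the carver falls back to a fixed block size, the value the investigator has to supply when no allocation information exists.

```python
# Toy signature carver over a raw byte image (constructed, not a real disk).
# Only contiguous files are recovered, as the text above describes.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),               # SOI ... EOI
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),     # magic ... IEND+CRC
}

def carve(image, signatures=SIGNATURES, max_size=4096):
    """Return a list of (offset, ext, data) sorted by offset.
    If the footer is not found within max_size bytes of the header,
    carve a fixed max_size block instead (the investigator's block size)."""
    found = []
    for ext, (header, footer) in signatures.items():
        pos = image.find(header)
        while pos != -1:
            end = image.find(footer, pos + len(header), pos + max_size)
            if end != -1:
                data = image[pos:end + len(footer)]
            else:
                data = image[pos:pos + max_size]  # no footer: fixed block
            found.append((pos, ext, data))
            pos = image.find(header, pos + len(data))
    return sorted(found)

def build_sample_image():
    """Constructed 'unallocated space' with three embedded fake files."""
    filler = bytes(range(256)) * 2                # 512 bytes, no signatures
    fake_jpg = b"\xff\xd8\xff\xe0" + b"J" * 40 + b"\xff\xd9"
    fake_png = b"\x89PNG\r\n\x1a\n" + b"P" * 30 + b"IEND\xaeB`\x82"
    truncated = b"\xff\xd8\xff\xe1" + b"T" * 20  # JPEG header, footer lost
    return filler + fake_jpg + filler + fake_png + filler + truncated

if __name__ == "__main__":
    for offset, ext, data in carve(build_sample_image()):
        print(f"offset {offset}: {ext}, {len(data)} bytes")
```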



Recovery software

Bootable

Data recovery cannot always be done on a running system. As a result, a boot disk, Live CD, Live USB, or any other type of live distro containing a minimal operating system and a set of repair tools is needed.



Consistency checkers

  • CHKDSK : A consistency checker for DOS and Windows systems.



File Recovery

  • Recuva - Freeware data recovery program. Runs under Microsoft Windows 7, Vista, XP, 2003, 2000 and 98.



Forensics

The Sleuth Kit : Also known as TSK, The Sleuth Kit is a suite of forensic analysis tools developed by Brian Carrier for UNIX, Linux and Windows systems. TSK includes the Autopsy forensic browser.



 ------------------------------------

2 comments:

  1. Hi! This is Tapas, from Kolkata, it is a good one dude. I learned a lot. I was one of them who mailed you to write on data recovery. Thank you.
    Your pics are also cool.
    Keep up this good posting.

  2. Very helpful article. Liked the explanation.
    -Poushali from Kolkata. Can you throw some light on Computer Forensics? Along with the necessary software kits? It would be nice.