Data Recovery

This article is outdated and has been replaced by Create a block-level backup with Linux for Data Recovery

Data Recovery should only be carried out by the Lead Remote Tech

Data recovery on any device is a delicate process- care must be taken to ensure that no data or remnants of data become overwritten in the recovery process. Data recovery is time-sensitive and has a high chance of failure if not performed properly.

Procedure

-First, and most importantly, turn off the device and do not turn it back on until data recovery is finished. Continued usage of storage drives in a device can cause deleted or damaged data to be overwritten partially or completely, which can complicate or prevent the data recovery process.

If a customer calls to ask about data recovery- inform them first that they need to turn off the device and to not turn it back on.

Educate the Customer

  1. Inform the customer that the device should be turned off immediately, if the device is not in the store. If you physically have the device, turn it off.
  2. Give the customer a brief rundown of the data recovery process- what causes it, how files are deleted, and how files are recovered. It is important to set the precedent at this stage of the recovery process that data recovery is an “uphill battle” with a high chance of failure, especially if the device has been used since data was lost.

Backup the Drive

  1. Remove the storage drive from which data recovery is being attempted, and mount it in a shop computer designated for data recovery. By mounting the drive in this way, we can be sure that no data will be written that may overwrite the information we are attempting to recover.
  2. Backup the drive with a block-level backup. The standard backup procedure uses “sparse images”, which will not suffice. Sparse images do not take into consideration the blocks on the disk that the disk itself considers “empty”- which is why backups made this way can be made much smaller than their source drive. Instead, you must select to make a “block-by-block” backup in Acronis or opt to use a program such as dd or ddrescue on Linux.
  3. Verify that the backup was successful- check for error messages. The size of the backup should be equivalent to the capacity of the drive (ie, a 500GB drive will have a 500GB backup).

Attempt Recovery

  1. If the drive is recognized, open the data recovery program and begin the recovery process. If the drive is not recognized, troubleshoot the cause according to standard Hardware Diagnostic procedure.
  2. If you can gain access to the drive, begin the data recovery process.

Recovery

Windows

In Windows, we use a combination of free and paid software. Our primary recovery tool for Windows drives is EaseUS Data Recovery Wizard. For drives that aren’t recognized or aren’t recognized correctly by EaseUs, we use a powerful program, called TestDisk, to perform partition and data recovery. The program is free and is provided by CGSecurity. Refer to the documentation “Procedure - Using TestDisk for Windows” for a more detailed guide on how to use the program.

Mac

In Mac OS X, we use Disk Drill for file recovery. There should be a designated Mac computer in the shop for data recovery with a license for the Disk Drill program. Refer to the documentation “Procedure - Using Disk Drill for Mac” for a more detailed guide on how to use the program.

iOS

Currently, the only way to “recover” data for iOS devices is through iTunes and iCloud backups, or by sending the device to Drive Savers. WIthout a pre-existing backup, we are unable in the shop to retrieve any data from an iOS device.

Recovering lost files

  1. Try to locate the file(s) on the drive’s file structure. There will be times where a customer thinks they have lost data when, in reality, they have simply misplaced it or a failing drive or file system led them to believe the file(s) had been lost. If you can find files in this way, recover them to either the shop server or external media provided by the customer.
  2. Use the appropriate data recovery method for the platform. For Windows, use EaseUS Data Recovery Wizard *and for Mac, use *Disk Drill. See the References section below for links to documentation on these programs.
  3. If the file(s) are located, immediately move them to an external storage device- either a USB, CD/DVD, or the PC/Mac servers in the shop.
  4. Once transferred, verify the integrity of the recovered files by attempting to open them in their appropriate program (Preview/Photo Viewer for pictures, etc). If there are too many files to test individually, test random samples throughout the list of recovered files.
  5. If the backup has been successful, inform the customer. If there are a large number of files, make sure they understand that while the recovery was successful there may still be some files that are inaccessible, missing, or partially corrupted.
  6. If the backup was unsuccessful, inform the customer. Let them know that Drivesavers may be able to recover data but the associated cost is very high, usually in the $1,000-$2,000 price range for typical home-use devices.

Finishing up

  1. If only a storage drive was provided, return it to the customer along with the storage drive onto which the recovered data was transferred.
  2. If the customer brought in a working device for data recovery (of accidentally deleted files, for example), place the drive back into the device and ensure that it boots properly.
  3. If the customer brought in a device with a non-working storage drive, offer a quote for replacement and labor and proceed with regular diagnostic procedure.
  4. If the customer brought in a non-working device (water damage, motherboard failure), keep the original drive out of the machine and proceed with regular diagnostic procedure.

When the customer arrives to retrieve the device and storage drive(s), let them know that either they can take the drive for safekeeping or we can keep the drive to physically destroy it.

If the customer chooses to keep the original drive, place it in a antistatic bag and clearly mark the drive as failed.

Additional Information

Understanding Data Loss and Recovery

Bits and Bytes - How data is stored

Storage media such as hard drives and solid state drives store information in the form of bits- the smallest unit of measurement for data storage. A bit has two possible values- ON or OFF. The ON state can be represented visually as a 1. On the storage media itself, however, bits can be represented in any number of ways. On the traditional hard disk drive, bits are encoded into a platter with a specific magnetic field- a field pointing in one direction would indicate a 0, and a field pointing in the opposite direction would represent a 1. To change the magnetic field and thus the bit between states, a magnetic head passes above the platter to reverse the polarity.

Data loss can occur at a hardware level for many reasons. For example, data loss can occur if one or more storage cells containing bits erroneously changes its magnetic field or has its magnetic field changed by outside sources, or if the magnetic field is lost entirely due to wear and tear or outright failure. Sudden impact and extreme temperatures are also common causes of drive failure.

For the majority of data recovery operations, understanding the nuances of bits and bytes is not terribly important, but a solid understanding can help you relate information more easily to a customer.

What is a file?

We already know that data is stored as bits- 0s and 1s- and that eight bits make a byte. Expanding on that, there are 1024 bytes in 1 kilobyte, 1024 kilobytes in 1 megabyte, 1024 megabytes in 1 gigabyte, and so on. Customers typically understand storage on a broad scale- a typical customer might know that drives are measured in gigabytes, and that their files are stored somewhere on the drive. But what makes a file?

A file consists of some type of header- or, file signature- that identifies the type and size of the file. For example, a 500 byte text file might have a 10 byte header that identifies itself as a text file that spans 500 bytes (including the header). The remaining 490 bytes will consist of the text contained within the text file- the part that is displayed as human-readable text.

What happens to a deleted or damaged file?

In typical operation, a deleted file is not actually removed from the disk drive. Instead, it is marked as deleted. In other words, the disk space that the file occupies is marked as vacant; available to be used for other storage operations. The data will still be there, but the disk interprets the occupied space as empty and available space. The possibility of recovering a lost or deleted file is very likely if no disk activity has overwritten the space occupied by the file.

The likelihood of recovering a lost or deleted file is directly related to how much disk activity has occurred since the incident. For the best chance of recovering a file, the device should be shut down immediately. During continued use of the device it is very likely that the disk will write new data to the location of the lost file, permanently destroying it. It is still sometimes possible to recover a file that has been totally overwritten in this way, but only by certified data recovery specialists such as Drive Savers.

In the case of a partially overwritten file, what data is recoverable depends on how much and what parts of the file were overwritten. If the header/signature was fully or partially overwritten- but not the data- it is sometimes possible to reconstruct the header in such a way that little to no actual loss is apparent. If, however, some of the file data was damaged it may become impossible to fully or even partially recover the file. If recovered, the file may be damaged in various ways such as missing or jarbled text in a text document, or damaged/incomplete images in picture files.

References

TestDisk by CGSecurity: http://www.cgsecurity.org/wiki/TestDisk Free program for partition and data recovery

DriveSavers Data Recovery: http://www.drivesaversdatarecovery.com/ Professional data recovery service

Data Recovery on Wikipedia: https://www.wikiwand.com/en/Data_recovery Details using TestDisk for partition and data recovery

Discard
Save
Draft
Was this article helpful?
Edit Page New Page Revisions Page Settings

Previous Page

Left

Next Page

Right

On this page

Review Changes ← Back to Content
Message Status Space Raised By Last update on