Data Recovery

By:
Rohit Gupta
2015 MCA15

CSD AMU ALIGARH

 Content
1. Data Loss
1.1 What is data Loss ?
1.2 What causes Data Loss & How to
prevent data Loss ?
2. Data Recovery
2.1 What is Data Recovery ?
2.2 How can it be used ?
3. Data Recovery Techniques
3.1 Software Data Recovery
3.2 Hardware Data Recovery
4. Conclusion
5. Future Scope

CSD AMU ALIGARH

What is Data Loss?

• Data has accidentally been erased or data

control structures have been overwritten.

• Data has been corrupted or made

inaccessible.

• Data loss is distinguished from data

unavailability

CSD AMU ALIGARH

What Causes Data Loss
and
Preventions

CSD AMU ALIGARH

 What Causes Data Loss?
• Hardware and System problems
• Software corruption or application error
• Virus Attacks
• Human Error
– Accidental deletion
– Accidental overwriting of files
• Natural Disaster

CSD AMU ALIGARH

Data loss and Preventions
• Head Crash
the read/write heads of a hard drive
come into physical contact with the
media surface.
Indications:
Unusual noise omitting from the
hard drive – clicking, grinding or
scraping.
What to do?
Shut down the computer
immediately
CSD AMU ALIGARH
• Power Surge
Extreme power fluctuations may
severely damage media electronics and
directly effect a drive’s read/write
heads resulting in physical media
damage and/or data corruption.
Indication:
Smoke omitting from computer,
sparks, inaccessible data, drive will not
power up.
What to do?
Unplug devices following all power
outages. CSD AMU ALIGARH
• Water Damage
A single spill from a cup of coffee or
water can bring your computer to a
screeching halt.
What to do:
Immediately power down computer
and keep it off.
Do not attempt to dry your hard drive
or electronics; place in an airtight bag.

CSD AMU ALIGARH

• Virus Attacks
There are literally thousands of viruses
constantly attacking computers in this
internet age.
What to do:
Always protect yourself with antivirus
software and never open emails from
unfamiliar users.
Update antivirus software regularly.

CSD AMU ALIGARH

 Cause Example Percentage

Hardware and Disk drive crashes, Electrical outages and power 45%
System Problems surges, Manufacturer defects etc..

Human Errors Accidental Deletion, Overwriting of files etc.. 33%

Software Application displays an error message when 12%

Corruption or document is opened, Installing corrupt application
Application Error etc..
Computer Viruses Viruses such as MyDoom.A or MyDoom.b etc.. 6%

Natural Disasters Fires, Floods, Lightning, Earthquakes etc.. 4%

CSD AMU ALIGARH

Backup Hardware
• CDs, DVDs and Blue-Ray disks
- Inexpensive, quick, months to years of
storage

• Thumb drives
- Inexpensive, quick, larger storage capacity than
CDs/DVDs, months to years of storage

• Internal hard drive

- Easy transfer from one hard drive to another, many
years of storage

• External hard drive

- Easy transfer from internal to external hard drive,
better connection options, long-term storage
CSD AMU ALIGARH
 What is Data Recovery
• Data recovery is the process of restoring data
that has been lost, accidentally deleted,
corrupted or made inaccessible for any reason,
from electronic storage media (hard drives,
removable media, optical devices, etc...)

• There are occasions when damage to data is

permanent and complete data recovery is not
possible. However, some data is usually always
recoverable.
CSD AMU ALIGARH
 Cases of Recovery

FIRE CRUSHED SOAKED

Found after a fire A bus runs over a Notebook trapped
destroyed a 100 year laptop – All data underwater for
old home – All data recovered two days – All
Recovered data recovered

CSD AMU ALIGARH

Data Recovery Techniques

CSD AMU ALIGARH

 Data Recovery Using Software
• Only restore data that is not overwritten.

• Do not work on physically damaged drives.

• Uses various file system such as FAT,NTFS to

recover data

• Can be used to restore permanently deleted files,

from removable devices etc..

• Recuva, Undelete Pro, EasyRecovery, Proliant,

Novanet, etc..

CSD AMU ALIGARH

 NTFS File System
• preferred file system for Microsoft’s various desktops
and server.

• File Records are stored in a special table called as

Master File Table (MFT).

• MFT does not store the data of file (unless the data is
small to be able to fit in MFT Entry).

• The information about file is stored in MFT Entry as

series of attributes.

• Each attribute has an identifier which identifies type of

attribute CSD AMU ALIGARH
Type Type Identifier(Hexadecimal) Attribute Name
Identifier
(Decimal)

16 0x10 $STANDARD_INFORMATION
32 0x20 $ATTRIBUTE_LIST
48 0x30 $FILE_NAME
64 0x40 $VOLUME_VERSION
64 0x40 $OBJECT_ID
80 0x50 $SECURITY_DESCRIPTOR
96 0x60 $VOLUME_NAME
112 0x70 $VOLUME_INFORMATION
128 0x80 $DATA
144 0x90 $INDEX_ROOT
160 0xA0 $INDEX_ALLOCATION
176 0xB0 $BITMAP
192 0xC0 $SYMBOLIC_LINK
192 0xD0 $REPARSE_POINT
208 0xE0 $EA_INFORMATION
224 0xF0 $EA
256 0x100 $LOGGED_UTILITY_STREAM
--- 0xFFFFFFFF End of Attributes
CSD AMU ALIGARH
• first sixteen entries in MFT only for NTFS metadata files which
are reserved
• File Records for user created files are added after that
reserved entries.

NTFS FILE SYSTEM METADATA FILES

Entry Number NFTS Metadata File Name

0 $MFT
1 $MFTMirr
2 $LogFile
3 $Volume
4 $AttrDef
5 . (Dot)
6 $Bitmap
7 $Boot
8 $BadClus
9 $Secure
10 $Upcase
11 $Extend
CSD AMU ALIGARH
• Files and folders are differentiated using simple flag values
present in MFT Entry

MFT HEADER FALG VALUE DETAILS

Value Description

0x00 Deleted File Entry

0x01 File Entry
0x02 Deleted Folder Entry
0x03 Folder Entry

CSD AMU ALIGARH

 When we delete a file on NTFS file system:
Step 1:

File’s MFT Entry is made unallocated by changing the flag

values in MFT Entry Header. For files it is changed from0x01
to 0x00, and for folder it is changed from 0x03 to 0x02.

Step 2:

$Bitmap attribute of $MFT metadata file is processed and

value 0 is set for the file’s MFT Entry.

Step 3:

The non resident attributes of file’s MFT Entry are

processed and their clusters are set to unallocated in $BITMAP
metadata file.

when file is deleted on NTFS files system, actual data content of

the file is not deleted. Only the changes to the MFT Entry Header
and some metadata files are CSDmade
AMU ALIGARH
Recuva

• Recuva is a data recovery program for windows. It

is able to recover files that have been
"permanently" deleted. The program can also be
used to recover files deleted from USB flash
drives, memory cards etc.

• The program works on both FAT and NTFS file

systems.

CSD AMU ALIGARH

After installation of Recuva Wizard
CSD AMU ALIGARH
Specify Location

CSD AMU ALIGARH

 Scanning required file

CSD AMU ALIGARH

Showing Results

CSD AMU ALIGARH

Advantages & Disadvantages of
Data Recovery From Softwares

Advantages:
• Data Can be Recovered
• Various Software are available
• User Interface.
• Easy to handle.

Disadvantages:
• Not work if data is overwritten.
• Not work on physically damaged
devices
CSD AMU ALIGARH
Data Recovery Using Macroscopic
Technique

CSD AMU ALIGARH

Macroscopic Technique
• Scanning Probe Microscopy (SPM)
• Magnetic Force Microscopy (MFM)
• Scanning Tunneling Microscopy
(STM)

CSD AMU ALIGARH

Scanning Probe Microscopy
• Scanning probe microscopy (SPM) is a
new branch of microscopy that forms
images of surfaces using a physical probe
that scans the specimen.

• An image of the surface is obtained by

mechanically moving the probe in a raster
scan of the specimen, line by line, and
recording the probe-surface interaction as
a function of position

CSD AMU ALIGARH

 Scanning Probe Microscopy (SPM)
• Uses a sharp magnetic tip attached to a flexible
cantilever placed close to the surface to be analyzed

• produce a topographic view of the surface, using a

PC as a controller

CSD AMU ALIGARH

CSD AMU ALIGARH
Magnetic Force Microscopy
• MFM (Magnetic Force Microscopy) is a
new technique which images the spatial
variation of magnetic forces on a sample
surface.

• MFM is derived from scanning probe

microscopy (SPM) and uses a sharp
magnetic tip attached to a flexible
cantilever for analysis.

• An image of the field at the surface is

formed by moving the tip across the
surface and measuring the force.
CSD AMU ALIGARH
MFM Working image showing the bits of a
hard disk

CSD AMU ALIGARH

Scanning Tunneling Microscopy

• STM (Scanning Tunneling Microscopy) is a

more recent variation of MFM which uses
a probe tip typically made by plating
nickel onto a pre-patterned surface.

• The probe is scanned across the surface

that is to be analyzed. STM measures a
weak electrical current flowing between
the tip and the sample. The image is
then generated in the same way as MFM.
CSD AMU ALIGARH
Advantages & Disadvantages of
Macroscopic Technique

Advantages:
• Data Can be Recovered
• Gives Topographic View
• Overwritten Data Recovery is possible.

Disadvantages:
• Much costly.
• Can not be done at home.

CSD AMU ALIGARH

CSD AMU ALIGARH
CSD AMU ALIGARH
CSD AMU ALIGARH
Conclusion
• Individuals or companies may experience data loss at
any time for many reasons.

• There are various steps that should be implemented to

help prevent data loss.

• Data loss can be very costly and very upsetting.

• There are several data recovery techniques that have

proven to be successful or partially successful in
recovering data.

• Utilizing qualified professional data recovery specialists

will aid in the degree of success of data recovery.

CSD AMU ALIGARH

Future Scope
• New File Systems Can be developed or upgraded for easy
recovery of data

• New softwares can be developed for data recovery

CSD AMU ALIGARH

References
• WWW.Google.co.in
• http://www.intellirecovery.com/data/recovery.html
• http://www.data-recovery-info.com
• http://www.eng.yale.edu/reedlab/research/spm/spm.html

• http://www.ebaumsworld.com
• http://www.disklabs.com

CSD AMU ALIGARH

 ANY
QUESTIONS?
CSD AMU ALIGARH