Since I've been doing so much data recovery lately, I decided to write a series of articles on the subject. These articles will discuss the techniques I use on a regular basis. This article will discuss what to do when data loss occurs, when data recovery is and isn't possible, and how data recovery works.
Although the data recovery process itself can be complicated, the idea behind the process is simple. Data recovery is possible because a file and information about a file are two different things, stored in two different places. The Windows operating system uses a
The best way to describe how a hard drive's file system works is to compare it to a book. The FAT is like the table of contents. The actual files on the hard drive are like the pages in the book.
To illustrate how the data recovery process works, let's take the analogy one step further. You need to install a new kitchen sink, so you buy a book on home improvement. The table of contents tells you that the chapter on installing a sink starts on p. 40. If you rip the table of contents out of the book and shred those pages, have you lost the information on installing the sink? Of course not. The chapter on installing a sink is still in the book; it's just going to be harder to find since you no longer have a table of contents.
Data recovery works the same way. When data needs to be recovered, it is often only the FAT that's messed up. The actual file that needs to be recovered may still exist on your hard drive in perfect condition. If the file still exists, is undamaged and is not encrypted, it can be recovered. All you have to do is to find it.
On the other hand, if the file itself is damaged, missing or encrypted, recovery through normal means is impossible. That doesn't mean recovery is impossible, only that the usual methods won't work. You can't magically recover what isn't there.
If a file is physically damaged, your only hope of recovering it (without a backup) is to reconstruct the file. Many applications, such as Microsoft Office, place uniform headers at the beginning of files to designate that the file belongs to that application. Some utilities can be used to manually reconstruct file headers so that at least a portion of the file can be recovered.
In many cases, data loss is related to the FAT rather than to the data itself. For instance, when you delete a file, it is normally moved to the recycle bin. But if you delete the file from the recycle bin, or remove it in a way that bypasses the recycle bin altogether, the actual file is not deleted.
Instead, the operating system changes the first letter of the file name in the FAT to a sigma sign. (Older file systems used a question mark.) The operating system also writes zeros to the file's cluster chain entries within the FAT to show that the disk space previously used by the file is now available. When a file is erased in this manner, the file itself still exists until another file overwrites the area of the hard disk that was used to store it.
A similar concept applies to formatting a hard disk as well as corruption of the file allocation table. In these cases, the files still exist. They've simply been removed from the FAT (or renamed to something that Windows is designed to not display).
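The following Python example is added here for illustration and is not code from the original article. It scans a FAT directory for entries whose first name byte is 0xE5 (the value that displays as a sigma) and reads the data back on the assumption that the file occupied consecutive clusters. The 32-byte entry layout is the standard FAT one; the disk image, file names and the `data_start` and `cluster_size` values are constructed for the demo.

```python
import struct

DELETED = 0xE5   # first name byte of a deleted entry; displays as sigma in code page 437
ENTRY = 32       # bytes per FAT directory entry

def deleted_entries(directory):
    """Yield (name, first_cluster, size) for each deleted 8.3 file entry."""
    for off in range(0, len(directory) - ENTRY + 1, ENTRY):
        e = directory[off:off + ENTRY]
        if e[0] == 0x00:                      # end-of-directory marker
            break
        if e[0] != DELETED or e[11] & 0x18:   # skip live, LFN/label, subdirectory
            continue
        base = "_" + e[1:8].decode("ascii", "replace").rstrip()  # first letter is lost
        ext = e[8:11].decode("ascii", "replace").rstrip()
        hi, lo, size = struct.unpack_from("<H4xHI", e, 20)
        yield (f"{base}.{ext}" if ext else base), (hi << 16) | lo, size

def recover(image, data_start, cluster_size, first_cluster, size):
    """Return the file bytes, assuming it occupied consecutive clusters.

    The FAT chain was zeroed on delete, so contiguity is a guess; a
    fragmented or partly overwritten file comes back wrong.
    """
    start = data_start + (first_cluster - 2) * cluster_size  # clusters number from 2
    if first_cluster < 2 or start + size > len(image):
        return None
    return bytes(image[start:start + size])

def make_entry(name, ext, cluster, size, deleted=False):
    """Build one constructed 32-byte directory entry for the demo image."""
    e = bytearray(name.ljust(8).encode() + ext.ljust(3).encode() + bytes(21))
    e[11] = 0x20                              # archive attribute
    struct.pack_into("<H", e, 20, cluster >> 16)
    struct.pack_into("<HI", e, 26, cluster & 0xFFFF, size)
    if deleted:
        e[0] = DELETED
    return bytes(e)

def demo():
    """Constructed image: 512-byte directory, then data clusters 2 and 3."""
    directory = (make_entry("README", "TXT", 2, 5) +
                 make_entry("NOTES", "TXT", 3, 11, deleted=True)).ljust(512, b"\0")
    data = b"live!".ljust(512, b"\0") + b"hello world".ljust(512, b"\0")
    image = directory + data
    return [(n, recover(image, 512, 512, c, s)) for n, c, s in deleted_entries(directory)]

if __name__ == "__main__":
    print(demo())
```

The directory entry keeps the starting cluster and file size after deletion, which is why a file that has not been overwritten can still be located.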
Recovering deleted data
Now let's talk about the recovery process. Often when someone erases a file they really need to get back, the first thing they do is to install a data recovery utility. Bad idea! Remember, the deleted file still exists on your hard drive, but the operating system has flagged the space occupied by the file as being available. This means that if files are written to the hard disk (such as occurs when you install a recovery utility), there's a good chance that the file you're trying to recover could be permanently overwritten.
Installing a data recovery utility isn't the only thing that can cause a deleted file to be permanently lost. Normal use of a PC results in frequent file I/O operations, many of which have the potential to make deleted files non-recoverable.
To recover lost data, the first thing you should do is to turn off the computer and remove the hard drive. Next, take a spare hard drive (maybe an old one that's too small for day-to-day use), install it into your computer, and install Windows. Unless the data loss was the result of a viral infection, I don't recommend installing anti-virus software; doing so can interfere with data recovery.
Once you have Windows up and running using the spare drive, install your data recovery utility. Now shut down the PC and install the drive that contains the data you're trying to recover. Next install another blank hard drive of equal size. Boot the system and do a sector-by-sector copy (not a file copy) from the drive containing your deleted data to the empty drive. When the copy process ends, shut down the computer and remove the drive containing the original copy of your deleted data. You're now ready to begin the data recovery process.
Why do I recommend copying the drive prior to attempting a recovery? First, you never want to attempt a recovery on your PC's original drive. If you work directly with this drive and make a mistake, there are no second chances. But if you're working with a copy and make a mistake, you can always make another copy.
The other reason why you should work off of a copy rather than the original drive is this: If hard disk corruption is the cause of the data loss, there's a good chance the corruption will spread. To avoid further data loss, you must minimize your use of the corrupt drive.
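To show what a sector-by-sector copy does that a file copy does not, here is an added Python example (not from the original article). It copies every sector in order whether or not the file system lists it, reads each sector only once, zero-fills any sector that cannot be read, and returns a hash of the copy. The `FlakyDisk` class and the four-sector disk contents are constructed stand-ins for a damaged drive.

```python
import hashlib
import io

SECTOR = 512

def sector_copy(src, dst, total_sectors, sector=SECTOR):
    """Copy every sector of src to dst in order, allocated or not.

    Each sector is read once; one that fails is zero-filled and logged so a
    failing drive is not hammered with retries. Returns (bad, sha256 of copy).
    """
    bad, digest = [], hashlib.sha256()
    for n in range(total_sectors):
        try:
            src.seek(n * sector)
            block = src.read(sector)
        except OSError:
            block = b""
            bad.append(n)
        block = block.ljust(sector, b"\0")    # pad short or failed reads
        dst.seek(n * sector)
        dst.write(block)
        digest.update(block)
    return bad, digest.hexdigest()

class FlakyDisk(io.BytesIO):
    """Constructed stand-in for a damaged drive: one sector raises on read."""
    def __init__(self, data, bad_sector):
        super().__init__(data)
        self.bad_sector = bad_sector

    def read(self, size=-1):
        if self.tell() // SECTOR == self.bad_sector:
            raise OSError("simulated unreadable sector")
        return super().read(size)

def demo():
    # Constructed 4-sector disk; sector 1 holds "deleted" bytes no file copy would see.
    disk = b"A" * 512 + b"deleted file body".ljust(512, b"\0") + b"C" * 512 + b"D" * 512
    src, dst = FlakyDisk(disk, bad_sector=2), io.BytesIO()
    bad, sha = sector_copy(src, dst, total_sectors=4)
    copy = dst.getvalue()
    return bad, copy, sha == hashlib.sha256(copy).hexdigest()

if __name__ == "__main__":
    bad, copy, verified = demo()
    print("bad sectors:", bad, "verified:", verified)
```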
The remaining articles in this series will demonstrate some actual data recovery techniques.
About the author: Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. He has served as CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. He writes regularly for SearchWinSystems.com and other TechTarget sites.
This was first published in May 2006