As a card-carrying computer geek, I often get calls from friends or family members who have lost computer data. Sometimes the data has been accidentally erased. Sometimes it's been damaged by a virus. Sometimes the hard drive itself is the problem. Whatever the cause, the one constant is this: People who are not IT professionals never back up their data.
Having done so much data recovery lately, I decided to write a series of articles that will discuss the recovery techniques I use regularly. This article will discuss what to do when you lose data, when data recovery is and isn't possible, and how data recovery works.
Although the data recovery process itself can be complicated, the idea behind the process is simple. Data recovery is possible because a file and information about a file are two different things, stored in two different places. The Windows operating system uses a file allocation table (FAT) to keep track of which files are on the hard drive and where those files are stored.
The best way to describe how a hard drive's file system works is to compare it to a book. The FAT is like a table of contents, while the actual files on the hard drive are like the pages in the book.
To illustrate how the data recovery process works, let's take this analogy one step further. You need to install a new kitchen sink, so you buy a book on home improvement. The table of contents tells you that the chapter on installing a kitchen sink starts on p. 40. If you rip the table of contents out of the book and shred those pages, have you lost the information on installing the sink? Of course not. The chapter on installing a sink is still in the book. It's just going to be harder to find.
Data recovery works the same way. When data needs to be recovered, often only the FAT is messed up. The actual file that needs to be recovered may still exist on your hard drive in perfect condition. If the file still exists, is undamaged, and is not encrypted, it can be recovered. All you have to do is to find it.
On the other hand, if the file itself is damaged or missing or encrypted, recovery through normal means is impossible. That doesn't mean recovery is impossible altogether, only that the usual methods won't work. You can't magically recover what isn't there.
If a file is physically damaged, your only hope of recovering it (without a backup) is to reconstruct the file. Many applications, such as Microsoft Office, place uniform headers at the beginning of files to designate that the file belongs to that application. Some utilities can be used to manually reconstruct file headers so that at least a portion of the file can be recovered.
In many cases, data loss is related to the FAT rather than to the data itself. For instance, when you delete a file, it's usually moved to the recycle bin. But if you delete a file from the recycle bin or remove it in such a way that causes it to never be placed in the recycle bin, the actual file is not deleted.
Instead, the operating system changes the first letter of the file name in the FAT to a sigma sign. (Older file systems used a question mark.) The operating system also writes zeros to cluster chain entries within the file allocation table as a way of showing that the disk space previously used by the file is still available. When a file is erased in this manner, the file itself still exists until another file overwrites the area of the hard disk that was previously used to store the file that has been erased.
A similar concept also applies to formatting a hard disk as well as corruption of the FAT. In these cases, the files still exist. They've simply been removed from the FAT (or renamed to something that Windows is designed to not display).
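The deletion marker described above can be seen directly in the on-disk structures: the sigma is byte 0xE5 in the first position of the file's 32-byte directory entry. This added example (not part of the original article) parses constructed FAT short-name entries and lists the cluster run an undelete tool would try; the sample directory, the helper names and the 2,048-byte cluster size are assumptions.

```python
import struct

ENTRY_SIZE = 32              # every FAT directory entry is 32 bytes
DELETED = 0xE5               # first name byte of a deleted entry (sigma in code page 437)
ATTR_VOLUME_ID = 0x08        # set on volume labels and on long-file-name entries
ENTRY_FMT = "<11sB8xH4xHI"   # name+ext, attributes, cluster high, cluster low, size

def make_entry(name, ext, first_cluster, size, attr=0x20):
    """Build one constructed short-name (8.3) directory entry."""
    raw = (name.ljust(8) + ext.ljust(3)).encode("ascii")
    return struct.pack(ENTRY_FMT, raw, attr, first_cluster >> 16,
                       first_cluster & 0xFFFF, size)

def find_deleted(directory, cluster_size):
    """Return deleted entries with the cluster run an undelete tool would try."""
    hits = []
    for off in range(0, len(directory) - ENTRY_SIZE + 1, ENTRY_SIZE):
        entry = directory[off:off + ENTRY_SIZE]
        if entry[0] == 0x00:             # 0x00 marks the end of the directory
            break
        raw, attr, hi, lo, size = struct.unpack(ENTRY_FMT, entry)
        if entry[0] != DELETED or attr & ATTR_VOLUME_ID:
            continue                     # live file, volume label or LFN entry
        # The first character was overwritten by the marker; show it as "?".
        name = "?" + raw[1:8].decode("ascii", "replace").rstrip()
        ext = raw[8:11].decode("ascii", "replace").rstrip()
        first = (hi << 16) | lo
        count = -(-size // cluster_size)  # ceiling division
        # Assumption: the FAT chain was zeroed, so the file is taken to be contiguous.
        hits.append({"name": name + ("." + ext if ext else ""),
                     "first_cluster": first, "size": size,
                     "guessed_clusters": list(range(first, first + count))})
    return hits

# Constructed sample directory: one live file, one deleted file, end marker.
live = make_entry("REPORT", "DOC", 2, 3000)
gone = make_entry("BUDGET", "XLS", 5, 5000)
SAMPLE_DIR = live + bytes([DELETED]) + gone[1:] + bytes(ENTRY_SIZE)

if __name__ == "__main__":
    for hit in find_deleted(SAMPLE_DIR, cluster_size=2048):
        print(hit)
```

The starting cluster and file size survive deletion, which is why recovery works until those clusters are reused; a fragmented file would not match the guessed run.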
Recovering deleted data
Now let's talk about the recovery process. Often when someone erases a file that they really need to get back, the first thing they do is install a data recovery utility. Bad idea! Remember, the deleted file still exists on your hard drive, but the operating system has flagged the space occupied by the file as being available. This means that if files are written to the hard disk (such as occurs when you install a recovery utility), there's a good chance that the file that you are trying to recover could be permanently overwritten.
Installing a data recovery utility isn't the only thing that can cause a deleted file to be permanently lost. Normal use of a PC results in frequent file I/O operations, many of which have the potential to make deleted files nonrecoverable.
To recover lost data, the first thing that you should do is to turn off the computer and remove the hard drive. Next, take a spare hard drive (maybe an old one that's too small for day-to-day use), install it into your computer, and install Windows. Don't install anti-virus software (unless a viral infection caused the data loss); doing so may interfere with data recovery.
Once you have Windows running using the spare drive, install your data recovery utility. Now shut the PC down and install the drive that contains the data that you are trying to recover. Next install another blank hard drive of equal size. Boot the system and then do a sector-by-sector copy (not a file copy) from the drive containing your deleted data to the empty drive. When the copy process completes, shut down the computer and remove the drive that contains the original copy of your deleted data. You're now ready to begin the data recovery process.
Why do I recommend copying the drive prior to attempting a recovery? First, you never want to attempt a recovery on your PC's original drive. If you work directly with this drive, then there are no second chances if you make a mistake. If you are working with a copy though, and you make a mistake, you can always make another copy.
The other reason why you should work off of a copy is this: If hard disk corruption is the cause of the data loss, there's a good chance the corruption will spread. As such, you must minimize your use of the corrupt drive to avoid further data loss.
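What a sector-by-sector copy does, as opposed to a file copy, is sketched in this added example (not from the original article): it reads the source in sector order, keeps every byte at its original offset, zero-fills sectors that cannot be read, and hashes the result so later working copies can be checked against it. The 512-byte sector size, the function names and the simulated failing drive are assumptions.

```python
import hashlib
import io

SECTOR = 512  # bytes; assumed sector size for this example

def read_span(src, offset, length, bad):
    """Read length bytes at offset; zero-fill sectors that cannot be read."""
    try:
        src.seek(offset)
        data = src.read(length)
        if len(data) == length:
            return data
    except OSError:
        pass
    if length <= SECTOR:
        bad.append(offset // SECTOR)     # record it and keep offsets aligned
        return b"\x00" * length
    # The large read failed: retry one sector at a time to isolate bad ones.
    end = offset + length
    return b"".join(read_span(src, o, min(SECTOR, end - o), bad)
                    for o in range(offset, end, SECTOR))

def image_copy(src, dst, size, sectors_per_read=64):
    """Copy size bytes from src to dst in sector order, preserving offsets."""
    bad, digest = [], hashlib.sha256()
    step = SECTOR * sectors_per_read
    for offset in range(0, size, step):
        data = read_span(src, offset, min(step, size - offset), bad)
        dst.write(data)
        digest.update(data)
    return {"bytes": size, "bad_sectors": bad, "sha256": digest.hexdigest()}

class FlakySource(io.BytesIO):
    """Constructed stand-in for a failing drive: reads touching a bad sector raise."""
    def __init__(self, data, bad_sectors):
        super().__init__(data)
        self.bad_sectors = set(bad_sectors)

    def read(self, n=-1):
        start = self.tell()
        touched = range(start // SECTOR, (start + n - 1) // SECTOR + 1)
        if any(s in self.bad_sectors for s in touched):
            raise OSError("simulated unreadable sector")
        return super().read(n)

def demo():
    disk = bytes(range(256)) * 16        # constructed 4,096-byte "drive" (8 sectors)
    out = io.BytesIO()
    report = image_copy(FlakySource(disk, [3]), out, len(disk), sectors_per_read=4)
    return disk, out.getvalue(), report
```

Because deleted files live in space the file system considers free, only a copy that preserves every sector, including unallocated ones, carries them over to the working drive.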
The coming articles in this guide will demonstrate some actual data recovery techniques.
Data Recovery Techniques for Windows
- How to recover data
- How to create a boot disk to run Norton Disk Editor
- How disk cluster size affects data recovery processes
- How long file names complicate data recovery
- How to recover deleted files on FAT via Disk Editor
- How data recovery for NTFS differs from FAT
- How to recover corrupt NTFS boot sectors
- Signature-based data recovery: A last ditch technique
About the author: Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. He has served as CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. He writes regularly for SearchWinSystems.com and other TechTarget sites.