© 2006-2015 by Ross Johnson
Bit: the smallest unit of computer data; a bit represents one of two states, 'on' or 'off' (or '1' or '0'). On magnetic media such as a hard drive or floppy disk, an electro-mechanically generated unit of magnetism represents a bit. A floppy disk can hold millions of bits.
Byte: 8 bits stored in a 'logical' grouping (i.e. 8 consecutive bits with a known start and end on the storage media).
Storage Medium examples: hard drive, CD, DVD, floppy disk.
Clean Room Repair: the hard drive is opened in a 'class-100' clean room to prevent dust and particle contamination of the media that could cause severe damage during use. The hard drive is then temporarily repaired with compatible shelf parts in order to extract raw data for later recovery/reconstruction. The shelf parts are then removed and the hard drive is re-assembled to its failed state.
Data (i.e. user data or data files): information files created by users via programs. Examples: 'Companyfile.qbw' created with Quickbooks Pro; 'Report.doc' created with Word. doc, qbw, xls, pst, ppt, jpg are examples of data file extensions (i.e. 'file types').
Raw Data (i.e. bit stream): all bits on a storage medium, regardless of logical structure or intended use; this includes user data, data files, programs, deleted data, hidden data, file structure information, file system data, partition data, etc.
Data Recovery: from failed/failing storage media such as a hard drive or memory card, the extraction of raw data (bits) to new media and the subsequent rebuild of data files. Most data recovery companies perform 'standard' recovery, which recovers/rebuilds the file system structure in order to find the remaining directory information and thus the files it points to. Anything not recovered in this manner is often deemed 'unrecoverable', even though the raw data files (without names) or partial content may still be available. A few data recovery companies are able to do more and can perform content recovery, 'file type' signature search, file repair, data stitching and more. This type of non-standard recovery/reconstruction (usually called 'forensic') is often much more expensive, and you, the client, may have extra work to do, such as identifying and renaming files.
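The 'file type' signature search mentioned above, as an added example that is not part of the original page: a small Python carver that finds JPEG files in a raw bit stream by their header and footer bytes alone (so they come back without names), reports which sector and cluster each file starts in, and skips a partial file whose footer was lost. The signature table, the SECTOR and CLUSTER_SECTORS constants and the sample image are assumptions constructed for this example.

```python
# Added example, not from the original glossary: a minimal 'file type'
# signature search (carving) over a raw bit stream, locating files by
# content so they can be rebuilt even when the directory entries are gone.

SECTOR = 512            # sector size used on this page
CLUSTER_SECTORS = 16    # the page's example: 16 sectors = 8192 bytes

# Header/footer byte signatures; JPEG is framed by SOI (FF D8) and EOI (FF D9).
SIGNATURES = {
    "jpg": (b"\xFF\xD8\xFF", b"\xFF\xD9"),
}

def locate(offset: int):
    """Map a byte offset in the raw stream to its (sector, cluster) address."""
    sector = offset // SECTOR
    return sector, sector // CLUSTER_SECTORS

def carve(raw: bytes, max_size: int = 10 * 1024 * 1024):
    """Return (extension, start_offset, data) for every complete file found.
    A header with no footer within max_size is a partial file and is skipped;
    the scan resumes just past that header so later files are still found."""
    found = []
    for ext, (head, tail) in SIGNATURES.items():
        pos = 0
        while (start := raw.find(head, pos)) >= 0:
            end = raw.find(tail, start + len(head))
            if end < 0 or end - start > max_size:
                pos = start + 1          # partial/truncated: keep scanning
                continue
            end += len(tail)
            found.append((ext, start, raw[start:end]))
            pos = end
    return found

def build_sample_image() -> bytes:
    """Constructed sample raw data (8 sectors): one JPEG at sector 0, one
    starting mid-sector in sector 1, and one truncated JPEG (footer lost)
    in sector 6, surrounded by zero filler."""
    jpeg_a = b"\xFF\xD8\xFF\xE0" + b"A" * 100 + b"\xFF\xD9"
    jpeg_b = b"\xFF\xD8\xFF\xE1" + b"B" * 700 + b"\xFF\xD9"
    truncated = b"\xFF\xD8\xFF\xE0" + b"T" * 50
    img = bytearray(8 * SECTOR)
    img[0:len(jpeg_a)] = jpeg_a
    img[SECTOR + 40:SECTOR + 40 + len(jpeg_b)] = jpeg_b
    img[6 * SECTOR:6 * SECTOR + len(truncated)] = truncated
    return bytes(img)

if __name__ == "__main__":
    for ext, start, data in carve(build_sample_image()):
        print(ext, "at offset", start, "sector/cluster", locate(start), len(data), "bytes")
```

Run against a real image the same way, but only a copy taken through a write blocker; the carver reads the stream and never writes to it.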
Data Reconstruction / stitching / repair: the rebuilding of data 'files' from raw data to a usable state for use by a program capable of utilizing that file type.
Forensic Recovery & Electronic Discovery: analysis of raw data and subsequent extraction/reconstruction of data files, deleted files, encrypted data, embedded data, hidden data, partial files, etc. Often used in court/legal proceedings such as employer/employee disputes, divorce and criminal cases. Also a useful tool for employers, parents and guardians to audit/review a computer for improper access/usage.
Write block: special hardware used by data recovery, forensic recovery, law enforcement and a few others that protects media from being altered during the recovery process. Critical for forensic recovery to prevent altering evidence, and a practical safeguard for all recovery. Generally not found in IT departments or local shops due to high cost vs. low need.
Slave or slaving: a standard method used by IT and local shops to retrieve data from a hard drive. The source drive with the desired data is basically hooked up (slaved) to another computer that boots to Windows. This is a reliable method when both drives are problem free, but it is completely unacceptable for data recovery and should be inadmissible for forensic recovery. There are many ways for the source to be damaged. Windows will often try to 'repair' found errors on drives that are slaved and therefore will make changes to media that should not be altered. Windows performs automatic "data house-keeping" (organizing) of hard drives and can use any cluster it detects as being available. This may overwrite data you are trying to recover. (Even with write block, booting to Windows can be risky for a damaged, slaved source drive.) Slaving is not a method of recovery.
Sectors: usually a factory-defined area on the media that holds 512 bytes of raw data. It is the smallest amount of data that can be written to or read from the media (a great litmus question for your local repair shop): an attempt to alter one byte will force a re-write of the other 511 bytes and therefore risks further damage to failing media. The ability to read a sector on failing/damaged media should not imply the ability to write to that sector. [For the technically inclined, there is really much more detail, including information stored between sectors used to track sector usage, CRC and more.]
Clusters: are defined by the file system (e.g. FAT or NTFS) when the media is formatted. Clusters within a volume/partition are equal in size and consist of one or more contiguous sectors on the media (e.g. 16 sectors equaling 8192 bytes). A cluster is the smallest unit of data the operating system manipulates; a file made up of a single byte will be allocated a whole cluster to store that single byte.
Contiguous sectors: adjacent or neighboring sectors.
Contiguous clusters: adjacent or neighboring clusters.
Drive geometry + drive translation + LBA: (simplified) these three combined (by the hard drive's circuit board) present sectors from the hard drive to the motherboard, and subsequently the operating system, in a consistent order. The first sector you can access on a hard drive is addressed or numbered zero; the second sector address is 1; the third address is 2, and so on to the end of all sectors. A 40 GB hard drive may have over 80 million sectors, each with 512 bytes of storage space. In reality the method of storage on the physical hard drive is more complicated and beyond the scope of this explanation, and beyond all retail recovery software and local tech shops. Simply stated, modern hard drives store data in a manner that is inconsistent to humans, operating systems and motherboards. Therefore, modern hard drives perform their own translation from their internal storage structure to the structure presented to the motherboard -> operating system -> and even humans.
Fragmentation: data files that are NOT stored in contiguous clusters.
NTFS File Compression: a data storage reduction method optionally used by Windows 2000 and XP. Files originally stored with this method and subsequently deleted are considered non-recoverable by most. However, if the raw data is reasonably intact, there is a known method to manually recover, decompress and extract the data files (with some effort).
Email storage: email programs such as AOL, Outlook and a few others store all of their content in one large, self-contained proprietary package. If the package can be recovered intact, then the original program can be used to access the data. If the package is in pieces or damaged in the raw data area, it is considered non-recoverable by most. However, there are known methods to manually search the raw data area to find and stitch the remaining pieces together for a partial or complete recovery.
Quickbooks: also uses a self-contained proprietary package and cannot withstand much damage, basically because math formulas are performed on the contained data and any missing/damaged data may result in 'bad math'. However, there are known recovery methods that may be able to recover a good 'range' of data if the complete range is damaged.