Home | Pricing | Shipping Form | Standard Recovery | Forensic Recovery | About us | Glossary | RAID


© 2006-2015 by Ross Johnson

Bit: the smallest unit of computer data, a bit represents one of two states; 'on' or 'off' (or '1' or '0'). On magnetic media such as a hard drive or floppy disk, an electro-mechanically generated unit of magnatisim will represent a bit. A floppy disk can hold millions of bits.

Byte: 8 bits stored in a 'logical' grouping (i.e. 8 consecutive bits with a known start and end on the storage media.

Storage Medium examples: hard drive, CD, DVD, floppy disk.

Clean Room Repair: the hard drive is opened in a ‘class-100’ clean room to prevent dust and particle contamination of the media that could cause severe damage during use. The hard drive is then temporarily repaired with compatible shelf parts in order to extract raw data for later recovery/reconstruction. The shelf parts are then removed and the hard drive is re-assembled to its failed state.

Data (i.e. user data or data files): information files created by users via programs.


‘Companyfile.qbw’ created with Quickbooks Pro;

‘Report.doc’ created with Word

doc, qbw, xls, pst, ppt, jpg are examples of data file extensions (i.e. 'file types').

Raw Data (i.e. bit stream): all bits on a storage medium, regardless of logical structure or intended use, this includes; user data, data files, programs, deleted data, hidden data, file structure information, file system data. partition data, etc.

Data Recovery: from failed/failing storage media such as a hard drive or memory card; the extraction of raw data (bits) to new media and the subsequent rebuild of data files. Most data recovery companies perform ‘standard’ recovery which recovers/rebuilds the file system structure in order to find the remaining directory information and thus the relative files. Anything not recovered in this manner is often deemed ‘unrecoverable’, even though the raw data files (without names) or partial content may still be available. A few data recovery companies are able to do more and can perform; content recovery, ‘file type’ signature search, file repair, data stitching and more. This type of non-standard recovery/reconstruction (usually called ‘forensic’) is often much more expensive and you, the client, may have extra work to do, such as identifying and renaming files.

Data Reconstruction / stitching / repair: the rebuilding of data ‘files’ from raw data to a usable state for use by a program capable of utilizing that file type.

Forensic Recovery & Electronic Discovery: analysis of raw data and subsequent extraction/reconstruction of data files, deleted files, encrypted data, embedded data, hidden data, partial files. etc. Often used in court/legal proceedings such as employer/employee disputes, divorce, criminal. Also a useful tool for employers, parents and gaurdians to audit/review a computer for improper access\usage.

Write block: special hardware used by data recovery, forensic recovery, law enforcement and few others that protects media from being altered during the recovery process. Critical for forensic recovery to prevent altering evidence and a practical safeguard for all recovery. Generally not found in IT departments or local shops due to high cost vs. low need.

Slave or slaving: a standard method used by IT and local shops to retrieve data from a hard drive. The source drive with the desired data is basically hooked up (slaved) to another computer that boots to Windows. This is a reliable method when both drives are problem free but is completely unacceptable for data recovery and should be inadmissible for forensic recovery. There are many ways for the source to be damaged. Windows will often try to 'repair' found errors on drives that are slaved and therefore will make changes to media that should not be altered. Windows performs automatic, "data house-keeping" (organizing) of hard drives and can use any cluster it detects as being available. This may overwrite data you are trying to recover.

(Even with write block, booting to windows can be risky for a damaged, slaved source drive)

Slaving is not a method of recovery.

Sectors: Usually - a factory defined area on the media that holds 512 bytes of raw data. It is the smallest amount of data that can be written or read from the media (<-great litmus question for your local repair shop) - an attempt to alter one byte will force a re-write of the other 511 bytes and therefore risks further damage to failing media. The ability to read a sector on failing/damaged media should not imply the ability to write to that sector. [For the technically inclined, there is really much more detail, including information stored between sectors used to track sector usage, CRC and more.]

Clusters: are defined by the file system (e.g. FAT or NTFS) when the media is formatted. Clusters within a volume/partition are equal in size and consist of one or more contiguous sectors on the media (e.g. 16 sectors equaling 8192 bytes). A cluster is the smallest unit of data the operating system manipulates, a file made up of a single byte will be allocated a whole cluster to store the single byte.

Contiguous sectors: adjacent or neighboring sectors.

Contiguous clusters: adjacent or neighboring clusters.

drive geometry + drive translation + LBA: (simplified) these three combined (by the hard drive's circuit board), present sectors from the hard drive to the motherboard and subsequently the operating system in a consistent order. The first sector you can access on a hard drive is addressed or numbered zero; the second sector address is 1; the third address is 2 and so on the the end of all sectors. A 40 GB hard drive may have over 80 million sectors; each with 512 bytes of storage space. In reality the method of storage on the physical hard drive is more complicated and beyond the scope of this explanation and beyond all retail recovery software and local tech shops. Simply stated, modern hard drives store data in a mannner that is inconsistent to humans, operating systems and motherboards. Therefore, modern hard drives perform their own translation from their internal storage structure to the structure presented to the motherboard -> operating system -> and even humans.

Fragmentation: data files that are NOT stored in contiguous clusters. 

NTFS File Compression: a data storage reduction method optionally used by Windows 2000 and XP. Files originally stored with this method and subsequently deleted are considered non-recoverable by most. However, if the raw data is reasonably intact, there is a known method to manually recover, decompress and extract the data files (with some effort).

Email storage: Email programs such as AOLOutlook and a few others store all of their content in one large self contained propietary package. If the package can be recovered intact then the original program can be used to access the data. If the package is in pieces or damaged in the raw data area it is considered non-recoverable by most. However there are known methods to manually search the raw data area to find and stitch the remaining pieces together for a partial or complete recovery. 

Quickbooks: also uses a self contained propietary package and cannot withstand much damage. Basically because math formulas are performed on the contained data and any missing/damaged data may result in 'bad math'. However there are known recovery methods that may be able to recover a good 'range' of data if the complete range is damaged.