Disk Drive Data Recovery Procedures
Evaluation for Disk Drive Data Recovery
Logical Recovery (some examples)
RE-FORMATTING/RE-PARTITIONING /RE-SIZING: “Oh oh!!.. I just formatted the wrong volume and now I can’t see my data”. If this scenario happens to you in Windows, don’t despair we CAN recover your data. But once again, to ensure we have the best chance and to prevent any critical overwriting of key data structures, please stop using the computer immediately. Doing a format will erase a very small part of the MFT or Master File Table or “operating system’s index of files” as we referred to it earlier. The remainder of the index is intact and can be rebuilt by Memofix.
VIRUS ATTACK: The news media loves to sensationalize computer viruses but in reality we recover data in well over 99% of all virus related data loss situations. The majority of viruses causing data loss tend to disable a users access to their system by overwriting the boot sector. This is very effective at keeping you from using your system but any competent data recovery service will have little trouble repairing such damage.
ENCRYPTION: Encryption was developed to ensure the security of a user’s data should it fall into unscrupulous hands. In theory any encryption password can be discovered by using brute
computer force and time but in reality the time and/or resources required would make it impractical to all but the most motivated. More often encryption is broken by a hacker using other means to discover the password like keyboard recorders or reading the un-purged RAM contents. When recovering the data off encrypted volumes there are two approaches that Memofix Data Recovery Services Toronto may take.The 1st method is only feasible when our evaluation finds the PHYSICAL problems with the hard drive AND we are able to repair the hard drive AND we are able to mirror it off with NO read errors. Then we can ship an exact image back to the client which should be as functional as before it failed. In this approach we have no way of validating the success of the recovery but the client never needs to reveal his password or his data to anyone.In the 2nd PREFERRED method we need to first decrypt the data from every readable sector of the hard drive. We are able to do this for most Encryption programs including, WinMagic SecureDoc, Symantec Endpoint Encryption and PGP Whole Disk Encryption. Once the entire volume is decrypted we can treat the recovery normally and deal with any damaged file system structure or bad files as a result of read errors etc.Also be aware that several hard drive manufactures including Seagate and Hitachi are now offering hardware encryption options on some of their hard drives. Referred to as FDE or Fixed Disk Encryption, there are no known methods to recover the data without the original password.
Physical Recovery (some examples)
HEAD CRASH: A head crash refers to the damage that occurs when the heads come into contact with the spinning disks. In a good working hard drive, the heads float on a microscopic layer of air just above the surface of the disks. But if the drive is bumped while spinning, the heads may easily break through this air cushion and touch down on the surface of the disks. The disks are composed of an aluminum or glass core, coated with a super thin MAGNETIC coating. Unfortunately, your data IS the magnetic coating! When the heads touch down they begin to score the disk as it spins under the pressing head. Within milliseconds a complete ring around the disk may form and clouds of black data dust are released into the sealed chamber. In the process the head is completely destroyed or in the case of a multiple head drive, this scenario is likely unfolding with many heads simultaneously. If allowed to continue, the damage will quickly dissolve any chance of recovering the data. Disk Drive data recovery from such a scenario is NOT always possible and almost always expensive. The first step is to disassemble the drive and remove as much of the black dust as possible. The platter surfaces are then cleaned and lubricated using proprietary techniques. Several compatible parts drives are located. The head assembly from one donor is removed and prepared for installation into the defective drive. The new head assembly is installed and aligned in the crashed drive. Imaging of the surfaces starts from one clean end of the platter towards the crashed area. Imaging is stopped as we begin to enter the crashed area and restarted from the opposite end towards the crash. As we again approach the crashed area, the heads will become damaged permanently. In an effort to get as much of an image as possible we will often repeat this procedure 3 or more times using different sets of donor heads. When we determine that we have as much of the data as is likely possible, we analyze the image for any file structure damage and subsequently repair it. Once the file system structures are repaired enough to allow access to the data, a complete list of good and bad data files is created.
DRIVE DOES NOT SPIN UP DUE TO A BAD SPINDLE MOTOR: Once regarded as an almost unrecoverable disk drive data recovery situation, seized spindles are no longer the bad news they once were. While to the layman it seems like an easy fix; just re-install the platters or disks into a new drive. In reality only a single platter drive allows this simplistic approach. When you have a drive with multiple disks, as most drives now do, the disks must be moved as a single unit with no change in their physical relationship to each other. The disks must remain aligned vertically to such accuracy that just loosening the screws that secure the platters down WILL destroy the alignment and any chance of a successful disk drive data recovery.We have developed several proprietary techniques and specialized tools for dealing with “no spin” motor type cases, but due to the propriety nature of these techniques we prefer not to disclose them in any detail. Suffice to say, we are able to transplant stacks of disks up to 4 platters and acheiving industry success rates of over 85%. Very few disk drive data recovery companies can accomplish this.
SYSTEM AREA PROBLEMS: The “System Area”, the “Maintenance Tracks” or the “Engineering Tracks” are all common names for a special hidden data area found on the hard drive. Being totally invisible to the user, the System Area is accessible only for the hard drive’s service use. It contains the equivalent of the drive’s own operating system and is used for such functions as error management and performance tuning. In fact this same area is also used for special functions like storing the drive’s SMART history and setting up a HPA or Host Protected Area. Every manufacture has its own System Area design with very little common ground. Even within a manufactures product lines there are big differences in how the System Areas are implemented. The amount of time required to reverse engineer System Areas makes this approach not practical for average disk drive data recovery. Fortunately, there is a very specialized piece of equipment that solves most System Area problems on most manufactures drives. But of course it’s very expensive and consequently many lesser equipped data recovery companies do not possess this equipment. The System Area is one of the first items checked by a freshly powered hard drive and it must be error free for accessing the client’s data area. If the drive fails this check we can use our specialized equipment to repair the damaged modules and re-acquire access. If it is impossible to fix the System Area due to read errors on the media, there is another technique that may be applied. This alternative method involves the creation of a dummy System Area on another good working drive. Critical and unique modules for the System Area are then transferred from the client drive to the dummy drive and the client drive is temporarily initialized using this dummy System Area and a technique called PCB hot swapping. This procedure will give us temporary access to the client’s data area and provide a successful disk drive data recovery.
FILE AND FOLDER DELETIONS: In most operating systems the deletion of a file does not mean the actual file is deleted or overwritten but rather that its entry in the MFT or “operating system’s index of files” is tagged to show the file as being deleted. This lets the operating system know that the sectors where a particular file is stored can now be re-used for future use. This is why it is so important to immediately quit using your computer should you delete a critical file. Even when a computer appears to be doing nothing, there are tons of read/write operations occurring just to maintain the system and any one of them could be the write operation that overwrites your data forever.
Copyright © 2018 Memofix Hitech Services Inc. All rights reserved.