Documente Academic
Documente Profesional
Documente Cultură
Contents
1 Introduction 1
1.1 Data Recovery - Definition . . . . . . . . . . . . . . . . . . . . . . . . . 1
1.2 Importance of Data Recovery . . . . . . . . . . . . . . . . . . . . . . . 1
1.3 Recovery from logical damage . . . . . . . . . . . . . . . . . . . . . . . 2
1.3.1 consistency checking . . . . . . . . . . . . . . . . . . . . . . . . 2
1.3.2 Data carving . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.4 Organization Of the Report . . . . . . . . . . . . . . . . . . . . . . . . 4
4 Conclusion 16
4.1 Challenges . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
4.2 Future advances . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
References 17
Chapter 1
to achieve the specific task. Data which cost years of hardships may be lost in a flash
due to a single mistake! We may be coming across such painful experiences too often.
Increasing hastiness and pace of life resulting in accidental deletion of valuable useful
data added to the agony. This reveal only one side of the importance of Data Recovery,
the other side is nothing other than the forensic importance of the data recovery. The
change tha the forensic need have is, here the data may not be accidentally deleted
but that makes a difference in the reocevry mode also as in this face the recovery will
be difficult as the deletion would have been performed in an intention that the data
should never get recovered.
These situations were the circumstances which lead to the need of
recovering the lost data .In such cases of accidental loss of stored data, we will be
barely in need of such a recovery software and some times more than a software which
can perform usual undeletion. Hence the data recovery became important. The data
recovery procedure became important irrespective of the file systems used. In each
file system the data recovery process depends on the type of file systems and their
features. Besides this there are drive independant data recovery methods also.
all. The second issue that arises is the disregard for data files. If chkdsk finds a data
file to be out of place or unexplainable, it may delete the file without asking. This is
done so that the operating system may run smoother, but the files deleted are often
important user files which cannot be replaced. Similar issues arise when using system
restore disks (often provided with proprietary systems like Dell and Compaq), which
restore the operating system by removing the previous installation. This problem can
often be avoided by installing the operating system on a separate partition from your
user data
• Usually use file journals or allocation tables for finding traces of the file.
• Once the file is found in defferent blocks of the hard disk some data carving
tools are used to carve the data.
• The file is either re-established where it was previously and then copied to new
location, or a new copy of the file is created using the carvd data.
• The method works well, when the data is not over written and some traces are
there in the file system.
2. Chapter 3 describes the importance and method of Recovery when the data is
over-written.
Chapter 2
Hard drives are assembled in clean rooms (cleaner than surgical rooms) and then
sealed. Hard drive platters spin at a rate of 4,200 to 10,000 rotations per minute.
Opening the hard disk drive to inspect the contents, by anyone but properly trained
personnel in a controlled environment, could lead to damages in the magnetic media.
Damage can occur because the read/write heads move at a very close distance to
the spinning hard drive platters [1]. As the platters spin, it is only a matter of time
before the head comes into contact with dust or debris on the platter. At this point,
an impact will occur, the surface of the platter containing the magnetic media will
become damaged and the data contained within this magnetic media will be lost
forever.
3. Control spindle rotation and head positioning, typically using the magnetic servo
patterns on the disk surfaces.
4. Determine the layout and format of each surface, defects and defect mapping
strategies.
6. Decode the precoding, scrambling, RLL, parity-assist ECC, and any other codes
to reveal user data.
The sectors or blocks creted from the detected and decoded user bits must still be
assembled into useful files. It is at this latter task where logical recoveries typicall
start. Interestingly, data forensic examinations can only begin after the physical and
then the logical recoveries have been completed.
and servo system parameters without rewriting over data.[1] This capability is needed
both when the system area information is corrupted and when a headstack transplant
is necessary.
The ’system information’[1] or the area where it is located, is also termed as
system area, mintenance tracks, negative cylinders, reserved cylinders, caliberation
area, initialization area and diskware. The system information includes the drive
specific hper-tuned parameters along with the normal characteristic parameters of
the hdd.The system area may become corrupted due to malfu nctioning circuits,
firmware bugs, exceeding the operational shock specifications of the drive, or position
system errors. Another, more common, reason for system area corruption is a loss of
power during an update of the system area itself. This might occur when systemlogs
are being updated or when th G-list is being changed. The G-list, or grown defect
list, holds information about the location of defects that have been found in the
field during drive operation. The G-list is typically used for sector swapping, or
sector reallocation. Related o this is the P-list, or primary defect list that stores the
location of media defects that were found during manufacturing. This is typically
used for sector slipping and is not udated in the field.
Figure 2.1: The beginning of the identification sector (IDNT) of the system area for
a 2.5 Hitachi drive is shown. The left coloumn is the offset index from the beginning
of the sector; the next two wide columns contain the hexadecimal interpretation of
the data stored there.The rightmost column shows the ASCII equivalent of the hex
values, when an equivalentexist.
Corruped system area information can be rewritten as a form of the part re-
placement. For some drive models, the system area contains only a small amount of
information, such as a unique drive serial number, the P-list and G-list, S.M.A.R.T.
data, and a drive passsword possibl encrypted. Small amount of drive specific details
indicates that the drive is more amenable o part replacement.Some drive models have
larger system areas, which may span tens of tracks. This tpically indicates that a drive
emplos hyper-tuning and hence is much less amenable to traditional part replacement,
especiall head transplantation and system are refresh. If the system information is
rewriten from archival copies of the data from other similar drives, the hyper-tuned
parameters will not match those needed for the drive’s original components. These
head-specific parameters must be re-optimized and rewritten to the system area.
to be acquired and used: first for servo positioning and then for data detection. To
acquire a good signal, the read bias currents must be approximated for each head.
Figure 2.2: The dull ring near the middle diameter of this spinning disk is the result
of a head crash. The headstack shown is a new replacement from a donor drive. The
flex circuit at the top of the picture is connected to the old damaged headstack. The
new headstack’s flex circuit (lower right) is connected to circuitry that replaces the
drive’s electronics.
Chapter 3
A good part of the computer users are still to know about the most important nd
interesting feature of our most common storage media, the magnetic storage media,
which is it’s capability to remember anhting ever written on it till it is completely
destroed by a degauss under strong magnetic field. Magnetic hard drives are used
as the primary storage device for a wide range of applications, including desktop,
mobile, and server systems. All magnetic disk drives possess the capability for data
retention,[5] but for the majority of computer users, the hard disk drive possesses the
highest lifespan of all magnetic media types, and therefore is most likely to have large
amounts of sensitive data on it.
In reality, magnetic media is simply any medium which uses a magnetic signal to
store and retrieve information. Examples of magnetic media include: floppy disks,
hard drives, reel-to-reel tapes, eight-tracks, and many others.[6-7] The inherent sim-
ilarity between all these forms of media is that they all use magnetic fields to store
data. This process has been used for years, but now that security concerns are being
brought more into focus, we are now starting to see some of the weaknesses of this
technology, as well as its well-known benefits.
• In the past, tips were made of etched magnetic wires such as from Nickel
• Now, tips are batch fabricated (tip-cantilever) using a combination of mi-
cromachining and
• First, the topographic profile of each scan line is measured. That is, the tip is
brought into close
• The magnetized tip is then lifted further away from the sample.
Figure 3.2: Two pass method for MFM, where on the first pass, the topography is
obtained, while on the second pass, the magnetic structure is imaged
The resulting tunneling current is a function of tip position, applied voltage, and the
local density of states (LDOS) of the sample. Information is acquired by monitoring
the current as the tip’s position scans across the surface, and is usually displayed
in image form. STM can be a challenging technique, as it can require extremely
clean and stable surfaces, sharp tips, excellent vibration control, and sophisticated
electronics.
3.3.1 Procedure
First, a voltage bias is applied and the tip is brought close to the sample by some
coarse sample-to-tip control, which is turned off when the tip and sample are suffi-
ciently close.[4] At close range, fine control of the tip in all three dimensions when near
the sample is typically piezoelectric, maintaining tip-sample separation W typically
in the 4-7 range, which is the equilibrium position between attractive and repulsive
interactions[4]. In this situation, the voltage bias will cause electrons to tunnel be-
tween the tip and sample, creating a current that can be measured. Once tunneling
is established, the tip’s bias and position with respect to the sample can be varied
(with the details of this variation depending on the experiment) and data is obtained
from the resulting changes in current.
If the tip is moved across the sample in the x-y plane, the changes in surface height
and density of states cause changes in current. These changes are mapped in images.
This change in current with respect to position can be measured itself, or the height,
z, of the tip corresponding to a constant current can be measured. These two modes
are called constant height mode and constant current mode, respectively. In constant
current mode, feedback electronics adjust the height by a voltage to the piezoelectric
height control mechanism[5]. This leads to a height variation and thus the image
comes from the tip topography across the sample and gives a constant charge density
surface; this means contrast on the image is due to variations in charge density.[7]
Chapter 4
Conclusion
The recovery data from the logically and/or physically damaged disk drives, and the
recovery of ove written data is now been done with a good amount of success. The
data recovery now have become a handy tool to the end-users as far as the logical
damages are concerned, although the recovery of data from the physically damaged
drives and over written data, which is done by the magnetic data recovery methods
have still to reach at the end users, the data recovery industr has grown through
hights of technology, that nowadays the situation is such that, data can be recovered
from any physically damaged drive untill it’s magnetic platters remain as such.[5]
And in case of the magnetic recovery also the present state-of-the-art has contributed
alot to the data recover industry that the magnetic recovery had reported recover
of data that had been over written upto 17 times. ie Through part replacement the
recovery of data from physically damaged drives has become easy. And with the use
of magnetic force microscopy and Signal tunneling microscopy the magnetic recovery
of over written data also have become possible to great extend.[4-7]
4.1 Challenges
The Recovery of data using part replacement and magnetic recovery methods are now
implemented in robust ways and hence the challenges it is facing or the areas where
the improvemetns have to be made are the improvements in efficiency of the steps in
the recovery procedure, in most occasions. The challenges are.
• The data can be recovered onl if the magneic platter is not damaged ; although
researches are there for improving the part replacement methods there is no
active reasearches that is intended to over coem this challenge.
to overcome this challenge, besides the manufacturers have also now started
designing the drives amenable for recovery.
• The part replacement methods and the magnetic recovery are usually of high-
cost.
• The strength of the magnetic fields ahve to be increased for recovery of data
that are deleted far beyond, and even data is recoverd, that are over written
more number of times the method doesn’t guarantee that the recovered data is
correct.
• The magnetic recovery with the present day technology, is not capable of re-
covering the data when the disk is degaussed under stronger magnetic fields ;
The degaussing will result in the permanent distruction of the drive and the de-
gaussing itself needs stronger magnetic field, here also there is no active research
going on to tackle his challenge.
• Improvement in algorihm that can extract data which is over written mor num-
ber of times, Although the present algorithms can extract data to a great extend
, improvement in the agorithm can use the result of the MFM and STM more
efficiently.
References
[1] Charles H. Sobey, Laslo Orto, and Glenn Sakaguchi ”Drive-Independent Data
Recovery: The Current State-of-the-Art”, IEEE transactions on Magnetics, IEEE
volume 42 February 2006
[2] Bennison, Peter F, and Lasher, Philip J, ”Data security issues relating to end of
life equipment”, Electronics and the Environment Conference, 2004 IEEE Inter-
national Symposium on May 10-13, 2004
[3] Cranor, Lorrie Faith, and Geiger, Matthew, ”Counter-Forensic Privacy Tools: A
Forensic Evaluation” February 1, 2006
[5] Garfinken, S.L. Shelat, ”Remembrance of Data passed: a study of disk sanitiza-
tion”,Security and privacy, IEEE International Symposium on February 2003
[6] Joshua J Sawyer, East Carolina University, ”Magnetic Data Recovery The Hid-
den Threat”, infosecwriters, December 2006
[7] L. Gao, L.P. Yue, T. Yokota, et al., ”Focused Ion Beam Milled CoPt Magnetic
Force Microscopy Tips for High Resolution Domain Images, IEEE Transactions
on Magnetics, IEEE Volume 40, 2004