Data recovery from storage device
Uploaded by: mohit-shah
PVG's COET Pune.
Data Recovery From Storage Device
Guided By: Prof. M.R. Apsangi
Introduction To Data Recovery
Presented By: Kishor Waghole
Overview
1. What is Data Recovery
2. Causes of Data Loss
   - Hardware and System Problems
   - Human Errors
   - Software Corruption or Application Error
   - Computer Viruses
   - Natural Disasters
3. Uses of Data Recovery
4. Data Loss Prevention
5. Data Backup Devices
6. Data Recovery Technique
   - Using PCB board change
What is Data Recovery
Data recovery is the process of restoring data that has been lost, accidentally deleted, corrupted or made inaccessible for any reason, from electronic storage media (hard drives, removable media, optical devices, etc.).
There are occasions when damage to data is permanent and complete data recovery is not possible. However, some data is usually recoverable.
Causes of Data Loss
Cause | Example | Percentage
Hardware and System Problems | Disk drive crashes, electrical outages and power surges, manufacturer defects, etc. | 45%
Human Errors | Accidental deletion, overwriting of files, etc. | 33%
Software Corruption or Application Error | Application displays an error message when a document is opened, installing a corrupt application, etc. | 12%
Computer Viruses | Viruses such as MyDoom.A or MyDoom.B, etc. | 6%
Natural Disasters | Fires, floods, lightning, earthquakes, etc. | 4%
Uses Of Data Recovery
Average User:
Recover important lost files
Keep your private information private
Law enforcement:
Locate illegal data
Restore deleted/overwritten information.
Prosecute criminals based on discovered data
Data Loss Prevention
Avoid heat and vibration
- Keep computers in a dry, clean place
Run Scandisk, defrag and anti-virus software
- Run Scandisk every 2 to 3 weeks
- Defrag! Data recovery success is more likely when damaged files are clustered
- Update your anti-virus at least 4 times a year and enable auto update features
Use an uninterruptible power supply (UPS)
Data Backup
Complete backup
- Full backup of entire PC or hard drive
- Backs up all server and PC volumes, directories and files
Partial backup
- Will either copy all files changed since last complete backup or files changed since last backup
- Useful when it’s important to have the latest version of each file
User-defined backup
- Copies a user-defined set of files
- Useful for groups working on a mission-critical project
Backup Hardware
CDs, DVDs and Blu-ray disks
- Inexpensive, quick, months to years of storage
Thumb drives
- Inexpensive, quick, larger storage capacity than CDs/DVDs, months to years of storage
Internal hard drive
- Easy transfer from one hard drive to another, many years of storage
External hard drive
- Easy transfer from internal to external hard drive, better connection options, long-term storage
Data Recovery Techniques
Using CB board change
- Sacrificial PCB board
Data Recovery Using CB Change
Remove Control Board (CB)
Find a sacrificial drive.
Take care to determine whether the model and firmware match.
Learn everything about how the CB is connected to the drive.
Remove the controller boards of the failing drive and the working drive.
Attach the working board to the failing drive.
Advantages & Disadvantages of CB Change
Advantages:
- Data can be recovered
- Can be done on your own
Disadvantages:
- No 100% guarantee
- Finding a sacrificial drive
- The CB has to be handled with care
Data Recovery using NTFS File System
Presented By: Hrishikesh Vibhute
Overview
1. Data recovery using software
2. NTFS file system
3. Changes in NTFS file system when file deleted
4. Recovery cases
5. Data recovery using NTFS
6. Recuva wizard
7. Advantages & disadvantages of data recovery using NTFS file system
Data Recovery Using Software
Can only restore data that has not been overwritten.
Does not work on physically damaged drives.
Uses various file systems, such as FAT32 and NTFS, to recover data.
Can be used to restore permanently deleted files, files from removable devices, etc.
Examples: Recuva, Undelete Pro, EasyRecovery, Proliant, Novanet, etc.
Prices range from free to 1000.
NTFS File System
NTFS is the preferred file system for Microsoft’s various desktop and server systems.
File Records are stored in a special table called the Master File Table (MFT).
The MFT does not store the data of a file (unless the data is small enough to fit in the MFT Entry).
The information about a file is stored in the MFT Entry as a series of attributes.
Each attribute has an identifier which identifies the type of attribute.
Type Identifier (Decimal) | Type Identifier (Hexadecimal) | Attribute Name
16 | 0x10 | $STANDARD_INFORMATION
32 | 0x20 | $ATTRIBUTE_LIST
48 | 0x30 | $FILE_NAME
64 | 0x40 | $VOLUME_VERSION
64 | 0x40 | $OBJECT_ID
80 | 0x50 | $SECURITY_DESCRIPTOR
96 | 0x60 | $VOLUME_NAME
112 | 0x70 | $VOLUME_INFORMATION
128 | 0x80 | $DATA
144 | 0x90 | $INDEX_ROOT
160 | 0xA0 | $INDEX_ALLOCATION
176 | 0xB0 | $BITMAP
192 | 0xC0 | $SYMBOLIC_LINK
192 | 0xD0 | $REPARSE_POINT
208 | 0xE0 | $EA_INFORMATION
224 | 0xF0 | $EA
256 | 0x100 | $LOGGED_UTILITY_STREAM
--- | 0xFFFFFFFF | End of Attributes
The first sixteen entries in the MFT are reserved for NTFS metadata files. File Records for user-created files are added after those reserved entries.
NTFS FILE SYSTEM METADATA FILES
Entry Number | NTFS Metadata File Name
0 | $MFT
1 | $MFTMirr
2 | $LogFile
3 | $Volume
4 | $AttrDef
5 | . (Dot)
6 | $Bitmap
7 | $Boot
8 | $BadClus
9 | $Secure
10 | $Upcase
11 | $Extend
Files and folders are differentiated using simple flag values present in the MFT Entry.
MFT HEADER FLAG VALUE DETAILS
Value | Description
0x00 | Deleted File Entry
0x01 | File Entry
0x02 | Deleted Folder Entry
0x03 | Folder Entry
The size of an MFT Entry is only 1024 bytes. For each user data file, the File Records are stored in a special table called the Master File Table (MFT). Because of this dual behavior, the attribute header also has two types:
1. Resident Attribute Header (small data size, stored in the MFT)
2. Non-resident Attribute Header (large data size)
When we delete a file on an NTFS file system:
Step 1:
The file’s MFT Entry is made unallocated by changing the flag values in the MFT Entry Header. For files it is changed from 0x01 to 0x00, and for folders it is changed from 0x03 to 0x02.
Step 2:
The $Bitmap attribute of the $MFT metadata file is processed and value 0 is set for the file’s MFT Entry.
Step 3:
The non-resident attributes of the file’s MFT Entry are processed and their clusters are set to unallocated in the $BITMAP metadata file.
When a file is deleted on an NTFS file system, the actual data content of the file is not deleted. Only the changes to the MFT Entry Header and some metadata files are made.
Recovery Cases
[Figure: three panels showing a deleted file between File 1 and File 2: totally recoverable model (unallocated space), partial recoverable model, non recoverable model]
Steps followed in deleted file recovery are:
1. Search
2. Process its $DATA attribute.
3. If the $DATA attribute is resident, just copy it to an external location.
4. If the $DATA attribute is non-resident, the file’s contents are present in external clusters.
5. If all clusters have allocated status as 0, then complete recovery is possible.
6. If some clusters have allocated status as 1, then partial recovery is possible.
7. If all clusters have allocated status as 1, then the file’s contents are lost and recovery is impossible.
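The deletion flags and recovery steps above, as an added Python example (not part of the original slides): it reads the header flag and the $DATA attribute of one raw MFT entry and classifies recovery as complete, partial or none. The sample entry and run list are constructed; the names `assess`, `data_runs` and `make_entry` are chosen here, `allocated` stands for the cluster numbers whose $Bitmap bit is 1 (assumed already read from the volume), and the fixup array of real entries is not applied.

```python
import struct

FLAGS = {0x00: "deleted file", 0x01: "file", 0x02: "deleted folder", 0x03: "folder"}

def data_runs(buf):
    """Decode a non-resident run list into the cluster numbers it covers."""
    clusters, pos, lcn = [], 0, 0
    while pos < len(buf) and buf[pos]:            # a 0x00 header byte ends the list
        len_sz, off_sz = buf[pos] & 0x0F, buf[pos] >> 4
        length = int.from_bytes(buf[pos + 1:pos + 1 + len_sz], "little")
        start = pos + 1 + len_sz
        if off_sz:                                # off_sz == 0 is a sparse run: nothing on disk
            lcn += int.from_bytes(buf[start:start + off_sz], "little", signed=True)
            clusters += range(lcn, lcn + length)
        pos = start + off_sz
    return clusters

def assess(entry, allocated):
    """Return (entry kind, verdict, payload) for one raw MFT entry."""
    if entry[:4] != b"FILE":
        raise ValueError("not an MFT entry")
    pos, flags = struct.unpack_from("<HH", entry, 0x14)  # first attribute offset, header flags
    kind = FLAGS.get(flags, "unknown")
    while pos + 8 <= len(entry):
        atype, alen = struct.unpack_from("<II", entry, pos)
        if atype == 0xFFFFFFFF or alen == 0:             # end-of-attributes marker
            break
        if atype == 0x80:                                # $DATA
            if entry[pos + 8] == 0:                      # resident: content lives in the entry
                size, off = struct.unpack_from("<IH", entry, pos + 0x10)
                return kind, "resident", entry[pos + off:pos + off + size]
            (run_off,) = struct.unpack_from("<H", entry, pos + 0x20)
            runs = data_runs(entry[pos + run_off:pos + alen])
            reused = sum(c in allocated for c in runs)   # clusters already handed to other files
            verdict = "complete" if not reused else "none" if reused == len(runs) else "partial"
            return kind, verdict, runs
        pos += alen
    return kind, "no $DATA", None

def make_entry(flags, attr):
    """Constructed 1024-byte MFT entry holding one attribute (no fixup array)."""
    head = (b"FILE" + bytes(16) + struct.pack("<HH", 0x38, flags)).ljust(0x38, b"\0")
    return (head + attr + struct.pack("<I", 0xFFFFFFFF)).ljust(1024, b"\0")

# Constructed non-resident $DATA: 3 clusters at LCN 100, then 2 at LCN 90 (relative offset -10)
NONRES = struct.pack("<IIBBHHHQQH", 0x80, 0x48, 1, 0, 0, 0, 0, 0, 4, 0x40).ljust(0x40, b"\0") + bytes.fromhex("21036400 1102f6 00")
DELETED = make_entry(0x00, NONRES)
for bitmap in (set(), {101}, {90, 91, 100, 101, 102}):
    print(sorted(bitmap), assess(DELETED, bitmap)[:2])
```
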
What Happens when File is Deleted
Information is stored in two ways:
1. Data is stored physically on the magnetic hard drive.
2. All stored data is managed by a file system.
The file system keeps an information table revealing the exact location on the hard drive where a certain file is stored.
When a file is deleted, only the information stored in the file system’s table is removed, but the file remains on the hard disk.
Because the location of the deleted file is marked as vacant, the operating system may then write new data over the old data, which permanently deletes that information.
Recuva
Recuva is a data recovery program for Windows. It is able to recover files that have been "permanently" deleted. The program can also be used to recover files deleted from USB flash drives, memory cards, or MP3 players.
The program works on both FAT and NTFS file systems.
After installation of Recuva Wizard
Specify Location
Specify whether Deep Scan is required or not
Scanning required file
Showing Results
Advantages & Disadvantages of Data Recovery From NTFS
Advantages:
- Data can be recovered
- Various software is available
- User interface
- Easy to handle
Disadvantages:
- Does not work if data is overwritten
Data Recovery Using Macroscopic Technique
Presented By: Sushil Surwade
Overview
1. Scanning Probe Microscopy
   - Introduction
   - Types
2. AFM (Atomic Force Microscopy)
   - Introduction
   - Block Diagram
3. MFM (Magnetic Force Microscopy)
   - Introduction
   - Working
4. Difference Between AFM and MFM
5. Advantages and Disadvantages
Scanning Probe Microscopy (SPM)
The first scanning probe microscope was invented in 1981 by Binnig and Rohrer.
Uses a sharp magnetic tip attached to a flexible cantilever placed close to the surface to be analyzed.
Produces a topographic view of the surface, using a PC as a controller.
Types
- AFM (Atomic Force Microscope)
- MFM (Magnetic Force Microscope)
Wide range of applications
- Topography of Atomic Structure
- Magnetic/Electric fields
- Topography of CD Platter
Working Of SPM
Scanning probe microscopes operate by detecting the deflection in the cantilever
Modern scanning probe microscopes use a split photo diode to detect the deflection
Atomic Force Microscope(AFM)
AFMs are based upon scanning a probe
Most widely used branch of scanning probe microscopy
Operates by measuring the interaction force between the tip and sample
Electrostatic force between the tip and the surface
Working Of AFM
The direction of current flow is determined by the polarity of the bias.
[Figure: two panels, one for negative bias and one for positive bias]
Working Of AFM Contd.
Imaging of the surface topology may then be carried out as follows:
There is a periodic variation in the separation distance between the tip and surface atoms.
The current will be large at upper sites, whilst above hollow sites the tunnelling current will be much smaller.
A plot of the tunnelling current vs. tip position therefore shows a periodic variation which matches that of the surface structure.
Magnetic force microscopy
MFM images the spatial variation of magnetic forces on a sample surface.
MFM is derived from scanning probe microscopy (SPM)
An image of the field at the surface is formed by moving the tip across the surface and measuring the force.
Together with software, MFM can see past various kinds of data loss/removal.
Each track contains an image of everything ever written to it, but each layer gets progressively smaller the earlier it was written.
[Figure: MFM working image showing the bits of a hard disk]
Difference Between AFM & MFM
AFM | MFM
1) Electrostatic force or van der Waals force | 1) Magnetic force
2) Biasing is done | 2) Biasing is not done
3) Flow of electrons causes current | 3) No flow of electrons
Advantages & Disadvantages of SPM
Advantages:
- Data can be recovered
- Gives topographic view
- Overwritten data recovery is possible
Disadvantages:
- Very costly
- Cannot be done at home
File Carving In Data Recovery
Presented By: Mohit Shaha
Overview
1. File Carving Introduction
2. Working of File Carving Technique
3. File Carving Basic Idea & Drawback
4. Steps in Data Recovery by File Carving
5. File Carving Techniques
   - Header embedded length carving
   - File structure based carving
   - Fragment recovery carving
6. Disk Digger wizard
7. Advantages and disadvantages of file carving
File Carving Introduction
Recovers files based on information about their structure.
Does not use file system information.
Carvers operate by looking for file headers and/or footers, and then "carving out"
Can be used when file system metadata has been destroyed.
Tools: Scalpel, FTK, EnCase, Foremost, PhotoRec, DiskDigger
Working Of File Carver
There is a specific header and footer for each file.
Header and footer depend upon the type of file.
With the header and footer, data can be retrieved from memory.
Various Header Formats For Different Types of Files
Hex | File Type
42 50 47 fb | bpg
FF D8 FF E0 | jpg, jpeg
25 50 44 46 | pdf
File Carving - Basic Idea
[Figure: disk divided into clusters and sectors; the interesting file lies in unallocated clusters between its header, 0x474946e8e761 (GIF), and its footer, 0x003B (GIF)]
Problems With Basic Idea
[Figure: header 0x474946e8e761 (GIF) and footer 0x003B (GIF); labels: one cluster, unallocated cluster, interesting file]
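Header/footer carving as described above, as an added Python example (not part of the original slides), run over a constructed image in which one file is contiguous and one is fragmented, the case where the basic idea breaks. The jpg and pdf headers come from the table above; the footers (FF D9 and `%%EOF`) are those formats' usual end markers, and the 512-byte cluster size, the image contents and the function names are assumptions made for the example.

```python
CLUSTER = 512  # assumed cluster size of the constructed image
SIGNATURES = {  # header from the table above, footer = the format's usual end marker
    "jpg": (bytes.fromhex("FFD8FFE0"), bytes.fromhex("FFD9")),
    "pdf": (bytes.fromhex("25504446"), b"%%EOF"),
}

def carve(image, max_size=1 << 20):
    """Header/footer carving: return (type, offset, bytes) for every hit."""
    hits = []
    for start in range(0, len(image), CLUSTER):   # a file's first byte sits on a cluster boundary
        for ftype, (header, footer) in SIGNATURES.items():
            if not image.startswith(header, start):
                continue
            end = image.find(footer, start + len(header), start + max_size)
            if end != -1:                          # no footer within max_size: drop the hit
                hits.append((ftype, start, image[start:end + len(footer)]))
    return hits

def build_image():
    """Constructed image: a contiguous PDF, then a JPEG split by another file's cluster."""
    pdf = b"%PDF-1.4\n" + b"A" * 600 + b"%%EOF"
    jpg = bytes.fromhex("FFD8FFE0") + b"J" * 700 + bytes.fromhex("FFD9")
    foreign = b"X" * CLUSTER                       # cluster that belongs to an unrelated file
    image = (bytes(CLUSTER) + pdf.ljust(2 * CLUSTER, b"\0")
             + jpg[:CLUSTER] + foreign + jpg[CLUSTER:].ljust(CLUSTER, b"\0"))
    return image, pdf, jpg

if __name__ == "__main__":
    image, pdf, jpg = build_image()
    for ftype, offset, blob in carve(image):
        original = pdf if ftype == "pdf" else jpg
        state = "intact" if blob == original else "contains a foreign cluster"
        print(ftype, offset, len(blob), state)
```

The PDF comes back byte for byte, while the carved JPEG is one cluster longer than the original because everything between header and footer is taken, including the cluster that belongs to another file.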
Steps In Data Recovery By File Carving
[Figure: fragments F1, G1, FX, H1, GY, HZ; stages labelled Collation, Preprocessing, Reassembly and Postprocessing; intermediate fragments FX, GY, HZ; output files G, F, H]
File Carving Techniques
Techniques:
1) Block Based Carving
2) Statistical Carving
3) Header/Footer Carving
4) Header/Maximum File Size Carving
5) Header/Embedded Length Carving
6) File Structure Based Carving
7) Semantic Carving
8) Carving with Validation
9) Fragment Recovery Carving
10) Repackaging Carving
11) Smart Carving
12) Hash Carving
13) Fuzzy Hash Carving
Header Embedded length carving
Header required.
Analyzes the length encoded in the header.
Useful for documents.
Problems:
1) Does not work properly if the file is fragmented.
File Structure Based Carving
Uses knowledge of internal structure of file.
Match to other sectors that contain similar data structures.
Use knowledge of the file type’s data structures to search for structure parts expected to exist in later sectors
Fragment recovery carving
Filter out the sectors between the fragments that don’t belong
Disk Digger Wizard
Select type of file
Save the files which are recovered
Advantages & Disadvantages of File Carving
Advantages:
- Fragmented data can be recovered
- Data can be recovered without a file system
- In-built application
Disadvantages:
- Overhead of reassembly
- Overwritten data cannot be recovered
How to Delete Data Securely
Extremely Extreme Physical Destruction
- Chainsaws
- Sledge hammers
Multiple Overwrites
- At least 3 to 5 times formatting and overwriting with random data.
Degaussing
- Process in which the media is returned to its initial state
Conclusion
Individuals or companies may experience data loss at any time for many reasons.
There are various steps that should be implemented to help prevent data loss.
Data loss can be very costly and very upsetting.
There are several data recovery techniques that have proven to be successful or partially successful in recovering data.
Utilizing qualified professional data recovery specialists will aid in the degree of success of data recovery.
Future Scope
New file systems can be developed or upgraded for easy recovery of data.
New software can be developed for data recovery.