data recovery from storage device

Post on 18-Jul-2015


PVG's COET Pune.

Data Recovery From Storage Device

Guided By: Prof. M. R. Apsangi

Introduction To Data Recovery

Presented By: Kishor Waghole

Overview

1. What is Data Recovery

2. Causes of Data Loss
- Hardware and System Problems
- Human Errors
- Software Corruption or Application Error
- Computer Viruses
- Natural Disasters

3. Uses of Data Recovery

4. Data Loss Prevention

5. Data Backup Devices

6. Data Recovery Technique
- Using PCB board change

What is Data Recovery

Data recovery is the process of restoring data that has been lost, accidentally deleted, corrupted or made inaccessible for any reason, from electronic storage media (hard drives, removable media, optical devices, etc.).

There are occasions when damage to data is permanent and complete data recovery is not possible. However, some data is usually recoverable.

Causes of Data Loss

Cause | Example | Percentage
Hardware and System Problems | Disk drive crashes, electrical outages and power surges, manufacturer defects, etc. | 45%
Human Errors | Accidental deletion, overwriting of files, etc. | 33%
Software Corruption or Application Error | Application displays an error message when a document is opened, installing a corrupt application, etc. | 12%
Computer Viruses | Viruses such as MyDoom.A or MyDoom.b, etc. | 6%
Natural Disasters | Fires, floods, lightning, earthquakes, etc. | 4%

Uses Of Data Recovery

Average User:

Recover important lost files

Keep your private information private

Law enforcement:

Locate illegal data

Restore deleted/overwritten information.

Prosecute criminals based on discovered data


Data Loss Prevention

Avoid heat and vibration
- Keep computers in a dry, clean place

Run Scandisk, defrag and anti-virus software
- Run Scandisk every 2 to 3 weeks
- Defrag! Data recovery success is more likely when damaged files are clustered
- Update your anti-virus at least 4 times a year and enable auto update features

Use an uninterruptible power supply (UPS)

Data Backup

Complete backup
- Full backup of entire PC or hard drive
- Backs up all server and PC volumes, directories and files

Partial backup
- Will either copy all files changed since last complete backup or files changed since last backup
- Useful when it’s important to have the latest version of each file

User-defined backup
- Copies a user-defined set of files
- Useful for groups working on a mission-critical project

Backup Hardware

CDs, DVDs and Blu-ray disks
- Inexpensive, quick, months to years of storage

Thumb drives
- Inexpensive, quick, larger storage capacity than CDs/DVDs, months to years of storage

Internal hard drive
- Easy transfer from one hard drive to another, many years of storage

External hard drive
- Easy transfer from internal to external hard drive, better connection options, long-term storage

Data Recovery Techniques

Using CB board change

Sacrificial PCB board

Data Recovery Using CB Change

Remove Control Board (CB)

Find Sacrificial Drive

Be careful to determine whether the model and firmware match.

Learn everything about how the CB is connected to the drive.

Remove the controller boards of both the failing drive and the working drive.

Attach the working board to the failing drive.

Advantages & Disadvantages of CB Change

Advantages:

- Data can be recovered.
- Can be done on your own.

Disadvantages:

- No 100% guarantee.
- Finding a sacrificial drive.
- The CB has to be handled with care.

Data Recovery using NTFS File System

Presented By: Hrishikesh Vibhute

Overview

1. Data recovery using software

2. NTFS file system

3. Changes in NTFS file system when file deleted

4. Recovery cases

5. Data recovery using NTFS

6. Recuva wizard

7. Advantages & disadvantages of data recovery using NTFS file system

Data Recovery Using Software

Can only restore data that has not been overwritten.

Does not work on physically damaged drives.

Uses various file systems such as FAT32, NTFS to recover data.

Can be used to restore permanently deleted files, files from removable devices, etc.

Recuva, Undelete Pro, EasyRecovery, Proliant, Novanet, etc.

Prices range from Free to 1000

NTFS File System

Preferred file system for Microsoft’s various desktop and server operating systems.

File Records are stored in a special table called the Master File Table (MFT).

The MFT does not store the data of a file (unless the data is small enough to fit in the MFT Entry).

The information about a file is stored in the MFT Entry as a series of attributes.

Each attribute has an identifier which identifies the type of attribute.

Type Identifier (Decimal) | Type Identifier (Hexadecimal) | Attribute Name
16 | 0x10 | $STANDARD_INFORMATION
32 | 0x20 | $ATTRIBUTE_LIST
48 | 0x30 | $FILE_NAME
64 | 0x40 | $VOLUME_VERSION
64 | 0x40 | $OBJECT_ID
80 | 0x50 | $SECURITY_DESCRIPTOR
96 | 0x60 | $VOLUME_NAME
112 | 0x70 | $VOLUME_INFORMATION
128 | 0x80 | $DATA
144 | 0x90 | $INDEX_ROOT
160 | 0xA0 | $INDEX_ALLOCATION
176 | 0xB0 | $BITMAP
192 | 0xC0 | $SYMBOLIC_LINK
192 | 0xD0 | $REPARSE_POINT
208 | 0xE0 | $EA_INFORMATION
224 | 0xF0 | $EA
256 | 0x100 | $LOGGED_UTILITY_STREAM
--- | 0xFFFFFFFF | End of Attributes

The first sixteen entries in the MFT are reserved for NTFS metadata files. File Records for user-created files are added after those reserved entries.

NTFS FILE SYSTEM METADATA FILES

Entry Number | NTFS Metadata File Name
0 | $MFT
1 | $MFTMirr
2 | $LogFile
3 | $Volume
4 | $AttrDef
5 | . (Dot)
6 | $Bitmap
7 | $Boot
8 | $BadClus
9 | $Secure
10 | $Upcase
11 | $Extend

Files and folders are differentiated using simple flag values present in the MFT Entry.

MFT HEADER FLAG VALUE DETAILS

Value | Description
0x00 | Deleted File Entry
0x01 | File Entry
0x02 | Deleted Folder Entry
0x03 | Folder Entry

The size of an MFT Entry is only 1024 bytes. For each user data file, the File Records are stored in a special table called the Master File Table (MFT). Because of this dual behavior, the attribute header also has two types:

1. Resident Attribute Header (small data size, stored in MFT).
2. Non-resident Attribute Header (large data size).

When we delete a file on the NTFS file system:

Step 1:

The file’s MFT Entry is made unallocated by changing the flag values in the MFT Entry Header. For files it is changed from 0x01 to 0x00, and for folders it is changed from 0x03 to 0x02.

Step 2:

The $Bitmap attribute of the $MFT metadata file is processed and the value 0 is set for the file’s MFT Entry.

Step 3:

The non-resident attributes of the file’s MFT Entry are processed and their clusters are set to unallocated in the $BITMAP metadata file.

When a file is deleted on the NTFS file system, the actual data content of the file is not deleted. Only the changes to the MFT Entry Header and some metadata files are made.

Recovery Cases

[Figure: three layouts of File 1, File 2, the deleted file and unallocated space: totally recoverable model, partial recoverable model, non recoverable model]

Steps followed in deleted file recovery are:

1. Search

2. Process its $DATA attribute.

3. If the $DATA attribute is resident, just copy it to an external location.

4. If the $DATA attribute is non-resident, the file’s contents are present in external clusters.

5. If all clusters have allocated status as 0, then complete recovery is possible.

6. If some clusters have allocated status as 1, then partial recovery is possible.

7. If all clusters have allocated status as 1, then the file’s contents are lost and recovery is impossible.
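The deletion flags and recovery steps 5 to 7 above, worked through in code as an added example that is not part of the original slides. The header flag offset (0x16), the run-list encoding and the bit order of $Bitmap follow the on-disk NTFS layout rather than anything stated on the slides, and the entry, run list and bitmaps are constructed sample data.

```python
import struct

# Flag values from the MFT header flag table above.
FLAGS = {0x00: "deleted file", 0x01: "file", 0x02: "deleted folder", 0x03: "folder"}

def entry_state(entry):
    """Read the 16-bit flags field of an MFT entry header (offset 0x16 on disk)."""
    if entry[:4] != b"FILE":
        raise ValueError("not an MFT entry")
    return FLAGS.get(struct.unpack_from("<H", entry, 0x16)[0], "unknown")

def decode_runs(runlist):
    """Turn a non-resident attribute's run list into a list of cluster numbers."""
    clusters, pos, lcn = [], 0, 0
    while pos < len(runlist) and runlist[pos] != 0:
        len_size, off_size = runlist[pos] & 0x0F, runlist[pos] >> 4
        length = int.from_bytes(runlist[pos + 1:pos + 1 + len_size], "little")
        offset = runlist[pos + 1 + len_size:pos + 1 + len_size + off_size]
        pos += 1 + len_size + off_size
        if off_size == 0:            # sparse run: no clusters on disk
            continue
        lcn += int.from_bytes(offset, "little", signed=True)  # relative to previous run
        clusters.extend(range(lcn, lcn + length))
    return clusters

def is_allocated(bitmap, cluster):
    """$Bitmap keeps one bit per cluster, least significant bit first."""
    return bool((bitmap[cluster // 8] >> (cluster % 8)) & 1)

def classify(entry, runlist, bitmap):
    """Steps 5 to 7 above: complete, partial or impossible recovery."""
    if not entry_state(entry).startswith("deleted"):
        return "not deleted"
    clusters = decode_runs(runlist)
    reused = sum(is_allocated(bitmap, c) for c in clusters)
    if reused == 0:
        return "complete"
    return "partial" if reused < len(clusters) else "impossible"

# Constructed sample: deleted file entry (flag 0x00) with data in clusters 8 to 11.
ENTRY = bytearray(1024)
ENTRY[:4] = b"FILE"
struct.pack_into("<H", ENTRY, 0x16, 0x00)
RUNS = bytes([0x11, 0x04, 0x08, 0x00])    # one run: 4 clusters starting at cluster 8

if __name__ == "__main__":
    for bitmap in (bytes([0x00, 0x00]), bytes([0x00, 0x03]), bytes([0x00, 0x0F])):
        print(classify(ENTRY, RUNS, bitmap))
```

A recovery tool makes the same decision per file, which is why continued use of a volume after deletion steadily moves files from the complete case to the partial and impossible ones.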

What Happens when File is Deleted

Information is stored in two ways:
1. Data is stored physically on the magnetic hard drive.
2. All stored data is managed by a file system.

The file system maintains an information table that reveals the exact location on the hard drive where a certain file is stored.

When a file is deleted, only the information stored in the file system’s table is removed, but the file remains on the hard disk.

Because the location of the deleted file is marked as vacant, the operating system may then write new data over the old data, which permanently deletes that information.

Recuva

Recuva is a data recovery program for Windows. It is able to recover files that have been "permanently" deleted. The program can also be used to recover files deleted from USB flash drives, memory cards, or MP3 players.

The program works on both FAT and NTFS file systems.

[Screenshots of the Recuva wizard, in order:]

After installation of Recuva Wizard

Specify Location

Specify whether Deep Scan is required or not

Scanning required file

Showing Results

Advantages & Disadvantages of Data Recovery From NTFS

Advantages:

- Data can be recovered.
- Various software is available.
- User interface.
- Easy to handle.

Disadvantages:

- Does not work if data is overwritten.

Data Recovery Using Macroscopic Technique

Presented By: Sushil Surwade

Overview

1. Scanning Probe Microscopy
- Introduction
- Types

2. AFM (Atomic Force Microscopy)
- Introduction
- Block Diagram

3. MFM (Magnetic Force Microscopy)
- Introduction
- Working

4. Difference Between AFM and MFM

5. Advantages and Disadvantages

Scanning Probe Microscopy (SPM)

First scanning probe microscope invented in 1981 by Binnig and Rohrer.

Uses a sharp magnetic tip attached to a flexible cantilever placed close to the surface to be analyzed.

Produces a topographic view of the surface, using a PC as a controller.

Types
• AFM (Atomic Force Microscope)
• MFM (Magnetic Force Microscope)

Wide range of applications
• Topography of Atomic Structure
• Magnetic/Electric fields
• Topography of CD Platter

Working Of SPM


Scanning probe microscopes operate by detecting the deflection in the cantilever

Modern scanning probe microscopes use a split photo diode to detect the deflection

Atomic Force Microscope (AFM)

AFM are based upon scanning a probe

Most widely used branch of scanning probe microscopy

Operates by measuring the interaction force between the tip and sample

Electrostatic force between the tip and the surface

Working Of AFM


The direction of current flow is determined by the polarity of the bias.

For -ve Biased

For +ve Biased

Working Of AFM Contd.

Imaging of the surface topology may then be carried out as follows:

Periodic variation in the separation distance between the tip and surface atoms.

Current will be large at upper site whilst above hollow sites tunnelling current will be much smaller.

A plot of the tunnelling current vs. tip position therefore shows a periodic variation which matches that of the surface structure.

Magnetic force microscopy


images the spatial variation of magnetic forces on a sample surface.

MFM is derived from scanning probe microscopy (SPM)

An image of the field at the surface is formed by moving the tip across the surface and measuring the force.

Together with software, MFM can see past various kinds of data loss/removal.

Each track contains an image of everything ever written to it, but each layer gets progressively smaller the earlier it was written.

[Figure: MFM working image showing the bits of a hard disk]

Difference Between AFM & MFM

AFM | MFM
1) Electrostatic force or van der Waals force | 1) Magnetic force
2) Biasing is done | 2) Biasing is not done
3) Flow of electrons causes current | 3) No flow of electrons

Advantages & Disadvantages of SPM

Advantages:

- Data can be recovered.
- Gives topographic view.
- Overwritten data recovery is possible.

Disadvantages:

- Very costly.
- Cannot be done at home.

File Carving In Data Recovery

Presented By: Mohit Shaha

Overview

1. File Carving Introduction

2. Working of File Carving Technique

3. File Carving Basic Idea & Drawback

4. Steps in Data Recovery by File Carving

5. File Carving Techniques
- Header embedded length carving
- File structure based carving
- Fragment recovery carving

6. Disk Digger wizard

7. Advantages and disadvantages of file carving

File Carving Introduction

Recovers files based on information about their structure.

Does not match file system information.

Operates by looking for file headers and/or footers, and then "carving out"

Can be used when file system metadata has been destroyed.

Scalpel, FTK, Encase, Foremost, PhotoRec, DiskDigger

Working Of File Carver

There is a specific header and footer for each file.

Header and footer depend upon the type of file.

With the header and footer, data can be retrieved from memory.

Various Header Formats For Different Types of Files

Hex | File Type
42 50 47 fb | bpg
FF D8 FF E0 | jpg, jpeg
25 50 44 46 | pdf

File Carving - Basic Idea

[Figure: unallocated clusters, each made of sectors, containing an interesting file that runs from the header, 0x474946e8e761 (GIF), to the footer, 0x003B (GIF)]

Problems With Basic Idea

[Figure: the interesting file's header, 0x474946e8e761 (GIF), and footer, 0x003B (GIF), lie in unallocated clusters that are not next to each other]
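Header/footer carving and the fragmentation problem from the two slides above, as an added example that is not part of the original slides. The JPEG footer FF D9, the 16-byte cluster size and both disk images are assumptions constructed for the demonstration; the header comes from the table of header formats.

```python
JPEG_HEADER = bytes.fromhex("FFD8FFE0")  # header from the table above
JPEG_FOOTER = bytes.fromhex("FFD9")      # assumption: JPEG end-of-image marker, not on the slides
CLUSTER = 16                             # assumption: tiny cluster size to keep the sample small

def carve(image, header=JPEG_HEADER, footer=JPEG_FOOTER, max_size=4096):
    """Return (offset, data) for every cluster-aligned header..footer span."""
    found, pos = [], 0
    while (start := image.find(header, pos)) != -1:
        pos = start + 1
        if start % CLUSTER:          # a file always starts on a cluster boundary
            continue
        end = image.find(footer, start + len(header), start + max_size)
        if end == -1:                # no footer within max_size: nothing to carve
            continue
        found.append((start, image[start:end + len(footer)]))
        pos = end + len(footer)
    return found

def foreign_clusters(carved, original):
    """Indexes of carved clusters that do not occur in the original file."""
    known = {original[i:i + CLUSTER] for i in range(0, len(original), CLUSTER)}
    chunks = [carved[i:i + CLUSTER] for i in range(0, len(carved), CLUSTER)]
    return [n for n, chunk in enumerate(chunks) if chunk not in known]

# Constructed two-cluster "JPEG": header + filler, then filler + footer.
ORIGINAL = JPEG_HEADER + b"A" * 12 + b"B" * 14 + JPEG_FOOTER
FREE = bytes(CLUSTER)                # unallocated, zero-filled cluster
OTHER = b"X" * CLUSTER               # cluster that belongs to a different file

CONTIGUOUS = FREE + ORIGINAL + FREE
FRAGMENTED = FREE + ORIGINAL[:CLUSTER] + OTHER + ORIGINAL[CLUSTER:] + FREE

if __name__ == "__main__":
    for name, image in (("contiguous", CONTIGUOUS), ("fragmented", FRAGMENTED)):
        offset, data = carve(image)[0]
        print(name, offset, len(data), "intact" if data == ORIGINAL else "corrupted",
              foreign_clusters(data, ORIGINAL))
```

On the fragmented image the carver still returns a span with a valid header and footer, but it contains the other file's cluster. Signature matching alone therefore cannot vouch for a carved file without structural validation.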

Steps In Data Recovery By File Carving

[Figure: fragments F1, G1, FX, H1, GY, HZ pass through four stages (Collation, Preprocessing, Reassembly, Postprocessing); the intermediate fragments FX, GY, HZ are reassembled into files G, F and H]

File Carving Techniques

Techniques:

1) Block Based Carving
2) Statistical Carving
3) Header/Footer Carving
4) Header/Maximum File Size Carving
5) Header/Embedded Length Carving
6) File Structure Based Carving
7) Semantic Carving
8) Carving with Validation
9) Fragment Recovery Carving
10) Repackaging Carving
11) Smart Carving
12) Hash Carving
13) Fuzzy Hash Carving

Header Embedded length carving

Header required.

Analyzes the length encoded in the header.

Useful for documents.

Problems:

1) Does not work properly if the file is fragmented.

File Structure Based Carving


Uses knowledge of internal structure of file.

Match to other sectors that contain similar data structures.

Use knowledge of the file type’s data structures to search for structure parts expected to exist in later sectors

Fragment recovery carving


Filter out the sectors between the fragments that don’t belong

Disk Digger Wizard

[Screenshots of the Disk Digger wizard, in order:]

Select type of file

Save the files which are recovered

Advantages & Disadvantages of File Carving

Advantages:

- Fragmented data can be recovered.
- Data can be recovered without file system.
- In built application.

Disadvantages:

- Overhead of reassembly.
- Overwritten data cannot be recovered.

How to Delete Data Securely

Extremely Extreme Physical Destruction

• Chainsaws
• Sledge hammers

Multiple Overwrites

• At least 3 to 5 times formatting and overwriting with random data.

Degaussing

• Process in which the media is returned to its initial state

Conclusion


Individuals or companies may experience data loss at any time for many reasons.

There are various steps that should be implemented to help prevent data loss.

Data loss can be very costly and very upsetting.

There are several data recovery techniques that have proven to be successful or partially successful in recovering data.

Utilizing qualified professional data recovery specialists will aid in the degree of success of data recovery.

Future Scope

New file systems can be developed or upgraded for easy recovery of data.

New software can be developed for data recovery.