yeah - they examine the disk surface and pull everything to a big file. Then they go through the file for things that look like file headers and eof markers. Everything in between will likely be a file.
If you plug the hdd into your linux system, and it shows as a block special device like /dev/hdd - then you can use grep to dump the content of the device to a text file and hunt through it.
There are special routines for specific file-systems like ext2 and fat32. Most of these things come under the heading "forensics".
If the hardware is damaged, then you need a combination of soft and hard skills to extract what you can. E.g. if the hdd won't power up - you need to get the physical copper disks to a working motor and head first. If you are trying to recover data from half a floppy - you will want to fill in the missing half somehow and look at some sort of literal reading of the available tracks.
What if the disk has been in a rubbish tip for six weeks? A year? In the rain?
This moves more into the sort of thing that law enforcement will want to do. And it does not look very hopeful.
That is why the reason you are asking is important.
I don't actually have any damaged disks that I need to pull data off of. I just wanted to know how it was done. I see on a lot of forensics shows (CSI, Law and Order, etc.) that they take a mangled disk or cd and pull data off of what is left. And I know that it's possible to pull data off disks that have been burned and whatnot. I just wanted to know how they do it.
Thanks a lot for the link too. I haven't tried that distribution yet, but I'll definitely check it out.
I see on a lot of forensics shows (CSI, Law and Order, etc.) that they take a mangled disk or cd and pull data off of what is left. And I know that it's possible to pull data off disks that have been burned and whatnot.
Only kinda possible ... like it is possible to read the print on a burned piece of paper. You just don't expect to.
These shows are entertainment (I guess you realise that). In real life, you don't get a team of three people working only one case for days at a time. You get one guy working 100 cases a day.
As for the computer forensics: there are few boxed solutions. Each case is unique.
In the case of the burned PC - it is quite likely that the HDD has survived and can even be powered up. Even if the HDD case has been burned, and the insides melted, the actual bit that stores the data is 2-4 copper disks. These don't burn (though they can oxidize badly) ... recovering such a thing involves removing the copper disks and sticking them into a new HDD shell (a technician will have one cannibalised for the purpose - you make them yourself or order from a factory) and then plugging them in to see what you can see.
Naturally, recovery from windows is easier than from linux - due to the inherent insecurity of windows and the OS of choice for forensics is .... is that a penguin I see?
But it is not a matter of clicking away on the keyboard, waving the mouse, and voilà: it's done.
It helps if you have some idea what kind of data you want. Text is easiest because it'll show on an ASCII dump. Formatted text, like for a WYSIWYG editor, is harder. Binary files for some arbitrary program you can pretty much forget about.
Other situations are like if someone attempts to destroy evidence by chucking his laptop into a lake ... or what if your PDA is eaten by a crocodile, you shoot the crocodile, gut it, and recover the PDA. It has important info - maybe worth millions - that you haven't had a chance to backup to a secure store yet. Can you recover it?
Given the time, expertise and resources (read: money): it is amazing how much you can get back. However: some things are just plain gone.
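The two mechanisms the replies above describe - scan a raw dump for things that look like file headers and EOF markers and treat whatever sits between them as a file, and pull plain text straight out of an ASCII dump - are what the first signature-based carvers do. The script below is an added example written for this thread, not code from any poster or from a carving tool; the file signatures (JPEG SOI/EOI, PNG signature/IEND) are real, the disk image it scans is constructed in memory, and the "meeting notes" string, the carved_*.jpg naming and the 16 MiB size cap are arbitrary choices for the demo.

```python
#!/usr/bin/env python3
"""Signature-based file carving over a raw disk image (added example).

Always carve a copy of the device, never the device itself:
    dd if=/dev/sdb of=disk.img bs=4M conv=noerror,sync
Then:  python3 carve.py disk.img
With no argument it scans a small image constructed below.
"""
import re
import struct
import sys
import zlib

# Header/trailer pairs to hunt for. Real carvers (foremost, scalpel)
# ship long lists; two are enough to show the mechanism.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),              # SOI .. EOI
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),  # signature .. IEND+CRC
}
# Cap per-file size (demo value) so a header whose trailer was overwritten
# does not swallow the rest of the disk.
MAX_CARVE = 16 * 1024 * 1024


def carve(image: bytes, signatures=SIGNATURES, max_len=MAX_CARVE):
    """Return [(type, offset, data)] for every header with a trailer in range."""
    found = []
    for name, (header, trailer) in signatures.items():
        pos = 0
        while (start := image.find(header, pos)) >= 0:
            limit = min(len(image), start + max_len)
            end = image.find(trailer, start + len(header), limit)
            if end < 0:
                # Header with no trailer: truncated or overwritten file.
                # Skip past the header and keep scanning.
                pos = start + 1
                continue
            end += len(trailer)
            found.append((name, start, image[start:end]))
            pos = end
    found.sort(key=lambda hit: hit[1])
    return found


def ascii_runs(image: bytes, min_len=8):
    """What an ASCII dump makes obvious: runs of printable text, like strings(1)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [(m.start(), m.group().decode("ascii")) for m in re.finditer(pattern, image)]


def build_png():
    """A minimal valid 1x1 greyscale PNG, constructed for the demo."""
    def chunk(tag, data):
        crc = zlib.crc32(tag + data) & 0xFFFFFFFF
        return struct.pack(">I", len(data)) + tag + data + struct.pack(">I", crc)
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # 1x1, 8-bit, grey
    idat = zlib.compress(b"\x00\x00")                     # filter byte + pixel
    return (b"\x89PNG\r\n\x1a\n" + chunk(b"IHDR", ihdr)
            + chunk(b"IDAT", idat) + chunk(b"IEND", b""))


def build_image():
    """Constructed stand-in for a dumped partition: slack space, a JPEG, a
    text note, a PNG, and a JPEG whose tail was overwritten (header, no EOI)."""
    slack = b"\x00" * 512
    jpeg = b"\xff\xd8\xff\xe0JFIF\x00" + b"\x80\x81\x82\x83" * 200 + b"\xff\xd9"
    note = b"Meeting notes: wire transfer reference 4471-ALPHA, due Friday\n"
    truncated = b"\xff\xd8\xff\xe1" + b"\x00" * 64
    return slack + jpeg + slack + note + slack + build_png() + slack + truncated + slack


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_image()
    for kind, off, blob in carve(data):
        name = f"carved_{off:08x}.{kind}"
        with open(name, "wb") as fh:
            fh.write(blob)
        print(f"{kind} at offset {off}: {len(blob)} bytes -> {name}")
    for off, text in ascii_runs(data):
        print(f"text at offset {off}: {text!r}")
```

Two things the demo image is built to show: the truncated JPEG has a header but no trailer, so the carver skips it rather than grabbing everything up to the next unrelated EOI on the disk, and the size cap bounds the damage when a trailer really is gone. Nothing here needs the filesystem to be intact, which is the point of the approach; the filesystem-aware routines mentioned earlier (ext2, FAT32) recover names, timestamps and fragmented files that plain signature scanning cannot.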
I know that these shows are fictional and entertainment. But sometimes they show things that make just enough sense that it makes me wonder if it's possible, and if it is possible, how it's done in reality.
Thank you though, you've given me the most complete answer I've ever been able to find. I have just one more question... Do you know of a list of books/websites that have more information?
Most big companies simply use RAID to ensure that they can always recover their data anyway (of course, they still do backups). My uncle (a lawyer) recently had his server crash, and he just pulled out the bad drive, put in a new one, and let the magic of RAID work...
I apologise for the stupid URL format but this bulletin board insists that you make three posts before letting you include URLs in your posts. Very lame.
If you're particularly interested in methods of recovering data even from magnetic media that has been erased, this is a particularly good read:
It focuses on how to securely erase data, but to effectively do that you need to know how it is possible to recover erased information, and the article gives some idea about how this is done. Probably a very good primer for you.
Enjoy!
EDIT: Interestingly I am able to edit my post to add the URL after posting without the URL and before making three posts.
Last edited by SirMsquared; 05-02-2006 at 11:45 PM.
I just returned from a computer forensics class last week. You may also be interested in yet another bootable CD called Helix. It's top of the line stuff, and it's been certified for use with the FBI.
Likewise, sorry for the URL (I agree, that is lame). www.e-fense.com/helix
Likewise, sorry for the URL (I agree, that is lame)
Better to inconvenience (only minorly) a few brand new people, than to have to put up with getting these forums plastered with spam and links to Viagra "sales representatives" and their ilk.
Another post or two and you guys can join the party and start posting links of your own!
Better to inconvenience (only minorly) a few brand new people, than to have to put up with getting these forums plastered with spam and links to Viagra "sales representatives" and their ilk.
I've decided to take further discussion on this topic to this thread: