What is data?
Computer data is information processed or stored by a computer. This information may be in the form of text documents, images, audio clips, software programs, or other types of data. Computer data may be processed by the computer's CPU and is stored in files and folders on the computer's hard disk.
What is data recovery?
It is the process of salvaging data from damaged, failed, corrupted, or inaccessible secondary storage media when it cannot be accessed normally. Recovery may be required due to physical damage to the storage device or logical damage to the file system.
The essence of data recovery
Data recovery means retrieving lost, deleted, unusable or inaccessible data that was lost for various reasons.
Data recovery not only restores lost files but also recovers corrupted data.
There are software and hardware reasons that cause data loss, and we can recover data by software and hardware means.
The scope of data recovery
Data problems take many forms and show many phenomena; we can divide the objects or scope of data recovery according to different symptoms.
System problem
Cannot enter the system, the system is abnormal, or the computer shuts down.
A key system file is lost or corrupted, there is a bad track on the hard disk, the hard disk is damaged, the MBR or DBR is lost, or the CMOS setting is incorrect, and so on.
Bad track of hard disk
There are logical and physical bad tracks.
A logical bad track is mainly caused by incorrect operation, and it can be restored by software.
A physical bad track is caused by physical damage, which is real damage; we can restore it by changing the partition or sector.
Partition problem
If a partition cannot be identified and accessed, or a partition is identified as unformatted, partition recovery tools such as Partition Table Doctor can be used to recover data.
File loss
If files are lost because of deletion, format or Ghost clone error, file restoring tools such as Data Recovery Wizard can be used to recover data.
Password loss
If a file, system password, database or account is lost, special decryption tools that correspond to the particular data format, such as Word or WinZip, can be used.
File repair
For some reasons, some files cannot be accessed or used, or the contents are full of garbled characters, or the contents are changed so that they cannot be read. In this condition, special file restoring tools can be tried to restore the files.
The principle of data recovery
Data recovery is a process of finding and recovering data, in which there may be some risk, for not all situations can be anticipated or prearranged. This means that unexpected things may happen, so we need to reduce the danger in data recovery to the lowest level:
Back up all the data on your hard disk
Prevent the equipment from being damaged again
Don't write anything to the device from which you want to recover data
Try to get detailed information on how the data was lost and the losing process
Back up the recovered data in time.
Data loss
Software reason
Virus, format, mis-partition, mis-clone, mis-operation, network deletion and power cut during operation may all be software reasons. The symptoms are usually mis-operation, read error, cannot find or open file, report no partition, not formatted, password lost and garbled characters.
Use software tools to recover it. So-called soft recovery means data can be recovered by software.
Hardware reason
Sometimes data loss is because of hardware, such as a bad sector on the hard disk, power cut, head damage, circuit panel problem, etc.
The hardware becomes slow, cannot operate successfully, cannot read data, etc.
Hard disk
Physical structure
An HD consists of platters, a control circuit board and interface parts.
A hard disk is a sealed unit containing a number of platters in a stack. Hard disks may be mounted in a horizontal or a vertical position. In this description, the hard drive is mounted horizontally.
Parts of hard disk
Primary formatting of hard disk
When a hard disk is first made in the factory, it is usually blank. Only after partitioning tracks and sectors can we save data on the hard disk.
Advanced formatting of hard disk (high-level format)
Assign logical serial numbers to sectors (serial numbers in partition) from the cylinder that is assigned by each logical drive.
Data organization
Data storage region of HD
Data in hard disk divided into:
MBR: master boot directory. The first physical sector. BIOS or special firmware stored.
DBR: DOS boot directory. The first sector visited by the OS. Stores the boot program and the BPB (BIOS parameter block).
FAT: it is a file system. Relatively uncomplicated.
DIR: means directory, also called FDT. DIR is placed after FAT2.
DATA: stores the data.
File systems
Management of FAT32 file system
Root directory management in FAT32 partition
All files/folders in FAT32 have corresponding file entries recorded in the FDT; each file entry records important information about the file/folder. The file system of the operating system searches for and locates the corresponding file/folder according to the file information in the FDT of each partition. Under FAT32, the size of each FDT entry is 32 bytes.
FAT32 root directory management includes management of files with short and long filenames, and management of directories under the root directory.
Sub directory management
Management of sub-directory in FAT32
A parent directory may have many sub-directories, while a sub-directory has only one parent directory. Under a sub-directory of the root directory, we may create more lower-level sub-directories, thus forming a directory tree. For directories under the root directory, the entry still exists in the root directory.
File deletion
When deleting a file, the system only makes a deletion mark on this file's directory entry and marks the clusters it covers in the FAT as empty; the clusters in DATA retain the original file's contents. When data is written again, the original file content might be overwritten by new information.
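The behaviour described above can be reproduced on a small constructed volume. The following Python code is an added example, not part of the original slides; it assumes 512-byte clusters, contiguous file storage and the standard 0xE5 deletion mark in the first byte of a 32-byte entry, and the helper names (make_entry, build_volume, delete_file, recover_deleted) are hypothetical.

```python
import struct

CLUSTER = 512        # assumed cluster size for this constructed volume
DELETED = 0xE5       # first name byte of a deleted FAT directory entry

def make_entry(name83, first_cluster, size):
    """Build one 32-byte FAT32 short-name directory (FDT) entry."""
    e = bytearray(32)
    e[0:11] = name83.encode("ascii")
    e[11] = 0x20                                         # archive attribute
    struct.pack_into("<H4xHI", e, 20, first_cluster >> 16, first_cluster & 0xFFFF, size)
    return e

def build_volume():
    """Constructed sample: FDT, FAT and DATA held as separate objects."""
    content = b"quarterly figures: draft 3\n"
    fdt = make_entry("TEST1   TXT", 2, len(content)) + bytearray(32)
    fat = [0x0FFFFFF8, 0x0FFFFFFF, 0x0FFFFFFF, 0]        # cluster 2: one-cluster chain
    data = {2: content.ljust(CLUSTER, b"\x00")}          # cluster number -> bytes
    return fdt, fat, data, content

def delete_file(fdt, fat, index):
    """Deletion as described above: mark the entry, free the chain, keep DATA."""
    off = index * 32
    hi, lo = struct.unpack_from("<H4xH", fdt, off + 20)
    fdt[off] = DELETED
    cluster = (hi << 16) | lo
    while 2 <= cluster < len(fat):                       # walk and zero the chain
        fat[cluster], cluster = 0, fat[cluster] & 0x0FFFFFFF

def recover_deleted(fdt, fat, data):
    """Find 0xE5 entries in the FDT and read their contents back from DATA."""
    found = []
    for off in range(0, len(fdt), 32):
        e = fdt[off:off + 32]
        if e[0] == 0x00:                                 # no entries after this one
            break
        if e[0] != DELETED or e[11] == 0x0F:             # live or long-name entry
            continue
        hi, lo, size = struct.unpack_from("<H4xHI", e, 20)
        start = (hi << 16) | lo
        # The chain is erased, so assume contiguous storage and accept only
        # clusters the FAT still lists as free (not yet given to another file).
        run = range(start, start + -(-size // CLUSTER))
        ok = all(c < len(fat) and fat[c] == 0 and c in data for c in run)
        body = b"".join(data[c] for c in run)[:size] if ok else None
        found.append(("?" + e[1:8].decode().rstrip() + "." + e[8:11].decode(), body))
    return found
```

The first character of the name is lost to the deletion mark, so it is reported as "?". Once a freed cluster is allocated to another file, recover_deleted returns None for the body, which is why nothing should be written to the partition before recovery.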
There is a Recycle Bin in Windows. The Recycle Bin is only some space on the hard disk; the Windows system automatically establishes a folder "RECYCLED" (under the root directory of each disk partition) with the hidden attribute to temporarily save deleted files. Only when deleting them or executing the Clear command are these files completely deleted (as far as the operating system is concerned). The "Recycle Bin" we see on the desktop is only a shortcut. Next we will introduce fast deletion and complete deletion separately.
Fast deletion
Fast deletion of files just puts them into the Recycle Bin. In this situation, the data can be recovered.
Comparing the changes of FDT, FAT and DATA between before and after deletion, we can find the rules.
FDT before deleting test1.txt:
FDT after deletion:
FAT before deletion:
FAT after deletion:
Complete deletion
how complete delete.
FDT is the same as that of fast deletion.
Before complete deletion, the content of FAT is:
After deletion:
Sub directory deletion
The operating system manages sub-directories in the same way as it manages files, so the deletion methods are the same, too.
Fast deletion
Fast deletion of a sub-directory is the same as that of files. It just places a deletion mark on the beginning byte in the FDT that describes the sub-directory; all files under this sub-directory and the records of its lower-level sub-directories are not changed, that is, the sub-directory is just moved into the Recycle Bin.
Complete deletion
Complete deletion is the same as that of files.
High level formatting
Fast high level format
Complete high level format
FDT after fast high level format:
FDT before fast high level format:
Contents of sub-directory before format:
After format:
NTFS
NTFS (New Technology File System) is a proprietary file system developed by Microsoft Corporation for its Windows NT line of operating systems.
NTFS supersedes the FAT file system as the preferred file system for Microsoft Windows operating systems. NTFS has several technical improvements over FAT and HPFS (High Performance File System), such as improved support for metadata, and the use of advanced data structures to improve performance, reliability, and disk space utilization, plus additional extensions, such as security access control lists (ACL) and file system journaling.
High-level features of NTFS
Multi-data streams
Names based on Unicode
General index mechanism
Dynamic bad cluster remapping
Supports POSIX
File compression
File encryption
Disk quota
Hard link and soft link
Link tracking
Log records
Fragmentation
FAT and NTFS
FAT32
Maximum disk size: 2 terabytes
Maximum file size: 4 gigabytes
Maximum number of files on disk: 268,435,437
Maximum number of files in a single folder: 65,534
NTFS
Maximum disk size: 256 terabytes
Maximum file size: 256 terabytes
Maximum number of files on disk: 4,294,967,295
Maximum number of files in a single folder: 4,294,967,295
Matters needing attention before recovery
(1) Never operate on the partition (such as writing or creating files) where the data was lost.
(2) Please close any other application program when Data Recovery Wizard 3.0 is running.
(3) Make sure that there is no physical failure (such as a physical bad track) on the disk you are operating on. If there is any problem, please stop running Data Recovery Wizard 3.0 and send your disk to a maintenance station.
(4) Do not save the recovered files to the original partition. You need to make sure that there is enough free space to save the recovered data; you can also save your files to removable devices or network devices.
Hard recovery
Soft recovery
Advantages and disadvantages
Data recovery tools can be used to undo mistakes that you made that resulted in lost data.
Data consistency.
Digital forensics.
To successfully use a data recovery tool you will need to determine the cause of your data loss.
A simple reboot can cause the overwriting of data.
Data security.
Recovery may generate virus.
Software used for recovery
Bootable
Data recovery cannot always be done on a running system. As a result, a boot disk, Live
CD, Live USB, or any other type of Live Distro containing a minimal operating system.
BackTrack:
Boot Repair Disk -
Hiren's BootCD:
SystemRescueCD:
Consistency checkers
CHKDSK:
Disk First Aid:
Disk Utility:
File recovery
CDRoller: Recovers data from optical discs.
Data LifeSaver (now "EASIS Data Recovery"): Data recovery for FAT and NTFS file systems.
Data Recovery Wizard: Microsoft Windows file recovery utility.
Drive Vaccine: Microsoft Windows Auto Restore of files on Reboot
FileSalvage: A Mac OS X recovery program.
IsoBuster: Recovers data from optical discs, USB sticks, Flash drives and Hard Drives.
Recuva: Microsoft Windows 2000 & later, FAT and NTFS.
TotalRecovery: Microsoft Windows. Bootable backup and recover system.
TuneUp Utilities: Microsoft Windows XP & later. A suite of utilities that has a file recovery component.
Power Data Recovery: Data recovery software by MiniTool. 1GB free data recovery for personal use.
Forensics
EnCase: A suite of forensic tools developed by Guidance Software that is used for imaging
and forensic analysis for UNIX, Linux, and Windows systems.
Foremost: An open-source CLI file recovery program, originally developed by the U.S. Air
Force Office of Special Investigations and NPS Center for Information Systems Security
Studies and Research.
Forensic Toolkit: by AccessData, used by law enforcement.
Open Computer Forensics Architecture: An open-source program running on Linux.
The Coroner's Toolkit: A suite of utilities aimed at assisting in forensic analysis of a UNIX
system after a break-in.
The Sleuth Kit: Also known as TSK, The Sleuth Kit is a suite of forensic analysis tools
developed by Brian Carrier for UNIX, Linux and Windows systems. TSK includes the
Autopsy forensic browser.
