

Data Recovery

Seminar Report

Submitted by Kelzang Tshering (EIT2011013)
Bachelor of Engineering in Information Technology
College of Science and Technology, Rinchending :: Phuentsholing
May, 2014

Abstract

In the present computer market, storage devices such as internal and external drives, USB flash drives, phone and camera memory cards, and CD/DVD media hold huge amounts of data in digital form, stored as files that occupy space on the drive. The stored data can be accidentally deleted or formatted; in either case the files are lost, and that is where data recovery is needed. Data recovery is possible because deleting a file removes only the link to it from the file system, while the file's contents remain on the storage medium.

ACKNOWLEDGEMENT

The Department of Information Technology has a system of doing seminars when we are in the second semester of the 3rd year, and it is a good idea because when we are in the final year we can concentrate solely on doing the project. I would like to acknowledge the Information Technology department and the college management for providing us the required facilities, and Mr. Tsheten Dorji, Head of the Information Technology department, for guiding me through the process of the seminar, and lastly thank all who were directly or indirectly involved in contributing to my seminar.

Table of Contents

List of Figures
Figure 1.1: Methods of overwritten data
Figure 1.2: Atomic concentration of Fe, Ni in a magnetic disk

List of Tables
Table 1.1: Software package
Table 1.2: List of forensic tools
Table 1.3: Hierarchy of files

List of Abbreviations
1. OS: Operating System
2. CD: Compact Disk
3. ROM: Read Only Memory
4. SSD: Solid State Disks

Introduction

Data recovery is the process of retrieving data from damaged secondary storage devices that are not accessible normally, or of making data or files accessible again from formatted devices. Recovery may be needed because of physical damage to secondary drives, accidentally deleted files, accidental formatting of drives, or a virus attacking the data or files.

The most common scenario is Operating System (OS) failure or accidental damage, in which case one has to copy the files to another device, and this can be done in many ways. Such scenarios can be solved easily using a LiveCD, many of which provide a means to mount the system and back up the removed media or data.

Another scenario involves disk-level failure, which includes a compromised file system or disk partition, or hard disk failure. In any of these cases reading the data is not easy. Depending on the situation, solutions involve repairing the file system, partition table or master boot record, or hard disk recovery techniques ranging from software-based recovery of corrupted data, hardware-software based recovery of damaged service areas (also known as the hard drive's "firmware"), to hardware replacement on a physically damaged disk.

In a third scenario, files have been "deleted" from a storage medium. Typically, the contents of deleted files are not removed immediately from the drive; instead, references to them in the directory structure are removed, and the space they occupy is made available for later overwriting.
In the meantime, the original file contents remain, often in a number of disconnected fragments, and may be recoverable.

LITERATURE REVIEW

It has to be made clear to a person that deleting a file from the recycle bin does not delete it permanently; it only removes the file from the listing, while the data remains on the drive until the space is reused. Because files are not deleted permanently, personal files may be disclosed to others and identity theft can easily occur. One research paper reports that "of the fifty-five hard drives studied approximately 300,000 files contained identifiable information". Identity theft is one of the largest risks affecting a person who leaves information on the computer after deleting it from the recycle bin; it leads to credit denial and affects the ability to obtain loans and credit. To understand the risk of hard drive disposal completely, one should know how a hard drive works, including how data is written, deleted and stored on the drive.

Files that are sent to or deleted from the recycle bin or trash are recoverable. When a file is deleted using the "delete" or "move to trash" function of the Operating System, to save time the Operating System deletes only the pointer to the file's location (its path) from the hard disk, and then erases the path by labeling the corresponding clusters in the file allocation tables as "free space". Data can be recovered using available programs: most programs search the "free space" and slack space, while others search unallocated space, meaning space the operating system does not recognize as part of a partition. Other methods available are removing the read/write head and using specialized hardware to scan the surface, and erasure programs. Table 1.1 shows erasure programs which can be purchased at a very cheap rate from a computer store or online from websites such as Amazon.com and eBay.
Name of software package | Cost for single-user license
Symantec's Norton Utilities | $50-$80
Directory Snoop from Briggs Software | $39.95
Recover My Files from GetData | $70
WinHex | $50-$200 depending on features
EasyRecovery from Ontrack | $200-$325 depending on features
ProDiscover Basic from Technology Pathways | $995

Table 1.1: Software package (B. Dawn Medlin & Joseph A. Cazier, A Study of Hard Drive Forensics on Consumers' PCs: Data Recovery and Exploitation)

The authors of that study recovered data from hard disks and found that the drives contained biodata, phone numbers, addresses, bank account details and medical reports. Such data are potential threats, and to protect against them they recommend Secure Erase to delete files rather than the delete function of the system. The software has to be purchased at a reasonable rate, but there is also an open source alternative called "Darik's Boot and Nuke" (Jones, 2005).

PHYSICAL DAMAGE

There is a wide variety of physical damage, and physical damage always causes loss of data. CD-ROMs can fail because the metallic substrate or dye layer is scratched off, hard disks can fail because of several issues such as head crashes and failed motors, and tapes can be easily broken. Physical damage can also cause the logical structure of the file system to be damaged as well. Physical damage is normally difficult for end users to repair. For example, opening a hard disk drive in a normal environment can allow airborne dust to settle on the platter and become caught between the platter and the read/write head, causing new head crashes that further damage the platter and thus compromise the recovery process. Generally, end users are not expert enough to recover the data.

RECOVERY TECHNIQUES

Data recovery from physically damaged hardware involves different techniques. Some damage can be repaired by replacing parts of the hard disk, and the disk is then usable to some extent, but logical damage may still exist.
To recover an image of the drive's surface, a specialized disk-imaging procedure is used; the image is then saved to a reliable medium, and the saved image is analysed for logical damage, which may help in reconstructing the original image or data. The tools, techniques and methodologies of electronic investigation, gathering and analysis have been tried and proven and are accepted in many countries. While recovering the data, the integrity of the original media must be maintained throughout the entire investigation. Table 1.2 shows the important forensic tools.

Tool | Platform | Nature
Drivespy | DOS/Windows | Inspects slack space and deleted file metadata.
EnCase | Windows | Features sophisticated drive imaging and preview modes, error checking and validation, along with searching, browsing, timeline and registry viewer. Graphical user interface. Includes hash analysis for classifying known files.
Forensic Toolkit | Windows | Graphic search and preview of forensic information, including searches for JPEG images and Internet text.
ILook | Windows | Handles dozens of file systems. Explorer interface to deleted files. Generates hashes of files. Filtering functionality. This tool is only available to US government and law enforcement agencies.
Norton Utilities | Windows | Contains tools useful for recovering deleted files and sector-by-sector examination of a computer's hard disk.
The Coroner's Toolkit | Unix | A collection of programs used for performing post-mortem forensic analysis of Unix disks after a break-in.
X-Ways | Windows | Disk cloning and imaging; native support of NTFS, FAT, Ext2/3/4, CDFS, UDF; complete access to disks, RAIDs and images more than 2 TB in size; various data recovery techniques and file carving; gathering slack space, free space, inter-partition space and generic text from drives and images; mass hash calculation for files (CRC32, MD4, ed2k, MD5, SHA-1, SHA-256, RipeMD, etc.).
TASK | Unix | Operates on disk images created with dd. Handles FAT, FAT32, NTFS, Novell, Unix and other disk formats. Analyzes deleted files and slack space, and includes a timeline toolkit. Built on The Coroner's Toolkit.

Table 1.2: List of forensic tools (Bhanu Prakash Battula, B. Kezia Rani, R. Satya Prasad & T. Sudha, Techniques in Computer Forensics: A Recovery Perspective)

HARDWARE REPAIR

A damaged printed circuit board (PCB) cannot simply be replaced on newer hard drives: the hard drive has a particular area called the System Area, which is not accessible to the end user and contains adaptive data that helps the drive operate within normal parameters. One function of the System Area is to log defective sectors within the drive, which tells the drive where data can be written and where it cannot. This sector information is stored in chips attached to the PCB, and each hard drive has its own unique sectors. If the data stored on the PCB does not match the data on the platters, the drive is not calibrated properly.

LOGICAL DAMAGE

Logical damage means the problem is not with the hardware; software-level solutions are needed instead.

Corrupt partitions and file systems, media errors

In some cases the data on drives cannot be read because of damage to the partition table or file system, or because of media errors. In most cases the lost data can be recovered by repairing the damage to the file system or partition tables using specialized recovery software such as TestDisk; software like ddrescue can image media despite intermittent errors, and can image raw data when there is partition table or file system damage. This kind of recovery can be done by normal users without expertise. Sometimes data can be recovered using simple tools, while more severe cases require tools devised by experts, particularly if the data appears irrecoverable. Data carving is the process of recovering data from drives using knowledge of the structure of the files.

OVERWRITTEN DATA

When data is physically overwritten on the hard disk, it is assumed that the previous data cannot be recovered.
The computer scientist Peter Gutmann, in one of his research papers, says that overwritten data can be recovered using a magnetic force microscope. Although Gutmann's theory may be correct, there is no practical evidence that overwritten data can be recovered, while research has shown support for the view that overwritten data cannot be recovered. Figure 1.1 shows the methods of overwriting data.

[Figure 1.1: Method of overwritten data]

REMOTE DATA RECOVERY

It is not necessary for the experts to access the damaged hard drive physically; data can be recovered by software techniques, which can be used remotely from a different computer at a different location through the Internet. Remote recovery needs a stable connection with sufficient bandwidth, but remote recovery is not applicable to cases that require access to the hardware.

Phases of Data Recovery

Data recovery has four phases; each phase stands for a different level and range of data recovery capabilities. Each phase requires different HDD repair tools and data recovery tools, and each phase must be completed properly for the recovery to succeed.

Phase 1: Repair the hard drive.
Phase 2: Image the drive to a new drive.
Phase 3: Logical recovery of files, partitions, MBR and MFT.
Phase 4: Repair the damaged files that were retrieved.

TYPES OF ATTEMPTS IN DESTROYING FILES

Modern computer systems contain an assortment of data, including the OS file system, application programs, and user data stored in the file system. Table 1.3 shows the hierarchy of the file system.

Level | Where found | Description
Level 0 | Regular file | Information contained in the file system. Includes file names, file attributes, and file contents. One can directly access them.
Level 1 | Temporary files | Temporary files, including print spooler files, browser cache files, files for "helper" applications, and recycle bin files. Most users either expect the system to automatically delete this data or are not even aware that it exists. Note: level 0 files are a subset of level 1 files.
Level 2 | Deleted file | When a file is deleted from a file system, most operating systems do not overwrite the blocks on the hard disk that the file is written on. Instead, they simply remove the file's reference from the containing directory. The file's blocks are then placed on the free list. These files can be recovered using traditional "undelete" tools, such as Norton Utilities.
Level 3 | Retained data blocks | Data that can be recovered from a disk, but which does not obviously belong to a named file. Level 3 data includes information in slack space, backing store for virtual memory, and level 2 data that has been partially overwritten so that an entire file cannot be recovered. A common source of level 3 data is disks that have been formatted with the Windows Format command or the Unix newfs command. Even though the output of these commands might imply that they overwrite the entire hard drive, in fact they do not, and the vast majority of the formatted disk's information is recoverable with the proper tools. Level 3 data can be recovered using advanced data recovery tools that can "unformat" a disk drive, or special-purpose forensic tools.
Level 4 | Vendor hidden blocks | This level consists of data blocks that can only be accessed using vendor-specific commands. This level includes the drive's controlling program and blocks used for bad-block management.
Level 5 | Overwritten data | Many individuals maintain that information can be recovered from a hard drive even after it is overwritten. We reserve level 5 for such information.

Table 1.3: Hierarchy of files (Bhanu Prakash Battula, B. Kezia Rani, R. Satya Prasad & T. Sudha, Techniques in Computer Forensics: A Recovery Perspective)

The most common ways of damaging hard drives include:
- Physically destroying the drive, rendering it unusable.
- Degaussing the drive to randomize the magnetic domains, most likely rendering the drive unusable in the process.
- Overwriting the drive's data so that it cannot be recovered.

CONCLUSION

The techniques discussed in this paper play a vital role, and each technique has its own advantages and drawbacks. We also discussed the importance of recovery and how data is recovered. Deleting a file from the computer does not mean it is deleted from the hard drive, and one should not assume that it cannot be recovered.
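The deletion mechanism described in the Literature Review (only the pointer is removed and the clusters are marked free) and the Level 2 and Level 3 recovery of Table 1.3, as an added Python model that is not part of the original report: a toy FAT-like volume in which delete unlinks the entry, undelete reads the first cluster and size the flagged entry still remembers, carving finds the file by its header and footer signature after the directory is gone, and a new file reusing a freed cluster leaves only a fragment behind. The cluster size, the JPEG-like signature bytes and the "account" string are constructed sample values.

```python
CLUSTER = 16          # bytes per cluster (toy size; real volumes use 512 B to 32 KiB)
FREE, END = 0, -1     # allocation-table values: unallocated / last cluster of a chain

class ToyVolume:
    """A tiny FAT-like volume: data area, allocation table and directory."""
    def __init__(self, clusters):
        self.data = bytearray(CLUSTER * clusters)
        self.fat = [FREE] * clusters        # next-cluster link for each cluster
        self.dir = {}                       # name -> [first_cluster, size, deleted]
    def write(self, name, payload):
        needed = -(-len(payload) // CLUSTER)                  # ceiling division
        chain = [i for i, v in enumerate(self.fat) if v == FREE][:needed]
        if len(chain) < needed:
            raise OSError("volume full")
        for n, c in enumerate(chain):
            chunk = payload[n * CLUSTER:(n + 1) * CLUSTER]
            self.data[c * CLUSTER:c * CLUSTER + len(chunk)] = chunk
            self.fat[c] = chain[n + 1] if n + 1 < len(chain) else END
        self.dir[name] = [chain[0], len(payload), False]
    def delete(self, name):
        """OS-style delete: flag the entry and free its chain; the bytes stay."""
        entry, c = self.dir[name], self.dir[name][0]
        while c != END:
            nxt, self.fat[c] = self.fat[c], FREE
            c = nxt
        entry[2] = True
    def undelete(self, name):
        """Level 2: the flagged entry still holds first cluster and size; read them."""
        first, size, _ = self.dir[name]
        return bytes(self.data[first * CLUSTER:first * CLUSTER + size])
    def carve(self, header, footer):
        """Level 3: ignore the directory, find the file by header/footer signature."""
        start = self.data.find(header)
        stop = self.data.find(footer, start) if start >= 0 else -1
        return None if stop < 0 else bytes(self.data[start:stop + len(footer)])

def demo():
    v = ToyVolume(8)
    secret = b"\xff\xd8" + b"account 1234-5678 " * 2 + b"\xff\xd9"   # constructed JPEG-like file
    v.write("photo.jpg", secret)
    v.delete("photo.jpg")
    undeleted = v.undelete("photo.jpg")            # intact: only the pointer went away
    v.dir.clear()                                  # quick format: directory gone, data not
    carved = v.carve(b"\xff\xd8", b"\xff\xd9")     # still found by its structure
    v.write("note.txt", b"grocery list")           # new file reuses the first freed cluster
    return {"undelete_ok": undeleted == secret, "carve_ok": carved == secret,
            "carve_after_reuse": v.carve(b"\xff\xd8", b"\xff\xd9"),   # header overwritten
            "fragment_left": b"account 1234-5678" in v.data}         # but data survives
```

Once the header cluster is reused the signature carver no longer finds the file, yet the identifiable string is still on the volume, which is exactly the Level 3 situation the table describes.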