
How Data Recovery works


14 replies to this topic

#1 danibleepingcomputer

danibleepingcomputer

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:09:32 PM

Posted 24 March 2014 - 12:28 PM

Hello guys! Well, I was wondering how data recovery software gets our data back after it's deleted?

To my knowledge, when we delete data it's not a zero-level delete; it just removes the tracking information but leaves the data there, so the data recovery software tries to build back that tracking (finding or addressing) information.

 

So if the above statement is true, then data recovery software should be able to recover data as long as the data is not overwritten or deleted completely (at zero level; I mean all the stored bits, the 0s and 1s, being changed to 0).

 

Now the thing which is still not making sense is that some people have told me that they have recovered more data from a memory device than the total capacity of that memory device (say they recovered 1.8GB of data from a 1GB memory card)!!! How??? Is this really possible, or are they making a false statement?

 

If I write a file, say "A", on address { (xxxx)hex to (yyyy)hex } and then I overwrite it with another file, say "B", on that same address { (xxxx)hex to (yyyy)hex }, then is it possible, using any data recovery software in this world, that I recover the file "A"? Well, according to my knowledge that is impossible, or at least not possible. Actually I'm confused, so please help me on this topic.





#2 the_patriot11

the_patriot11

    High Tech Redneck


  • BC Advisor
  • 6,763 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Wyoming USA
  • Local time:10:32 AM

Posted 24 March 2014 - 06:46 PM

Depending on the quality of the software, you can sometimes recover data that has been written over. Usually only seen on hardware/software used by law enforcement such as the FBI, but if someone knew what they were doing you can use it for home use.



 

Primary system: Motherboard: ASUS M4A89GTD PRO/USB3, Processor: AMD Phenom II x4 945, Memory: 16 gigs of Patriot G2 DDR3 1600, Video: AMD Sapphire Nitro R9 380, Storage: 1 WD 500 gig HD, 1 Hitachi 500 gig HD, and Power supply: Coolermaster 750 watt, OS: Windows 10 64 bit. 

Media Center: Motherboard: Gigabyte mp61p-S3, Processor: AMD Athlon 64 x2 6000+, Memory: 6 gigs Patriot DDR2 800, Video: Gigabyte GeForce GT730, Storage: 500 gig Hitachi, PSU: Seasonic M1211 620W full modular, OS: Windows 10.

If I don't reply within 24 hours of your reply, feel free to send me a pm.


#3 Platypus

Platypus

  • Moderator
  • 14,502 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Australia
  • Local time:02:32 AM

Posted 25 March 2014 - 01:00 AM

It's certainly possible to finish a data recovery with more results than the storage capacity of the drive. But this will not all be valid data.

 

If a drive is filled, some content deleted then filled again and all the contents deleted, the potential content recovery will be larger than the drive capacity. If recovery software is able to identify the original locations of all the deleted files, then recreate the files using the current content of those drive clusters, each cluster can be the correct data for, at the most, only one of each of the files. (But maybe neither.) This type of recovery would inevitably produce a significant proportion of corrupted files.

 

Your assessment of being unable to recover the contents of an earlier file after it has been overwritten with the contents of a later file is correct. Recovery software could reassemble the form of the original file, but the content of the later file would be stored there, so that's what would appear. This type of recovery software relies on the recovery being done soon enough, before the original file content is overwritten by later data saves.

 

Forensic recovery is required in order to attempt to recover data that has been overwritten. Specialist software will no doubt be used by laboratories doing this, but in conjunction with equipment like a magnetic microscope. This enables examination of the magnetic domains across the entire platter surface, not just the data tracks. Two possible techniques for recovering data previously held are looking in the guard bands that exist between tracks for the extreme edges of prior data, and comparing the magnetic flux of individual bit sequences to try to determine if their state was the same or different before it was set to how it is now.

 

This process is extremely time consuming and expensive, so it's only viable to try on valuable data, either in terms of how much its loss will cost, or for crime-solving or security purposes.


Top 5 things that never get done:

1.


#4 JohnnyJammer

JohnnyJammer

  • Members
  • 1,117 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:QLD Australia
  • Local time:02:32 AM

Posted 25 March 2014 - 01:35 AM

Just think of a file deletion as removing it from the view of your screen; the linear record is more than likely still going to be in the master file table $MFT.

Just don't defrag the drive, otherwise it re-adjusts the MFT record and creates a new record. Slowly spinning the drive and looking for magnetic wave length heights, they can tell by the binary value which cluster/sector has been erased with 0's or 1's as the distortion from the platter appears.

A lot more happens than that but that's the basics, maybe add that to your school paper (that's what the question sounds like it's for lol)



#5 danibleepingcomputer

danibleepingcomputer
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:09:32 PM

Posted 25 March 2014 - 06:02 PM

What I get from you guys' replies is that it is possible to recover more data than the drive's capacity.

Well, to my mind it is possible only by the hardware reverse engineering methods you guys mentioned, but the software itself can't get the overwritten data back.

Why? Because I think whenever software calls a memory device to fetch data from an indicated address, what happens is:
The local fetch routine of that memory device responds only in one saved specific way and it cannot call the same memory location in two different hardware protocols, am I wrong?

To get data from a memory location outside its normal action we have to disassemble the memory device and put other hardware to work with that memory device, isn't it so?

But with the device's normal action no software can fetch overwritten data. To make this more simple, say I stored (1010)binary data in location (0000)binary and then I overwrote the same (0000)binary location with (0110)binary data; then tell me, could simple software fetch me back the old data (1010)binary? I don't think so.
Because each time the software now calls location (0000)binary, the data returned by the normal I/O interface routine will always be the newer data (0110)binary, because the device doesn't have any hardware inside which could further inspect whether the data in the location was changed or not.

Please don't get bothered, I just wanna get into this topic well.



#6 Platypus

Platypus

  • Moderator
  • 14,502 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Australia
  • Local time:02:32 AM

Posted 25 March 2014 - 08:32 PM

You are correct.

 

If file #1 is stored in locations a, b, c and d, then it is deleted and file #2 is stored there and deleted, recovery software can find the file records of #1 and #2 having been stored at locations a, b, c & d (as long as the file directory and other metadata is intact). But since those locations now only contain their current data, software can create two files called #1 and #2, but they will both contain the data now in locations a, b, c & d.

 

This is of course greatly oversimplified - in reality it's extremely unlikely two files would totally overlap, so unless a recovery is done before a drive's content is altered, the actual contents of a recovered file can be rather random.


Edited by Platypus, 25 March 2014 - 08:33 PM.

Top 5 things that never get done:

1.


#7 JohnnyJammer

JohnnyJammer

  • Members
  • 1,117 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:QLD Australia
  • Local time:02:32 AM

Posted 25 March 2014 - 10:26 PM

It can't overlap unless the allocation has been deleted from the MFT. Once you overwrite the sector, it creates the new MFT record. If defragging or overwriting that sector you can't get it back (not to my knowledge anyway, maybe hardcore FBI type movie style could)



#8 Platypus

Platypus

  • Moderator
  • 14,502 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Australia
  • Local time:02:32 AM

Posted 26 March 2014 - 07:54 AM

There's no point confusing the issue for the OP by debating technicalities. danibleepingcomputer has asked for help with understanding a defined scenario where the location of two files that have previously existed overlap, to confirm their understanding that the data content of the first file is lost. Certainly only crosslinked files will currently overlap, but that's not what we're discussing.


Top 5 things that never get done:

1.


#9 danibleepingcomputer

danibleepingcomputer
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:09:32 PM

Posted 26 March 2014 - 03:42 PM

How can I attach images in my post? I don't see any attachment button/option visible.



#10 hamluis

hamluis

    Moderator


  • Moderator
  • 55,758 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Killeen, TX
  • Local time:11:32 AM

Posted 28 March 2014 - 11:28 AM

Press the More Reply Options button...you will see the mechanism for attachments.

 

Louis



#11 danibleepingcomputer

danibleepingcomputer
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:09:32 PM

Posted 30 March 2014 - 12:51 AM

First of all, thanks to hamluis for telling me about this option. Thanks :)

 

Now to my post:

Thanks for explaining that much. Now maybe a more specific question:
What do you guys comment about the following question? {This question, rather than text, is a bit graphical to make it simple (see attached gif files)}

Attached File  Simple Question A.GIF   22.23KB   0 downloads

Attached File  Simple Question B.GIF   29KB   0 downloads

Attached File  Simple Question C.GIF   30.82KB   0 downloads

Thanks in anticipation.



#12 Platypus

Platypus

  • Moderator
  • 14,502 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Australia
  • Local time:02:32 AM

Posted 30 March 2014 - 04:42 AM

IMO, that's quite a good way of illustrating that recovery software will only find the contents of file B on the device.


Top 5 things that never get done:

1.


#13 danibleepingcomputer

danibleepingcomputer
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:09:32 PM

Posted 30 March 2014 - 10:46 PM

So file "A", the blue file, cannot be recovered by software only (without any hardware intervention), right???



#14 Platypus

Platypus

  • Moderator
  • 14,502 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Australia
  • Local time:02:32 AM

Posted 31 March 2014 - 01:06 AM

Correct, to the best of my knowledge.

 

A way to observe this would be to use a Hex Editor (a software tool that can directly read and write the content of absolute addresses on media like hard drives or flash media) to examine the drive location where a file is stored, delete it and store a different file there, then observe the same drive location. This would be easy to do on a small drive that can be filled with a single file. Recovery software cannot do any more with regard to accessing drive contents than can be done by a tool like a Hex Editor. There are free Hex Editors readily available to experiment with.


Top 5 things that never get done:

1.
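Added example, not part of any poster's reply: a toy Python model of the scenario discussed in posts #3, #6 and #14, where deletion only flags the file record and recovery software rebuilds files from whatever the clusters hold now. `ToyVolume`, the 4-byte cluster size and the file contents are all constructed for illustration and do not model NTFS or any real file system.

```python
# Constructed toy model: fixed-size clusters plus a file table that keeps deleted records.
CLUSTER = 4          # bytes per cluster (tiny, for readability)
N_CLUSTERS = 4       # device capacity = 16 bytes

class ToyVolume:
    def __init__(self):
        self.clusters = [bytes(CLUSTER)] * N_CLUSTERS
        self.table = []  # one dict per file: name, clusters, size, deleted

    def _free(self):
        used = {c for r in self.table if not r["deleted"] for c in r["clusters"]}
        return [i for i in range(N_CLUSTERS) if i not in used]

    def write(self, name, data):
        need = -(-len(data) // CLUSTER)  # ceiling division
        free = self._free()
        if need > len(free):
            raise OSError("volume full")
        chosen = free[:need]
        for n, idx in enumerate(chosen):
            self.clusters[idx] = data[n * CLUSTER:(n + 1) * CLUSTER].ljust(CLUSTER, b"\x00")
        self.table.append({"name": name, "clusters": chosen, "size": len(data), "deleted": False})

    def delete(self, name):
        # Only the record is flagged; the cluster contents are left untouched.
        for r in self.table:
            if r["name"] == name and not r["deleted"]:
                r["deleted"] = True

    def undelete_all(self):
        # All recovery software can do: follow old records, read the current bytes.
        out = {}
        for r in self.table:
            if r["deleted"]:
                raw = b"".join(self.clusters[i] for i in r["clusters"])
                out[r["name"]] = raw[:r["size"]]
        return out

def demo():
    vol = ToyVolume()
    file_a = b"A" * 16   # fills the whole 16-byte device
    file_b = b"B" * 12   # written after A is deleted, reuses clusters 0-2
    for name, data in (("A", file_a), ("B", file_b)):
        vol.write(name, data)
        vol.delete(name)
    recovered = vol.undelete_all()
    total = sum(len(v) for v in recovered.values())
    return recovered, total, CLUSTER * N_CLUSTERS
```

`demo()` returns 28 recovered bytes from a 16-byte device; the recovered "A" has its full original length, but its first three clusters hold B's bytes and only the last cluster still holds A's.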


#15 danibleepingcomputer

danibleepingcomputer
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:09:32 PM

Posted 02 April 2014 - 04:24 AM

That concludes my answer; thanks to all of you guys, Patriot, Platypus, JohnnyJammer and hamluis. Thank you all very much :thumbup2:





