As a card-carrying computer geek, I often get calls from friends or family members regarding lost computer data. Sometimes the data has been accidentally erased. Sometimes it has been damaged by a virus. Sometimes the hard drive itself is the problem. Whatever the cause of the problem, the one constant is that people who are not IT professionals never back up their data.
Since I have been doing so much data recovery lately, I decided to write a series of articles on the subject. These articles will discuss the techniques I use on a regular basis. This article will discuss what to do when data loss occurs, when data recovery is and isn't possible, and how data recovery works.
Although the data recovery process itself can sometimes be complicated, the idea behind the process is simple. Data recovery is possible because a file and information about a file are two different things, stored in two different places. The Windows operating system uses a file allocation table to keep track of which files are on the hard drive and where those files are stored.
The best analogy to describe the way a hard drive's file system works is to compare it to a book. The file allocation table is like the book's table of contents. The actual files on the hard drive are like individual pages in the book.
To illustrate how the data recovery process works, let's take this analogy one step further. Say you need to install a new kitchen sink, so you buy a book on home improvement. You open the book and the table of contents tells you that the chapter on installing a kitchen sink starts on page 40. If you rip the pages containing the table of contents out of the book and shred them, have you lost the information on installing a kitchen sink? Of course not. The chapter on installing a sink is still in the book, it's just going to be harder to find since you no longer have a table of contents.
Data recovery works the same way. Often when data needs to be recovered, it is only the file allocation table that is messed up. The actual file that needs to be recovered may still exist on your hard drive in perfect condition. If the file still exists, is undamaged, and is not encrypted, it can be recovered. All you have to do is to find it.
On the other hand, if the file itself is damaged or missing or encrypted, recovery through normal means is impossible. That doesn't mean recovery is impossible, only recovery through the usual means. You can't magically recover what isn't there.
If a file physically damaged, your only hope of recovering it without a backup is to reconstruct the file. Many applications, such as Microsoft Office, place uniform headers at the beginning of files to designate that the file belongs to that application. Some utilities can be used to manually reconstruct file headers so that at least a portion of the file can be recovered.
In many cases, data loss is related to the file allocation table rather than to the data itself. A perfect example of this is what happens when you delete a file. When you delete a file, it is normally moved to the recycle bin. But if you delete a file from the recycle bin or remove it in such a way that causes it to never be placed in the recycle bin, the actual file is not deleted.
Instead, the operating system changes the first letter of the file name in the file allocation table to a sigma sign (older file systems used a question mark). The operating system also writes zeros to cluster chain entries within the file allocation table as a way of showing that the disk space previously used by the file is still available. When a file is erased in this manner, the file itself still exists until another file overwrites the area of the hard disk that was previously used to store the file that has been erased.
I have talked about how the process of erasing a file works, but a similar concept also applies to formatting a hard disk, or to corruption of the file allocation table. In any of these cases, the files still exist, they have simply been removed from the file allocation table (or renamed to something that Windows is designed to not display).
Recovering deleted data
Now that I have discussed what happens when a file is erased, let's talk about the recovery process. It has been my experience that when someone erases a file that they really need to get back, the first thing that they do is to install a data recovery utility. In reality though, this is the worst thing that you can do. Remember, the deleted file still exists on your hard drive, but the operating system has flagged the space occupied by the file as being available. This means that if files are written to the hard disk (such as occurs when you install a recovery utility), then there is a good chance that the file that you are trying to recover could be permanently overwritten.
It's worth noting that installing a data recovery utility isn't the only thing that can cause a deleted file to be permanently lost. Normal use of a PC results in frequent file I/O operations, many of which have the potential to make deleted files non recoverable.
If you are serious about recovering lost data, then the first thing that you should do is to turn off the computer and remove the hard drive. Next, take a spare hard drive (maybe an old one that's too small for day to day use), install it into your computer, and install Windows. Unless the data loss was the result of a viral infection, I don't recommend installing any anti virus software as doing so can sometimes interfere with data recovery.
Once you have Windows running using the spare drive, go ahead and install your data recovery utility. Next, shut the computer down and install the drive that contains the data that you are trying to recover, and install another blank hard drive of equal size. Boot the system and then do a sector by sector copy (not a file copy) from the drive containing your deleted data to the empty drive. When the copy process completes, shut down the computer and remove the drive that contains the original copy of your deleted data. You are now ready to begin the data recovery process.
There are two reasons why I recommend copying the drive prior to attempting a recovery. First, you never want to attempt a recovery on your PCs original drive. If you work directly with this drive, then there are no second chances if you make a mistake. If you are working with a copy though, and you make a mistake, you can always make another copy. The other reason why you should work off of a copy rather than the original drive is because if hard disk corruption is the cause of the data loss, there's a good chance that the corruption will spread. As such, it is critical that you minimize your use of the corrupt drive to avoid further data loss.
Not that you know a bit about the science behind data recovery, I can demonstrate some actual data recovery techniques in the articles to come.
About the author: Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. He has served as CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. He writes regularly for SearchWinSystems.com and other TechTarget sites.