The Relationship between Data Recovery and Computer Forensics

Data Recovery & Computer ForensicsData Recovery is a process of recovering the data from hardware or software components after various data disasters. Data access becomes void after some disaster and special data recovery techniques are usually needed to access this lost data again.

Computer forensics, also called cyber forensics, is the application of computer investigation and analysis techniques to gather evidence suitable for presentation in a court of law. The goal of computer forensics is to perform a structured investigation while maintaining a documented chain of evidence to find out exactly what happened on a computer and who was responsible for it. A computer can be the target of the crime, it can be the instrument of the crime, or it can serve as an evidence repository storing valuable information about the crime. Moreover the hard disk is the core carrier of all important information. In some sense, hard disk is a very precise micro-computer. Only with the normal running of the micro-computer, can we access to the OS,

Data recovery can be a vital aspect of Forensic Examinations since some drives may be corrupt and impossible to image.

The reasons which cause the hard drives corruption/impossible to image:

1. Logical Malfunctions:
• Accidental Disk Format
• File Deletion
• Partition loss or corruption
• Lost or Missing files and folders
• Re-formatted or re-partitioned drive

2. Physically Malfunctions:
• PCBA malfunction
• Motor/bearing failure
• Parking element failure
• Platter surface scratch
• Head Problem
• FW problem

How to using data recovery skills & tools to assist computer forensics work?

1. To the Logical Disk Crash problems: there are many famous computer forensics software in the market, such as Encase, X-Ways, FinalForensic, F-Response and so on. They are very good at data retrieval, analysis, auto-report and data archiving. With the development of science they will be more professional.

2. To the Physically Bad Hard Disk problems:

PCBA malfunction: You just need to find an identical donor hard drive which has the same model number, at least first 3 digits of Serial Number and PCBA version number, the best the motor number. And then swap the PCBA by using professional tools, such as ACE: PC-3000; SalvationDATA: HD Doctor Suite, etc.

Motor/bearing failure: You can exchange the platters and head stack to the hard drive which has good motor/bearing by using the professional tools. In my opinion the HD HPE PRO is the best choice. You also need to find the identical donor hard drive.

Parking element failure: Exchange the failed head stack with a donor hard drive by using HD HPE PRO.

Platter surface scratch: Bad sectors are a common problem we faced during traditional imaging. It will cause system death, HD irresponsive, even directly destroyed during image process. To the problem, you should use the disk imaging tools, such as: ACE: UDMA DE; SalvitonDATA: Data Compass; DeepSpar: Disk imaging, etc. These tools can help you retrieve the data from partially damaged bad sectors.

Head Problem: The head stack is totally damaged: You should swap the head stack with a donor hard drive by using HD HPE PRO.

FW problem: ACE: PC-3000; SalvationDATA: HD Doctor Suite can help you repair the damaged firmware or the firmware module disorder.

Read More

CD Optical Storage Glossary of Computer Terms (Letter A)

Access time
In mass storage devices, the time elapsed to read or write to or from a device.

Additive color system
A color reproduction system in which images are reproduced by mixing appropriate amounts of red, green, and blue lights.

Animation
A synchronized sequence of graphics that conveys action.

Antialiasing
The process of reducing the visibility of jagged edges by using gray scale pixel values to smooth and feather contrasting intersections of bitmapped objects.

Application
A computer program written for a specific purpose.

Aspect ratio
The ratio of width to height of an image. The standard aspect ratio of broadcast television and most computer displays is 4:3. The 35mm slide standard is 3:2.

Asymmetric system
A video system that requires more equipment to store, process, and compress a digital image than it needs to decompress and playback. Intel’s DV I and Phillips/Sony’s CD-I systems are asymmetric in full fidelity mode.

Audio track
A CD- DA track with digital audio samples encoded as 16 bit numbers.

Audio
Sound portion of a video signal. or separate sound used to; annotate objects on frames including text, graphics, animation and still images.

Authoring language
A high- level programming language using English or mnemonics and simple commands specifically designed for developing multimedia applications. Often included as a subset of an authoring system.

Authoring system
A software product designed to allow users without specific programming skills to develop and test multimedia applications.

Averaging
The process of smoothing the selection or image by averaging the values of the surrounding pixels over a specified radius.

Read More

RAID Array & Server Glossary of Computer Terms (Letter U)

Usable storage capacity
Disk array capacity that is usable for data storage (vs. for mirroring or parity data). For example, under mirroring (RAID 1 and 0/1), usable storage remains a constant fifty percent (half of storage is always used for redundancy). This is in contrast to other RAID levels such as RAID 5, in which usable storage capacity is determined by the formula of “n-1”. “n” is the total number of disk drives and “1” is the number of disks worth of capacity used for parity (redundancy) overhead. So, as the number of disks in the array grows, the usable storage capacity percentage increases in relation to parity (redundancy) information.

Read More

RAID Array & Server Glossary of Computer Terms (Letter W)

Write-Back Cache
A caching strategy whereby write operations result in a completion signal being sent to the host operating system as soon as the cache (not the disk drive) receives the data to be written. The target disk drive will receive the data at a more appropriate time in order to increase controller performance. An optional cache battery backup can be used to protect against data loss as a result of a power failure or system crash.

Write-Through Cache
A caching strategy whereby data is written to the SCSI drive before a completion status is returned to the host operating system. This caching strategy is considered more secure, since a power failure will be less likely to cause loss of data. However, a write through cache results in a slightly lower performance.

Warm swap
The ability to remove and replace a disk drive while the power is on. All bus activity must be paused (usually done through a utility within the array management software) to maintain data integrity during removal or replacement. Typically used when hot swap is not supported by the server or storage enclosure drive tray.

XOR
Exclusive “Or”, a computer language function that generates parity in RAID systems; “this or that but not both

Read More

RAID Array & Server Glossary of Computer Terms (Letter T)

Terminator
A part used to end a SCSI bus.

Termination
A method of matching transmission impedance of a bus to eliminate signal reflections from the physical ends of the bus.

Throughput
The number of I/O requests satisfied per unit of time (usually per second).

TPC-C, Tpm-C

The Transaction Processing Performance Council (TPC) is a standards organization that measures transaction throughput of systems. One of their benchmarks is Tpm-C, which reflects price and performance metrics. TPC-C reflects new order transaction rate, a benchmark for transaction speed. Mylex products have won consistently high TPC-C results.

Transfer Rate
The rate at which data moves between the host computer and storage, input, or output devices, usually expressed as a number of characters per second.

Read More

Mac File Recovery

Mac is a series of personal computer designed, developed, manufactured, and marketed by Apple™ which uses its own designed and developed operating system called MAC OS. The original Mac used “Motorola” and “IBM” processors, however recently they have launched their new hardware based on Intel x86 processors. The Mac OS which is used natively on Mac hardware was originally known as “System Software,” the current version of Mac OS is Mac OS X which has been code named like puma, jaguar, panther, tiger and leopard.

Mac OS X saves data using HFS and HFS+ (Extended and Journaled) file system; like all other platforms, Mac users also face data loss, some of the most common causes for data loss which are supported at Disk Doctor Labs have been indicated below.

What are the Symptoms of a Data Device Failure?
Your data device might be displaying any one of the symptoms listed below. This can be due to physical damage to the storage device or logical corruption to the file system or operating system. Below, we have listed many of them.

• Mac Machine won’t boot
• Clicking sound heard from device
• Hard disk drive not spinning up
• Electronics controller card is damaged
• Smoke was observed / smelled
• Virus attack has corrupted the file system
• Accidentally deleted files / directories
• Accidental reformatting of partitions
• Missing or deleted partitions
• Applications are unable to run or load data
• Device firmware has become corrupt
• Hard disk drive components failure
• Fire or water damage
• Inaccessible drives / partitions

What are My Data Recovery Options?
Disk Doctors’ has been serving Mac users as well as printing, graphics design, animation, and entertainment industries that mostly use Mac platforms.

If your device has displayed any of the symptoms listed above, then you may consider any of the following recommendations.

DIY (Do It Yourself):
Although data storage devices in most of the Mac laptops and desktops are not easily accessible, but if one is technically savvy and comfortable in handling the data storage devices, and sure about physical fitness of their data storage device, then they can download demo versions of recovery software to determine whether the issue could be addressed using a recovery utility before spending money to purchase the software. If this helps, then more power to you.

Note: Data storage devices in most Mac machines are not easily accessible; and any attempt trying to get the hard disk drive out may result in unnecessary damage to the machine itself. Therefore, we do not recommend this solution to most; as we have observed the situations getting out of hand while attempting DIY quite often mostly due to inexperience. And often destroying any chances of future recovery attempts.

Get Professional Help:
If your data is vital, then seeking professional help to recover is the only way to go about it. Professional help includes only well established and reputed data recovery companies with a proven track record.

How Much Data Recovery Would Cost?
The recovery cost for a single Mac hard disk drive with HFS or HFS+ can run a wide range (anything from $350 to $3000 depending upon the nature of problem).

Read More

Guideline for Diagnostics – Data Recovery

This is intended to be a guideline for determining whether a hard drive is failing physically or if the drive is a candidate for software recovery by technicians in the field.

There are many commercial utilities that will allow users or qualified technicians to recover data from a hard drive that is otherwise inaccessible. Commercial utilities work with varying degrees of success. The question to be asked is when is it a good idea to use these utilities versus when is a good idea to send the hard drive to Data Recovery Group?

The first step is to determine if the hard drive is functioning. If the hard drive is functioning properly it should be recognized in the CMOS and you should be able to boot the system from another media source, such as a floppy, CD-ROM, or another hard drive. If there are any BIOS errors when attempting to boot the system the hard drive has malfunctioned and needs to be sent to Data Recovery Group. If during the boot process the system is unable to boot from an alternate media source, this is another indication that hard drive is malfunctioning. Further attempts to boot the system could seriously reduce the likelihood of a successful data recovery.

If the system can be successfully booted the next step is to attempt to run the data recovery utility. Most utilities work in the same way. The first step the data recovery utility performs is to scan the drive to locate the file system components. Most utilities will display this scan with some type of progress meter. It is necessary to monitor progress and to stay with the hard drive while the utility is operating. If the hard drive starts to make unusual noises stop the scan immediately and power down the computer. The hard drive will need to be sent to us. Another thing that needs to be watched is the rate of progress for the utility. Usually there will be a count of sectors read. The count should steadily increase and it should not stop. If the count or progress does stop the scan should be terminated and the computer powered down. Failure to stop could jeopardize the likelihood of a successful data recovery. The hard drive should be sent to Data Recovery Group.

If there are any signs that the hard drive is failing physically, it is important that software data recovery utilities not be used on the hard drive. Hard drives usually fail gradually and this failure process will be accelerated during a full scan of the hard drive necessary for most data recovery utilities to recover the data.

It is important to read the instructions provided with any data recovery utility you may use on a hard drive. It is important that if you can complete a scan of the failing hard drive that the recovered files are not saved back to the hard drive you are trying to recover. It is possible o save recovered files on the source drive and if this occurs the recovered files could overwrite other files you are trying to recover.

In conclusion, it is very important to determine if a drive has any physical failure before attempting to recover the data using a utility. Data Recovery Group has received many hard drives from customers where the data could have been recovered had we received the drive right after the original failure. Repeated attempts to recover the data with software rendered the drive useless and the data not recoverable.

Read More

Top 10 About Data Recovery

1. Top 10 disaster recovery tips
This week Stephen Owen, EMEA product manager at Adaptec, runs through the basic steps for ensuring that IT disaster doesn’t entail doom for your business.Disaster recovery is one of those things that can make or break a company.

The majority of firms that suffer a disaster without a recovery plan go out of business within two years, according to research. But even the simplest check list can give you a much better chance of a happy outcome.

2. Top 10 Hard Drive Recovery Services
If your hard drive makes noises, is unable to read data or you need to recover your valuable data,shut down the computer, remove the hard drive, and call any of these data recovery services.

3. Top 10 data loss disasters of 2008
Data recovery firm Kroll Ontrack has announced its fifth annual data disaster league, featuring the top 10 worst data mishaps from 2008.

A video of the top five data disasters has also been produced by the firm.

The annual global list consists of real data loss situations compiled by engineers from the firm’s 32 offices worldwide, who have helped users to recover data.

“No matter how stringently you protect your data with encryption and back-ups, there’s little you can do when your laptop goes for a swim,” said Phil Bridge, managing director of Kroll Ontrack UK.

“Previous list-topping incidents include ant and cockroach invasions, a dirty sock encasing a hard drive, and the weight of an aeroplane driving over a laptop.”

4. Top 10 things you must read about Disaster Recovery/Business Continuity and VMware
Disaster recovery can often be painful and difficult to setup but is usually a necessity in large corporate environments. Implementing a proper DR strategy can always be challenging but fortunately virtual servers can simplify your DR implementation. Often some companies use a few virtual servers as a lower cost alternative to many physical servers at their DR sites. There are many different methods and approaches to implementing DR in virtual environments and based on your requirements you may use either one or a combination of these methods. There are also many vendors that offer products to help you replicate data between your main and DR sites. This top 10 list covers the many types of implementation stategies that can be used with DR as well as some of the 3rd party products that can help you with this. It mostly consists of VMworld presentations where an entire track is devoted to disaster recovery and business continuity.

5. Top 10 most unusual data recovery jobs this year
Kroll Ontrack is a company specializing in recovering our all important data from hard drives that have suffered some form of accident. Some of the accidents come under the heading of “Bizarre,” and the company has been kind enough to release a list of its top 10 most unusual recoveries.

6. Data-recovery firm reveals top client mishaps
Ant infestations, oil saturation and failed parachute jumps are some of the unusual fates which have befallen innocent data-storage devices recently, according to data-recovery company Kroll Ontrack’s list of the most unusual recovery jobs it has faced in the last year.

7. Top 10 Reasons for Using Disk-based Online Server Backup and Recovery
Data protection solutions that combine the latest advancements in disk-based backup with secure, integrated online technologies offer small and medium-sized businesses (SMBs) fast and assured data protection.

8. Top 10 FREE Data Recovery Software
Recently there is a discussion in forum about data recovery. I am quite surprised to know that many people don’t think that data recovery software works. In my experience, it does work and it saved my @$! many times after accidentally deleting important files or after formatting a hard drive and forgot to backup some files. There was only once, I wrongly formatted my external hard drive and somehow I wasn’t able to get back all my files. I have 7 external hard drives, all same casing and no label. I guess the reason I wasn’t able to get back my files is because I might have copied some files to the hard drive.

9. Top 10 Data Recovery Bloopers
1. People Are the Problem, Not Technology

Disk drives today are typically reliable – human beings aren’t. A recent study found that approximately 15 percent of all unplanned downtime occurs because of human error.

10. Top 10 Free Computer System Recovery Tools
Your data’s trapped on a dead computer. You lost your login password. You never wrote down the product key on a non-working Windows installation. Your Mac won’t start.

11. Top 10 data backup news stories and tips
The top 10 data backup news stories of the year are listed below along with related expert advice. Some of the backup topics that we’ve been following this year include data deduplication, backup as a service, remote backup, tape transport and bare-metal restore.

Read More

7 Ways to Minimize Tape Failure

Tape backup is still the most frequently used backup method for business users because of its cost-effectiveness per megabyte of data, despite the increasing popularity of recordable CDs and DVDs. However, just like any technology, tape drives, backup tapes and tape backup software can fail.

There are ways to minimize the chances of a tape backup’s failing in the first place. Here are a few tips:

1. Verify your backups. Most backup software will automatically do a quick “read-after-write” verification and will offer optional full verification. The latter is both more thorough and more time-consuming, roughly doubling the backup time, but if your files are crucial, it makes sense to do a full verification regularly.

2. Store one backup tape off site. This will ensure your files are preserved if your site experiences a fire, flood or other disaster. Some companies swap backup tapes with other offices. With some smaller businesses, it often makes sense for one employee to take the backup tape home with him. Another option is using an off-site storage firm that provides fire-protected storage facilities for print and digital media as well as tape.

3. Store your tapes properly. With backup tapes on site, keep them stored in a stable environment, without extreme temperatures, humidity or electromagnetism. Do not, for instance, store the tapes in a safe on the opposite side of the wall from a large generator, whose electrical fields can wreck havoc with the data on them.

4. Rotate tapes. Use more than one backup tape. Instead of using the same tape time after time, rotate through multiple tapes. You can use any of a number of different systems for this. With the odd/even system, you use one tape on one day, a second tape the next day; reuse the first tape on day three, and so on. With the five-day rotation system, you use a different tape for each day of the workweek.

5. Track the “expiry date.” Backup tapes are typically rated to be used from 5,000 to 500,000 times, depending on the type of tape. Tape backup software typically will keep track of the tapes, regardless of the rotation system.

6. Maintain your equipment. Clean your tape backup drive periodically, following directions in its manual regarding frequency. Consider having an authorized maintenance person from the manufacturer of the tape backup drive or from a third-party repair firm check the alignment of the drive every 12 to 18 months. Most businesses just send the drive back to the manufacturer when it begins to have problems, but if a drive has problems, so can the backup tapes.

7. Do regular checkups. Periodically test the backup tapes and restore procedures. You can, for instance, restore the data on them to a different server or to a different partition or folder on the same server where the original information is stored.

At the end of the day, never assume your back up technology will never fail. It’s just as prone to failure as any other technology. Proper maintenance and testing of your tape

technology will mean when threats outside your control jeopardize your data, you can turn to your back ups with confidence and get your business running again smoothly. About

the author: Doug Owens is managing director of CBL Data Recovery Technologies’ San Diego laboratory.

Read More