Surviving a home data disaster: How Shirley got her files back

Recovering 736 missing digital images can be arduous -- and expensive

1 2 3 4 5 6 7 Page 2
Page 2 of 7

The defragmentation process realigns all pieces of each file so that the constituent parts are contiguous on disk. It does this by moving the data from the old locations to new, contiguous sectors. That increases the chance of recovery for two reasons. First, it's more likely that deleted files will still be in contiguous sectors.

clear.gif
clear.gif
 
clear.gif
Tip:  Defragmenting your disk drive regularly can increase chances for recovery when data loss occurs.
clear.gif
 
clear.gif
clear.gif

Second, defragmentation offers another possible route to file recovery, because it doesn't overwrite the data in the old sectors. Instead, the file system simply releases those locations as free space. If a file or any part of it has been damaged, it may be possible to search for and find a copy that was left behind when the disk was defragmented.

Of course, this assumes that the old sectors haven't been overwritten and that you defragmented the disk drive before -- not after -- the file loss occurred. Doing so after the fact could be disastrous.

The signature search technique for repairing overwritten or damaged files won't work with JPEGs and other image files, but it will work with any file format that contains enough structured data to allow the file to be reassembled in the proper order. It can be successfully used on Outlook, Word and SQL Server database formats, for example. Even when some pieces aren't recoverable, the user may be able to get at least part of the file back.

clear.gif
clear.gif
 
clear.gif
Tip:  If a file has been partially overwritten, some or all of the data may still be recoverable.
clear.gif
 
clear.gif
clear.gif

But when it comes to image files, fragmentation or a few sectors of corrupted data can be a virtual death sentence. "Since [a JPEG file] is compressed, if you're missing a chunk of that it's very important," says Barry. "I can't do anything if a piece of it has been overwritten."

That also means that looking for bits of the files left behind after defragmentation wouldn't be of much help in recovering Shirley's JPEG images. Since the data for the repair comes from an old sector location, the data set is by definition noncontiguous, or fragmented.

What not to do

So as I undertook to recover Shirley's images, I was aware that I faced some serious obstacles. Unfortunately, while I thought I knew what I was doing, I made a few potentially destructive mistakes. Here's the first one: Once I returned to my office and set up Shirley's machine, I turned it back on. As long as I didn't save anything to the hard disk drive, I figured, everything would be OK.

As it turns out, if the missing data is on the same drive partition that boots Windows (usually the C: drive) this is a big no-no. But I didn't know that. So I powered up, began a search of the disk drive for the missing files and double-checked the Recycle Bin, which came up empty. Those seemingly harmless steps could have cost me some files.

clear.gif
clear.gif
 
clear.gif
Tip:  Simply starting up Windows generates a flurry of disk activity that can overwrite files you are trying to recover.
clear.gif
 
clear.gif
clear.gif

Later, when I finally did call for professional help, I received a gentle reprimand. "The worst thing you can do is restart the machine," Barry says. If the files were accidentally deleted, they would now reside in unallocated space that was up for grabs. Windows could quickly overwrite the file you want to recover.

"Any XP machine is doing so much writing under the hood it's absolutely incredible," Barry says. All of this happens in the background, regardless of whether the user is creating files or writing data to the disk.

Just how incredible is it? If you'd like to see for yourself, download Mark Russinovich's FileMon and DiskMon utility programs from the Microsoft Web site. Both programs trap read and write requests from the operating system. DiskMon shows every read and write request made while Windows is running, and FileMon shows the specific files that are being affected. Even simple activities such as running the Windows Notepad or Solitaire programs will create a flurry of disk activity. "It will blow you away," Barry says.

clear.gif
clear.gif
 
clear.gif
Tip:  If files to be recovered are on the same partition as Windows, use a recovery utility that can boot from the CD-ROM drive.
clear.gif
 
clear.gif
clear.gif

So how do you work on the problem if you can't turn the machine back on? If you have a disk utility program that can create a bootable CD-ROM disc, you can get around this problem by booting and running the recovery software from there. If you don't, the proper procedure is to remove the hard drive from the machine and either install it in another computer as a secondary disk drive or place it into an external USB drive enclosure attached to another machine. From there you can work on it as a secondary drive using recovery tools installed on the other machine.

 
Caption: Removing the drive letter. (Click image for larger view.).
Removing the drive letter. (Click image for larger view.)

To be sure that Windows won't write to the secondary drive, it's best to remove the drive letter that Windows assigns to it. Barry recommends this step whether you are attempting recovery from a second machine or using a bootable Windows CD-ROM disc. "Be on the safe side. Remove the drive letter and point the software to the device," he suggests. (Note: While this applies in a deleted files recovery, this step is not necessary with other data-loss scenarios, such as a missing partition or file-system corruption, since a drive letter assignment has no bearing on that situation.)

You remove the drive letter by right-clicking on My Computer, clicking on Manage, selecting Disk Management and then selecting the secondary drive (not the primary one!). In the menu at the top of the dialog box, select Action --> All Tasks --> Change Drive Letter and Paths, then click on the Remove button.

If Windows has the drive "open," you'll be prompted to restart the machine before the changes take effect. You can then verify that the drive letter assignment has been removed by repeating the steps above. While Windows can't see the drive anymore, a disk utility usually can, since it detects and works with the device directly, rather than going through the operating system.

1 2 3 4 5 6 7 Page 2
Page 2 of 7
  
Shop Tech Products at Amazon