Surviving a home data disaster: How Shirley got her files back

Recovering 736 missing digital images can be arduous -- and expensive

Page 5 of 7

Initial setup

Barry began by asking me to remove the hard disk from Shirley's computer. At that point I could either ship it to Ontrack or, if I had another machine with Internet access into which I could install the hard drive, let Barry attempt a remote recovery. I had an extra eMachines box handy, and Barry walked me through moving the drive between systems.

The next step was to remove the drive letter (as described above) so the eMachines host computer wouldn't write to Shirley's drive. Barry then directed me to a Web page from which I downloaded and installed the remote control software he would use to begin an analysis.

While I just assumed that the files in question had been accidentally erased, Ontrack makes no assumptions as to why files have been lost. It could be due to accidental deletion, file system corruption or something more sinister, such as a virus or physical drive problem.

Ontrack's internal tools work differently than its commercial DataRecovery tools, which rely on predefined recovery algorithms. Ontrack and other developers of commercial recovery software make decisions about how their programs will go about the recovery process, but in some cases an alternative approach may work better than the algorithms the programmers chose to use in a given utility.

"There may be some cases where I can put things back together so that those [methods] are not assumed and rebuild things by hand," Barry says.

He began by using a program called Remote Advisor to assess the physical condition of the drive. This includes testing the disk's sectors and its electronics, including its memory cache.

A cache failure would present incorrect data about what's on the disk to recovery tools and would write incorrect data back to the disk, said Barry, meaning that data couldn't be recovered remotely. However, technicians might still be able to recover the data if the disk was sent into the lab.

Shirley's disk passes Ontrack's test.

Shirley's disk passed the tests. Barry then ran a program called Mulligan, which protects the drive from any changes. "Any sectors that need to be changed during the evaluation process get written to a rollback file, not to the drive itself," he says. The rollback file is a RAM disk on the host computer. A second copy is stored on Ontrack's servers.

There's nothing pretty about these tools, which present white text on a blue background as the user interface and are a carryover from earlier MS-DOS versions of the tools. Internal tools don't get prettied up, since the public doesn't usually see them. "We'd rather spend our money on more capabilities," Barry says, adding that he finds it faster to use the older, DOS-based template and menu screens.

Next, Barry used the Windows NT Device Examination Utility to inspect individual sectors of the drive, each of which holds about 512 bytes of data. The program presents the contents in hexadecimal code on the left side and ASCII text on the right.

Tip: Perform a physical drive test before attempting data recovery on a hard disk. If the drive has a bad cache or other physical ailment, attempting data recovery could permanently destroy the data you're trying to restore.

Barry first inspected the master boot record for potential damage. Sections filled with zeros raise a red flag that a boot sector virus or some other damage may be present elsewhere on the disk. Next he reviewed the NTFS boot sector. "I don't know what Microsoft has in there or what it's doing, but I know how it should look," he says. This one looked fine.
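The kind of sanity check described above can be sketched in a few lines. This is an added example, not Ontrack's tooling: the function names and the two constructed sample sectors are assumptions, and the checks cover only the standard MBR and NTFS boot sector layout fields.

```python
import struct
SECTOR = 512

def check_mbr(sector: bytes) -> list:
    """Return findings for a 512-byte master boot record (empty = looks sane)."""
    if len(sector) != SECTOR:
        return ["sector is not 512 bytes"]
    findings = []
    if sector[510:512] != b"\x55\xaa":
        findings.append("missing 0x55AA boot signature")
    if not any(sector[:446]):
        findings.append("bootstrap code area is all zeros")
    entries = [sector[446 + 16 * i:462 + 16 * i] for i in range(4)]
    if not any(any(e) for e in entries):
        findings.append("partition table is all zeros")
    for i, e in enumerate(entries):
        status, ptype = e[0], e[4]
        lba_start, count = struct.unpack_from("<II", e, 8)
        if ptype == 0:
            continue  # unused slot
        if status not in (0x00, 0x80):
            findings.append(f"entry {i}: bad status byte 0x{status:02x}")
        if lba_start == 0 or count == 0:
            findings.append(f"entry {i}: type 0x{ptype:02x} but empty extent")
    return findings

def check_ntfs_boot(sector: bytes) -> list:
    """Return findings for the first sector of an NTFS volume."""
    findings = []
    if sector[3:11] != b"NTFS    ":
        findings.append("OEM ID is not 'NTFS    '")
    bytes_per_sector, sectors_per_cluster = struct.unpack_from("<HB", sector, 0x0B)
    if bytes_per_sector not in (512, 1024, 2048, 4096):
        findings.append(f"implausible bytes per sector: {bytes_per_sector}")
    if sectors_per_cluster == 0:
        findings.append("sectors per cluster is zero")
    if sector[510:512] != b"\x55\xaa":
        findings.append("missing 0x55AA end-of-sector marker")
    return findings

def sample_mbr() -> bytes:
    """Constructed MBR: one active type-0x07 (NTFS) partition at LBA 63."""
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07,
                        b"\xfe\xff\xff", 63, 1000000)
    return b"\xfa\x33\xc0".ljust(446, b"\x90") + entry + bytes(48) + b"\x55\xaa"

def sample_ntfs_boot() -> bytes:
    """Constructed NTFS boot sector: 512-byte sectors, 8 sectors per cluster."""
    head = b"\xeb\x52\x90" + b"NTFS    " + struct.pack("<HB", 512, 8)
    return head.ljust(510, b"\x00") + b"\x55\xaa"
```

A finding is a prompt for closer inspection, not a verdict: a non-bootable data disk can legitimately carry an empty bootstrap area.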

From there, Barry began a first file recovery pass, which looked for all deleted and undeleted JPEG files. He then followed up with a low-level signature search of all of the unallocated space on the disk drive, looking for any file that appeared to be a JPEG image. The recovered files were then saved not to Shirley's disk but to the primary disk on the host computer. I had the results a few hours later.
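A low-level signature search of the kind described above can be illustrated with a simple header/footer carver. This is an added example, not Ontrack's tool: it assumes files begin on 512-byte sector boundaries, and the function names and the sample disk image are constructed for illustration.

```python
SOI = b"\xff\xd8\xff"  # JPEG start-of-image marker plus the lead byte of the next marker
EOI = b"\xff\xd9"      # JPEG end-of-image marker
SECTOR = 512

def carve_jpegs(image: bytes, max_size: int = 16 * 1024 * 1024) -> list:
    """Scan sector boundaries for JPEG headers; return (offset, length, complete)."""
    results = []
    pos = 0
    while pos + len(SOI) <= len(image):
        if image[pos:pos + len(SOI)] != SOI:
            pos += SECTOR
            continue
        limit = min(len(image), pos + max_size)
        end = image.find(EOI, pos + len(SOI), limit)
        if end == -1:
            # Header with no footer in range: tail overwritten or fragmented.
            # Report it as incomplete and keep scanning from the next sector.
            results.append((pos, limit - pos, False))
            pos += SECTOR
            continue
        length = end + len(EOI) - pos
        results.append((pos, length, True))
        # Resume at the first sector boundary after the carved file.
        pos += -(-length // SECTOR) * SECTOR
    return results

def sample_image() -> bytes:
    """Constructed 8-sector image: one intact JPEG, one header with no footer."""
    image = bytearray(8 * SECTOR)
    intact = SOI + b"\xe0" + b"\x11" * 694 + EOI       # 700 bytes, spans two sectors
    image[1 * SECTOR:1 * SECTOR + len(intact)] = intact
    truncated = SOI + b"\xe1" + b"\x22" * 100          # footer never written
    image[4 * SECTOR:4 * SECTOR + len(truncated)] = truncated
    return bytes(image)

def extract(image: bytes, hit: tuple) -> bytes:
    """Return the carved bytes for one hit; the source image is never modified."""
    offset, length, _complete = hit
    return image[offset:offset + length]
```

This naive approach stops at the first end-of-image marker, so a JPEG with an embedded thumbnail is cut short, and it cannot reassemble fragmented files.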

The results

The file recovery pass found 1,108 total JPEG images on disk, 155 of which were deleted JPEGs. After installing an ActiveX control in Internet Explorer, I was able to view the analysis results on the Ontrack server. The reporting tool, VeriFile, sorted the listed JPEG files into folders.

Again, most of the detected JPEG files were missing the file record data that would have indicated the original folder location. Those files were dumped into a newly created Found.ODR folder that had multiple child folders within it. The top level and 18 subfolders beneath it used nonintuitive folder names such as 0000B9AD.DIR.

I asked Barry where these names came from. "To preserve the hierarchical structure of the original file system, we created folders for the files that used to reside in a particular folder. The folder names created are based on the unique numbering system that NTFS uses to manage file-to-folder relationships," he said.

VeriFile flags each file as either good, repairable or partially recovered. Repairable files have some file system damage but can be restored. Partial files have read errors but may be partially intact and viewable. In this case, files may have been partially overwritten or the metadata that described which areas of the disk contained the file data may have been erased.

The deleted file recovery results shown in VeriFile.