Recovering Data From Raw Disks

Today's data recovery tools have come a long way compared to the simple "undelete" of two decades ago. Instead of relying solely on the file system, today's data recovery tools implement extremely complex algorithms allowing them to successfully recover files from raw volumes. A "raw" volume means that some disk system structures, such as the master boot record (MBR) or the file system, are damaged, blank or missing entirely. This article describes algorithms that are used to recover files from raw disk volumes.

Finding Disk Volumes

Before we begin looking for individual files, it is important to locate all partitions (disk volumes) stored on the hard drive. Normally, information about the volumes is stored at the beginning of the disk in a record called the partition table. Windows maintains one or more partition tables detailing the location of each partition. Partition tables contain information about the beginning and end of the volume as well as its type.

Sometimes, however, the hard drive is corrupted so badly that individual disk volumes (partitions) are not available. If this is the case, it is important to locate the volumes on the disk in order to determine the location of their file systems.

Finding the File System
The easiest way to locate disk volumes is to detect the presence of the file system, a structure that's normally stored at the beginning of the volume. When recovering information from a volume, partition recovery tools normally assume that each volume has such a data structure. If the partition table is damaged or no longer available, the tool has to scan the disk looking for an available file system (or multiple file systems if the disk contained multiple partitions).

Many file systems have fixed signatures, making them relatively easy to locate. For example, FAT (File Allocation Table) contains the values 0x55 and 0xAA in the 510th and 511th bytes of the first sector of the volume. These signatures are used to detect the presence of the file system. Other file systems (e.g. ext2/3, NTFS, HPFS and so on) have different fixed signatures and different detection algorithms, but the general principle remains the same. Additional checks are performed after encountering these signatures. If, after all the checks, the algorithm confirms the presence of a file system, the tool can then determine the beginning of a volume.
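
The signature scan with follow-up checks described above, as an added Python example (not code from the original article or from any particular recovery tool). It assumes 512-byte sectors; the function names, the specific set of additional checks (jump opcode, BIOS parameter block fields, NTFS OEM ID) and the sample image are constructed for illustration.

```python
import struct

SECTOR = 512  # assumed sector size for the scan

def classify_boot_sector(sec):
    """Return 'FAT', 'NTFS' or None for one 512-byte sector."""
    # Fixed signature: 0x55 0xAA in bytes 510 and 511.
    if len(sec) < SECTOR or sec[510:512] != b"\x55\xaa":
        return None
    # Additional checks: an MBR or stray data can carry the same two bytes,
    # so validate the BIOS parameter block before accepting the sector.
    if sec[0] not in (0xEB, 0xE9):               # x86 jump at the start
        return None
    bytes_per_sector, sectors_per_cluster = struct.unpack_from("<HB", sec, 11)
    if bytes_per_sector not in (512, 1024, 2048, 4096):
        return None
    if sectors_per_cluster == 0 or sectors_per_cluster & (sectors_per_cluster - 1):
        return None                               # must be a power of two
    if sec[3:11] == b"NTFS    ":                  # NTFS OEM ID
        return "NTFS"
    if sec[16] in (1, 2):                         # number of FAT copies
        return "FAT"
    return None

def find_volumes(image):
    """Scan every sector; return [(sector_number, fs_type), ...]."""
    hits = []
    for off in range(0, len(image) - SECTOR + 1, SECTOR):
        kind = classify_boot_sector(image[off:off + SECTOR])
        if kind:
            hits.append((off // SECTOR, kind))
    return hits

def _boot(oem, fats):
    # Constructed sample boot sector (not from a real disk).
    sec = bytearray(SECTOR)
    sec[0:3] = b"\xeb\x3c\x90"
    sec[3:11] = oem
    struct.pack_into("<HB", sec, 11, 512, 8)
    sec[16] = fats
    sec[510:512] = b"\x55\xaa"
    return bytes(sec)

def sample_image():
    # Constructed 8-sector image: blank start, a decoy, and two volumes.
    decoy = bytes(510) + b"\x55\xaa"              # signature only, no BPB
    blank = bytes(SECTOR)
    return b"".join([blank, decoy, _boot(b"MSDOS5.0", 2), blank, blank,
                     _boot(b"NTFS    ", 0), blank, blank])
```

Calling `find_volumes(sample_image())` reports the FAT and NTFS boot sectors and skips the decoy sector, which carries the two signature bytes but fails the additional checks.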

Scanning the Volume

After successfully locating all volumes, we can pick a single partition to extract information from. It is important to realize that raw hard disks may contain damaged, corrupted, blank or inconsistent file system records; therefore a good data recovery tool cannot rely solely upon information stored in the file system. However, ignoring such information completely would not be a good idea, as the file system contains records pointing to many types of files that cannot be discovered otherwise.