Buy OnlineDR Engineers versus DR Software – Why People Matter
Data Recovery ArticlesWhat is Data Recovery?
Data Recovery is a phrase that gets bandied about freely in glossy computer magazines and in airport advertising. Type ‘data recovery’ into any search engine and you’ll discover that the internet is saturated with links of rescuing data.
This begs the question; what is data recovery?
Merriam-Webster defines recovery as the “act or process of getting something back.” Synonyms of recovery are: reclamation, recoupment, repossession, and retrieval. Related words are: replenishment, redemption, and rescue. In the computer environment file data can represent all sorts of information types; picture, music, multimedia, spreadsheets, and document files.
Data recovery, then, is the reclamation of lost or missing original data. Computer data is fluid; it changes constantly. This article for example, went through six drafts. While the content was generally the same during the writing process, the difference between draft one and draft six is very important. If this document file was lost before publication, the author would want to have the most recent original version—not a copy from the last backup. If the author had never made a backup of this article, they would absolutely have to have the original.
What are your options when data loss happens? This month’s article is going to concentrate on what data recovery is and reveal some misconceptions associated with data recovery. Additionally, the discussion will focus on the pros and cons of data recovery software.
Data Loss - Point of Failure
Data recovery is required when access to file data fails. This point of failure can be caused by physical or electronic problems with the storage device. When there is a physical problem with the storage device, focus is placed on getting the device operational so that the data can be read and extracted.
If there is nothing wrong with the storage device but the files are inaccessible, then next point of failure can be caused by errors within the file system. All storage devices need a system of organizing and mapping out the stored files. When this file system information is corrupted, the data may still physically reside on the device, yet the ‘pointers’ or ‘map’ to the files requires repair to make the connection from file name to the file data.
Data Recovery Utilities – What They Are Not
Let’s focus on the file system repair. Most users with a working knowledge of the operating system they use may be familiar with some of the volume (the physical amount of hard disk storage space, fixed in size, that is the highest level in the directory structure) repair tools that come with the system they have. For instance, Microsoft® DOS and Windows® users are familiar with the program Scandisk and CHKDSK, UNIX and Linux users are familiar with the program FSCK, Novell® Netware administrators are familiar with the program VREPAIR and REBUILD, and Apple® Mac users are familiar with the program DISK FIRST AID.
These utilities are sometimes referred to as data recovery tools because they fix the file system. It is more accurate to describe these utilities as ‘volume repair’ tools. These tools do not verify the file data; the analysis is on the file system itself. The goal of these tools is to make sure that the volume is “consistent” or without error.
Because these utilities are designed to fix the volume, any file system references, or ‘pointers’ that are incorrect or that conflict with other ‘pointers’, will be rectified. The repair utilities will start making automated changes to the file system to eliminate those conflicts— sacrificing the data in order to make the volume consistent.
Many have asked why these utilities would cause such damage. The answer lies in the purpose of these programs. These utilities are volume repair tools not data recovery tools. And to their credit, most have some sort of ‘Read-Only’ mode that will allow you view the problems found without committing to fix them. So you could make a choice as to whether to allow the utility to run. (For more information on the usage of some of the volume repair utilities, see the References section.)
Automated Data Recovery Software
What about the do-it-yourself data recovery tools that can be found on the internet? Are these of any value? These types of software tools are designed by individuals or companies who have a working knowledge of file systems. The design goal of this software is to be smarter than the volume repair utilities and also to find data that the file system no longer points to. Do-it-yourself data recovery tools analyze the file system and the data and provide a way to view or copy out the found files. In general, most do-it-yourself data recovery tools look for:
- Partition structures
- Volume definition structures
- File system structures
For extended or advanced scans of storage media, software may bypass the beginning structures and search only for file system structures or specific file types. This advanced search may find names of files you used to have, yet the data may be unusable or unreadable.
The reason for limited results with data recovery software is because of the pre-programmed path that the software uses to find the missing files. These pre-programmed recovery algorithms follow a defined course. This type of automated software must begin searching with assumptions of volume definitions. If these assumptions are incorrect the results will be poor. For instance, one assumption is where the partition and volume begins—if no reliable references can be found for the volume start or if an ‘Advanced’ mode is chosen, the software may start finding names of files the user recognizes but ‘pointers’ to the data do not line up with what the data really is—thereby making the files found unusable.
Another example of automated data recovery software making recovery assumptions is the cluster or block size. File systems allocate space to files in units called clusters. Each cluster contains from 1 to 64 sectors, depending on the type and size of the disk. A cluster is the smallest unit of disk space that can be allocated for use by files. If there is not a reliable reference for what the cluster size is the software has to make a best guess. If that detail is wrong, you may see the names of your files, but, again, the data will be unusable.
Does this mean that all software-based data recovery tools are worthless? Not at all. Automated recovery software is great for simple data loss situations involving deleted partitions, deleted volumes, and simple deleted data.
The above data loss situations do not represent all scenarios. For many situations, the recommended course of remedy is the expertise of an experienced data recovery engineer. Examples of data loss where an experienced engineer is the best course of action are:
- Hard drives requiring clean room repair
- Logical Volume Management configuration
- Dynamic Disk configuration
- RAID Array configuration
- SAN Recovery
- NAS Recovery
- Database Recovery
- Email Server Recovery
- Complex Deleted Data Recovery
- Volume Overwrites
The Value of Experience
Professional data recovery companies are experienced at providing quality recoveries. In many cases, the recovery is not a straightforward process due to damage to the file system. A data recovery engineer can visually identify unusual corruption and correct it so that the file data is accessible. Using complex calculations, the engineer will begin determining the start of the data volume and then build structures pointing to the user data files. In contrast, data recovery software would brute-force the recovery.
An example of the advantage of the human engineering process is where the user may have been using a third party partitioning application and the software crashed leaving the data in an incomplete state—half of the data had been moved to the new partition, the other half left in its original location. An experienced engineer would notice the severe corruption to the file system and would work to recover both sets of data.
In the case of multi-drive storage arrays or RAIDs (redundant array of independent disks), senior engineers are the preferred choice for accurate data recoveries. (There are many different types of RAIDs that can be implemented either in dedicated hardware or custom software running on standard hardware.) The complex recovery of RAID 5, 6, 0+1, and 1+0 arrays requires an expert understanding of how a RAID controller card distributes data and a thorough knowledge of file systems. The recoveries of large storage arrays are usually successful by engineers who work to piece these large ‘jig-saw’ puzzles of data together; even when there is damage to the data stripes.
In one case, the RAID configuration of a large 32-drive RAID 5+0 was lost. The IT department had a power loss and the RAID controller could no longer see the logical array. The IT department had tried working with the OEM manufacturer to get the 1.3 Terabyte array back online but without any success. The administrators of the storage volume were at an impasse—the array could not be restored and any further configurations would potentially damage whatever data was left on the volume. Without any backup of a volume of this size, the only choice was to engage a professional data recovery company.
When the drive cabinets arrived, engineers started work immediately to isolate the fibre channel drives. Due to the complexity of the multi-drive storage array, two senior engineers worked to put the drives back in order.
While the client had maintained that it was one large RAID 5 array, it was discovered that there were four separate RAID 5 arrays being presented to the storage management software. The software, in turn, then striped these 4 separate RAID 5 arrays together in a RAID 0 arrangement. After working around the clock, the complete array was reassembled by hand and data was copied out. This was a 100% recovery—none of the data files were damaged. This array could only have been completed by engineers; automated recovery software could not have put these 32 drives back together.
Understanding Data Organization
The way computers store data on media is different for every operating system. Whether the media is tape, CD-ROM, DVD, or hard disk, there is a unique data organization method for each media type.
All computer hard disk file systems can be categorized under two types of methods: Linked Allocation or Indexed Allocation. There are many file systems that have been designed over the years and only a handful are used in mainstream computing. Here are some examples of the two file system categories:
|
Linked Allocation
|
Indexed Allocation
|
Understanding the details of these various methods of storing data is what an experienced engineer brings to each job. Whether the file system is an enterprise-level system handling millions of files or something as simple as the File Allocation Table (FAT) file system, experienced recovery engineers understand the principles of data storage and organization.
For instance, in the FAT file system, there are many structures that define a volume and point to data. If just one byte changes on any of these definitions, the data will not be accessible. The directory system is another clearly defined structure that holds the names of folders and files. If this area is damaged ever so slightly, the names will not correspond to the data.
Other file systems, such as Linux (EXT, XFS, JFS), Netware (Traditional, NSS), and Windows (NTFS), are unique in data organization methods. These robust file systems do more than just record the file name, creation date, and file size, they document other information about the file.
The expertise required for data recovery is more than just running automated software. It may not be possible to staff engineers with the background needed to provide quality recoveries in your organization. This is when employing a reputable data recovery service is crucial. Ontrack realizes that you and your users are busy and that time is of the essence when it comes to data loss. Therefore, leave the recovery to experienced and knowledgeable recovery engineers who understand how data is stored.
The Goals of Quality Data Recovery
The two disciplines of data recovery are engineers who specialize in electro-mechanics and work in a cleanroom, and engineers who work in the lab and specialize in file system structure repair. Ontrack has always held these two disciplines separate and have developed the engineers to become experts in their fields. This approach has allowed the engineering staff to concentrate fully on challenging recoveries. Data recovery is a science. By thorough investigation and observation, developing recovering strategies, testing those strategies, and verifying the data, the results are quality recoveries.
Automated software utilities have their place in providing solutions for simple data loss situations. When using these utilities, the files should always be tested before releasing the user’s data. If the quality of the recovered data is not usable, then turning to a professional data recovery service with experience would be in the best interest of the user or client. After all, what are the goals of true data recovery? To get back the original file data.
Microsoft® Scandisk for the Win 9.x/ME operating system
http://support.microsoft.com/default.aspx?scid=kb;en-us;186365
Microsoft® CHKDSK for the Windows XP operating systems
http://www.microsoft.com/resources/documentation/Windows/XP/all/reskit/en-us/Default.asp?url=/resources/documentation/Windows/XP/all/reskit/en-us/prkd_tro_xudm.asp
Novell® Netware VREPAIR: http://www.novell.com/documentation/oes/index.html?page=/documentation/oes/utlrfenu/data/htb2yt1x.html
Novell® Netware NSS rebuild:
http://www.novell.com/documentation/oes/utlrfenu/data/h4uk0rz1.html
Unix-Sun® FSCK usage:
http://docs.sun.com/app/docs/doc/816-0211/6m6nc66qt?a=view
Unix-IBM® AIX FSCK usage:
http://www16.boulder.ibm.com/pseries/en_US/cmds/aixcmds2/fsck.htm#a10192c87
Linux SuSE® FSCK usage:
http://support.novell.com/techcenter/articles/nc2005_08g.html
Linux RedHat® FSCK usage:
http://www.redhat.com/docs/manuals/linux/RHL-7-Manual/ref-guide/s1-sysadmin-rescue.html
© 2005 Kroll Ontrack Inc.
