Data recovery

From InfoAnarchy
Jump to: navigation, search

Also see: Undelete Attack | File wipe | Backup | Filesystem

Data recovery is the process of recovering lost data.

How Files are Deleted

Initially, when a file is deleted, it doesn't really go anywhere. Instead, the "header" or portion of the file explaining its identity and purpose to the operating system, is removed. The data is then gradually overwritten over time. On computers with large hard drives used for only checking e-mail and surfing the Web, a file may go without being overwritten for weeks or even years.

Delete Recovery

Many programs, such as Norton Utilities, allow individuals who accidentally or intentionally deleted files to go back and restore them. This is not possible after a given amount of time.

This process of over-writing files is the only method to prevent it from being recovered anymore by most programs. Even when it is overwritten one or a few times, it leaves traces behind on the hard disk, allowing the possibility of data recovery for more advanced software. There are many ways , to again get the deleted data through some data recovery techniques.

In Windows, when a file is deleted it is moved to the recycle bin. It is not really gone, it is choking up disk space there and when it's a virus it will still be active. This moves file deletion to file moving to recycle bin, and file deletion to file unlinking, confusing these definitions. KDE clearly gives 3 possibilities to the user: traditional deletion of one or multiple files (unlinking). File wiping (aka 'shred'), which means the file will be overwritten a number of times, resulting in either hard or impossible data recovery. This requires more resources than simple unlinking. And finally, move to trash bin, which is indeed just poking around one or multiple files. In the case a file was moved to the recycle bin, it can simply be restored by going to the recycle bin, selecting the files, and press restore. In the case a file got deleted, it simply got unlinked, which saves disk space. If it didn't got unlinked, it can in most situations be restored using a special software program for data recovery.

Companies allow data recovery of a hard disk but prices can vary widely. You should also check out which method they'll be using to recover the data, and see if you can't do it yourself instead.


In the case of a partition being deleted, if there is a backup of the partition table, it can be restored. Another way is to use a 3rd party program that scans the disc. When using LILO, the MBR gets fscked sometimes. Solutions: backup MBR or use Grub.

How Files are Damaged

Occasionally, either by an act of nature or from a poor media, files do not write correctly. One of the most common ways is via 3 1/2 inch disks which are still a common media for transporting most text files. Laptops get dropped, water spilt on them, and viruses delete whole databases.

Less acts of nature and more poor design, the FAT filesystem used in Windows computers is known for writing to data to the hard drive poorly, hence the need for "Scan Disk" to find errors. Linux, which until recently lacked a feature called a Journaling Filesystem could also lose data if a computer shuts down unexpectedly (related article).

Damage Recovery

When media is damaged, it may be possible to use software or contact an outside company to try and recover the data files on a given media.

See: Open Directory Project: Data Recovery

Is my file damaged?

Correct Player Problem

Sometimes one or multiple files are assumed do be broken, while they are not. An example could be a DiVX movie which only plays sound. The correct codec is then not installed. Another reason could be because the file has the wrong extention. You can't tar -xzf a tar.bz2 which has a tar.gz extention. Various other possibilities exist.

Checking Integrity

It is possible to check if a file has been modified in any way, either damage or overwrite by use of a separate Hash file. Most commonly, files can be checked after download, via md5sum, rmd160, sha1 or gnupg provided that where you downloaded it provides that sum for you. When downloading a Linux ISO, there is mostly either a md5sum or gnupg sign available.

Regarding BSD servers: When using BSD's ports collection, there is at least a md5 of the tarball. At least OpenBSD uses both md5, rmd160 and sha1 for each port. Crc32 is depreciated since it is a too weak.

In some situations it is wise to make such a sum of your own files, so that you can check out at any time if they are still the same. Programs like Aide, Tripwire and other IDS make a database of md5's of a number of selected files and directories. This can also tell you wether a file got modified/moved/deleted by a hostile cracker, for example in the process of a rootkit or worm installation.

Some P2P programs like KaZaA and BitTorrent do this for you. However that does not proof the original software was virus, trojan or worm free at all. Use such software at your own risk.


Instead of recovering data, it is much more easier to backup your important data regularly and restore it in the event of damage or failure. See: Backup. Dump and tar are simple ways to backup on *Nix.

Related Software



Commercial Services