So your hard disk crashed and you’ve lost all your data – important files, photos of the kids, your contact list and save emails. You are frustrated because you know you should have been performing backups on a regular basis, but you didn’t and now the data is gone for ever. Or is it?
It’s not gone completely and you can get it back. What is the magic bullet? Hard disk forensics.
Hard disk forensics is based on the fact that when a file is deleted from the file system, it actually still resides on the hard disk. It has merely been removed from the file system’s memory. Think in terms of a filing cabinet with labeled folders. Deleting a folder just pulls the label off the folder but it is still there. Only if you actually pull that folder out and shred it are the contents irretrievable.
Now, a given sector of a hard disk can be overwritten, in which case forensics on that sector are more difficult, but if care is taken at the first sign of trouble (i.e. removing the hard disk and mounting it to a separate, clean system for analysis), data may be more easily retrieved.
It is recommended that you NOT run the disk as the primary disk (i.e. if your operating system is infected, you could cause further damage). The better option is to mount the hard disk on a known clean system that has commercial antivirus installed and up-to-date. Viruses and malware are generally inert on a disk until something runs them. If they have infected your OS, they will be running in the background if you boot from the infected disk. However, if you mount the disk as another drive, you can first scan for viruses and try clean or quarantine the malware. Then you can scan the drive for lost data. DO NOT run any executable (.exe) files or DLLs (.dll) from a suspect disk or you will potentially infect your clean system.
I used a hard drive dock to mount my hard drive for this. (here’s an example. These allow you to mount a hard drive to another system via a USB port. You can then view the contents of the drive like you would any other drive. Because the OS is not running that drive, any malware will be inert unless you activate (run) it. So now you can scan, clean, and/or perform forensics on the drive. If you do things this way, make sure that you get a dock that matches the interface for your particular drive, i.e. ATA, IDE, etc.
If you do not have another available system to connect to, or you don’t have a dock, or you otherwise don’t have the ability to remove the hard drive for mounting somewhere else, you can still perform forensics on the drive, but you do run the risk of any potential malware inflicting more damage.
Performing Forensics
There are a number of programs available to do hard disk forensics. As with anything, you get what you pay for. Analyzing and recovering a large portion of data with the file names and structure is more difficult, time-consuming, and the software to do it right is more expensive. I would start with freeware and see what you can achieve. If you find that you have recoverable data you could then decide to move to something more professional grade. Or you might find that the freeware fits your needs (if the number of files to be recovered is not too great).
Starting with Freeware
I started my process with a freeware program called DiskDigger. Unfortunately, DiskDigger is no longer freeware. The newer, limited feature shareware version can be obtained from http://diskdigger.org/. It costs $15 and if it suits your needs, I’d recommend it. But I would start by looking for the older freeware version to see if you have any potentially recoverable data to start with.
In my situation, DiskDigger was not enough to do the full job. I had a large amount of lost data (long story short, I had inadvertently run a system recovery and that begins by wiping out the file system – names, folders, everything) and I wanted to try to recover the file system as most of the photos that needed to be recovered had been sorted by date in the folder name. I used DiskDigger freeware to see if there was anything there worth pursing. Then I stepped up to something more professional grade.
R-Studio Professional Grade Recovery
Enter R-Studio. R-Studio provides professional grade recovery (http://www.r-studio.com/). I went ahead and purchased the Studio version which is $80. But there is a free trial version and also disk type specific cheaper versions. If you know you have an NTFS or FAT file system, you could get it cheaper (if you went this direction at all). I’d recommend the trial first if you think this is a direction that suits you. That way you can test it to see what you can get and make a determination if that’s worth $80 to you. If it turns out that you do not have recoverable data, you don’t want to compound the frustration by throwing good money after bad.
Also, they have a significant library of support documents to help you through the process and to be able to safely recover as much lost data as possible. I highly recommend you take the time to read through it.
For my money, it was worth the $80 to get the full version. I recovered all of my lost data (read: pictures of the kids) AND my file system. I have also used it several times since then in various other capacities. It is a useful utility I like to have in my toolbox.
It should be emphasized that the best way to use R-Studio is to create a disk image of the disk you are trying to recover data from. Then you can work from the image without risking damage to the original. That way, should you need to start over, you’ve got the master original.
Let me point out here that full-blown data recovery is time-consuming and potentially frustrating. There is a bit of a learning curve here and I must emphasize that *caution* is highly recommended. R-Studio has a LOT of info on using their product – it is wise to read and learn before doing anything. Also, the best way to start with this product is to make a mountable disk image of the problem disk, then work recovery from the image file. That way, if you make some type of mistake, you have the original disk in its pre-recovery state. You can always go back and make a new image to work on. Also note that the process takes up a lot of disk space. It’s probably best to work in chunks rather than try to run a full recovery on the entire disk (I learned this by doing – R-Studio can usually recover multiple versions of a single file which means that full recovery on 100GB of data could potentially result in over a terabyte of recovered files. Do a little at a time).
Enjoyed this article?
Don't miss a single post. Subscribe to our RSS feed!