Working with a Data Recovery Service
Back from the Brink
Nothing protects your data like a well-conceived system of backups. However, no one is perfect, and mistakes happen. In most cases, you can recover data you thought was lost by sending your disk to a data recovery service.
I once worked for a company that committed one of the cardinal sins of system administration. They forgot to verify the backups. Although they did check to make sure everything they had specified was actually being written to the backup media, they forgot to verify that they were actually backing up everything they should, and they missed a single directory with important information.
As you might have guessed, one day, the hard disk crashed. The crash was unexpected, because the drive was not more than a year old, and it was obvious that this was a physical crash because the drive was making some really nasty noises when we turned it on. The system did not recognize the drive at all, so we couldn't do anything at the operating system level to recover the data. The initial reaction was that this data was gone for good.
The drive was making a series of short clicks that sounded like metal on metal. I was relieved that I wasn't hearing a steady scraping sound that might mean the read-write heads were digging themselves into the hard disk platters at thousands of revolutions per minute. This gave me a glimmer of hope that the problem was simply the drive mechanics (perhaps an issue with the arm containing the read/write heads) as opposed to damage to the platters. However, for the average user, the situation is equally hopeless either way. I thought about perhaps buying another identical drive and swapping out the platter spindle, but that still would not guarantee that I could access the data, and it was entirely possible that I could damage the drive beyond repair.
Linux magazines (including this one) are full of articles on recovering lost files. Most of these articles discuss Linux utilities that will look for data that is deleted or lost on a working hard disk. But what if your hard disk isn't working? What if the disk is just broken in the old fashioned sense of having experienced a mechanical failure? No Linux command-line utility will rebuild a broken drive head or resurrect a disk that has failed electrically. In these cases, your only hope might be a professional data recovery service. The details vary, but the goal of a data recovery service is always the same: Figure out how to access the data on the disk, and copy it safely to another storage medium.
If a disk with valuable data reaches an extreme state of disrepair, and you don't have a backup, you are better off letting a specialist handle the recovery. In that case, your own responsibilities are:
- figure out when the disk failed,
- avoid further damage through unnecessary software checks and general poking around, and
- choose the best and most cost-efficient data recovery service.
To accomplish these objectives, you need to know a little about what data recovery companies do and what questions to ask about their services. Read on for some tips on working with third-party data recovery services.
Drives can fail in a number of different ways. The most obvious way is some form of misalignment or head malfunction that results in scraping the platters, thus making them unreadable. The drive can also fail because of some mechanical problem with the drive mechanism, which sometimes means the data is still intact. Another cause for failure is much less visible. In fact, it is invisible. Unlike old vinyl records, the tracks on a hard disk are much too small to see. Each hard disk track is hundreds of times smaller than a human hair. Dust particles, or even minuscule water droplets from a sweating forehead, have the potential of landing somewhere on the drive and making certain portions unreadable. For this reason, companies that specialize in data recovery must provide a clean setting, free of dust and other foreign materials (Figure 1). The need to maintain a hyper-clean environment is one of the reasons why data recovery services are often expensive and left to a relatively small (but growing) collection of specialist companies.
Preventing contamination is one of the key objectives of professional data recovery. Any serious data recovery service will have a so-called clean room. As the name implies, such a room meets a predefined level of cleanliness, typically measured in the number of particles of a given size within a predefined volume of air.
Many governments set standards for clean rooms. In the US, Federal Standard 209E is still common, although in 2001 the U.S. General Services Administration (GSA) announced this standard would no longer be maintained. Instead, the GSA has recommended the International Organization for Standardization (ISO) standard ISO 14644.
A clean room is not necessarily sterile. Depending on the class of clean room, it might contain microbes, as well as other contaminants. A clean room simply maintains a "controlled" level of contamination that specifies the maximum number of particles per volume. (See the box titled "ISO Clean Rooms.")
ISO Clean Rooms
ISO 14644 is split into nine classes for clean rooms based on the maximum number of particles per volume. The equivalent for Class ISO 9 was defined by the US 209E standard as "room air," whereas the ISO standard defines it more precisely as a maximum of 35,200,000 particles greater than 0.5µm/m3. Class 3 under the ISO standard is equivalent to the cleanest room under the US 209E standard, with a maximum of 1,000 particles larger than 0.1µm/m3. The cleanest room, ISO Class 1, allows only 10 particles larger than 0.1µm /m3 and none larger than 0.3µm/m3. If you consider that the thinnest human hair is larger than about 10µm, a hair would be more than 30 times larger than the maximum allowed per ISO Class 1.
In addition to defining the classifications for air cleanliness (ISO 14644-1), the standard also defines the specification for testing and monitoring the cleanliness (ISO 14644-2), test methods (ISO 14644-3), operation of the clean rooms (ISO 14644-59), and several other considerations.
The size of a clean room can vary based on its purpose. Some can be just a few square meters for special purposes (e.g., handling disease samples), whereas in manufacturing of microchips, the clean room could be a thousand square meters or more. Typically the cleaner the room, the smaller it is because of the expense of keeping the room contaminant free.
Keeping a clean room clean is more than simply filtering the air. Workers are often required to wear a full body suit, including special gloves and boots and a face mask. High-end clean rooms are typically set up with "positive pressure." The pressure on the inside of the clean room is greater than the outside. Therefore, any leaks will result in clean air leaking out of the room rather than contaminated air getting in. Some companies with clean rooms don't even allow paper and pencils in the room because particles flake off.
Tracking Down Your Data
Recovering data from a damaged hard disk is not simply a matter of swapping out defective parts. Data recovery services have special devices for accessing damaged disks. The technician also needs to understand the type of data on the disk. For example, a database usually consists of files on a hard disk, but recovering a database to a useful state requires an understanding of the underlying structure. During the recovery process, the technician must keep track of physical problems with the hard disk, as well as structural problems with both the database and the filesystem. A good recovery service will handle most common types of data, but it doesn't hurt to ask in advance and provide details on encryption, filesystem type, and other considerations that might affect the recovery process.
Most recovery services can also recover data from mobile devices, as well as digital photo disks. The most experienced services can recover data from tapes and almost any RAID system, as well as popular virtual machines such as VMware.
The data might appear inaccessible; however, external appearance is not always a measure of the potential for recovery (Figure 2). I have seen a photo of a hard disk taken from a burned out building where the disk appeared to be completely destroyed. Surprisingly more than 99 percent of the data was recovered.
Sometimes all that is necessary to rescue a disk is to move the disk platters to specially constructed devices that can then read the data and copy it to another hard disk. Naturally, the technicians do more than simply move the disk and copy the data. They also examine the disk for physical damage before starting the recovery process to ensure that even more data is not lost during the recovery process. If you have specific files or directories you need to have recovered, you can often provide a list to the recovery company, which they will use to concentrate their recovery efforts.
Data Recovery Triage
Never assume that the data is unrecoverable. Although a professional data recovery service will cost you money, the cost might be insignificant compared with the cost of lost data. Many services offer a free evaluation, so you can easily find out if the data is recoverable before you even decide if it is worth the money.
Certain actions could make matters worse: Running commands like
CHKDSK on Windows or
fsck on Linux can make the data even more difficult to recover, so you need to consider carefully whether you want to take that risk.
Be aware of the sounds your hard disks normally make, so you'll notice when they sound different. Unusual sounds might be your first evidence of a damaged disk. If the disk is still working, take the hint and back up the drive while you still can. However, if you hear a scraping sound (i.e., a head crash), you will likely do more damage if you continue.
Unless you can afford to lose the data completely, do not disassemble or attempt to repair the device yourself. Send it to a service with a clean room. If the drive has water damage, you should not attempt to clean or dry the device yourself. By no means should you use a hair dryer or similar device to dry a wet hard disk. You should also not open the drive to "help" dry it more quickly because you are exposing it to contaminants, which will likely make the problem worse. Furthermore, you should not try to recover data from a wet hard disk.
If the drive has been damaged in a fire, similar rules apply. Let the drive cool off naturally. Do not put the device in a refrigerator to cool it off more quickly. Sudden temperature changes can damage the metal and make recovery difficult. Data services recommend that you do not try to remove the hard disk from a burned out computer, because this could damage it further. Instead, they recommend you send them the entire computer.
Buy this article as PDF
HP's annual Cyber Risk report offers a bleak look at the state of IT.
But what do the big numbers really mean?
.NET Core execution engine is the basis for cross-platform .NET implementations.
The Xnote trojan hides itself on the target system and will launch a variety of attacks on command.
Spammers go low-volume, and 90% of IE browsers are unpatched.
Adobe scrambles to release patches for vulnerable Flash Player.
Four-inch-long computer on a stick lets you boot a full Linux system from any HDMI display device.
New statute would require companies to report break-ins to consumers.
Weird data transfer technique avoids all standard security measures.
FIDO alliance declares the beginning of the end for old-style login authentication.