An introduction to data recovery

Page content

A wise man once said that backups are like seat belts: you don’t appreciate just how important they are until you have had to rely on one. But for many that realization comes only after a failed hard disk, virus attack or an accidental press of the delete button has wiped out precious data without a backup to fall back on. So what can you do if you find yourself in this situation?

The good news is that it is possible to recover data that has been deleted or rendered inaccessible by a faulty hard disk. Data recovery falls into two categories: physical and logical recovery. Physical recovery is required if your hard disk has suffered a mechanical failure (usually characterized by clicking or other strange noises) and is no longer recognized by your PC. In this case you generally have little choice but to get the drive professionally recovered. Logical recovery is the process of recovering deleted or corrupted data off an otherwise functioning drive. The good news is that you can usually perform this recovery yourself.

Recovering deleted data is made possible by the fact that when a file is deleted the information the file held is not actually removed from the hard drive. The space that a file occupied is simply marked as being free, allowing the operating system to reuse the space. This is why it is possible to recover such data; indeed deleting a file in a way as to guarantee that it can not be recovered requires the use of special tools. So assuming that the space that the deleted file used to occupy has not been overwritten there is a good chance that the file can be recovered. You may have even heard of criminal cases where the authorities were able to recover incriminating evidence that was supposedly deleted.

It’s important to note that data is recoverable until it is overwritten, but simply turning your PC on and booting into the OS can be enough to overwrite deleted data. Operating systems write log files, download updates, defragment the disk and more without you actively performing any file access on your own, and every time data is written to the hard disk you have less chance of recovering your deleted files.

There are a number of ways you can avoid overwriting deleted data. The easiest is to boot from a CD. By running the recovery application from a bootable CD you avoid risking the OS overwriting the deleted data with its usual disk access. You could also boot the PC from a 2nd hard disk and attach the drive with the deleted data as a slave, or attach the drive with the deleted data as a slave drive on a 2nd PC. A boot CD is by far the easiest method though as it doesn’t require a 2nd PC or a spare hard disk with an OS installed on it.

It is also important not to recover the deleted files back onto the same drive that they were originally recovered from. It’s best to have access to an external drive, USB flash drive or network location to recover the data to.

The ability to create a complete “sector copy” image (a fancy way of saying a complete copy) of a hard disk is also useful, and in some cases necessary for drives that are on the verge of mechanical death. By getting a sector copy of a drive you can attempt to recover your data in a variety of ways from that image without risking any further deterioration of the original drive.

While the specific process for recovering data will differ depending on what program you use (and there are quite a few) as long as you:

  1. Stop all work on the PC as soon as you delete a file you want to recover,
  2. Do not boot from or install any software onto the drive with the data that is to be recovered,
  3. Save any recovered files onto a separate drive, and
  4. Create an image of a drive that sounds like it is about to die

Then you have quite a good chance of a successful recovery.