QueTek
  
  
Recovery Services > Data Recovery techniques
Data Recovery Techniques
 

Recovery using metadata

When this technique is possible, it yields the most complete results. Metadata is structural information about the files and folders maintained by a file system, such as:
  • The file (or folder) name and the path of the parent folder.
  • The date and time the file (or folder) was created.
  • Who can access the file (or folder) and with what access rights (such as read, write and execute.)
  • Most importantly the size and locations on disk of the contents. The contents of a file are user data. The contents of a folder are the metadata of the files and sub-folders contained inside the folder.
File recovery using metadata is the most basic and preferred technique. It can restore both the file contents and folder structures. Basically File Scavenger™ scans a drive looking for file system metadata and uses the metadata to reconstruct the files and folders.

This technique works well when metadata is still present, such as in the following scenarios:
  • Volume corruption due to transient hardware issues, power interruption, etc. causing the volume to become inaccessible.
  • Volume deletion. The operating system usually removes the volume from a master table but otherwise leaves intact the metadata contained inside the volume.
  • Some file systems such as NTFS preserve the metadata when a file is deleted
  • Some file systems such as NTFS and XFS preserve most metadata when a volume is reformatted.
This technique is not possible without metadata, such as in the following scenarios:
  • The metadata has been overwritten due to various reasons.
  • ext3, ext4, UFS1, UFS2, FAT and FAT32 zero out all or part of the metadata when a file is deleted.
  • ext3, ext4, UFS1, UFS2, FAT and FAT32 zero out most metadata when a volume is reformatted.

Raw recovery

When file system metadata is absent, File Scavenger™ resorts to raw recovery. This technique works for file types with a unique data patterns that indicate where a file begins and ends. The beginning of a file can be detected by the presence of a unique "header". The header may also contain the length of the file, therefore indicating where the file ends. For example, a bitmap (.BMP) file starts with a unique bitmap header that also contains the length of the bitmap file. When the header does not contain the length, a unique end-of-file data pattern may exist, such as in the case of a PDF file. The following file types have a unique header and are well suited for raw recovery: JPEG, bitmap, PDF, ZIP, etc.

Raw recovery restores a file without the original name and folder path. This limitation necessitates manually sorting out the recovered files. For a large number of files this task may be practically impossible.

Raw recovery requires the contents of a file to be contiguous on disk. For a file with fragmented contents, it can restore the first fragment but will miss the remaining fragments. File contents are usually contiguous when the file is first created on or copied to a volume. The contents become fragmented when the file is modified.

The data storage scheme used by ext3, UFS1 and UFS2 causes all files larger than 12 blocks (a block is usually 4KB) to have fragmented contents.

File carving

In many cases this technique can recover a file with fragmented contents when the file's metadata is either missing or incomplete. It is very complex and only possible for certain file types with detectable data patterns. It consists of two steps:
  1. Detect the file fragments by looking for the file type's data patterns.
  2. Using knowledge of the file format, arrange the fragments in the correct order to form the original file.
File carving uses many complex algorithms specific to the file type and individual situation. It is too complex to be incorporated in a program. Instead it is available only through our fee-based data recovery service, primarily for high-valued data due to the associated costs. For example we used this technique to recover several VHD files on a reformatted ext3 volume. In principle a reformatted ext3 volume is unrecoverable because most metadata is zeroed out. However using our knowledge of VHD file format, we were able to recover the VHD files.