Information: Data Recovery Knowledge Basics _ Application Skills

Source: Internet
Author: User
Only data on the computer is the most critical, and data loss is the biggest loss. Let me explain some of the basics of data recovery.
First of all, for important data, backup data is the fundamental way to prevent data loss, and data recovery relies on many factors, it is difficult to fully recover data, generally can only recover part of the data.
Data recovery is to retrieve lost data, such as completely delete a file or folder, reformat the disk, repartition the disk and so on will cause the loss of data. More serious data loss is the storage medium hardware damage, for example, the hard drive accidentally broken, hard disk is not recognized at all, the hard drive has a lot of bad way and so on. The most noteworthy point is that once you realize that the data is lost, immediately stop some unnecessary *, mistakenly delete, mistakenly, do not write data to the disk! After the disk is broken, do not add electricity! Disk appears bad way to read, do not repeatedly read the disk and so on.
Hard disk failure can be divided into two major categories: hard and soft faults. Hard fault, namely PCBA board damage, disc scratch, chip and other original devices burnt out, broken needle break, the head voice coil motor damage, etc., is due to the hard disk of its own mechanical parts or electronic components damaged and caused. Violent vibration, frequent switching machines, circuit short-circuit, power supply voltage instability, such as easy to cause physical failure of hard disk, hardware fault generally performance for CMOS hard drive, often a "click click" of the magnetic group impact sound or motor does not turn, power after no sound, the head does not cause errors such as reading and writing, Most of the cases described above are typically sent to a dedicated data recovery Center to detect and recover data.
Hard disk software failure is the hard disk data structure for some reason, such as the virus caused by the hard disk data structure is not even recognized the formation of the fault. In general, the motherboard BIOS hard drive automatic detection (IDE HDD Auto detection) feature detects hard drive parameters and is a soft fault. Under normal circumstances, the hard drive in the event of a failure in the system will display a number of prompts on the screen, so we can follow the on-screen display of information to find the cause of the failure, targeted implementation of the solution. Soft faults include error partition, error format, mistakenly delete, clone, MBR loss, boot sector loss, virus damage, hacker attack, loss of partition information, RAID0 disk array, RAID1 disk array, RAID5 disk array failure, and other factors caused by data loss. Hard disk soft faults are easier to fix than physical failures, and the damage to the data is less than the physical failure of the hard disk.
The following mainly explains the hard disk after the soft failure of the approximate method of data recovery, part of the principle can be used for USB disk, CD-ROM and other data recovery.


Basic knowledge-hard disk, zoning and file system introduction


Hard drive internal structure

About the hard disk structure of the article has been very much, but really want to make it clear, even if a special book can not finish, so here is no longer from the beginning of the story.
The most basic component of hard disk is a platter coated with magnetic media made of hard metal materials, and the number of platters of different capacity hard disks varies. Each platter has two sides and can record information. The platters are divided into many scalloped areas, each region being called a sector, and each sector can store 128x2 N-n=0.1.2.3 bytes of information. In DOS, each sector is a 128x2 of 2 times = 512 bytes, the disc is centered on the disc center, concentric circles of different radii are called tracks. In a hard disk, a cylinder consisting of a track of the same radius of different platters is called a cylindrical surface. The track and the cylinder are circles of different radii, in many cases, the track and cylinder can be used interchangeably, we know that each disk has two faces, each face has a head, the habit of using magnetic number one to distinguish. sector, track (or cylinder) and the number of heads constitute the basic parameters of the hard disk structure. In older hard drives, the older CHS (CYLINDER/HEAD/SECTOR) structure is used. Because a long time ago, when the capacity of the hard disk was very small, people used the structure similar to the floppy disk production of hard drives. That is, each track of the disk disc has the same number of sectors, resulting in the so-called 3D parameters (disk Geometry), that is, the number of heads (Heads), cylinder number (cylinders), sector number (sectors) and the corresponding 3D addressing mode. For today's new hard drives, all have not adopted such a structure, but the use of a more scientific structure, the current hard disk is linear addressing is directly using the sector area code to access the hard drive, 137G below the hard disk using 32-bit integer as the sector area code, The hard drive above 137G uses a 48-bit integer as the sector area code.

CHS Structure System

Where: The number of heads indicates that the hard drive has a total of several heads, that is, there are several surface platters, the maximum is 255 (with 8 bits storage); The number of cylinders indicates that there are several tracks on each side of the disk, the maximum is 1023 (10 bits storage), and the number of sectors indicates that there are several sectors on each track, Maximum 63 (with 6 bits storage); Each sector is typically 512 bytes, you can theoretically take any number you like, but it seems that you have not found any value yet. So the maximum disk capacity is:

255X1023X63X512/1048576=8024MB (1m=1048576bytes)

or the hard disk manufacturer commonly used unit:

255X1023X63X512/1000000=8414MB (1m=1000000bytes)

Because the number of sectors per track is equal in the CHS structure of an older hard disk, the recording density of the heretics is much lower than that of the inner channel, which wastes a lot of disk space (the same is true for floppy disks). To further improve the hard disk capacity, now the hard disk manufacturers have to use the same density structure to produce hard drives. This means that the track length of each sector is equal, and the sector of the outer ring track is more than the inner ring track. With this structure, the hard disk no longer has the actual 3D parameters, the addressing mode is also changed to linear addressing, that is, the sector is the unit to address. In order to be compatible with old software that uses 3D addressing (such as software using the Biosint13h interface), vendors typically install an address translator within the hard disk controller that is responsible for translating the old 3D parameters into new linear parameters. This is why the 3D parameters of the hard drive can now have multiple choices (different working modes can correspond to different 3D parameters, such as LBA, LARGE, NORMAL). With the increase of disk density, the further complexity, function and speed of the mechanism, today's hard disk will be divided into a large capacity in the disk, known as the "System reserve" area, used to store the hard disk of various information, parameters and control procedures, Some even put the fireware of the hard disk into the system retention area (the original information is stored in the hard disk control circuit board on the chip). This can further simplify the production process, speed up production and reduce production costs, but on the other hand, but also greatly increase the number of hard disk fatal damage and shorten the life of the hard disk.


Principles and methods of data recovery


found that the hard drive failure, need to recover data, the first step to do is to detect, determine the cause of the disk failure and data corruption degree
You can take the correct steps to recover data only by clarifying the extent of the damage to the disk and the cause of the failure:

Hard disk internal failure, the performance of the general is CMOS does not recognize the hard drive, hard drive abnormal sound, then the probable cause of failure physical track damage, internal circuit chip breakdown, head damage and so on, can be used to repair means: internal circuit overhaul, in the super clean Open the disc cavity repair, this situation can only be sent to professional data recovery company.

Hard drive external circuit failure, if the CMOS does not recognize the hard drive, the hard drive is no different, then the possible cause of the failure of the circuit board is damaged, chip breakdown, voltage instability and so on, you can take the means of external circuit repair, or replacement of the same type of hard disk circuit board, generally need to send to professional data recovery

Soft fault, if the CMOS can identify hard disk, usually hard disk soft fault, the cause of damage is generally the system error caused by data loss, partition, mistakenly delete, false cloning, software conflict, virus destruction, etc., can be used in a dedicated data recovery software or manual methods.

The following is a detailed explanation of the soft fault data recovery method
1. Confirm the reason for the failure of data loss
1. Hard drive data loss, causes of failure include:

Virus destruction, false cloning, hard disk error format, the partition table lost, mistakenly deleted files, mobile hard disk letter can not recognize (unable to read the data, hard disk 0 track damage), hard disk partition, disc logic bad area, hard disk has physical bad area.

2. Document data corruption, such as Office series data files damaged, Zip, MPEG, ASF, RM and other file data corruption.

2. According to the cause of failure, the use of appropriate means and steps

1. Backup data, depending on the importance of the data to determine whether the need to back up the data, the general steps to back up the data is

1. Remove damaged hard drive, receive another good machine, note that there is enough hard disk space backup on the new machine

2. Use Ghost Raw Mode (raw), a sector of one sector to back up the damaged disk in a mirrored file. If there is a physical bad on the hard drive, it is best to make a disk image in a ghost way, then all the * is done on the disk image, so that the maximum protection of the original disk will not be further damaged, can maximize the recovery of data. --I guess the author is saying that the disk content is 克龙 to another disk to restore the affectation to avoid writing * on the original disk.

3. Repair hard disk data. There are 2 types of fixed hard disk data, one that is modified directly on the original hard drive and one that stores the read data on other hard drives. The basic idea is that based on the existing information on the disk to maximize the inference of the missing partition and file system system information, the damaged files and systems restore, so if the information loss too much, then it is impossible to recover the data. For example, after the deletion of a file, and then copied the larger file over, then most of the deleted files are new copies of the file covered, almost cannot recover.

One common sense is that if you want to recover data, do not run ScanDisk or Norton Disk Doctor software that directly fixes file system errors on the wrong disk, remember.


0 tracks, MBR and partition table DPT:

The 0 track is in a very important position on the hard disk, and the primary boot record area (MBR) of the hard disk is in this location. Once the 0 track is compromised, the hard drive's primary bootstrapper and partition table information will be severely compromised, causing the hard drive to fail to lift itself.
Mbr:
When partitioning the hard disk through Fdisk or other partitioning tools, the partitioning software establishes the MBR (main boot record) in the hard disk 0 cylinder 0 Head 1 sector, which is the primary boot recording area, in the first sector of the entire hard drive, in a total of 512 bytes of the primary boot sector, The main bootstrapper occupies only 446 bytes, 64 bytes to DPT (disk Partition table), and the last two bytes (AA) belong to the partition end flag. The role of the primary bootstrapper is to check that the partition table is correct and to determine which partition is the boot partition, and to transfer the partition's launcher into memory at the end of the program.
Dpt:
The partition table DPT (disk Partition table) divides the hard disk space into several separate contiguous storage spaces, that is, partitions. The partition table DPT is marked with a 80H or 00H start, with 55AAH as the end sign. The partition table determines the number of partitions on the hard disk, the start and end sectors of each partition, the size, and whether it is an active partition.
By destroying the DPT, the hard disk partition information can be easily destroyed. Partitioned tables are divided into primary partitioned tables and extended partition tables.
The primary partition table is located in the back of the hard disk MBR. Starting from 1BEH bytes, it occupies 64 bytes and contains four partitioned table entries, which is why the primary and extended partitions of a disk can only have a total of four reasons. The length of each partitioned table entry is 16 bytes, which contains the boot flag, System flag, starting and ending cylinder number, sector area code, number of magnets, and the number of sectors in front of the partition and the sectors occupied by the partition. Where the boot flag indicates whether the partition is bootable, that is, whether the partition is active. When the boot flag is 80″, the partition is an active partition, and the system flag determines the type of the partition, such as "06″ is a DOS FAT16 partition, 0b is a DOS FAT32," 63″ is a UNIX partition, and the starting and ending cylinder number, sector area code, Magnetic Number one indicates the starting and ending position of the partition.
The 16 bytes of the partitioned table entry are assigned as follows:
1th byte: Boot flag
2nd byte: Starting head
3rd byte: Low 6-bit is the starting sector, high 2-bit and 4th byte is the starting cylinder
4th byte: Low 8 bits of the starting cylinder
5th Byte: System flag
6th byte: Terminating head
7th byte: The lower 6 bit is the terminating sector, the high 2 bit and the 8th byte is the terminating cylinder
8th byte: End cylinder low 8 bit
第9-12 Bytes: Number of sectors before this partition
第13-16 Bytes: Number of sectors occupied by this partition
An extended partition occupies a table entry in the primary partition table as a primary partition. The sector indicated at the start of the extended partition (that is, the first sector of the partition) contains the first logical partition table, also starting with 1BEH bytes, and each partition table entry occupies 16 bytes. A logical partition table typically contains two partitioned table entries, one pointing to the current logical partition, and the other to the next extended partition. The first sector of the next extended partition contains a logical partitioned table, so that the extended partition can contain multiple logical partitions. For the convenience of illustration, we have numbered this series of extended partitions and logical partitions, and the primary extended partition is the 1th expansion partition, the first logical partition table contains two partitions labeled 1th logical AND 2nd, and so on.
The partition in the primary partition table is the primary partition, and the Extended partition table is a logical partition, and only one extended partition can exist.
FS is the file system, located within the partition, used to manage the storage of files in the partition and various information, including file name, size, time, actual disk space occupied. The file systems currently used by Windows include FAT12,FAT16,FAT32 and NTFS systems.
DBR (Dos boot Record) is the system boot recording area. It is located in the first sector of each partition of the hard disk and is the first sector to be accessed directly by the system, which typically includes a boot program for the system on the partition and a table of related partition parameters.
Cluster is the smallest data storage unit in the file system, consists of a number of contiguous sectors, the size of the hard disk is 512 bytes (almost all of the hard disk), that is, both a byte of the file to be allocated to it a cluster of space, the remaining space is wasted, the smaller the cluster, Then the higher the efficiency of the storage of small files, the larger the cluster, the higher the efficiency of file access, but the more serious the waste space.
Fat (file allocation table), which records the use of clusters in the partition, the size of the fat table is related to the size of the partition on the hard disk, and for data security, fat is typically two, and two fat is the first fat backup, for fat12,fat16, and FAT32 file system.
Dir is the shorthand for the directory, which stores the file or directory information in the root directory of the file system (including the file name, size, disk space, and so on), fat12,fat16 dir immediately after the second fat table, The FAT32 's root zone can be in any one cluster in the partition.
The MFT (Master file Table) is a data structure in NTFS that stores information about a file, including the size of the file, the time, the data space it occupies, and so on.
Taking FAT32 as an example, the 0-2 sector of the FAT32 partition is the DBR of the FAT32 file system, that is, the boot sector, and the 3-5 sector is a backup of 0-2 sectors. 6-31 sectors are empty, 32 sectors begin with the first fat table, and the size of the fat table is related to the size of the partition on the hard disk. Then came the 2nd Fat table, where the remaining space was occupied by the actual files, including directories and files. The root directory of the FAT32 file system is not necessarily the first cluster in the data area, it can be in any cluster in the data region, which is why FAT32 's root size is not limited by 255 files, which is one of the reasons FAT32 's file name can support long filenames.
The partition table is missing, showing that all partitions or sections of the hard disk have not been WinXP, and that the unpartitioned hard disk or unpartitioned space is seen in Disk Manager (Win2000 Win2003). There are several possibilities:
Virus, the CIH virus of the year will populate the partition table and the first partition data with invalid data, in this case, from the nature of the partition described earlier, the data for C disk is difficult to recover, and then the actual data for partitions such as D disk and E disk are not destroyed, but only the partition table is lost. So just find the correct starting and ending positions for partitions such as D disk and E disk, easy to recover.
Repartition, using FDISK to repartition the disk space distribution, then the original partition table was replaced by a new partition table, this time, the same is the original partition of the data is not damaged, only the partition table points to an incorrect location.


Recovery of mistakenly deleting files


What is the principle of the recovery of mistakenly deleting files? Why did you delete the file and then return it? Can all deleted files be recovered?

When we store a file, * The system first in a record of all the use of space in the table, find enough room to accommodate our new files, and then write the contents of the file to the corresponding hard disk sector, and finally in the form of the winning the space is occupied.

When we delete a file, we generally do not make the slice of the actual file, but only indicate in the table that the space is blank and can be allocated to other files. At this point, the actual content of the deleted file is not compromised and can be recovered. If we delete a file, then recreate a file, then the deleted file is occupied by the sector is likely to be used by the newly created file, this time can not recover the original deleted files. So once the file has been mistakenly deleted, it is important to note that you do not write * on the partition where the file is located, otherwise it is possible to overwrite the previously deleted file, causing the data to be unrecoverable.

For mistakenly deleted files, we have a lot of options, such as finaldata,recover4all,easyrecovery, these software use is very simple, directly follow the instructions of the wizard.

Here's a quick way to recover deleted data manually, especially if you use this automated method to restore the invalid, this method is appropriate to restore the obvious characteristics of the structure of simple files, such as text files, if the format is complex, you need to write a similar program to recover. The principle is to find the contents of the deleted file directly in the partition.

One example is Microsoft's VC6,VC6 IDE has a bug, has not been fixed, is to store the written program code, occasionally pops up a dialog box said unable to save the file, this time must be saved once again, if you directly close the VC6, You will find that the file was deleted (the bug was confirmed by Microsoft and has not been repaired until the VC6 SP5 patch).

A friend of mine encountered this bug when using VC6, and he thought VC6 had a problem, directly closed the VC6, the result is very laborious to debug very long one of the document is missing.

I first tried FinalData and Easyrecovery, and found a lot of previously deleted files, which is not needed. There is no way of the case, had to use the method of forced search

1. Run Winhex, select the Opendisk in the Tools menu, select the Logical disk in which the mistakenly deleted file is located,

2. Select the Search menu, use the Find Text command, on the open C disk directly search program code in the feature string "Increased processing REG_EXPAND_SZ",

3. After a period of time, the found code is located in the sector of the front and back of a number of sectors to copy down, copied to a new file, so that the original code.

For the recovery of structurally strong documents, if the automated approach does not work, you can write a small program to search for the same time to judge, or directly using the interface provided by Winhex to write a script, if the data is important, such a means is also very necessary. If the files are dispersed across multiple locations in the partition, you will need to rearrange the documents based on the internal structure of the document to fully recover the data.

The principle of false formatting is also very similar, just a quick format, and did not overwrite the original data, so you can recover.

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.