Archive for October, 2008
FAT32 Recover File Entry Table On-Disk Layout Using a C Structure
October 31st, 2008
In my last installment, Recovering FAT 32 With File System Markers, I offered a brief outline of a case that destroyed a FAT32 file system's major components. This was done by formatting the drive using an operating system that is not native to the file system. In other words, a Mac was used to format the drive when the original formatting was done by Microsoft. In addition, I concluded that a way to recover the data on the drive was to use the file entry record that is created for each file and folder in the file system. In this article I will explain the on-disk format of the file entry record and some of the mechanics used to relate clusters.
Since a small program will be offered at the end of this sequence of articles the on-disk explanation will use ‘C’ notation and a defined record data type using structures. The following is the structure I use in my software to denote a file entry record.
#include <stdint.h>

/* Windows-style fixed-width types, so the record compiles outside the Win32 headers. */
typedef uint8_t UCHAR;
typedef uint16_t USHORT;
typedef uint32_t UINT;

#pragma pack(push, 1) /* no padding: the record must be exactly 32 bytes, as it is on disk */
typedef struct
{
UCHAR FE_Name[8]; /* 8.3 base name, space padded */
UCHAR FE_Extension[3]; /* 8.3 extension, space padded */
UCHAR FE_Attribute; /* attribute flags (folder, etc.) */
UCHAR FE_NTReserved;
UCHAR FE_TimeCreatedTenth; /* creation time, tenths of a second */
USHORT FE_TimeCreated;
USHORT FE_DateCreated;
USHORT FE_DateLastAccess;
USHORT FE_StartClusterHI; /* high 16 bits of the starting cluster */
USHORT FE_TimeLastWrite;
USHORT FE_DateLastWrite;
USHORT FE_StartClusterLO; /* low 16 bits of the starting cluster */
UINT FE_FileSize; /* size in bytes; zero for a folder */
}FILE_ENTRY, *PFILE_ENTRY;
#pragma pack(pop) /* restore the default packing for anything declared afterwards */
#define SZ_FILE_ENTRY sizeof(FILE_ENTRY)
#define FILE_ENTRY_NULL (PFILE_ENTRY)0
This file entry record format has been in use since the inception of the DOS FAT file system. There may have been some fields that were at one time referred to as reserved, but the size and basic design of the record has always remained the same. The following is a description of the fields used to recover the original folder hierarchy.
1. FE_Name[8] — This is from the old 8.3 notation and holds the first eight characters of the file name. In later articles I will cover the long file name logic and how we can use that to enhance our search routines. It is important to note that if the file name is less than eight characters, the rest of the field is space filled (0x20).
2. FE_Extension — The second part of the 8.3 notation, which has the same rule set as the FE_Name field. When displayed, the data in this field appears after the period ‘.’.
3. FE_StartClusterHI — Stored here is the high short (upper 16 bits) of the starting cluster of the file and/or folder.
4. FE_StartClusterLO — Stored here is the low short (lower 16 bits) of the starting cluster of the file and/or folder.
5. FE_FileSize — Lastly, the file size. If this file entry record defines a folder then this value is zero (0x00). In addition you can see that the file size is an unsigned int, so the largest file size that can be stored is 4,294,967,295 bytes, or 4GB.
Now the time of file creation and last update are important as well but the five fields that I have outlined are necessary to recover the folders.
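As an added example (not code from the article or from the author's software), here is a small C program that decodes a raw 32-byte entry into the structure above, joins the HI and LO shorts into the 32-bit starting cluster, rebuilds the 8.3 name from its space-padded fields, and converts a cluster to a sector using the standard FAT data-area formula. The two sample records, the FAT32_GEOMETRY values and the directory attribute bit 0x10 are assumptions made for the demonstration, not values from the article.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Same 32-byte record as the article's FILE_ENTRY, with <stdint.h> types. */
#pragma pack(push, 1)
typedef struct {
    uint8_t  FE_Name[8];          /* offset 0,  space padded */
    uint8_t  FE_Extension[3];     /* offset 8,  space padded */
    uint8_t  FE_Attribute;        /* offset 11 */
    uint8_t  FE_NTReserved;       /* offset 12 */
    uint8_t  FE_TimeCreatedTenth; /* offset 13 */
    uint16_t FE_TimeCreated;      /* offset 14 */
    uint16_t FE_DateCreated;      /* offset 16 */
    uint16_t FE_DateLastAccess;   /* offset 18 */
    uint16_t FE_StartClusterHI;   /* offset 20 */
    uint16_t FE_TimeLastWrite;    /* offset 22 */
    uint16_t FE_DateLastWrite;    /* offset 24 */
    uint16_t FE_StartClusterLO;   /* offset 26 */
    uint32_t FE_FileSize;         /* offset 28 */
} FILE_ENTRY;
#pragma pack(pop)

#define SZ_FILE_ENTRY 32
#define FE_ATTR_DIRECTORY 0x10  /* directory bit from the FAT specification (assumed, not from the article) */

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t le32(const uint8_t *p) { return le16(p) | ((uint32_t)le16(p + 2) << 16); }

/* Fill the struct from the raw on-disk bytes, field by field, so the result
 * does not depend on the host's byte order. Multi-byte fields are little-endian. */
void fe_decode(const uint8_t raw[SZ_FILE_ENTRY], FILE_ENTRY *fe) {
    memcpy(fe->FE_Name, raw, 8);
    memcpy(fe->FE_Extension, raw + 8, 3);
    fe->FE_Attribute        = raw[11];
    fe->FE_NTReserved       = raw[12];
    fe->FE_TimeCreatedTenth = raw[13];
    fe->FE_TimeCreated      = le16(raw + 14);
    fe->FE_DateCreated      = le16(raw + 16);
    fe->FE_DateLastAccess   = le16(raw + 18);
    fe->FE_StartClusterHI   = le16(raw + 20);
    fe->FE_TimeLastWrite    = le16(raw + 22);
    fe->FE_DateLastWrite    = le16(raw + 24);
    fe->FE_StartClusterLO   = le16(raw + 26);
    fe->FE_FileSize         = le32(raw + 28);
}

/* The starting cluster is a 32-bit number split across the HI and LO shorts. */
uint32_t fe_start_cluster(const FILE_ENTRY *fe) {
    return ((uint32_t)fe->FE_StartClusterHI << 16) | fe->FE_StartClusterLO;
}

int fe_is_folder(const FILE_ENTRY *fe) { return (fe->FE_Attribute & FE_ATTR_DIRECTORY) != 0; }

/* Rebuild "NAME.EXT" from the space-padded fields; out must hold 13 bytes. */
void fe_format_name(const FILE_ENTRY *fe, char out[13]) {
    int n = 8, e = 3;
    while (n > 0 && fe->FE_Name[n - 1] == ' ') n--;
    while (e > 0 && fe->FE_Extension[e - 1] == ' ') e--;
    memcpy(out, fe->FE_Name, (size_t)n);
    if (e > 0) { out[n++] = '.'; memcpy(out + n, fe->FE_Extension, (size_t)e); n += e; }
    out[n] = '\0';
}

/* Hypothetical volume layout values needed to turn a cluster into a sector. */
typedef struct {
    uint64_t partition_start_lba;
    uint32_t reserved_sectors, num_fats, sectors_per_fat, sectors_per_cluster;
} FAT32_GEOMETRY;

/* Standard FAT formula: the data area follows the reserved sectors and the
 * FAT copies, and cluster numbering starts at 2. */
uint64_t cluster_to_lba(uint32_t cluster, const FAT32_GEOMETRY *g) {
    uint64_t first_data = g->partition_start_lba + g->reserved_sectors
                        + (uint64_t)g->num_fats * g->sectors_per_fat;
    return first_data + (uint64_t)(cluster - 2) * g->sectors_per_cluster;
}

/* Constructed sample records, not taken from a real drive. */
const uint8_t SAMPLE_FILE_ENTRY[SZ_FILE_ENTRY] = {
    'P','H','O','T','O','0','0','1', 'J','P','G', 0x20, 0, 0, 0,0, 0,0, 0,0,
    0x01,0x00,            /* StartClusterHI = 0x0001 */
    0,0, 0,0, 0x45,0x23,  /* write time/date, StartClusterLO = 0x2345 -> cluster 0x00012345 */
    0x00,0x00,0x10,0x00   /* FileSize = 0x00100000 */
};
const uint8_t SAMPLE_FOLDER_ENTRY[SZ_FILE_ENTRY] = {
    'D','O','C','S',' ',' ',' ',' ', ' ',' ',' ', 0x10, 0, 0, 0,0, 0,0, 0,0,
    0,0, 0,0, 0,0, 0x07,0x00, 0,0,0,0  /* starting cluster 7, size 0 as folders carry */
};

int main(void) {
    FILE_ENTRY fe; char name[13];
    FAT32_GEOMETRY g = { 2048, 32, 2, 1024, 8 };  /* hypothetical layout */
    fe_decode(SAMPLE_FILE_ENTRY, &fe); fe_format_name(&fe, name);
    printf("%s cluster=%u lba=%llu size=%u\n", name, fe_start_cluster(&fe),
           (unsigned long long)cluster_to_lba(fe_start_cluster(&fe), &g), fe.FE_FileSize);
    fe_decode(SAMPLE_FOLDER_ENTRY, &fe); fe_format_name(&fe, name);
    printf("%s folder=%d cluster=%u\n", name, fe_is_folder(&fe), fe_start_cluster(&fe));
    return 0;
}
```

Decoding field by field rather than overlaying the packed struct on the buffer keeps the result correct on a big-endian host as well; on x86, where the author's software runs, the two approaches give identical values.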
In my next installment I will outline the attributes of the file entry record that can define a folder entry.
Related Articles:
Recovering FAT32 With File System Markers
October 31st, 2008
In my last installment, Recovering FAT 32 with File Entry Records, I talked about USB and FireWire devices and how they are susceptible to damage. In addition I spoke about the file system used to store data on these devices being FAT32 so that the manufacturer can optimize their marketing base. Finally, I spoke about the fact that if the device is formatted by a non-native operating system (non-Windows), how could the data be recovered if in fact certain critical components were destroyed or masked. As an example I am using a live case for this particular instance. This client's drive lost the MBR, OS Boot Records, and FAT markers by formatting their MyBook using a Mac. These are major system components with critical data that is necessary to align the drive. What can we now use to bring this FAT file system back into a state where we can recover the data?
In the FAT file system the index records for each file and folder are not stored in one static area. As an example of an alternate technique, if you were to format a drive using Windows XP then, of course, the default file system would be NTFS. One of the characteristics of NTFS is that it uses a Master File Table to store all the information about each file and folder. The MFT is stored almost exclusively in the same place every time a drive is formatted. Normally the MFT will start at cluster 786432 (LBA 6291456 assuming a 4K cluster) and will extend contiguously for several thousand records. In other words, the entire index for your file system is stored in an area approximately 150MB to 200MB in size. If this area were zeroed out it would destroy all of the information as to where your files are stored and in most cases hamstring the end-user's ability to recover their data, especially if the data is fragmented. One may think that 200 MB of data is a lot of data to zero out, but I can assure you that with Windows XP optimized for disk I/O and hard drives using blazing fast DMA, the destruction of the MFT would be almost transparent. You would never know it happened until it was too late.
That being said, conversely the FAT file system stores its folder and file information in clusters using a file entry record. As the file system matures, the clusters that are used move farther down the drive since data is now occupying the clusters closer to the beginning of the drive. The FAT chaining system is used for folders that have more files than can be stored in a single cluster. It is easy to see that the folder information can be scattered across the drive. Although this plays havoc with hard drives and access speeds, it makes it difficult to destroy the file system. This cluster scattering was not by design and to this day is considered a drawback of the file system; however, it does make data recovery much easier when major file system components are lost.
So now that we know that file entry records are used to index the file system for FAT the problem arises as to how best to identify a file entry record from the billions of other bytes on the hard drive. In my next installment I will outline a file entry record and reveal the attributes that allow us to filter a folder storing file names from all of the other data.
Related Resources:
Recovering FAT 32 with File Entry Records - the first part of this series.
Recovering FAT32 with File Entry Record Data Only
October 31st, 2008
External USB hard drive devices have been a real ‘boon’ for the hard drive recovery industry. From the fact that they dissipate heat poorly, they are susceptible to vibration, and your dog walking past your computer happily wagging its tail can knock your precious data on the floor and destroy those irreplaceable pictures you took on your vacation last year, USB and FireWire drives comprise twenty five to thirty five percent of our hard drive recovery business. In addition to this, the manufacturers thought they would be smart and format these external gems using the FAT32 file system. The reasoning behind this is that this particular file system is well documented, and Linux, Mac, and of course Microsoft can read from, and write to, this file system.
In theory, this sounds like a great marketing idea, having the ability to sell external USB and FireWire hard drives to three different operating systems. In theory. In practice, it presents some unique problems. As an example, a real life example, I have in my possession a Western Digital My Book that was formatted originally as FAT32. However, this particular My Book was used for video editing and storage for a documentary on a Mac. For whatever reason this particular client decided to format the drive. In speaking with the client, this was not the intention. That being said, the drive was formatted using an EFI format that destroyed huge chunks of the FAT as well as destroying the OS Boot Record and the back-up OS Boot Record. In addition, the Master Boot Record had odd data for the partition starting points and file system type on the external hard drive.
Now, with the MBR in the wind, both OS boot records destroyed, and the beginning markers of both FATs gone, how does one reconstruct the original configuration of the FAT32 file system? In the next installment I will illustrate how Microsoft leaves little remnants of the file system all across the drive, and how these remnants can be used to recover the file system.
Related Resources:
How to Replace a Partition on a Single Partition Drive
October 31st, 2008
We have a Free Partition Repair Tool that I get a lot of calls about. The problem most people have when using it is trying to figure out what goes into each of the fields. When a hard drive has a missing partition it is hard to know what is supposed to go in to those fields.
As you can see my external hard drive has no partition and because of this I will need to enter all of the numbers that go in the fields. Each line is equivalent to a different partition on the hard drive. For this How To I am only worried about single partition hard drives.
When I do a remote data recovery of a partition I would have WinHex available in order to have the ability to look at multiple facets of the file system. Once in WinHex with the target hard drive open I will then go to sector 0, where the Master Boot Record (MBR) resides.
This is a view of the MBR on my hard drive that has no partition record, and therefore no access to the data on that drive.
I will then go up to View and then choose the Template Manager. In here I will choose the Master Boot Record template and apply it.
As you can see there is no information in the partition. Everything is zeroed out. This can be seen a lot with viruses and also with accidentally deleting the partition from the hard drive in the Windows Installer program.
From here I will go up to position and then go to sector. I will input sector 63 and I am now at the NTFS Boot Sector.
Here you can see the NTFS file system, and this will help you to know you are in the proper place. I can now go back up to View and then to the Template Manager and apply the Boot Sector NTFS template to this sector.
Now that I have the template open I can look to see what the total sectors of the hard drive are. Generally speaking, for most single partition NTFS hard drives, whatever you see in the total sectors field in the template plus 1 is the total sectors of the hard drive.
With my hard drive, the total sectors are 39086081 add 1 to that and we have 39086082. Now I need to go back to sector 0 and open the MBR template again.
Now that I know what the total sectors are, the other settings are easy enough and pretty standard. They should be as follows. The active partition field is 80 and will mark the partition as “active”. The next field is the Start Head, which should equal one (1). Next we have Start Sector, which is also one (1). The starting Cylinder will be left at 0. Partition Type for NTFS is 07. End Head is 254, End Sector is 63 and End Cylinder is 1023. The Sectors Preceding the Partition is 63. All of these fields are in most cases always the same. Sectors in Partition is equal to the total sectors as reflected in the boot sector plus 1, so for this hard drive it will be the number from above we already figured out, 39086082.
Now we want to close this window and click yes when it asks if we would like to write the MBR. Then we want to close WinHex. It is going to give us a warning about writing to the drive. I would have to say here that if you are not SURE these are the proper settings for your drive, it is not a good idea to be writing them down. You can cause damage to data, and also make it harder for a hard drive recovery technician to fix it later.
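The procedure above can be checked in software before anything is written to the drive. The following C program is an added example, not code from WinHex or from the Free Partition Repair Tool: it reads the 64-bit total sectors field from an NTFS boot sector (offset 0x28 of the BPB), adds 1 because NTFS records one sector less than the partition size (the last sector holds the backup boot sector), and assembles the 16-byte partition entry with the fixed values listed above, including the CHS encoding of end head 254, sector 63, cylinder 1023. The sample boot sector is constructed for the demonstration and carries the article's value 39086081; the program only builds the MBR image in memory and never touches a disk.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SECTOR_SIZE 512
#define MBR_PARTITION_TABLE_OFFSET 446
#define NTFS_TOTAL_SECTORS_OFFSET 0x28  /* 64-bit "total sectors" field in the NTFS BPB */

static uint64_t le64(const uint8_t *p) {
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--) v = (v << 8) | p[i];
    return v;
}
static void put_le32(uint8_t *p, uint32_t v) {
    p[0] = v & 0xFF; p[1] = (v >> 8) & 0xFF; p[2] = (v >> 16) & 0xFF; p[3] = (v >> 24) & 0xFF;
}

/* Sanity check before trusting sector 63: the "NTFS    " OEM id and the
 * 0x55AA signature should both be present, as seen in the WinHex view. */
int ntfs_boot_sector_looks_valid(const uint8_t boot[SECTOR_SIZE]) {
    return memcmp(boot + 3, "NTFS    ", 8) == 0 && boot[510] == 0x55 && boot[511] == 0xAA;
}

uint64_t ntfs_total_sectors(const uint8_t boot[SECTOR_SIZE]) {
    return le64(boot + NTFS_TOTAL_SECTORS_OFFSET);
}

/* Pack head/sector/cylinder into the 3-byte CHS form used in the partition
 * table: the two high bits of the 10-bit cylinder ride in the sector byte. */
void chs_encode(uint8_t out[3], unsigned head, unsigned sector, unsigned cylinder) {
    out[0] = (uint8_t)head;
    out[1] = (uint8_t)((sector & 0x3F) | ((cylinder >> 2) & 0xC0));
    out[2] = (uint8_t)(cylinder & 0xFF);
}

/* Build the 16-byte partition table entry with the fixed values the article
 * gives for a single NTFS partition; returns 0 if the size does not fit. */
int build_ntfs_partition_entry(uint8_t entry[16], uint32_t sectors_preceding,
                               uint64_t sectors_in_partition) {
    if (sectors_in_partition == 0 || sectors_in_partition > 0xFFFFFFFFull) return 0;
    entry[0] = 0x80;                      /* active */
    chs_encode(entry + 1, 1, 1, 0);       /* start head 1, sector 1, cylinder 0 */
    entry[4] = 0x07;                      /* partition type: NTFS */
    chs_encode(entry + 5, 254, 63, 1023); /* end head 254, sector 63, cylinder 1023 */
    put_le32(entry + 8, sectors_preceding);
    put_le32(entry + 12, (uint32_t)sectors_in_partition);
    return 1;
}

/* Assemble a complete MBR image from the boot sector's total sectors value.
 * The field is one less than the partition size, hence the + 1. Writing the
 * image to the drive is left to WinHex or the repair tool. */
int build_single_partition_mbr(uint8_t mbr[SECTOR_SIZE], const uint8_t ntfs_boot[SECTOR_SIZE]) {
    if (!ntfs_boot_sector_looks_valid(ntfs_boot)) return 0;
    memset(mbr, 0, SECTOR_SIZE);
    uint64_t sectors_in_partition = ntfs_total_sectors(ntfs_boot) + 1;
    if (!build_ntfs_partition_entry(mbr + MBR_PARTITION_TABLE_OFFSET, 63, sectors_in_partition))
        return 0;
    mbr[510] = 0x55; mbr[511] = 0xAA;  /* boot signature */
    return 1;
}

/* Constructed NTFS boot sector carrying the article's total sectors value. */
void make_sample_ntfs_boot_sector(uint8_t boot[SECTOR_SIZE]) {
    memset(boot, 0, SECTOR_SIZE);
    memcpy(boot + 3, "NTFS    ", 8);
    uint64_t total = 39086081ull;
    for (int i = 0; i < 8; i++) boot[NTFS_TOTAL_SECTORS_OFFSET + i] = (uint8_t)(total >> (8 * i));
    boot[510] = 0x55; boot[511] = 0xAA;
}

int main(void) {
    uint8_t boot[SECTOR_SIZE], mbr[SECTOR_SIZE];
    make_sample_ntfs_boot_sector(boot);
    if (!build_single_partition_mbr(mbr, boot)) { puts("boot sector rejected"); return 1; }
    printf("partition entry:");
    for (int i = 0; i < 16; i++) printf(" %02X", mbr[MBR_PARTITION_TABLE_OFFSET + i]);
    printf("\n");
    return 0;
}
```

The end CHS value comes out as FE FF FF, which is the conventional "cylinder 1023 capped" encoding for any partition too large to describe in CHS; the LBA fields (63 preceding, 39086082 in partition) are what the operating system actually uses to locate the volume.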
Also, if you used WinHex to look at the total sectors of the drive and would like to use the Free Partition Recovery Tool to put the partition down to the drive, you can do that as well. It is very simple, as the fields in WinHex and in the partition recovery tool coincide with each other. WinHex has a demo view version you can use to find the total sectors, and then you can use the free partition tool to write the information down to the drive without having to spend any cash. You should be able to reboot the machine now and have full access to your data. As always, if you have any questions please feel free to give me a call at 727-345-9665 and ask for software support. You may also ask questions by leaving a comment below. We try to answer all questions within 24 hours. By asking questions in the comments on this page we will be able to help other users that have similar questions.
For more information visit these pages:
Freeware Data Recovery
Hard Drive Form Factors Explained
October 31st, 2008
This is the first article in a series that will explain how hard drives work, why they fail and what you as users can do to protect your data. When looking at hard drives the first step is to identify what it’s form factor is. Simply put, the form factor is the size of the hard drive and how it connects to your computer.
The most common type of hard drive form factor is 3.5 inch for desktop disks. Laptop hard drives are almost always 2.5 inch form factor. Almost all computers manufactured today for consumers and small businesses have either IDE or SATA hard drives with a normal 3.5 or 2.5 inch form factor.
Why Is a 3.5 Inch Hard Drive Form Factor Actually 4 Inches Wide?
The 3.5 inch form factor doesn’t actually refer to the physical measurement of width or height of the drive, but refers to what the size of the bay is on the computer. Originally the 3.5 inch form factor was used in reference to the size of the PC’s floppy drive. Today hard drives are typically smaller than their counterparts from 5 years ago.
Watch the video below for a visual guide to common hard drive form factors:
[See post to watch Flash video]
Laptop hard drives are 2.5 inch form factors and like desktop disks, can be either IDE or SATA. The video above shows the difference between the cables and power connections on the two types of hard drives. Today there is also a significant difference in hard drive pricing when it comes to SATA and IDE. When looking at hard drive recovery, we don’t charge more for one or the other.
How platter swelling affects a hard drive
October 31st, 2008
Okay, I know this is not about how to read bad parity in a drive in order to find the stale drive in a RAID 5. That is an important subject; however, I also think it is important to know why heat and a swelling platter can cause hard drive damage.
In its simplest explanation a hard drive works much like the old phonograph record players. The record would be placed on a spindle and a needle that is on the end of a tone arm would be placed on the record. The needle reads the recorded music from the record and transfers that data to the amplifying device. Now that being said how is a hard drive like a phonograph record?
A hard drive has a platter or set of platters that are similar to the vinyl record. These platters are mounted on a spindle. There is also a ‘tone arm’ only on a hard drive it is called an actuator arm. At the end of the actuator arm is a set of heads which are comparable to the phonograph needle. This is a basic description of a hard drive, however, there is one huge difference in functionality.
On a phonograph record the needle sits ON the record. With a hard drive the needle floats on a cushion of air over the platters. Since this is the technology used, it is important that the heads remain at a constant distance from the platters. When a head reads a hard drive it doesn’t send a single beam to the platter to read it. The signal looks like a cone, and the farther the head gets from the platter the wider the cone is. Conversely, the closer the head is to the platter the more compressed the cone is.
With this being said, each track on a hard drive is basically equidistant from each other. So, if the head is the correct distance from the platter then the head will read only that track. However, if the head is too far away it will read multiple tracks, this is called over-scan. If the heads are too close only part of the track will be read, this is called under-scan. As an example imagine a paint sprayer and you are spraying a picket fence. Each slat on the picket fence is a different color. Now, if you hold the paint gun (head) too far away from the fence (platter) it will spray the neighboring slats (tracks). On the other hand, if the paint gun is too close you only spray part of the slat.
With these facts in mind, here is why platter swelling is bad. A platter is not completely flat. Microscopically there are many flaws in a platter; however, because the heads float on a cushion of air the imperfections do not affect the physics of the read. If, however, the platter swells then the imperfections become accentuated and the cushion of air can no longer compensate. In many cases the platter imperfection can become so large that it exceeds the distance of the air cushion and actually touches the head. This is called a head crash and can scratch the platter, damage the head and wreak all kinds of havoc with a hard drive.
If your computer is in a room that exceeds eighty degrees then that could cause platter swelling. If your tower is inside of a desk and the air flow is restricted that will cause platter swelling. If there is dust in your tower then that restricts airflow and can cause platter swelling.
So keep your tower dust free, keep your computer room cool, and keep the tower in an area with good air flow.
Well, now that I got that off of my technical chest, hopefully next time I will cover the mechanics of finding a stale drive in your RAID 5.
Until next time…
When Good RAIDs Go Bad, A Technician's Worst Nightmare
October 31st, 2008
The next machine with a bad hard drive was my server. This server has been running as a server in our home for about 8 years. HAH! Now that is not to say that we haven’t done upgrades, because we have. We have always kept the “data” area of the drive separate and even though that data area has grown over the years it is in essence exactly the way it has always been. When we need more room we just make a new array and transfer the data over. Now on the array are all of the things you would expect, backups of our desktop machine, pictures of the family, tax information, drivers for all of our machines, and all of our work/personal documents. On the day of the crash I go to access the data drive on the server and it is no longer there. I think to myself, “hmm that is odd, let me reboot the machine”.
So I reboot the server and when it starts to come up I have a message that the array is in critical state and that one of the drives has dropped out. Now note that this is a common problem with this array, so I just figure I will go into Windows Server 2003 and add the drive back in, no problem. WRONG, the drive can’t be added back in, so now I am sitting with an array I can’t get to and all the data I have ever had on it. (That’s right, I didn’t back up.) I eventually have to take it to our RAID guy Dick Correa, and have him fix it for me. He had to pull one of the drives because it was physically gone.
He then had to de-stripe them, then harvest all of my data off, and put it all on a 500 gig external for me. It was a Maxtor 200gb IDE drive, and all the other drives in the array are the same, so all that I can guess is that I am just having total bad luck. That drive model is known to be pretty stable and all the other drives in the array are still in good working condition.
Slave A Laptop Hard Drive To USB
October 31st, 2008
This article and video will show you how to use a USB enclosure to slave a laptop hard drive. Many times laptop - notebook hard disk drives come in here that we are able to recover with data recovery software. This video will help you use a USB enclosure to get data off of a failing laptop hard drive.
Hard Drive Recovery Video Series - How To Slave a Laptop Hard Drive
If you have a clicking hard disk drive chances are you need hard drive recovery and slaving your laptop will not help you get your files back. This method is for hard drives that are still recognized by the BIOS, they just don’t show you your data, or let you access it.
The software that you need to recover your data is dependent upon the Operating System that was on your laptop.
- For Windows XP or Microsoft Vista with NTFS File System use DART XP - this program will scan your laptop drive and show you the files that can be recovered before you actually buy the software. You can download the demo version for FREE without having to sign up for anything. DART XP Data Recovery Software. If the scan shows you the data you want, you can purchase it right through the software interface.
- For all other types of Windows, or for external hard drives that are running NTFS, FAT, FAT 32 or FAT 16, you will need Recover It All. The demo version is also FREE and will show you the data before you buy it. You can save the scan and purchase the software off of our website. Like all our products, you don’t have to register it to get the demo and you will receive the full version within seconds of purchasing it. Click here for the demo of Recover It All Data Recovery Software.
All of our data recovery software is guaranteed to work or you get your money back. Just like our data recovery services which are No Fix No Fee, we will show you your data before you buy!
DTI also has extended software support. Our software support people work right here in Florida. We don’t outsource anything ever! Our support phones are answered from 9 AM EST to 10 PM EST at 727-345-9665, if you are calling after normal business hours choose the software tech support option with your phone.
Remember if you need hard drive recovery DTI has the best support in the business, a class 100 clean room and a strict no data no charge policy on hard drive recovery. When it comes to laptop data recovery, DTI Data is second to none!
PC World Reviews DTI Data!
October 31st, 2008
DTI Data Recovery is proud to announce that its Free NTFS Partition Repair software was positively reviewed by PC World! You can read the article on PC World’s website here.

Hopefully this data recovery software will help you recover your data.
If you have any questions email support@dtidata.com or call 727-345-9665 Ext 236. If you need data recovery, give DTI a call.
Data Recovery Truth And Consequence
October 31st, 2008
I have been getting a lot of emails about my recent post: Data Recovery Experts: Why Use Them? Most people want to know how to tell if a data recovery company is a “real” company with a clean room, or a reseller, that is going to look at the drive, see if it is a Fed-Ex fix, then up sell it to one of their vendors.
I would get into serious trouble if I were to list all the BS companies out there, that is a fact. However, I can tell you about some real companies and how they differ from us. I am not going to sit here and go on and on about how rocking DTI is. We are a real data recovery company, we have a class 100 clean room, and we develop all our software in house. We don’t outsource ANYTHING, EVER! We answer our own phones as much as humanly possible. Here is a link to my data recovery software blog, with pictures of everyone. We are a relatively small (24 employees) company that does a big job.
Now on to the stuff that is going to get me in trouble : )
If you look at the top tier data recovery companies, and we all know who they are, they are what some believe to be the cream of the crop. They run a factory line recovery shop. They bait you with a range of prices, and if it is at all a difficult recovery, they are going to call you and bump the price up to 3 or 4 GRAND. I know this, since we have a bunch of their drives in the lab, and almost always have 1 or 2 sent in from people unwilling to pay. I am not saying they stink or are ripping you off, they just play the numbers game. (I recall one time being told “that if enough crap was thrown against the wall, some of it will stick” by the owner of a prominent data recovery company whose model is to charge a $150.00 per drive, “bench” or “evaluation” fee. Type my name into Google and you will see me referenced as their CIO. This is a common attitude out there.)
Now when you look at one of the oldest data recovery companies, they used to be the best, they were the creme de la creme, what everyone strived to be. Once they were bought out, their recovery rate dwindled. The drop off was so significant, that a lot of the top people left that company, I know because we are partnered with some of them that went off and started their own thing.
Now on to another front, recently one hard drive maker acquired another major hard drive maker. OK I can relate, maybe now their drives will actually get even better; however now they go out and buy a data recovery company. Huh? OK say I am a customer that just bought some drives, they fail, now I have to pay 3 grand to get my data back? That seems fishy to me.
The thing about these “big boys” is name recognition. Are Calvin Kleins better than Wranglers? No, but they sure cost twice as much. You are paying for the name, nothing more, nothing less. There are no magical machines or proprietary technologies that one company has over the other. Data recovery is not rocket science, but it is all about research and development.
So we are ruling out the big boys who charge the big bucks. That leaves us with the hundreds of middle ground data recovery companies out there, and a few bad apples that think they can do data recovery for $199 or $399. What garbage. One air filter for a class 100 clean room is $850 and we need 4 a month to retain class 100 status. Forget about the parts. What are they a charity? Hard drive manufacturers don’t “give” us replacement parts, we have to buy whole hard drives on the secondary market. We have 1 employee and his assistant that do NOTHING but source parts all day every day. With the advent of large capacity drives, and constant revisions, one Western Digital model had 12 revisions in 1 year. That means that the board, heads, and code on the platters are all different, and they are NOT interchangeable. OK so forget about those bargain basement companies, we all know that you get what you pay for. In fact we constantly get in drives that have already been opened somewhere else. 90% of them have been opened outside of a clean room. We had to start a new program just for clients who sent their drives to one of these bargain basement companies only to be told it was “unrecoverable”. Read more about our “Adaptive Logic” process.
That points us once again to the middle ground. I read somewhere that 60% of all data recovery companies on the Internet are resellers. I would put that number closer to 90%, hell we have thousands of resellers ourselves. So where does that leave us? If your drive crashes; do your research into where you are going to send it. Don’t bother with companies that give a range, cause it will always be the high side. Forget about diagnostic or bench fees, all the good companies are no data no charge. We have a lot of competitors, but few equals. One of our real rivals went as far as to put a webcam in their lab to prove they have a clean room. Now that is cool.
Even though we are only 1 day away by Fed-Ex, most people would prefer a regional company. The problem is if you aren’t in FL, TX, or Southern CA, UT, MN, IL, upstate NY, GA, or WA, there are NO local companies. Choose wisely, mapquest them; if they are off the beaten track they are probably working out of their garage. Don’t laugh, I did it myself with Data Recovery Clinic and Exchange Recovery Clinic. I got drives in and sent them to DTI, took my share and moved on to the next. It is business; we tried to start a clean room and do it right, and even with a lot of backing, my partner and I couldn’t keep up with the changes in hard drives. DTI has 3 or 4 guys that do nothing but get new drives and break them to see how to fix and recover data from them. That’s what data recovery is: research and development, every day.
The fact is hard drives fail. It isn’t because the manufacturers are trying to rip us off, it is just a fact. Dick Correa our chief data recovery software engineer recently wrote an article about “hard drive bad sectors, how to recover data from them“, which explains in detail about the challenges hard drive manufacturers face. They even have a name for it: Mean Time Before Failure. That is the “mean” not the average of when your drive WILL fail. Not IF, but WHEN. If you want to know more about what that is, here is a link to IBM’s description of MTBF on archive.org.
We’ve established that hard drives fail no matter what. What are you to do? Back up your data. Other than the fans, the hard drive is the only other item in your computer that has constantly moving parts. It is also the singular most critical device in your computer. Over the next few months I will be reviewing backup solutions and commenting on the best. If for some reason yours doesn’t work, or failed (believe me it happens, read my post: Data Recovery Case Study - My Own Machine if you don’t believe me. They are still busting my chops about having to send in my own drive for recovery) know that you can trust the guys and gals at DTI Data Recovery.