Data loss can occur for a number of reasons. Whether a file was accidentally deleted, the file system or OS has become damaged, or storage has failed at the software or hardware level, data goes missing when you least expect it. Today we highlight five data recovery methods to keep in mind for when the unexpected happens.
1. Boot the hard drive from another machine
If Windows fails to load, take the hard drive out of the problematic machine. Now, either mount it as a secondary (slave) drive in another working machine or place it into an external drive enclosure. The goal is for the drive to appear as another drive letter in Windows Explorer, allowing you to view the contents of the drive and pick out the data you need.
2. Use a bootable Live CD/USB
Similarly, if you want to bypass Windows on the problematic machine and get access to the data itself, you can use a Live CD/USB. This will give you the ability to save the data to the network or an external USB drive. Linux-based bootable operating systems such as DEFT and Ubuntu are two examples of such Live CD/USBs.
3. Use a hex editor
A hex editor (such as HxD Hex Editor) will give you access to the data in ‘raw’ – hexadecimal – format. This is useful when you are working with a hard drive where the partition is damaged and the file metadata is missing. If you know the structure of the file type you need to recover, you can use the SOF (Start-Of-File) marker, or header, and the EOF (End-Of-File) marker, or footer, to carve out data manually and save it into the correct file format.
Note: This method will not work if the hard drive is encrypted.
In the example below, I searched the hexadecimal data for FF D8 right the way through to FF D9 (the header and footer of a JPEG file) and exported that data to a file. Once I gave it a .jpg extension, I was able to open it and see a photo.
4. Write a script to carve out files automatically
Using the same concept as above, you could also write your own script to scan through a raw hard drive image and carve out data automatically. The basic logic of such a script would be as follows:
- Look for SOF marker
- Look for EOF marker
- Save data between SOF and EOF marker to a file
- Give the file the appropriate file type extension
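The four steps above as a short Python script, added here as an illustration and not taken from the original article. It searches for FF D8 FF rather than just FF D8 (a JPEG always follows FF D8 with another marker starting FF, which reduces false hits); the function names, the 20 MB size cap and the sample image are assumptions made for the example.

```python
import hashlib
import os
import tempfile

SOF = b"\xff\xd8\xff"   # JPEG header: FF D8 plus the FF that starts the next marker
EOF = b"\xff\xd9"       # JPEG footer
MAX_SIZE = 20 * 1024 * 1024  # assumed cap so a missing footer cannot swallow the image


def carve_jpegs(image: bytes, max_size: int = MAX_SIZE):
    """Yield (offset, data) for each SOF..EOF span found in a raw image."""
    pos = image.find(SOF)
    while pos != -1:
        end = image.find(EOF, pos + len(SOF), pos + max_size)
        if end == -1:  # header with no footer in range: truncated or fragmented
            pos = image.find(SOF, pos + len(SOF))
            continue
        end += len(EOF)
        yield pos, image[pos:end]
        pos = image.find(SOF, end)


def save_carved(image: bytes, out_dir: str):
    """Write each carved span to out_dir as .jpg; return (name, size, sha256)."""
    os.makedirs(out_dir, exist_ok=True)
    report = []
    for offset, data in carve_jpegs(image):
        name = f"carved_{offset:08x}.jpg"
        with open(os.path.join(out_dir, name), "wb") as fh:
            fh.write(data)
        report.append((name, len(data), hashlib.sha256(data).hexdigest()))
    return report


def build_sample_image() -> bytes:
    """Constructed test input: two fake JPEG bodies plus a header with no footer."""
    jpeg_a = SOF + b"\xe0" + b"A" * 32 + EOF
    jpeg_b = SOF + b"\xe1" + b"B" * 64 + EOF
    orphan = SOF + b"\xdb" + b"C" * 16          # truncated: no EOF follows
    return b"\x00" * 512 + jpeg_a + b"\x00" * 100 + jpeg_b + b"\x11" * 50 + orphan


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for name, size, digest in save_carved(build_sample_image(), tmp):
            print(name, size, digest[:16])
```

Run it against a copy of the disk image rather than the original drive. Like any header/footer carver it recovers only contiguous files, and a JPEG with an embedded thumbnail will be cut at the thumbnail's FF D9.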
If you want to look at a file carver that’s readily available, try PhotoRec or Scalpel, both open source. These are useful to help you practise and understand the underlying concept of data carving.
5. Use a data recovery tool
One of the easiest and fastest ways of recovering deleted data from a Windows operating system is to use a data recovery tool. An application like Recuva allows you to recover missing data from multiple file systems within minutes. PhotoRec, mentioned earlier, is a bit more labour intensive but very powerful and can recover over 400 file types from FAT, NTFS, ext and HFS+ file systems.
For situations where the partition is damaged, try TestDisk. TestDisk’s primary goal was to help recover lost partitions and make disks bootable again, but it is also used for recovering deleted files from FAT, exFAT, NTFS and ext2 partitions.
Despite the obvious benefits of knowing how to recover data, being proactive – rather than reactive – in these scenarios is often considered a more sensible approach.
If budget permits, nothing beats having a real-time backup solution in place that can restore data quickly and avoid the headache of needing to recover data in the first place. Such a solution will allow you to restore files to their original state on the original computer or to another computer on the network with a click of a button.