Data Recovery from Raw Disks

Today's data recovery tools have come a long way compared to the simple "undelete" of two decades ago. Instead of relying only on the file system, they implement complex algorithms that allow them to recover files from raw volumes. A "raw" volume is one where disk system structures such as the master boot record (MBR) or the file system are damaged, empty or missing completely. This article describes the algorithms that are used to recover files from raw disk volumes.


Finding Disk Volumes

Before we begin looking for individual files, it is essential to locate all partitions (disk volumes) stored on the hard drive. Usually, information about the volumes is stored at the beginning of the disk in a record called the partition table. Windows maintains one or more partition tables detailing the location of each partition. The partition tables contain information about the beginning and end of each volume as well as its type.

Sometimes, however, the hard drive is corrupted so badly that individual disk volumes (partitions) are not available. If this is the case, it is crucial to locate the volumes on the disk in order to find the location of their file systems.

Finding the File System

The easiest way to locate disk volumes is to detect the presence of the file system, a structure that is generally stored at the beginning of the volume. While recovering information from a volume, partition recovery tools usually assume that each volume has such a data structure. If the partition table is damaged or no longer available, the tool has to scan the disk searching for an available file system (or multiple file systems if the disk contained multiple partitions).

Many file systems have fixed signatures, making them relatively easy to find. For instance, the FAT (File Allocation Table) file system contains the values 0x55 and 0xAA at the 510th and 511th bytes of the first sector of the volume. These signatures are used to detect the presence of the file system. Other systems (e.g. ext2/3, NTFS, HPFS) have different persistent signatures and different detection algorithms, but the general principle remains the same. Additional checks are performed after encountering these signatures. If, after all checks, the algorithm confirms the presence of a file system, the tool can then determine the beginning of a volume.
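The scan described above can be sketched as follows. This is an added example, not code from any particular recovery tool: it walks a raw image sector by sector, tests bytes 510 and 511 for 0x55 0xAA, and then applies "additional checks" on the FAT boot sector fields. The specific field checks, the 512-byte sector size, the function names and the sample image are assumptions made for illustration.

```python
import struct

SECTOR = 512  # assumed sector size for the scan


def looks_like_fat_boot_sector(sec: bytes) -> bool:
    """Signature test from the article plus plausibility checks (added here)."""
    if len(sec) < SECTOR or sec[510] != 0x55 or sec[511] != 0xAA:
        return False
    # An MBR carries the same two bytes, so the signature alone is not enough.
    if sec[0] not in (0xEB, 0xE9):  # x86 jump opcode opening a boot sector
        return False
    # Offsets 11..16: bytes/sector, sectors/cluster, reserved sectors, FAT count
    bytes_per_sector, sectors_per_cluster, reserved, num_fats = \
        struct.unpack_from("<HBHB", sec, 11)
    if bytes_per_sector not in (512, 1024, 2048, 4096):
        return False
    if sectors_per_cluster == 0 or sectors_per_cluster & (sectors_per_cluster - 1):
        return False  # must be a non-zero power of two
    return reserved >= 1 and num_fats in (1, 2)


def find_fat_volumes(image: bytes) -> list[int]:
    """Return the sector numbers where a plausible FAT volume begins."""
    return [off // SECTOR
            for off in range(0, len(image) - SECTOR + 1, SECTOR)
            if looks_like_fat_boot_sector(image[off:off + SECTOR])]


def build_sample_image() -> bytes:
    """Constructed 128-sector image: signature-only sector 0, FAT boot sector 63."""
    img = bytearray(128 * SECTOR)
    img[510:512] = b"\x55\xAA"       # MBR-like sector with no valid FAT fields
    boot = bytearray(SECTOR)
    boot[0:3] = b"\xEB\x3C\x90"      # jump + NOP
    boot[3:11] = b"MSDOS5.0"         # OEM name (informational, not checked)
    struct.pack_into("<HBHB", boot, 11, 512, 4, 1, 2)
    boot[510:512] = b"\x55\xAA"
    img[63 * SECTOR:64 * SECTOR] = boot
    return bytes(img)


if __name__ == "__main__":
    print(find_fat_volumes(build_sample_image()))
```

Sector 0 of the sample carries the signature but fails the field checks, which is why a scanner cannot treat 0x55 0xAA by itself as proof of a volume start.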

Scanning the Volume

After successfully locating all volumes, we can choose a single partition to extract information from. It is important to realize that raw hard disks may have damaged, corrupted, empty or inconsistent file system records; therefore a good data recovery tool cannot rely solely on information stored in the file system. However, ignoring such information entirely would not be a good idea, as the file system contains records pointing to many types of files that cannot be discovered otherwise.