Data Recovery Expert

Data Recovery Expert

Viktor S., Ph.D. (Electrical/Computer Engineering), was hired by DataRecoup, the international data recovery corporation, in 2012. Promoted to Engineering Senior Manager in 2010 and then to his current position, as C.I.O. of DataRecoup, in 2014. Responsible for the management of critical, high-priority RAID data recovery cases and the application of his expert, comprehensive knowledge in database data retrieval. He is also responsible for planning and implementing SEO/SEM and other internet-based marketing strategies. Currently, Viktor S., Ph.D., is focusing on the further development and expansion of DataRecoup’s major internet marketing campaign for their already successful proprietary software application “Data Recovery for Windows” (an application which he developed).

Ever received a Cyclic Redundancy Error?

Don't be tempted to back up your data straight away when the hard drive starts failing, think about taking a clone.

What is a Cyclic Redundancy Error…

You’ve probably just seen an error message pop up on your screen and are desperately searching the internet to find out what is going on. Generally a Cyclic Redundancy Error or CRC indicates that data cannot be read due to a malfunction. The heads have been unable to read a sector and this is usually indicative of a failing hard drive.

More often than not users try to copy their data to a safe place and find that the hard drive crashes whilst performing this task. When users copy out all their data, it puts a lot of strain on the hard drive and if it is already failing – catastrophe!

Recovering SQL databases.

If you operate an SQL server, you should be aware of the dangers and how to recover if the worst happens.

SQL server recovery information...

The thought of an SQL database crash is something which can cause nightmares. Lost information, corrupt data, inaccessible systems and inoperable services can all occur and whilst pre-planning can help to eliminate some problems, unforeseen emergencies can really mean a bad day in the office for all.

If your company operates an SQL server, here’s some information as to what you could be dealing with should the worst happen and the solutions available. The important elements of an SQL server.

Data recovery from voice loggers.

As data recovery from voice logging system becomes more widespread, we examine the history of voice logging systems.

Voice logging data recovery...

The necessity for the commercial logging of voice communications from telephone lines dates back to the early 1950's although there is evidence of patents for telephone answering and recording devices as early as 1903. The original commercial voice logging devices utilized analog magnetic tape as the recording media. The spools of 1/4” reel to reel tape were 10 1/2” in diameter and mounted on very large stable tape decks.

It is believed the earliest use for these cumbersome devices was used by both military and commercial logging of voice data for air traffic control. Although Magnasync Corporation were one of the early commercial manufactures of these devices the British company Racal became a market leader in voice logging. Racal Recorders designed and manufactured the voice logging systems and Racal Zonal the magnetic tape. Again these early magnetic tape voice logging systems utilized 1/4” magnetic tape on reel to reel spools. Both 1/2” and 1” tape was also used. These wider tapes allowed up to 64 simultaneous tracks of voice to be logged using analog recording techniques.

RAID 5 Failure and XOR Mathematics in NTFS 5 (Part 4)

We have had three installments on RAID 5 failure and how the XOR operation gives us insight into discovering the stripe size and drive order for an array. Understanding the next installment is critical to the entire method of reverse engineering a RAID 5 configuration.

We understand that when we use an XOR operation on the same bits we always return FALSE. So, XORing a TRUE and a TRUE give you a FALSE, and XORing a FALSE and a FALSE give you a FALSE. Understanding this, we can hopefully understand the following.

The Master File Table (MFT) Magic number is ‘FILE’. Four ASCII letters represented in HEX format as 46h, 49h, 4Ch, 45h. These HEX values correspond to the letters ‘F’, ‘I’, ‘L’, ‘E’ respectively. Now, when you XOR 46h with 46h you get 00h. This is illustrated in the following diagram.

RAID 5 MFT Recovery

Figure 1

RAID 5 Recovery and XOR Mathematics in NTFS 5 (Part 3)

In this installment we will explore the practical use of XORing within the context of a RAID 5 recovery. Although the use of this math function in and of itself does not constitute RAID recovery, there are attributes of the mathematics that lend itself to data signatures that can then be used to acquire the RAID 5 configuration. In order to apply the XOR operation we must first understand the format of the Master File Table (MFT), the very crux of the Microsoft NTFS file system.

 

File systems, like most database handlers, use a simple flat file, index method to do look ups and quick displays. The flat file being the MFT, and then INDX record used for fast lookup and displays. Each has its own use within the file system and to a large part are dependent upon each other.

Since the INDX record is not used in the context of RAID 5 recovery for this particular grouping of tutorials we will dispense with its use within the NTFS file system architecture.

Let us leave it to say that in a more advanced context the INDX record does have its uses when assessing a RAID 5. The MFT however offers the clearest path to drive order and stripe size when using the XOR operation. The figure below (Figure 1) is a generic RAID 5 with three drives. The MFT is exposed using the utility WinHex in order to better illustrate how we use XOR to find the parity block within a RAID 5.

mft-boot-record

Figure 1

 

Always eject your USB flash drives

Do you simply disconnect USB flash drives without ejecting them first? Well read on and find out why this is a bad idea!

Why should I eject my flash USB memory stick…

Don’t we all simply disconnect our USB flash drives without ejecting them first? That extra two seconds could be better spent doing something else right? Wrong! Unplugging without warning can cause data corruption. Mac and Linux users be especially aware!

The reason this is a bad idea is all down to ‘write caching’. Essentially your operating system will cache all the files to be written and perform the function in one go. The functionality is designed to improve performance. When a user disconnects a USB flash drive without warning, the cache is cleared out. If a write process is in operation, this inevitably will result in data corruption.

Compact flash media is getting ever popular

With capacities increasing all the time, compact flash media is increasingly popular for data storage and we are seeing more for recovery!

Data recovery from compact flash...

We received a SanDisk 4Gb Compact Flash card where the JPG data had been deleted. This was exasperated by the client attempts to recover the data using free software. When data on SD cards is deleted, the information is still contained within the media, but the signs, which tell the system where they are located, are destroyed so that they do not recognize the fact that the data is still residing within the memory. These signs, called "pointers", are the indicators that data is present within the structure of the computer.

Deleted information can be recovered even when the pointers are erased, but the chances of success are massively eroded as time passes. As the compact flash writes new data, it will use free space and possibly overwrite stored data that has been previously marked for deletion.

Did you think solid state drives were infallible?

Well they're not. There are plenty of components that can degrade and data recovery tools are still in their infancy!

Performing data recovery on solid-state drives

There are fewer data recovery tools generally available for solid-state devices; however we have been working on our own proprietary tools to overcome vendor specific solid-state drive designs and built-in encryption technologies. We can now boast data extraction tools for almost every solid-state controller. As a result, this last month has seen a record for successful solid-state drive data recoveries!

When they were originally introduced, solid state drives SSD were noticable for both speed and reliability. It was generally thought that because an SSD has no mechanical parts failure rates were negligable. Mechanical components cannot wearing down over time - as there are none! Nevertheless, they still have to worry about electronic components degrading. Capacitors, power supplies and controller chips are all prone to failure.

Can I use S.M.A.R.T. on SSDs?

Many S.M.A.R.T. utilities were designed for hard disk drives so be sure you select a utility that is compatible with SSDs!

Can I use S.M.A.R.T. on SSDs...

S.M.A.R.T. which stands for Self-Monitoring Analysis and Reporting Technology is a fantastic tool for anticipating hardware errors on hard disk drives. The utility can test for bad sectors and some software can even test for temperature, core speed and system fan speed anomalies. When S.M.A.R.T. software indicates an imminent hard drive failure, the user is notified so that data can be backed up and data loss avoided. These hard drive diagnostic programs are widely used on mechanical hard disk drives and RAID, but how reliable are they on solid state drives SSDs?

Checks include electrical and mechanical performance and read/write error rates. Electrical tests include RAM and read/write circuitry. Mechanical tests seek servo information on data tracks, scanning for bad sectors across the entire disk surface. However solid state drives are constructed very differently, although flash media does develop errors over time – normally bad flash blocks in the NAND memory chips. Just like traditional hard disk drives, the controller manages these bad blocks and re-maps them to ‘extra’ blocks. Eventually the drive will run out of ‘extra’ blocks and S.M.A.R.T. is quick to identify this.

Practical RAID 5 Recovery and XOR Mathematics in NTFS 5 (Part 2)

The last installment of this particular blog offered the basics of RAID 5 recovery technology and used a very simple truth table to illustrate the four (4) states of XOR mathematics. This week we will dig a little deeper into the technology and hopefully offer a clearer understanding of how the normal end user can in fact do RAID 5 recovery.

Once again, XOR mathematics offers four actions that work on a bitwise truth table. This truth table when used properly can in fact help one to not only recover their lost RAID data but find out critical facts like, drive order, stripe size, offset calculations, and RAID 5 symmetry. Let’s first take a look at what XOR math will do on actual live data. In order to do that, we must understand how data is stored on the computer in its most primitive state and how viewing that data in a certain way offers us a method for recovery.

We are going to start with a simple ASCII table which defines certain characters in an eight bit environment. Eight bit of course meaning the size of the data type. So each character has its own eight bit value and can be illustrated in several ways. As an example, let’s take the letter ‘A’. In the ACSII table the letter ‘A’ is represented by the decimal number 65. In binary, displaying all bits, the letter ‘A’ is represented by 01000001. Let’s now take the letter ‘Z’ and its ASCII table representation which is signified by the decimal number 90.  The ‘Z’ in binary is expressed as 01011010. So, to explain this further, when the computer sees the number 65 it translates it into an ‘A’, and when it sees a 90, it translates that into a ‘Z’.

Now that we have the binary representation of the letter ‘A’, and the letter ‘Z’, let’s perform XOR operations on all eight bits and see what happens. Please refer to the previous blog on the XOR operation to see how the result was achieved.

Page 2 of 47

Get Help Now

Thank you for contacting us.
Your Private Investigator will call you shortly.