Dan has been a data recovery engineer at Dataquest International Ltd for over 8 years. When not recovering data, Dan can often be found writing articles, maintaining this website, or riding his old bicycle around Portsmouth.
Last week we wrote about the Thai floods affecting hard drive manufacturer Western Digital. It now appears that the floods are causing problems for Seagate. Although not directly affecting their own manufacturing plants, the floods are causing problems in the supply chain, which could cause delays and shortages getting their drives to market.
Working inside a broken hard drive today we came across some of the most damaged read / write heads we have ever seen. First, below is an example of how the heads should look. Notice how straight they are at the ends. Then below are the damaged heads. They are at 90 degrees to the discs (tomb stoning) and would have been scraping the inner disc surfaces to pieces. Bad times!
If you ever hear scraping, scratching or screeching noises from your hard drive, turn it off as soon as possible. If left too long, it could scrape all of the magnetic coating off the discs until there’s nothing left to recover.
The Register today reported expected supply problems for Western Digital, due to the severe flooding in Thailand at the moment. We are already having problems getting hold of certain hard drives, and this is sure to make the situation worse.
Raw data is what we get when we recover files without their folder and file names. Instead of a My Documents folder, with photos and documents arranged into separate folders, what we get is a folder named JPEG, for example, with thousands of consecutively numbered jpg files. The same goes for office documents: you would get a folder with thousands of doc, xls, docx or xlsx files.
These raw files will be fully usable and contain all the same info that they did originally. You will still be able to open them, edit them and save them; they are just unnamed.
Why is this data in RAW format?
When we recover data, we always prefer to get it back in the original structured form. When data has been deleted from a Mac, or when a hard drive has been reformatted and then partially overwritten, it can be impossible to rebuild all of the data in structured form, as the structure has been overwritten or damaged. This is when we opt for RAW files.
With a RAW recovery, what we are basically doing is searching the whole hard drive for files in known formats. This means we usually get a lot of office documents, jpg images, Photoshop psd files and some others. If we need to find an unusual file type then we need a few sample files to be able to generate the correct scan info. RAW recovery is not possible for every type of file. An example is Apple GarageBand project files, which are actually just folders with .band on the end of the name. On the Mac, these folders are treated as packages, with folders and files inside that you don’t usually see. (If you right click one and choose ‘Show Package Contents’ you will see what I mean.) For the purposes of RAW recovery we cannot get back those project files. We would, however, get back the RAW AIFF files and recordings from within the projects. It’s not ideal but may be better than nothing.
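The search for known formats described above can be sketched as simple header/footer carving. This is an added example, not the tooling used by the authors; the signature table, size limit, function names and sample image are assumptions constructed for illustration, and it ignores fragmentation and embedded thumbnails.

```python
import os

# (folder name, extension, header magic, footer magic) for header/footer carving.
SIGNATURES = [
    ("JPEG", "jpg", b"\xff\xd8\xff", b"\xff\xd9"),
    ("PNG", "png", b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82"),
]
MAX_FILE_SIZE = 20 * 1024 * 1024  # assumed cap: ignore a header with no footer in range


def carve(image: bytes):
    """Return (folder, ext, offset, data) for every header/footer pair found."""
    found = []
    for folder, ext, header, footer in SIGNATURES:
        pos = 0
        while (start := image.find(header, pos)) != -1:
            end = image.find(footer, start + len(header), start + MAX_FILE_SIZE)
            if end == -1:
                pos = start + 1  # header with no footer: overwritten or truncated
                continue
            end += len(footer)
            found.append((folder, ext, start, image[start:end]))
            pos = end
    return sorted(found, key=lambda f: f[2])


def write_numbered(found, out_dir):
    """Write carved files as <out_dir>/<TYPE>/<nnnnnn>.<ext>; original names are lost."""
    counters, paths = {}, []
    for folder, ext, _offset, data in found:
        counters[folder] = counters.get(folder, 0) + 1
        os.makedirs(os.path.join(out_dir, folder), exist_ok=True)
        path = os.path.join(out_dir, folder, f"{counters[folder]:06d}.{ext}")
        with open(path, "wb") as fh:
            fh.write(data)
        paths.append(path)
    return paths


def build_sample_image():
    # Constructed sample: zero filler around two JPEG-like blobs, one PNG-like
    # blob, and a JPEG header whose footer has been lost.
    jpg1 = b"\xff\xd8\xff\xe0" + b"A" * 40 + b"\xff\xd9"
    jpg2 = b"\xff\xd8\xff\xe1" + b"B" * 60 + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"C" * 30 + b"IEND\xae\x42\x60\x82"
    lost = b"\xff\xd8\xff\xe0" + b"D" * 20
    return (b"\x00" * 512 + jpg1 + b"\x00" * 100 + png
            + b"\x00" * 7 + jpg2 + b"\x00" * 50 + lost)
```

The output layout matches what the article describes: one folder per file type, with consecutively numbered files and no original names.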
What to do with the RAW files
If there is only a small number of files, then you can manually open them all up, see what’s inside and then rename them to something useful. Luckily, for certain file types, there are other ways to make sense of them, using what is called metadata, meta tags or EXIF data.
This meta information is stored inside the files, so even if the file and folder names are lost, we still have the tags.
A brilliant piece of software called Amok EXIF sorter will plough through thousands of jpg files, read their date tags and then place them in dated folders. It can also do other fancy things with tags, but the default settings will create a decent structure.
For music, iTunes or any other music manager will usually rename the files in the library based on the artist and album tags. In iTunes, just make sure it is set to: ‘Keep iTunes media folder organised.’
Document files such as doc, docx, xls and xlsx also have some useful tags that we can use to make sense of the masses of numbered files.
In Windows, set the View to ‘Details’ and you should see a series of headings such as Name, Date Modified, Type, and Size. Date modified will show the date that the files were recovered, so it is useless for this task. However, if you right click on this heading you will see other available columns, with ticks beside a few of them. The ‘More…’ option at the bottom contains loads of tags that we can use to sort the data.
Good headings for office documents are Author and Date last saved. You can experiment and see if any of the other tags are more useful to your specific data.
Good headings for jpg files are Date taken (Date picture taken) and Camera model. Again, there are others which may be useful.
We would like to pay tribute to Steve Jobs. Apple have a photo on their homepage today which links to a remembering Steve Jobs page with a written tribute to the great man. This comes only weeks since he stepped down as Apple CEO.
His legacy will live on, but his vision will be greatly missed. Who knows what the next game-changing Apple product may have been.
Slashdot had an interesting article today about how to destroy hard drives. It’s a commonly asked question, but deserves a bit of time every once in a while. Of course there are the usual physical destruction options, from the humble hammer and screwdriver, to more exotic (and dangerous) techniques like a propane furnace.
For most purposes we still advise that a simple zeroing of the whole disk is a pretty safe bet. *
Failing that, then as long as you totally destroy the platters, you are good to go. That means taking the disk apart and grinding, bending and scraping the disks to bits.
* During normal use, a hard drive will get occasional bad sectors, which are then mapped out and prevented from being used. When that same sector is requested again, a new spare sector is used from another part of the disk. With the right knowledge, it is possible to access this list of remapped / bad sectors and see if there is any useful data within them. The chances of finding anything useful in these sectors are slim, but you never know.
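One way to check that a zeroing pass actually covered the whole disk is to read it back and list any sectors that still hold data. This is an added example, not part of the original article; the 512-byte sector size, function names and sample image are assumptions, and a read through the normal interface cannot see the remapped sectors described in the footnote.

```python
import io

SECTOR = 512  # assumed logical sector size


def nonzero_ranges(stream, sector=SECTOR, chunk_sectors=2048):
    """Read a disk image or device stream sequentially and return a list of
    (first_lba, last_lba) ranges whose sectors still contain non-zero bytes.
    Assumes reads are only short at the very end of the stream."""
    zero = bytes(sector)
    ranges, lba = [], 0
    while chunk := stream.read(sector * chunk_sectors):
        if chunk.count(0) != len(chunk):  # fast path: skip all-zero chunks
            for i in range(0, len(chunk), sector):
                block = chunk[i:i + sector]
                if block == zero[:len(block)]:
                    continue
                cur = lba + i // sector
                if ranges and ranges[-1][1] == cur - 1:
                    ranges[-1] = (ranges[-1][0], cur)  # extend previous range
                else:
                    ranges.append((cur, cur))
        lba += len(chunk) // sector
    return ranges


def build_sample_wiped_image(total_sectors=10000):
    # Constructed sample: a "wiped" image where the zero-fill missed
    # sectors 3-4 and sector 5000.
    img = bytearray(total_sectors * SECTOR)
    img[3 * SECTOR:5 * SECTOR] = b"leftover" * (2 * SECTOR // 8)
    img[5000 * SECTOR + 100] = 0x41  # a single stray byte is enough to flag
    return bytes(img)


def wipe_is_clean(stream):
    """True only if every readable sector is zero."""
    return not nonzero_ranges(stream)
```

To check a real wipe, pass an image file or block device opened in binary mode instead of the in-memory sample.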
Cult of Mac have warned of an exploit in the Skype app which allows hackers to execute code on your device simply by sending a chat message. iPhone and iPod Touch are both affected. Skype is apparently aware of the problem and will be fixing it soon. Meanwhile be careful!
Today’s large SATA drives shouldn’t be used in 4 drive RAID 5 arrays due to the high likelihood of a read error after a drive failure, which will abort the RAID rebuild.
It is a common misconception that if you run a RAID system then you can avoid keeping backups. Although fault tolerant to a point, there are plenty of issues with RAIDs that can at best cause lengthy downtime and at worst prevent any recovery at all.