The Black Art Of Data Recovery

Over the next several weeks we are going to take an in-depth look at how data recovery, in all of its phases, is applied to the Microsoft NTFS file system. You may consider this a class in the data recovery of an NTFS file system as well as a mini course in hard drive design repair.

The knowledge that I will impart over the next several weeks is not for the faint of heart. Although I will use plain language, as well as diagrams where needed, the application of the information is meant for technicians and software engineers. However, I am sure everyone will come away with a better understanding of the NTFS file system.

The following are the topics that will be covered on a week-by-week basis. Hopefully, I will be able to maintain the weekly schedule; however, if life and my work get in the way, I may have to skip some weeks until the following week.

Week 1:

Boot Up Sequence: This will include how the BIOS determines a boot device and, once a boot device is determined, how the BIOS hands over the boot sequence to the Master Boot Record. The layout of the Master Boot Record and how the boot code determines the boot partition. What can go wrong during the boot sequence and some ways you can fix those problems.

Week 2:

Continuing the Boot Sequence: This will cover how the Master Boot Record hands over the booting of the operating system to the OS Boot Record. This will include the layout of the BIOS Parameter Block, and how its data elements relate to data storage. A brief explanation of the NTLDR. I will also cover the problems that can arise during the OS boot and how you can possibly repair the problem.

Week 3:

Data Storage Part I: Understanding how data is stored is critical if you want to have even a remote chance of file recovery. Discussion of clusters: why they are used and how they are allocated. How the operating system stores the data on the physical media. Logical and physical sector addressing arithmetic will be explained. Fragmentation, the enemy of data recovery, will also be explored.

Week 4:

Data Storage Part II: Once we have covered how the data is stored, we will then need to understand how NTFS keeps track of file and folder placement. The Master File Table will be discussed in great detail: where it is placed, many of the components of the record, and how they relate to what we see translated into the file explorer.

Week 5:

Data Storage Part III: This week will be totally dedicated to run lists. This component is the key to breaking down how the clusters are stored. The method that Microsoft uses to track clusters is very complicated, so I want to give this subject a full week.

Week 6:

Data Storage Part IV: Now that we have all of the theory of the MFT, this week we will cover how to recover data using a damaged MFT.

Week 7:

Hard drive theory: This will be a brief overview of hard drive design from a data recovery specialist’s point of view. Sector mapping and system area design. Permanent Defect tables. Growing Defect tables. Bad sectors and how they relate to performance. How the operating system reacts to a bad sector. S.M.A.R.T. early warning technology.

Week 8:

JPEG File recovery: The JFIF file format and how that relates to raw data recovery. Data mining, file carving and techniques used to extract data from a totally destroyed file system.

Week 9:

MP3 File recovery: The MPEG III file format will be covered and how that relates to file recovery. How data mining and file carving techniques may be used to recover the file. The ID3 data tag format and how that can be used to recover a more complete MP3 file.

Week 10:

Scenario: Hard drive has been fdisked, how do I recover?

Week 11:

Scenario: Hard drive has been formatted, how do I recover?

Week 12:

Scenario: Files have been deleted, how do I recover?

Week 13:

Scenario: I used the restore function from the manufacturer, how do I recover?

Week 14:

Scenario: Multiple partitioned drive made into single partition, how do I recover second partition?

Week 15:

Scenario: USB hard drive cannot be addressed, how do I recover?

Week 16:

Scenario: I lost all of my Canon CR2 Raw format pictures, how do I recover from the flash chip?

Week 17:

Scenario: Hard Drive has reached maximum capacity and file system as well as the operating system have become inoperable. How do I recover?

Week 18:

Scenario: Malware virus attack on the Master Boot Record, or the operating system boot record. How do I get my operating system online?

Week 19:

Scenario: Drive has been formatted, and the operating system reloaded. How do I recover data from the drive?

Week 20:

Scenario: Deleted email from my Outlook Express mail handler. How do I recover the deleted emails?

Week 21:

Scenario: Outlook PST file has exceeded the two gigabyte limit. How do I recover my email file without damaging all of my data?

Week 22:

Scenario: Reloaded Windows over the top of an existing Windows setup and lost access to my Documents and Settings folder. How do I gain access to the folder?

Week 23:

Scenario: Hard drive has exhibited symptoms of possible bad sectors. How do I safely recover my data without compromising the physical attributes of the hard drive?

Week 24:

The future of data storage and what is needed in order to safeguard the data on your system.

I am going to cover a great deal of material in the next six months. As I reveal each secret, hopefully that information will help you recover and safeguard your data. If you have any questions, please feel free to call or drop me an email.

  1. andy butler says:

    FAO Dick Correa


    I have found your site to be very interesting and informative and just wondered if you would be following up on these data recovery resource pages?

    In particular Week 24 (the future of Data Storage)

    My team has developed in the last year into one of the UK’s most successful data recovery labs with a full clinic of services from electronics faults and logical data recovery to full cleaning of hard drives, rebuild and recovery of RAID 0,1,5,6,10 ETC inc recently an 8 drive RAID 5 that had been “looked at” and 2 of the drives inadvertently mixed. We recover RAID configurations even where there are seized spindles on enterprise drives SCSI 15k but that is not my question.

    I would be interested to see if you have an answer to the Western Digital problem, because I see no mention of it on your site.

    Andy abc Data Recovery Ltd

