Data Recovery Training :
Find out more:
DTIData is proud to now
offer data recovery training. With over 25 years of experience
recovering data DTIData can offer a full and comprehensive training
course. There is automated software in the world that can
recover from every situation. There are times when a manual
approach must be taken. We teach you the knowledge needed
to do just that. The course also covers working with Raid's
like the professionals. Most Raid recoveries are not from
physical damage, they are from logical issues that cannot be fixed
with automated tools.
All students will receive
our Power Pack and three free logical recoveries performed by DTIData.
You will also become a preferred data recovery partner which grants
you discounts on physical recoveries.
For more information on
this training class please call Jon Moxley at 866-438-6932 or
727-345-9665.
Data Recovery Course Outline
I General File System Overview
A.
What is a file system?
B. Attributes
of a file system
C. Detriments
of a file system
D. Microsoft
operating systems
1. DOS 3.3 (FAT12)
2. DOS 5.0 (FAT16)
3. Windows 3.1 (FAT16)
4. Windows 95 (FAT32 OSR 2)
5. Windows 98/ME (FAT32)
6. Windows NT/2K/XP (FAT32 NTFS)
7. Longhorn (NTFS)
II General Hard Disk Drive Overview as a storage device
A.
Brief hardware description
1. Platter
2. Heads
3. Circuit board
a. SCSI (Small Computer System Interface) embedded BIOS
b. IDE (Integrated Drive Electronics) IO only
B. BIOS
1. C-H-S Addressing
2. LBA Logical Block Addressing
III File System On-Disk format
A.
Master Boot Record/Partition Sector
1. On-disk placement (STANDARD)
2. Boot Code
a. Other operating systems
i. Linux
ii. MAC
iii. Third party boot handlers
x. Ontracks Disk Manager
3. Partition record
a. General Description
B. OS Boot
Record
1. On-disk placement
a. Standard
b. Virtual
2. Boot Code
a. FAT
b. NTLDR
i. Multi-boot handler
3. BIOS Parameter Block
a. General Description
4. Built in data recovery
a. Backup boot records
5. Correlation between MBR and OS Boot Record
C. Indexing
Methods
1. FAT16
a. Attributes
i. 16 bit addressing
ii. Max drive size
b. Placement
c. Backup
d. File Entry Tables
2. FAT32
a. Attributes
i. 28 bit addressing
ii. Max drive size
b. Placement
c. Backup
d. File Entry Tables
3. NTFS
a. Attributes
i. Master File Table (MFT)
ii. Database type indexing
iii. Max Drive size
b. Placement
c. Backup
d. INDX Records
e. NTFS 4/5
D. Data
Area
1. FAT16
a. Root Directory (Static)
b. Data Area (Static)
2. FAT32
a. Root Directory (Virtual)
b Data Area (Virtual)
3. NTFS
a. MFT (Virtual)
b. INDX (Virtual)
c. Data Area (Virtual)
IV File System Weaknesses
A.
General
1. Corrupt MBR
a. Possible causes
i. Virus
ii. Operating System anomaly
iii. Hardware anomaly
iv. Improper use of operating system tools (Fdisk)
b. Effects
i. Invalid logical drive sizes and types
ii. Lost logical drives
iii. System will not boot
iv. Resident low level boot virus
2. Corrupt OS Boot Record
a. Possible causes
i. Virus
ii. Operating System anomaly
iii. Hardware anomaly
iv. Improper use of OS tools (Format)
b. Effects
i. Invalid logical drive size and types
ii. System will not boot
iii. FAT32
x. Root directory cluster pointer destroyed
iv. NTFS
x. MFT cluster pointer destroyed
B. Corrupt
FAT
1. Entire logical drive data indexing is maintained by the FAT
2. Data may be unrecoverable or at least corrupted
3. Although a backup is maintained it usually is corrupted.
C. Corrupt
MFT
1. Entire logical drive data indexing is maintained by the MFT
2. Data may be unrecoverable or at least corrupted
V. Scenarios & data recovery of the following:
A. Operating
system will not boot
1. MBR corrupted or missing
a. BIOS boot strap code
2. OS boot record corrupted or missing
a. OS boot strap code
b. BPB miss-aligned
3. OS Start up files missing or corrupted
a. command.com
b. NTLDR
4. Virus pre-empting operating system load
a. Boot virus shifting memory markers
5. Hardware
a. Hard drive, memory, motherboard
B. Directory
listing not displaying properly
1. FAT or MFT corrupt
a. EOF markers and links invalid
2. OS boot record corrupted
a. Cluster alignment
b. MFT or FAT start cluster pointers
3. Virus corrupting display
a. Memory
4. Hardware
a. Memory, Hard disk
C. Data corrupted
1. FAT or MFT corrupt
a. Links or run list corrupted
2. OS Boot record corrupted
a. Cluster alignment
b. MFT and FAT start cluster pointers
3. Virus corrupted data
a. Writing random area across drive
4. Hardware
a. Memory, Hard disk
VI Data Recovery Tools
A.
Recovery It All Professional
B. Fast File
RAW File Extractor
C. Fast File
Undelete
D. WinHex
E. ScanPST
F. Digital
Picture Recovery
G. E-Recovery
for Outlook express
VII RAID (Redundant Array of Independent Drives)
A.
RAID 0
1. Striped
B. RAID 1
1. Mirrored
C. RAID 1+0
1. Striped mirror
D. RAID 5
1. Striped with parity
E. What is
Parity?
1. XOR mathematics
F. Recovery
1. Header Size
2. Stripe Size
3. Parity progression
4. Software vs. Hardware
5. De-striping techniques
VII Hands on
A. Recover
a deleted file after a simple delete
B. Recover
all Excel files after a simple delete
C. Recover
PST file after fdisk.
D. Recover
PST file after format
E. Recover
file system after Partition Magic
F. Recover
Outlook Express after quick restore
G. Recover
deleted emails.
H. Recover
formatted media card
I. Recover
all JPEGS after MFT destroyed
|
MAIN MENU : 
TRAINING : 
