1 |
On Пнд, 2006-01-30 at 17:03 -0800, Grant wrote: |
2 |
> I've heard that data can be recovered from a formatted hard |
3 |
> disk. Lucky for me I don't have any interest in actually doing this, |
4 |
> but I got in an argue\ment with a buddy last night about whether or |
5 |
> not it was possible. I'm sure I've read that the government and other |
6 |
> well-funded institutions have this capability. Is it true? |
7 |
|
8 |
What a long thread, full of myths. But there are no miracles :) |
9 |
|
10 |
Short answer for your question is... No. It's not true. |
11 |
|
12 |
Having some experience in field of data recovery I'm not going to dive |
13 |
into my real stories. I'll better give some general hints. |
14 |
|
15 |
Answer on your question depends on how hard drive was formatted or how |
16 |
it was crashed. If you do `dd if=/dev/zero of=/dev/hdd then there is no |
17 |
chances you'll get you data. Why? Because all byte and bits on your hard |
18 |
drive became 0. dot. If you heard about remanence or that 0 is a bit 1 |
19 |
and that some big craft apparatus can read such data, think about hard |
20 |
drive manufacturers. They spend big efforts to make hard drive a bit |
21 |
more capacious. So why they leave free space for additional information |
22 |
on your hard drive, which you have when you think about space between |
23 |
tracks or under-rotation of magnetic domains? |
24 |
|
25 |
But than you may ask. What does data recovery companies can do? |
26 |
|
27 |
Well. The best they can do is to read files from you hard drive when it |
28 |
contains them! So suppose you have deleted file. This operation only |
29 |
removes entry in you directory table, but not the file itself. Or you |
30 |
did format you hard drive. That will rebuild only file structure on you |
31 |
hard drive. Normally that means that you overwrite about 5% of you |
32 |
drive. All other data is intact. Just read it. |
33 |
|
34 |
But what I mean by reading deleted file? You may get filling about that |
35 |
with grep. Actually grep is the first utility to do data recovery. It's |
36 |
very easy to use but very powerful if you know what are you looking for. |
37 |
just try: |
38 |
# grep "/etc/fstab: static file system information" -B1 -A10 /dev/hda |
39 |
and you will find you fstab on hard drive even after you remove it. If |
40 |
you grep for "PDF-1." you will find some pdf files. There are special |
41 |
programs for data recovery, that know many different patterns, but |
42 |
internally work like grep. Of course, there are problems if, fex, file |
43 |
is big enough and it is not written in consequent blocks of hard drive |
44 |
or if some parts of file are overwritten... |
45 |
|
46 |
But what about big machines??? What they are for? You may find some of |
47 |
them searching in google, fex, on data recovery sites. Well they are |
48 |
used in a situation when hard drive was broken mechanically or internal |
49 |
hard drive logic is broken (fex, due to bad blocks). If you hard drive |
50 |
is broken mechanically, you have to find another identical (see serial |
51 |
number...) hard drive and then you should open them and move disks from |
52 |
hard drive with broken mechanics into new one. After that hard drive is |
53 |
broken. You can not just plug in and use because unique, hard drive |
54 |
specific information like where to look for zero track is lost. But that |
55 |
machine allows you to "control" heads, you have possibility to read that |
56 |
hard drive. After that use grep to search for your files in the raw |
57 |
stream of data. |
58 |
|
59 |
You may find some interesting information about data recovery in google. |
60 |
But as I told you. No miracles. Sorry. =) |
61 |
|
62 |
HTH, |
63 |
Peter. |