Data Recovery Techniques

Florida State University, CIS 4360 – Computer Security

Fall 2006

December 6, 2006

Matthew Alberti

Horacesio Carmichael

Explanation

Data recovery techniques are used to retrieve information that has been deleted, damaged, or otherwise lost. End users, companies, and government agencies use data recovery for different reasons, and it is a major part of computer forensics.

Background

● Data recovery techniques have been around for a long time

● The term does not necessarily refer to computer systems

● Today, “data recovery” most often does refer to computer systems

Common Misconception

● Data removed from a system is either deleted or overwritten. Deleted data can often be recovered; properly overwritten data cannot.

● A deleted file is not gone. The operating system removes the directory entry (the pointer to the file) and marks its clusters as free, but the data itself stays on the disk.

● Those clusters can now be reused. The old data survives only until new data is written over it.

Misconception cont.

Data is recorded on magnetic media as ones and zeroes. Once a sector is overwritten, the drive's read head returns only the new value; whatever trace of the old magnetization remains is below what the drive itself can detect.

Reading such remnants would require specialized equipment, would be extremely slow, and would recover the old bits only partially and with errors, leaving a puzzle that is impractical to solve. In practice, overwritten data should be treated as unrecoverable. The real exposure is data that was never overwritten: deleted but intact clusters, slack space at the end of files, swap, journals, and backups.
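The point above, shown in code. This is an added example, not part of the original slides: a toy disk image with an invented directory format, a file that is "deleted" the way most file systems do it (entry cleared, data left in place), the file recovered by signature carving (the search for a single file type mentioned later under Techniques), and then the remnant left in slack space after the freed sector is reused. The file contents are constructed for the demo; only the JPEG and PDF magic bytes are real.

```python
"""Added example, not part of the original slides: a toy disk image in which a
file is deleted the way most file systems do it (directory entry cleared, data
left in place), then recovered by signature carving, then partly destroyed when
the freed sectors are reused. The directory layout and file contents are
constructed for this demo; the JPEG and PDF magic bytes are the real ones."""
import struct

SECTOR = 512
# Toy directory entry (invented): name(8) | start sector(2) | length(4) | live flag(1)
DIR_ENTRY = struct.Struct("<8sHIB")
SLOTS = SECTOR // DIR_ENTRY.size           # the directory lives in sector 0
FLAG_OFF = DIR_ENTRY.size - 1

# Header and footer signatures the carver looks for (real values, short list).
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "pdf": (b"%PDF-", b"%%EOF"),
}


def new_image(sectors=64):
    return bytearray(sectors * SECTOR)


def _entries(img):
    for slot in range(SLOTS):
        pos = slot * DIR_ENTRY.size
        name, start, length, live = DIR_ENTRY.unpack_from(img, pos)
        yield pos, name.rstrip(b"\0").decode(), start, length, live


def write_file(img, name, data, start_sector):
    """Store data at start_sector and record it in the first free directory slot.
    Like FAT, a slot whose live flag is 0 (never used or deleted) is reusable."""
    off = start_sector * SECTOR
    img[off:off + len(data)] = data
    for pos, _, _, _, live in _entries(img):
        if not live:
            img[pos:pos + DIR_ENTRY.size] = DIR_ENTRY.pack(
                name.encode().ljust(8, b"\0"), start_sector, len(data), 1)
            return
    raise RuntimeError("directory full")


def list_files(img):
    """What the operating system shows: live entries only."""
    return [(n, s, l) for _, n, s, l, live in _entries(img) if live]


def delete_file(img, name):
    """Ordinary delete: clear the live flag. The data sectors are not touched."""
    for pos, n, start, length, live in _entries(img):
        if live and n == name:
            img[pos + FLAG_OFF] = 0
            return start, length
    raise FileNotFoundError(name)


def carve(img, signatures=SIGNATURES):
    """Ignore the directory entirely: scan every sector boundary for a known
    header and cut at the next matching footer. Real carvers also handle
    fragmented files and headers that are not sector-aligned; this one does not."""
    found = []
    for sector in range(len(img) // SECTOR):
        off = sector * SECTOR
        for kind, (head, tail) in signatures.items():
            if img[off:off + len(head)] == head:
                end = img.find(tail, off + len(head))
                if end != -1:
                    found.append((kind, off, bytes(img[off:end + len(tail)])))
    return found


def demo():
    img = new_image()
    photo = b"\xff\xd8\xff\xe0" + b"JFIF-body-" * 20 + b"\xff\xd9"   # constructed
    report = b"%PDF-1.4\n" + b"quarterly report\n" * 8 + b"%%EOF"   # constructed
    write_file(img, "photo", photo, 4)
    write_file(img, "report", report, 8)

    delete_file(img, "photo")
    visible = [n for n, _, _ in list_files(img)]            # the OS no longer lists it
    carved = {kind: data for kind, _, data in carve(img)}
    recovered = carved.get("jpg") == photo                  # carving gets it back whole

    # Sector 4 is free again and a shorter file lands there. The JPEG header is
    # destroyed, so carving fails, but the tail survives in the slack after the
    # new file's end: a remnant an examiner still sees in a hex editor.
    write_file(img, "notes", b"meeting notes " * 4, 4)     # 56 bytes, constructed
    kinds_left = [kind for kind, _, _ in carve(img)]
    slack = bytes(img[4 * SECTOR + 56: 4 * SECTOR + len(photo)])
    remnant = slack == photo[56:]
    return visible, recovered, kinds_left, remnant
```

Run `demo()` to see the four stages: the OS listing hides the deleted photo, the carver recovers it byte for byte, reuse of the sector breaks the carver, and the slack bytes past the new file's end still hold the old JPEG's tail.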

Reasons for End User

● Recover files deleted accidentally

● Recover files that have been compromised by:
  – Hardware failure
  – Malicious activity

Reasons for Companies

● Recover data from an ex-employee's computer

● Recover lost files:
  – Lost due to hardware failure
  – Compromised or lost due to a network problem

Reasons for Government Agencies

● Similar to companies
  – Recover files from an ex-employee's computer
  – Recover data after hardware or network failure

● Law enforcement agencies
  – Recover evidence from a suspect's computer
  – Search the hard drive for particular information
  – Establish motive for the crime
  – Identify any accomplices
  – Support forensic analysis of computers

Techniques

● Perform a forensic analysis of the computer

● Search for one file or a single file type

● Attack encryption methods

● Restore disk using an existing image

● Examine data in RAM

More Techniques

● Examine disk at the cluster or sector level

● Analyze data using hex editor

● Compute a hash of the entire disk (or disk image) so its integrity can be verified later, and export it for use in another tool
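The last three techniques, shown together. This is an added example, not part of the original slides: the offset / hex / ASCII view a hex editor such as WinHex gives of one sector, a keyword search that reports which sectors hold a pattern, and a chunked hash of the whole image taken before and after the examination to confirm the evidence was not altered. The image contents are constructed here.

```python
"""Added example, not part of the original slides: sector-level examination of
a disk image, a keyword search by sector, and a whole-image hash taken before
and after the analysis. The image bytes are constructed for the demo."""
import hashlib

SECTOR = 512


def hash_image(img, algo="sha256", chunk=1 << 20):
    """Hash the entire image in fixed-size chunks so images far larger than RAM
    (or a raw device opened read-only) can be processed the same way."""
    h = hashlib.new(algo)
    view = memoryview(img)
    for i in range(0, len(view), chunk):
        h.update(view[i:i + chunk])
    return h.hexdigest()


def hexdump_sector(img, sector, width=16):
    """Render one sector as offset | hex bytes | printable ASCII, the layout
    WinHex and similar editors use. Non-printable bytes are shown as '.'."""
    base = sector * SECTOR
    lines = []
    for row in range(0, SECTOR, width):
        chunk = bytes(img[base + row:base + row + width])
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{base + row:08x}  {hexpart:<{width * 3 - 1}}  {text}")
    return lines


def find_sectors(img, needle):
    """Return the sector numbers in which a byte pattern occurs (a keyword,
    a file signature, an e-mail address). Repeated hits are reported once."""
    hits, start = set(), 0
    while (pos := img.find(needle, start)) != -1:
        hits.add(pos // SECTOR)
        start = pos + 1
    return sorted(hits)


def demo():
    img = bytearray(64 * SECTOR)                               # constructed image
    img[3 * SECTOR + 100: 3 * SECTOR + 112] = b"CONFIDENTIAL"  # planted in sector 3
    img[40 * SECTOR + 7: 40 * SECTOR + 19] = b"CONFIDENTIAL"   # and again in sector 40
    before = hash_image(img)               # hash taken when the image is acquired
    dump = hexdump_sector(img, 3)          # examine one sector as a hex editor would
    hits = find_sectors(img, b"CONFIDENTIAL")
    after = hash_image(img)                # re-hash: analysis must be read-only
    return {"before": before, "after": after, "dump": dump, "hits": hits}
```

The before/after digests match only if nothing touched the image; a mismatch means the copy is no longer the evidence that was acquired. Hashing in chunks is what lets the same routine run over a multi-terabyte image or a block device opened read-only.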

Statistics

Cause of Data Loss and Frequency of Occurrence (as given on the slide; the figures total 90%):

● Hardware or System Malfunction: 44%

● Human Error: 32%

● Software Program Malfunction: 4%

● Viruses: 7%

● Natural Disasters: 3%

Types of Damage

Physical Damage

Logical Damage

Physical Damage

● CDs can suffer scratches

● Tapes can simply break

● Hard disks can suffer mechanical problems

Logical Damage

Logical damage is most often caused by a power outage or crash that interrupts a write, so the file and its metadata are never completely written to the storage device.

Some results are:

● File is left in an inconsistent state

● Data totally lost

● System crashes

● Strange behavior

● Partial storage
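The failure mode above, reproduced and then avoided. This is an added example, not part of the original slides: a write is interrupted part-way (a `PowerLoss` exception stands in for the outage), once with a naive truncate-and-write update that leaves a torn file, and once with the write-temp-fsync-rename pattern, which leaves the previous version intact. File names and contents are constructed for the demo.

```python
"""Added example, not part of the original slides: logical damage from an
interrupted write, and the write-to-temp-then-rename pattern that prevents it.
PowerLoss simulates the outage; names and contents are constructed."""
import os
import tempfile


class PowerLoss(Exception):
    """Simulated power failure in the middle of a write."""


def write_in_place(path, data, fail_after=None):
    """Naive update: truncate the file and write the new contents over it.
    If power fails after `fail_after` bytes, the file is left torn."""
    with open(path, "wb") as f:
        if fail_after is None:
            f.write(data)
            return
        f.write(data[:fail_after])
        f.flush()
        raise PowerLoss()


def write_atomic(path, data, fail_after=None):
    """Crash-safe update: write a temporary file in the same directory, fsync it,
    then rename it over the target. Readers see the old version or the new one,
    never a mixture, because rename() replaces the directory entry in one step."""
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".tmp-")
    try:
        with os.fdopen(fd, "wb") as f:
            if fail_after is not None:
                f.write(data[:fail_after])
                f.flush()
                raise PowerLoss()
            f.write(data)
            f.flush()
            os.fsync(f.fileno())          # data is on disk before the rename
        os.replace(tmp, path)
        if hasattr(os, "O_DIRECTORY"):    # make the rename itself durable (POSIX)
            dfd = os.open(directory, os.O_RDONLY | os.O_DIRECTORY)
            try:
                os.fsync(dfd)
            finally:
                os.close(dfd)
    except BaseException:
        if os.path.exists(tmp):           # never leave the half-written temp behind
            os.unlink(tmp)
        raise


def demo(workdir=None):
    """Store a record, then 'lose power' while updating it with each method."""
    workdir = workdir or tempfile.mkdtemp(prefix="logical-damage-")
    old, new = b"balance=100\n", b"balance=250\n"          # constructed records
    results = {}
    for name, writer in (("in_place", write_in_place), ("atomic", write_atomic)):
        path = os.path.join(workdir, f"{name}.txt")
        writer(path, old)                 # clean initial write
        try:
            writer(path, new, fail_after=4)
        except PowerLoss:
            pass
        with open(path, "rb") as f:
            results[name] = f.read()
    results["files_left"] = sorted(os.listdir(workdir))
    return results
```

After the simulated outage the naive file holds only `bala`, the "inconsistent state" from the list above, while the atomic version still holds `balance=100`. The fsync before the rename matters on real hardware: without it the rename can reach the disk before the data does, and the new file is empty or torn after a crash.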

Tools - Explanation

Many different tools exist that make data recovery easier. Some tools are only meant for government or commercial use. Also, the cost of some tools is too high for them to be feasible for an end user.

Tools

● WinHex
  – Very popular
  – Available to the end user

● Forensic Tool Kit (FTK)
  – Used by some law enforcement agencies
  – More oriented towards forensics

● EnCase
  – Also used by law enforcement agencies
  – More oriented towards forensics

More Tools

● Many special-purpose tools
  – Oriented towards the end user
  – Single function
  – Typically very easy to use
  – May not be as accurate or powerful
  – Should not be considered forensically sound

Defeating Data Recovery

Methods exist that can make data recovery very difficult or impossible. They should be used to protect financial information, medical records, or classified data. Most people are unaware that deleted data may remain recoverable for a long time.

Backups

A backup is a copy of data kept so that it can be restored after the original is lost.

Data recovery becomes necessary when no adequate backup exists.

Techniques to Prevent Recovery

● Overwrite freed space with random data
  – Fill the sectors with random 1s and 0s so nothing of the original pattern remains
  – Prefer output from a cryptographically secure random generator over a fixed or predictable pattern: no pattern lets a recovery tool undo an overwrite, but a fixed pattern advertises that wiping took place
  – Overwriting only reaches the sectors it is pointed at; copies in slack space, journals, swap, snapshots, or backups are untouched

● Use a tool to “wipe” data securely
  – Automates overwriting deleted files, free space, and the file names left in the directory
  – Tools are available to the end user, sometimes included with security software suites
  – On SSDs and on journaling or copy-on-write file systems, file-level overwriting may miss copies the drive or file system has relocated; the drive's built-in secure erase or full-disk encryption with key destruction is the reliable alternative
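A file wiper of the kind the second bullet describes. This is an added example, not part of the original slides and not any particular product's code: it overwrites the contents with random bytes from the operating system's CSPRNG, forces them to disk, renames the file to a random name so the original name does not linger in the directory, and only then unlinks it. The check between overwrite and unlink reads the file back to confirm the logical contents are gone; it cannot confirm anything about copies the file system or drive holds elsewhere, which is the caveat above. File name and contents are constructed for the demo.

```python
"""Added example, not part of the original slides: a secure-overwrite wiper
(random data, fsync, random rename, unlink) with a read-back check.
File name and contents are constructed; the fake record number is not real."""
import hashlib
import os
import secrets
import tempfile

CHUNK = 64 * 1024


def overwrite_contents(path, passes=1):
    """Replace every byte of the file with fresh random data, `passes` times,
    and force it to disk. Returns the SHA-256 of the final pass so the caller can
    confirm what the file now logically holds. This does NOT reach copies kept
    elsewhere: journal or log-structured file systems, copy-on-write snapshots,
    SSD blocks retired by wear levelling, backups, or older versions in slack."""
    size = os.path.getsize(path)
    digest = None
    with open(path, "r+b") as f:
        for _ in range(passes):
            h = hashlib.sha256()
            f.seek(0)
            remaining = size
            while remaining:
                block = secrets.token_bytes(min(remaining, CHUNK))
                f.write(block)
                h.update(block)
                remaining -= len(block)
            f.flush()
            os.fsync(f.fileno())
            digest = h.hexdigest()
    return digest


def shred_file(path, passes=1):
    """Overwrite the contents, hide the name, then delete."""
    digest = overwrite_contents(path, passes)
    anon = os.path.join(os.path.dirname(path), secrets.token_hex(8))
    os.replace(path, anon)              # directory entry now carries a random name
    os.unlink(anon)
    return digest


def demo(workdir=None):
    workdir = workdir or tempfile.mkdtemp(prefix="wipe-")
    path = os.path.join(workdir, "patient-records.txt")
    secret = b"record 123-45-6789; diagnosis: ...\n" * 100   # constructed content
    with open(path, "wb") as f:
        f.write(secret)

    digest = overwrite_contents(path)   # step 1: overwrite, but keep the file
    with open(path, "rb") as f:
        now = f.read()                  # read-back check before deleting
    results = {
        "same_size": len(now) == len(secret),
        "secret_gone": b"123-45-6789" not in now,
        "digest_matches": hashlib.sha256(now).hexdigest() == digest,
    }

    shred_file(path)                    # step 2: overwrite again, rename, unlink
    results["file_exists"] = os.path.exists(path)
    results["dir_empty"] = os.listdir(workdir) == []
    return results
```

The read-back check is the most a file-level tool can prove: the bytes the file system returns for that file are now random. Whether the sectors that held the old data were the same ones written to is up to the file system and the drive, which is why the bullet above points to secure erase or encryption with key destruction for media where that assumption fails.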

WinHex Screenshots (slide images not included in the transcript)

QUESTIONS?