Today’s data recovery tools have come a long way compared to the simple “undelete” of two decades ago. Instead of relying solely on the file system, they implement extremely complex algorithms that allow them to recover files from raw volumes. A “raw” volume is one where some disk system structures, such as the master boot record (MBR) or the file system, are damaged, empty or missing entirely. This article describes the algorithms used to recover files from raw disk volumes.
Finding Disk Volumes
Before we begin looking for individual files, it is essential to locate all partitions (disk volumes) stored on the hard drive. Normally, information about the volumes is stored at the beginning of the disk in a record called the Partition Table. Windows maintains one or more partition tables detailing the location of each partition. Partition tables contain information about the beginning and end of each volume as well as its type.
Sometimes, however, the hard drive is corrupted so badly that individual disk volumes (partitions) are not available. If this is the case, it is essential to locate the volumes on the disk in order to find the location of their file systems.
Finding the File System
The easiest way to locate disk volumes is to detect the presence of the file system, a structure that’s normally stored at the beginning of the volume. When recovering information from a volume, partition recovery tools normally assume that each volume has a file system. If the partition table is damaged or no longer available, the tool has to scan the disk looking for a file system (or multiple file systems if the disk contained multiple partitions).
Many file systems have fixed signatures, making them relatively easy to find. For example, the FAT file system contains the values 0x55 and 0xAA in the 510th and 511th bytes (counting from zero) of the first sector of the volume. These signatures are used to detect the presence of the file system. Other file systems (e.g. ext2/3, NTFS, HPFS and so on) have different persistent signatures and different detection algorithms, but the general principle remains the same. Additional checks are performed after encountering these signatures, because a signature alone can also occur in other data. If, after all the checks, the algorithm confirms the presence of a file system, the tool can then determine the beginning of a volume.
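The signature-then-verify scan described above, as an added example that is not code from the original article or from any particular recovery tool. The 512-byte scan step, the function names and the specific BIOS Parameter Block sanity checks are assumptions chosen for this sketch, and the disk image is constructed in memory.

```python
import struct

SECTOR = 512  # assumed sector size and scan step

def is_pow2(n):
    return n > 0 and n & (n - 1) == 0

def looks_like_fat_boot_sector(sec):
    """Signature test first, then sanity checks on the BIOS Parameter Block."""
    if len(sec) < SECTOR or sec[510] != 0x55 or sec[511] != 0xAA:
        return False
    # x86 jump at offset 0: EB xx 90 (short jump) or E9 xx xx (near jump)
    if not ((sec[0] == 0xEB and sec[2] == 0x90) or sec[0] == 0xE9):
        return False
    # Offsets 11..16: bytes/sector, sectors/cluster, reserved sectors, FAT count
    bps, spc, reserved, fats = struct.unpack_from("<HBHB", sec, 11)
    media = sec[21]  # media descriptor: 0xF0 or 0xF8..0xFF
    return (bps in (512, 1024, 2048, 4096)
            and is_pow2(spc) and spc <= 128
            and reserved >= 1
            and fats in (1, 2)
            and (media == 0xF0 or media >= 0xF8))

def find_fat_volumes(image):
    """Return sector numbers whose contents pass every boot-sector check."""
    return [off // SECTOR
            for off in range(0, len(image) - SECTOR + 1, SECTOR)
            if looks_like_fat_boot_sector(image[off:off + SECTOR])]

def build_sample_image():
    """Constructed 128-sector image: wiped MBR at 0, FAT16 boot sector at 63."""
    img = bytearray(128 * SECTOR)
    img[510:512] = b"\x55\xAA"  # an MBR carries the same signature, no BPB
    boot = bytearray(SECTOR)
    boot[0:3] = b"\xEB\x3C\x90"
    boot[3:11] = b"MSDOS5.0"
    struct.pack_into("<HBHB", boot, 11, 512, 4, 1, 2)
    boot[21] = 0xF8
    boot[510:512] = b"\x55\xAA"
    img[63 * SECTOR:64 * SECTOR] = boot
    stray = 100 * SECTOR + 510  # signature bytes occurring inside file data
    img[stray:stray + 2] = b"\x55\xAA"
    return bytes(img)

if __name__ == "__main__":
    print(find_fat_volumes(build_sample_image()))
```

Three sectors in the sample carry 0x55 0xAA, but only the one with a plausible BIOS Parameter Block is reported as the start of a volume.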
Scanning the Volume
After successfully locating all volumes, we can choose a single partition to extract information from. It is important to realize that raw hard disks may contain damaged, corrupted, empty or inconsistent file system records; therefore a good data recovery tool cannot rely solely on information stored in the file system. However, ignoring such information completely would not be a good idea, as the file system contains records pointing to many types of files that cannot be discovered otherwise.
Detailed information on file system analysis is available in the following article.