It's getting dark outside; do you know where your data is?
Although various operating systems handle file allocation and directory organization differently, they all pretty much do the same thing when it comes to erasing data. To keep the process simple and fast when a file is "erased", the name is usually modified and the portion of the drive where the content is actually stored is simply made available to store new information on.
In other words, your data is not "gone" when you erase a file. Similarly, when you format a drive or even perform a full system recovery, data can still exist on the drive where new information has not been copied.
Data Recovery programs vary in their sophistication, from something as simple as un-erasing deleted files to scanning the "unused" data space for recognizable data. In either case, the program can only work as long as nothing has overwritten the information you are trying to recover.
Software programs such as RecoverSoft Data Rescue PC (Prosoft Engineering, Inc.), Recover My Files (Get Data) and Search and Recover (Iolo), typically have simple un-erase capability if the drive is partitioned as FAT, or can scan a drive looking for data still hiding in unused data areas.
Prosoft Engineering has a Mac and a Windows version of their Data Rescue software. Although, in some cases, the utility may not even need to recognize or specifically support the operating system, allowing it to find information on Linux, Macintosh, Windows, or other partition types.
[caption id="attachment_316" align="aligncenter" width="300" caption="Iolo Search and Recover 3 includes tools to make exact image copies of your drive and to perform quick or intensive file recovery of a drive."][/caption]
If the drive is physically damaged such as where the electronics have failed or the motor no longer spins, then these software programs cannot help at all. Under these circumstances, your only real alternative is to send the drive off to a company that can try things like replacing or repairing the defective electronics.
If you have the money and the need, they can go to the extreme, and physically remove the data platters from your drive and place them in an functioning unit to access the data. This type of clean-room recovery is usually very expensive, but may be worthwhile if your information is truly irreplaceable.
[caption id="attachment_318" align="aligncenter" width="300" caption="Physical damage to the drive platters makes it difficult to recover any data, even if the platters were to be moved to a functional drive mechanism. The damaged platters are likely to immediately destroy the heads in the new drive, and make the surface damage even worse."][/caption]
Physical damage to the drive platters makes it difficult to recover any data, even if the platters were to be moved to a functional drive mechanism. The damaged platters are likely to immediately destroy the heads in the new drive, and make the surface damage even worse.
It's not unusual for a drive platter transplant to cost users $1500-$2000 to recover their critical corporate data. If a head crashed and physically damaged the disk, it may not matter how much money you are willing to spend... damaged platters are generally a lost cause for recovery.
Some conditions can make it difficult for full recovery. What can you do to make recovery more successful or at least can minimize the degree of loss?:
- Stop saving to the drive. The most important condition is that no new data be saved on the drive until you can run a recovery program. Once your old data has been overwritten with new information, recovery is no longer really an option.
- Defragment your drive regularly. Depending on the type of file system and how large your files and drive are, fragmentation of your data could result in only partial recovery or of corrupted content. Performing a regular defragmentation of your hard drive keeps the data in your files contiguous on the disk, and therefore, much easier to recover.
- Don't encrypt files, or keep unencrypted backups of critical data.
File encryption may protect your data from prying eyes, but it scrambles the contents of the data file, this would probably reduce your chances of recovery, at least where the application tries to identify file types by scanning for specific data headers.
Tips to improve your chances of recovering a file:
- Attempt recovery as quickly as possible. The longer a file goes unrecovered, the more chance that some other data will be saved over the top.
- Don't install, create, or copy anything new to a formatted or re-imaged drive.
- Recommended: If you have software like Symantec Ghost, or Acronis True Image, make an exact image copy (sometimes called a forensic copy) to an identical or larger drive. This gives you an additional backup to work with if things don't go well with the original drive. (Recovery programs should not alter the content of the source drive; having an exact copy provides some insurance against Murphy...)
- Have a spare drive or enough free space: recovery of your data will need to be to a target drive of equal or larger capacity. Some recovery programs will scan the source drive and give you an estimate of required space for the files.
- When all else fails - restore a backup (you DO have a backup, right?)
Is your privacy at risk?
The first time you successfully perform a data recovery on a drive and save data you were sure were gone, it can be a great relief. At least right up until the moment it sinks in that anyone with one of these products might be able to access your files, pictures, and other personal information on any drive you left in an old computer.
I already mentioned that formatting a drive or even restoring a factory system image only overwrites only a small portion of the data on the disk. Any unused space on the drive may hold data that can be rediscovered, and copied off for good, malicious, or just voyeuristic reasons.
If it's so easy to recover files you thought lost or erased, what about securing data on hard drives you might have in old computers or external enclosures or even flash drives? There are several different ways to approach securing your old data drives.
- Encryption: If you actively use or need access to the information, data encryption may be the easiest. File level encryption may be tied to a user login under your operating system. But encryption is more useful when you can move and maintain the scrambled file between systems, drives, and even to optical media or flash drives. Stand alone-encryption programs use a password to scramble and unscramble your information on demand, as long as you have the program installed on the system with the data.
- Low level format: Another approach is to wipe or low-level format the drive.
- Physically destruction: The last and most permanent method is physical destruction of the drive media.
Encryption: A variety of options exist to encrypt files. Windows NT, 2000, and XP Pro all have built-in encryption, but this requires that the drive be formatted NTFS. It is limited in that the OS-level encryption is only in place as long as the files remain on the drive.
If you move or copy an encrypted file to another drive, floppy disk, flash disk or optical media, the operating system removes the encryption to perform the copy.
If you have a version of the OS that does not support Encryption, or you want to keep your files scrambled even if they move, then you usually need some sort of third-party encryption program. This will allow you to password protect files or create encrypted archives with multiple files.
Kubicki Turbo Encrypter and TrueCrypt (free on download.cnet.com) are just a couple of the titles available for stand-alone encryption. Encryption is generally overkill for most users, but concerns about private information getting into the wrong hands make such methods more desirable for some.
Secure Wiping: Programs that securely wipe data can help make sure it does not turn up again later. These promise security because they will specifically target the existing file on the drive and deliberately save null or random information over the top before deleting the file. There are degrees of security available with most of these programs; depending on how many times information is written.
Most wiping programs will either use a "government acceptable standard" of scrambling and rewriting the surface of the disk enough times, that not even spies in high-tech laboratories will be likely to guess what had been previously saved on the drive. This presumes that there really do exist high-tech methods that could be used to determine if the random characters of information found on a disk platter really used to be a 1 and not a 0, and putting enough of these back together to make something coherent.
Programs that can securely wipe your data before erasing include DriveScrubber and System Mechanic (Iolo); Older programs like Symantec System Works or Norton Utilities both contained a wipe-info tool; and a quick search of download.cnet.com will even turn up free apps like Blowfish or Simple File Shredder.
[caption id="attachment_320" align="aligncenter" width="300" caption="Iolo Drive Scrubber is a tool to securely erase all of a drive or just unused space where your personal data might still exist even after being erased or formatted."][/caption]
Low Level Format: For the average user, even a single pass recording of (random) information over your files will equal permanent loss in terms of software programs that an average user or even computer hacker might have access. One tool that can be found on many hard drive manufacturer sites is a low-level format utility or diagnostic utility that performs a similar function.
Low level formatting of a drive will write zeros to every sector of the target drive to verify there are no bad or unusable blocks. Some drive diagnostic programs may do the same thing, by destructive (loss of data) testing of every sector with multiple data patterns to make sure the data read matches what was written. Fujitsu, Western Digital, Seagate (Maxtor) all have some sort of low-level format tool or diagnostic you can download that are specific to their brand of drive.
Physical Destruction: If your drive failed, but at one time had private information on it, you won't be able to perform a secure wipe of the information or low-level format the drive. Under these circumstances, about the only way to guarantee that your data does not get out, is to physically destroy the drive.
Have fun! Bash it with a sledge hammer or drill holes through the platters. Some hard drive platters are made of glass rather than aluminum, and will shatter when you "execute" this type of abuse on them.
I usually just like to disassemble them into interesting or useful parts, pulling the platters and magnets out. (I also try to look for anything that might be artistic in appearance for use in a case mod or other project.) Check for local regulations on disposing of electronics and what may be considered hazardous waste in your state or area; this may limit your options a bit.
[caption id="attachment_321" align="aligncenter" width="300" caption="Some hard drive platters are glass, not metal. It's unlikely any data is coming back from the one on the left."][/caption]
Tips to protect your data and your privacy:
- Encrypt data you use or need to access regularly. Stand-alone encryption software is required to use the information on multiple systems, or to move it to different media such as flash drives or CD-ROM without losing the encryption.
- Securely Wipe individual files, wipe disks before disposal, wipe free space periodically to destroy old information.
- When disposing of old drives or systems with hard drives, disk wipe or low level format the drive before reimaging with the factory recovery.
- Share folders, not drives; restrict access with passwords; use read-only unless changes are needed
- Turn off WiFi routers when not in use and use the highest possible security to prevent easy access to your network.
- Use both Anti-Virus and Anti-Malware protection and keep your OS current with critical updates
- Data backup anything you cannot afford to lose. Keep copies of your backup media or drives in a secure location.