On Пнд, 2006-01-30 at 17:03 -0800, Grant wrote: > I've heard that data can be recovered from a formatted hard > disk. Lucky for me I don't have any interest in actually doing this, > but I got in an argue\ment with a buddy last night about whether or > not it was possible. I'm sure I've read that the government and other > well-funded institutions have this capability. Is it true?
What a long thread, full of myths. But there are no miracles :) Short answer for your question is... No. It's not true. Having some experience in field of data recovery I'm not going to dive into my real stories. I'll better give some general hints. Answer on your question depends on how hard drive was formatted or how it was crashed. If you do `dd if=/dev/zero of=/dev/hdd then there is no chances you'll get you data. Why? Because all byte and bits on your hard drive became 0. dot. If you heard about remanence or that 0 is a bit 1 and that some big craft apparatus can read such data, think about hard drive manufacturers. They spend big efforts to make hard drive a bit more capacious. So why they leave free space for additional information on your hard drive, which you have when you think about space between tracks or under-rotation of magnetic domains? But than you may ask. What does data recovery companies can do? Well. The best they can do is to read files from you hard drive when it contains them! So suppose you have deleted file. This operation only removes entry in you directory table, but not the file itself. Or you did format you hard drive. That will rebuild only file structure on you hard drive. Normally that means that you overwrite about 5% of you drive. All other data is intact. Just read it. But what I mean by reading deleted file? You may get filling about that with grep. Actually grep is the first utility to do data recovery. It's very easy to use but very powerful if you know what are you looking for. just try: # grep "/etc/fstab: static file system information" -B1 -A10 /dev/hda and you will find you fstab on hard drive even after you remove it. If you grep for "PDF-1." you will find some pdf files. There are special programs for data recovery, that know many different patterns, but internally work like grep. Of course, there are problems if, fex, file is big enough and it is not written in consequent blocks of hard drive or if some parts of file are overwritten... But what about big machines??? What they are for? You may find some of them searching in google, fex, on data recovery sites. Well they are used in a situation when hard drive was broken mechanically or internal hard drive logic is broken (fex, due to bad blocks). If you hard drive is broken mechanically, you have to find another identical (see serial number...) hard drive and then you should open them and move disks from hard drive with broken mechanics into new one. After that hard drive is broken. You can not just plug in and use because unique, hard drive specific information like where to look for zero track is lost. But that machine allows you to "control" heads, you have possibility to read that hard drive. After that use grep to search for your files in the raw stream of data. You may find some interesting information about data recovery in google. But as I told you. No miracles. Sorry. =) HTH, Peter.
signature.asc
Description: This is a digitally signed message part
