Home > Articles > Hardware > Upgrading & Repairing

Data Protection and Recovery Techniques Part 2: Preventing and Recovering from Data Storage Disasters using Common Utility Programs

  • Jul 1, 2002

Data Protection and Recovery Techniques Part 2: Preventing and Recovering from Data Storage Disasters using Common Utility Programs

In part one of this series, you learned how to protect your system from disaster by using backup programs under the guidance of a sound backup policy. However, backups alone cant stop disaster from happening, or prevent you from spending hours rebuilding your system. In Part 2, youll learn how to use popular system features and utility software to reverse common data disasters in a fraction of the time a complete system restore might require. In Part 3, youll learn how to evaluate and use professional data recovery programs and services. In Part 4, youll learn how to use the Norton Disk Editor to perform manual drive structure repair and data recovery.

If you are not familiar with file systems and disk storage, I recommend you read Chapter 25, File Systems and Data Recovery of my book Upgrading and Repairing PCs, 13th Edition for background information.

Understanding When Data Recovery Is Possible

Some may not understand that there is a difference between the file system data about a file, and the file itself. These are different things stored in different areas of the disk. The file system can be considered the table of contents, which the operating system uses to locate the actual files on the disk. If you damage the file system, it may seem as if your files are gone, but in reality they can still be intact and in perfect condition.

Although some situations can present more of a problem than others, data recovery is always (and only) possible if the actual file still exists and is readable on the drive. What this means is that even though the file system may be damaged, or the directory entry or FAT (file allocation table) entries for the file are damaged or missing, if the actual file data still resides in readable sectors on the disk, then it can be recovered. Data recovery isn't really recovering data, it is merely finding data that still exists. From there it's a matter of either rebuilding the file system links to that file (recreating the boot sectors, directory and FAT entries for example) or simply copying the actual sectors in which the file is stored to other media.

Data recovery is NOT possible if the file does not exist on the drive. This means that if the sectors containing the data have been overwritten, corrupted or physically damaged, then recovering that data is impossible. The bottom line is: if the data is still on the drive, then it can be found, if the data has been overwritten or corrupted, then forget about it. Data recovery is really the art of finding data which exists on the drive, but which is lost (file system links damaged or broken).

In cases where the actual file data is corrupted or overwritten, we may still be able to retrieve some of the sectors containing the file. Unfortunately, in most cases that won't be helpful, as most programs need a file to be complete before they will process it. Rebuilding partially damaged files is another area of data recovery, but that requires specialized knowledge about the particular file types one is dealing with.

For normal data recovery operations, there are utilities that can help find lost data and rebuild file system links so that the lost data can re-appear as a file. Youll need 3rd-party software for most tasks, but unless your drive is physically damaged, you wont need to pay huge sums of money to get back your data.

How to Install Software to Help You Get Back Lost Data - Safely

The worst thing you can do if you have lost a valuable file you dont have backed up is to save additional files to the drive or install software on the drive. Heres why: every time you store additional information on a drive with a lost file, the disk areas where that file are stored could be overwritten by the new files you are storing on the drive. If that happens, recovery becomes impossible.

If you need to install software to help you locate lost information, install the software on a different drive. If you are using a Windows-based data recovery tool, take an old hard drive out of storage (I keep several drives that are too small for everyday use around for emergencies). Disconnect the drive with the lost data, install the drive into the system as the Primary Master, and install a minimal installation of the same version of Windows you use on the drive with lost information. Then, install the data recovery software on the new drive. Only then should you reconnect the drive with lost data to the system.

Professional data recovery operations never work live on the actual drive with lost data. Instead they perform a mirror (sector by sector) copy to a replacement drive, and do all of the work on the replacement. If you have the resources and your data is important, you may consider doing the same.

If the computer with the lost data is no longer usable, use a computer that has the same BIOS and hard disk controller type. The reason being that computers with different BIOSes and controller types might not be able to read the data from your drive, even though its still present. Heres a good rule of thumb if you need to move the drive to another computer: if the drive with the lost data is not detected at full capacity by the other computers BIOS, dont use that computer. If the BIOS prevents your drive from being accessed properly, low-cost data recovery tools wont work, and you might wind up paying for professional data recovery services you really didnt need. In general a newer BIOS or operating system will be able to read any older drives.

Data Recovery 101 - Undeleting a File

The simplest type of data recovery is undeletion of a deleted file. You can use a Windows-based program such as Norton Unerase to retrieve the file if it wasnt sent to the Recycle Bin, or has been deleted from the Recycle Bin. This is possible because when the operating system (in this case, Windows), deletes a file, it actually does two things:

  • Changes the first character in the name of the file in the directory listing to a "s" (lowercase sigma) character
  • Writes zeros to the cluster chain entries in the FAT (file allocation table) to indicate that the clusters (allocation units) formerly used by the file are now available

If you used a physical-level software program such as Norton Disk Editor to view the directory entry, the first letter of an erased file appears as a lowercase sigma to indicate its erased status. Norton Unerase and similar programs from other vendors can look at the directory and, unlike the Windows Explorer, which ignores erased filenames, can see the file entry and correct it. This is accomplished by replacing the lowercase sigma with a standard character that you indicate, as well as rebuilding the cluster chain in the FAT. If you use the Norton Enhanced Recycle Bin, you might not even need to supply the first letter of the filename in many cases during the restore process, since the Enhanced Recycle Bin stores the entire filename.

Retrieving Data from a Crashed Program

What can you do if the data was never saved on the drive? Users of Windows 9x/Me in particular know that, all too often, systems freeze up after long periods of use or when many program windows are open. If the mouse pointer or keyboard is frozen, you have no alternative but to shut down the system and restart it, even if your document or graphics file was never saved. Of course, you should never get into the too busy to save the file mindset, but it can happen.

While you may not think there is any hope, you just may be in luck, since some applications perform temporary saves of working data as you use them. Many applications do this in one of two ways:

  • Most Windows applications create temporary files (files ending in .tmp) in the default Windows temporary file folder (the standard location is C:\Windows\Temp).
  • Some programs can be configured to store work-in-progress periodically.

How can you use this to recover lost information? First, before you restart the program (which creates new temporary files that might overwrite your data), open the default temporary files folder on your system. Typically, you will see the following:

  • Folders created by program installers
  • Files created by Windows or software updates (.EXE, .CAB, .ZIP, .DLL)
  • Files with names beginning with a tilde (~) and ending with the .tmp extension. If you dont see the extension, right-click the file, select Properties, and look at the file type. If the File Type is TMP, this is a temporary file.

Files in the third category that are larger than 0 (zero) bytes may have the information youre looking for. If you have a file viewer such as Jasc QuickView Plus, right-click on the file and select the option to view the file. If the file viewer can display the contents of the file, see if the file has the information youre looking for. Whether it be QuickView or some other utility, a file viewer is a most useful tool for looking for lost files. While Microsoft no longer provides QuickView as part of Windows (which doesnt handle many of the newer file formats), file viewers are part of many desktop utility programs. See the Links section at the end of this document for commercial, shareware, and free file viewers.

However, if you dont have a file viewer, there are other ways to see if a particular file contains the data you need. If you are trying to retrieve a Microsoft Word document, look at the files properties sheet. If you see a temporary file with a properties sheet listing Summary, Statistics, Contents, and Custom tabs, it was probably created by Microsoft Word.

To retrieve the file into Word to see if you can read it:

1.      Create a copy of the file with Windows Explorer

2.      Rename the copy of the file from .tmp to .doc

3.      Start Microsoft Word and retrieve the file

While this example is specific to Word, if the file in question is from a different application this process is the same. Just replace the .doc extension with the appropriate extension for your application and then use that application to open the file.

Note that very small files (under 10KB) with a multi-tabbed properties sheet like those found in Word are probably not document files, but are other types of work files that the application has left behind. However, it never hurts to try to open a temporary file, especially if youre faced with a long reconstruction process as an alternative.

If you have configured your programs to save work in progress, check the folder where this information is stored. For example, Microsoft Word calls this option AutoRecover Files, and stores them by default in C:\WINDOWS\Application Data\Microsoft\Word

A Microsoft Word AutoBackup file has a name similar to:

~WRA3610.wbk

Retrieve any files you find in this folder into the original application and save them if they contain useful data. While programs such as Microsoft Word and Corel WordPerfect can often reload a backup file automatically, I prefer to look for the backups myself to avoid having the application mistakenly delete a backup that I need.

If a search of the temporary folder or the work-in-progress folder with Windows Explorer is fruitless, try using an undelete tool to locate temporary files which have been deleted but might still be intact on your system.

Recovering from an Accidentally Formatted Drive

As you can see, its relatively simple to retrieve deleted files and locate lost work in temporary files from within Windows. However, if you format the drive, the root directory and file allocation table (FAT) used by Windows and Windows-dependent utilities to locate files will no longer be present. During the format process, the drives root directory and FAT structures are zeroed out, losing the record of where files are located on the drive. However, unless you use the Full Format option with a floppy disk (which rewrites the entire disk surface), the data can still be retrieved. When you use the Format command on a hard disk, even though the root directory and FATs are zeroed out, the data on the rest of the drive is still intact and can be retrieved. Since the subdirectories (folders) are stored as files in the data area, they will still be on the drive, and contain a record of all files stored within them. Finding this subdirectory data makes recovering the files possible.

Because the directory and FAT is how the Windows Explorer and unerase tools locate files, you cant use these tools to find your file. Instead, you must use a program which can recreate the files without using the now-lost directory system filenames, locations, and sizes.

Unformat programs are the oldest example of these types of programs. Unformat programs recreate the directory and FAT on a formatted drive by searching through the data area of the drive to locate subdirectories (folders), which are actually stored as files in the data area. Once these are found (they have a standard header which makes them easy to recognize), they will find that they contain entries for all of the files listed within them. Each directory entry lists the name, size and starting cluster location for the file. The unformat program can then use this information to recreate and rewrite the cluster chain entries for this file in the FAT, assuming that the file was contiguous on the disk.

This process will work extremely well if your files are not fragmented, as the unformat software must assume all files are contiguous. As such any file fragments are likely to be lost after an unformat like this has taken place. That is because the program will have to assume that all of the clusters following the starting cluster belong to the same file, as any cluster jumps that were originally listed in the FAT will be gone.

Because recovery of contiguous files is much more likely to be successful than with fragmented files, I highly recommend running a good defragmenting program at least once a week, and also immediately after any backups. The defragmenter utility built into Windows is acceptable but unfortunately very slow. For a much easier to use, faster and more powerful defragmenter, I recommend the Vopt utility from Golden Bow Systems http://www.vopt.com. You can download a free trial version from their website to see if you like it before committing to a purchase.

Because unformat programs must understand the file system used when the disk was created, you must use an unformat program designed for your file system. For example, most of the features in Norton Utilities 2002 support both Windows 98/Me (which use the FAT16 or FAT32 file systems) and Windows 2000 and XP (which use the NTFS file system). However, the DOS-based Norton Unformat program, which can be run from the bootable Norton Utilities or Norton System Works CD-ROM, wont work on a drive formatted with the NTFS file system. Fortunately, it normally works very well on FAT16 and FAT32-formatted drives.

To see how Norton Unformat copes with a formatted drive under Windows 98, I copied a bunch of folders containing graphics files onto a 650MB logical drive, then added a few text and word-processing files to the root directory. I formatted the drive using the Quick (erase) format, which deletes the FAT. I booted the computer with the Norton System Works CD-ROM, ran the unformat utility, and it rebuilt my drive, including the files in the root directory. At first I was concerned because the restored drive had two folders in the root directory (I had copied only one into the root directory). Dir0 was named _restore{DE902507-CA59-41C0-AC9D-50F363A94284}, and contained folders with names such as Rp0 and files with names such as change.log.9. Where was my data? It was stored in a folder called Dir1. Norton Unformat had recreated my entire folder structure in this folder, retrieving all my files and folders with the correct names and even retrieved the files in the original root directory. So, what was Dir0? It was Nortons attempt to rebuild the Recycle Bin.

Uses and Limitations of Norton Image

If you use Norton Utilities or Norton System Works, note that a typical Norton installation configures the Norton Image program to create a file (image.dat), which stores the location of files and folders on the drive as of the date and time the image file was created. This is not the same as a PowerQuest DriveImage or Norton Ghost backup of the actual files on the drive.

Since Norton creates the image file at system startup by default, by the time you've completed any work on your system, this information will be out of date. You should create a new image file before you shut down your system to enable Norton to rebuild your drive with up-to-date information.

When you run Norton Unformat, it asks you if you have created an image file or a mirror file (a file created by a similar utility called MIRROR which was part of MS-DOS 5 the now discontinued Central Point PC Tools). If you say Yes, Norton will use your choice of the most recent image file or any backup you select. The image file can help rebuild your drive, but use this option only if you are certain it is 100% up-to-date (a warning will be displayed on-screen to remind you to think before you agree to use it). If you rebuild your drive using an out-of-date Norton Image file, you will lose part or all of your data. Despite Nortons advice to use an image file, you may have better results if you dont use one and just have Norton rebuild your drive from scratch.

Whats the best way to handle this type of problem? You wont know unless you practice unformatting drives first.

Practice, Practice, Practice!

Because Norton Unformat and the much more powerful Norton Disk Editor (which I will discuss in a later installment of this series) make changes to your disk, never use them for the first time on a disk that contains valuable information. Use some floppy disks or an old hard disk that you no longer need. Copy data to the drive, format the drive, and try different unformat processes to see what happens. As you discover what options work reliably and which ones dont work very well, youll prepare yourself for dealing with a real-life data emergency.

Limitations of Unformat-in-Place Data Recovery

One significant issue with programs such as Norton Unformat is they restore the files to the same drive they came from. If something goes wrong in this process, you probably wont have a second chance to get back your data because youve overwritten at least part of the data areas.

For this reason, unformat-in-place utilities are being replaced by programs that can retrieve your data and transfer it to another drive. Some of the hard drive utility suites sold at retail such as Ontrack System Suite 4.0, Fix-It Utilities 4.0, and Hard Disk Mechanic have this capability in a limited way, but you may need more powerful programs than these. In Part 3 of this series, you will learn more about using data recovery programs that can rebuild your data and directory structures on another drive.

File Viewers

Ontrack - viewers are integrated into Zip Magic 4.0, Ontrack System Suite 4.0, PowerDesk Pro 5.0, and Fix-It Utilities 4.0) http://www.ontrack.com

Jasc Software - QuickView Plus http://www.jasc.com; also bundled with some office suites

Spadix - Universal Explorer - shareware http://www.spadixbd.com/universal/index.htm

PCMagazine FileSnoop - freeware

http://www.pcmag.com

Disk Utilities

Norton Utilities 2002 (also included in Norton System Works 2002) http://www.symantec.com

Vopt disk defragmenter by Golden Bow Systems http://www.vopt.com

Ontrack Fix-It Utilities 4.0 (also included in Ontrack System Suite 4.0; includes data recovery features) http://www.ontrack.com

Higher Ground Diagnostics, Inc. Hard Drive Mechanic Gold (includes disk repair and data recovery features)
http://www.highergroundsoftware.com

Copyright©2002 Pearson Education. All rights reserved.

InformIT Promotional Mailings & Special Offers

I would like to receive exclusive offers and hear about products from InformIT and its family of brands. I can unsubscribe at any time.

Overview


Pearson Education, Inc., 221 River Street, Hoboken, New Jersey 07030, (Pearson) presents this site to provide information about products and services that can be purchased through this site.

This privacy notice provides an overview of our commitment to privacy and describes how we collect, protect, use and share personal information collected through this site. Please note that other Pearson websites and online products and services have their own separate privacy policies.

Collection and Use of Information


To conduct business and deliver products and services, Pearson collects and uses personal information in several ways in connection with this site, including:

Questions and Inquiries

For inquiries and questions, we collect the inquiry or question, together with name, contact details (email address, phone number and mailing address) and any other additional information voluntarily submitted to us through a Contact Us form or an email. We use this information to address the inquiry and respond to the question.

Online Store

For orders and purchases placed through our online store on this site, we collect order details, name, institution name and address (if applicable), email address, phone number, shipping and billing addresses, credit/debit card information, shipping options and any instructions. We use this information to complete transactions, fulfill orders, communicate with individuals placing orders or visiting the online store, and for related purposes.

Surveys

Pearson may offer opportunities to provide feedback or participate in surveys, including surveys evaluating Pearson products, services or sites. Participation is voluntary. Pearson collects information requested in the survey questions and uses the information to evaluate, support, maintain and improve products, services or sites, develop new products and services, conduct educational research and for other purposes specified in the survey.

Contests and Drawings

Occasionally, we may sponsor a contest or drawing. Participation is optional. Pearson collects name, contact information and other information specified on the entry form for the contest or drawing to conduct the contest or drawing. Pearson may collect additional personal information from the winners of a contest or drawing in order to award the prize and for tax reporting purposes, as required by law.

Newsletters

If you have elected to receive email newsletters or promotional mailings and special offers but want to unsubscribe, simply email information@informit.com.

Service Announcements

On rare occasions it is necessary to send out a strictly service related announcement. For instance, if our service is temporarily suspended for maintenance we might send users an email. Generally, users may not opt-out of these communications, though they can deactivate their account information. However, these communications are not promotional in nature.

Customer Service

We communicate with users on a regular basis to provide requested services and in regard to issues relating to their account we reply via email or phone in accordance with the users' wishes when a user submits their information through our Contact Us form.

Other Collection and Use of Information


Application and System Logs

Pearson automatically collects log data to help ensure the delivery, availability and security of this site. Log data may include technical information about how a user or visitor connected to this site, such as browser type, type of computer/device, operating system, internet service provider and IP address. We use this information for support purposes and to monitor the health of the site, identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents and appropriately scale computing resources.

Web Analytics

Pearson may use third party web trend analytical services, including Google Analytics, to collect visitor information, such as IP addresses, browser types, referring pages, pages visited and time spent on a particular site. While these analytical services collect and report information on an anonymous basis, they may use cookies to gather web trend information. The information gathered may enable Pearson (but not the third party web trend services) to link information with application and system log data. Pearson uses this information for system administration and to identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents, appropriately scale computing resources and otherwise support and deliver this site and its services.

Cookies and Related Technologies

This site uses cookies and similar technologies to personalize content, measure traffic patterns, control security, track use and access of information on this site, and provide interest-based messages and advertising. Users can manage and block the use of cookies through their browser. Disabling or blocking certain cookies may limit the functionality of this site.

Do Not Track

This site currently does not respond to Do Not Track signals.

Security


Pearson uses appropriate physical, administrative and technical security measures to protect personal information from unauthorized access, use and disclosure.

Children


This site is not directed to children under the age of 13.

Marketing


Pearson may send or direct marketing communications to users, provided that

  • Pearson will not use personal information collected or processed as a K-12 school service provider for the purpose of directed or targeted advertising.
  • Such marketing is consistent with applicable law and Pearson's legal obligations.
  • Pearson will not knowingly direct or send marketing communications to an individual who has expressed a preference not to receive marketing.
  • Where required by applicable law, express or implied consent to marketing exists and has not been withdrawn.

Pearson may provide personal information to a third party service provider on a restricted basis to provide marketing solely on behalf of Pearson or an affiliate or customer for whom Pearson is a service provider. Marketing preferences may be changed at any time.

Correcting/Updating Personal Information


If a user's personally identifiable information changes (such as your postal address or email address), we provide a way to correct or update that user's personal data provided to us. This can be done on the Account page. If a user no longer desires our service and desires to delete his or her account, please contact us at customer-service@informit.com and we will process the deletion of a user's account.

Choice/Opt-out


Users can always make an informed choice as to whether they should proceed with certain services offered by InformIT. If you choose to remove yourself from our mailing list(s) simply visit the following page and uncheck any communication you no longer want to receive: www.informit.com/u.aspx.

Sale of Personal Information


Pearson does not rent or sell personal information in exchange for any payment of money.

While Pearson does not sell personal information, as defined in Nevada law, Nevada residents may email a request for no sale of their personal information to NevadaDesignatedRequest@pearson.com.

Supplemental Privacy Statement for California Residents


California residents should read our Supplemental privacy statement for California residents in conjunction with this Privacy Notice. The Supplemental privacy statement for California residents explains Pearson's commitment to comply with California law and applies to personal information of California residents collected in connection with this site and the Services.

Sharing and Disclosure


Pearson may disclose personal information, as follows:

  • As required by law.
  • With the consent of the individual (or their parent, if the individual is a minor)
  • In response to a subpoena, court order or legal process, to the extent permitted or required by law
  • To protect the security and safety of individuals, data, assets and systems, consistent with applicable law
  • In connection the sale, joint venture or other transfer of some or all of its company or assets, subject to the provisions of this Privacy Notice
  • To investigate or address actual or suspected fraud or other illegal activities
  • To exercise its legal rights, including enforcement of the Terms of Use for this site or another contract
  • To affiliated Pearson companies and other companies and organizations who perform work for Pearson and are obligated to protect the privacy of personal information consistent with this Privacy Notice
  • To a school, organization, company or government agency, where Pearson collects or processes the personal information in a school setting or on behalf of such organization, company or government agency.

Links


This web site contains links to other sites. Please be aware that we are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of each and every web site that collects Personal Information. This privacy statement applies solely to information collected by this web site.

Requests and Contact


Please contact us about this Privacy Notice or if you have any requests or questions relating to the privacy of your personal information.

Changes to this Privacy Notice


We may revise this Privacy Notice through an updated posting. We will identify the effective date of the revision in the posting. Often, updates are made to provide greater clarity or to comply with changes in regulatory requirements. If the updates involve material changes to the collection, protection, use or disclosure of Personal Information, Pearson will provide notice of the change through a conspicuous notice on this site or other appropriate way. Continued use of the site after the effective date of a posted revision evidences acceptance. Please contact us if you have questions or concerns about the Privacy Notice or any objection to any revisions.

Last Update: November 17, 2020