Data Recovery Techniques Florida State University CIS 4360 – Computer Security Fall 2006 December 6, 2006 Matthew Alberti Horacesio Carmichael
Explanation Data recovery techniques are used to recover information that has been deleted or compromised. End users, companies, and government agencies may use data recovery for different reasons. Data recovery techniques are often a major part of computer forensics.
Background
● Data recovery techniques have been around for a long time
● They do not necessarily relate to computer systems
● Today, "data recovery" most often refers to computer systems
Common Misconception
● Deleting a file does not mean its data is gone. The operating system only removes the directory entry (the pointer to the file); the file's contents stay on disk.
● The space is now marked free, so new data may be written over it at any time. Until that happens, the old contents can be recovered.
● Data is only truly removed once the sectors holding it have been overwritten.
Misconception cont.
Data is recorded on magnetic media as ones and zeroes. Once a sector is overwritten, the drive reads back only the new data; at most faint remnants of the old magnetization remain. Reading those remnants would require specialized equipment, would be very time consuming, and would not reliably reproduce the old bits, so reconstructing an overwritten file this way is impractical.
Reasons for End Users
● Recover files deleted accidentally
● Recover files that have been compromised
  - Hardware failure
  - Malicious activity
Reasons for Companies
● Recover data from an ex-employee's computer
● Recover lost files
  - Lost due to hardware failure
  - Compromised or lost due to a network problem
Reasons for Government Agencies
● Similar to companies
  - Recover files from an ex-employee's computer
  - Recover data after hardware or network failure
● Law enforcement agencies
  - Recover evidence from a suspect's computer
  - Search for particular information on the hard drive
  - Establish motive for the crime
  - Identify any accomplices
  - Support forensic analysis of computers
Techniques
● Perform a forensic analysis of the computer
● Search for one file or a single file type
● Attack encryption methods
● Restore the disk from an existing image
● Examine data in RAM
More Techniques
● Examine the disk at the cluster or sector level
● Analyze data using a hex editor
● Create a hash of the entire disk
  - Export it for use in another tool
Statistics
Cause of Data Loss               Frequency of Occurrence
Hardware or System Malfunction   44%
Human Error                      32%
Software Program Malfunction      4%
Viruses                           7%
Natural Disasters                 3%
Types of Damage
● Physical Damage
● Logical Damage
Physical Damage
● CDs can suffer scratches
● Tapes can simply break
● Hard disks can suffer from mechanical problems
Logical Damage
Logical damage is primarily caused by power outages that interrupt a write before the file has been completely written to the storage device. Some results are:
● File is left in an inconsistent state
● Data totally lost
● System crashes
● Strange behavior
● Partial storage (only part of the file reaches the disk)
Tools - Explanation Many different tools exist that make data recovery easier. Some tools are only meant for government or commercial use. Also, the cost of some tools is too high for them to be feasible for an end user.
Tools
● WinHex
  - Very popular
  - Available to end users
● Forensic Toolkit (FTK)
  - Used by some law enforcement agencies
  - More oriented towards forensics
● EnCase
  - Also used by law enforcement agencies
  - More oriented towards forensics
More Tools
● Many special-purpose tools
  - Oriented towards end users
  - Single function
  - Typically very easy to use
  - May not be as accurate or powerful
  - Should not be considered forensically sound
Defeating Data Recovery
Methods exist that can make data recovery very difficult or impossible. These methods should be used to protect financial information, medical records, or classified data. Most people are unaware that deleted data may remain recoverable for a long time.
Backup
A backup is a copy of data kept so that it can be restored after the original is lost. Data recovery is usually only necessary when no proper backup exists.
Techniques to Prevent Recovery
● Overwrite the freed space with random 1s and 0s
  - Makes the space look like random data rather than the old contents
  - A single complete overwrite defeats software-based recovery; what matters is covering every copy, not the choice of pattern
  - Copies the wiper never touches (file slack, file-system journals, swap, backups) remain recoverable
● Use a tool to "wipe" data securely
  - Automates the process of overwriting deleted data
  - Tools are available to end users
  - Sometimes included with security software suites
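The following example is added here to illustrate three points from the slides above (a deleted file's data is still on disk, an examiner hashes the image and carves for a file type at the sector level, and an overwrite is what actually prevents recovery). It is not code from the original deck or from any of the tools named; the "disk image" layout (one directory sector of fixed 24-byte entries, then data sectors) and the JPEG-like sample file are invented for the demo and are not a real file system.

```python
"""Toy data-recovery demo (added example, not from the original deck).

A tiny in-memory "disk image": sector 0 holds a directory of fixed-size
entries, later sectors hold file data. Deleting only clears the entry, so the
data can still be carved by signature; wiping overwrites the data first.
The layout is invented for this demo and is not any real file system.
"""
import hashlib
import os
import struct

SECTOR = 512
ENTRY_FMT = "<16sII"                      # name[16], first sector, length
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)   # 24 bytes per directory entry

# Constructed sample file: JPEG-like blob bracketed by SOI and EOI markers.
JPEG_SOI = b"\xff\xd8\xff"
JPEG_EOI = b"\xff\xd9"
SAMPLE_JPEG = JPEG_SOI + b"\xe0" + b"\x00" * 40 + b"photo-bytes" * 20 + JPEG_EOI


def new_image(n_sectors=16):
    return bytearray(SECTOR * n_sectors)


def write_file(img, index, name, data, first_sector):
    """Add a directory entry and copy the data into its sectors."""
    entry = struct.pack(ENTRY_FMT, name, first_sector, len(data))
    off = index * ENTRY_SIZE
    img[off:off + ENTRY_SIZE] = entry
    start = first_sector * SECTOR
    img[start:start + len(data)] = data


def list_files(img):
    """What the operating system would show: files reachable via the directory."""
    out = []
    for i in range(SECTOR // ENTRY_SIZE):
        name, first, length = struct.unpack_from(ENTRY_FMT, img, i * ENTRY_SIZE)
        if length:
            out.append((name.rstrip(b"\0").decode(), first, length))
    return out


def delete_file(img, index):
    """Ordinary delete: clear the directory entry only; data sectors untouched."""
    off = index * ENTRY_SIZE
    img[off:off + ENTRY_SIZE] = b"\0" * ENTRY_SIZE


def wipe_file(img, index, passes=1):
    """Secure delete: overwrite the data sectors with random bytes, then delete.
    On a real system the journal, slack space, swap and backups also need
    attention; this toy image has none of those."""
    _, first, length = struct.unpack_from(ENTRY_FMT, img, index * ENTRY_SIZE)
    start = first * SECTOR
    for _ in range(passes):
        img[start:start + length] = os.urandom(length)
    delete_file(img, index)


def carve_jpegs(img):
    """Signature carving over the raw image, ignoring the directory entirely."""
    found, pos = [], 0
    while True:
        soi = img.find(JPEG_SOI, pos)
        if soi < 0:
            break
        eoi = img.find(JPEG_EOI, soi + len(JPEG_SOI))
        if eoi < 0:
            break
        found.append(bytes(img[soi:eoi + len(JPEG_EOI)]))
        pos = eoi + len(JPEG_EOI)
    return found


def image_hash(img):
    return hashlib.sha256(img).hexdigest()


def recover_after_delete():
    """File deleted normally: gone from the listing, still carvable."""
    img = new_image()
    write_file(img, 0, b"photo.jpg", SAMPLE_JPEG, 3)
    delete_file(img, 0)
    acquired = image_hash(img)          # examiner hashes the acquired image
    carved = carve_jpegs(img)           # read-only examination
    assert image_hash(img) == acquired  # examination must not alter the image
    return list_files(img), carved


def recover_after_wipe():
    """File wiped: gone from the listing and no longer carvable."""
    img = new_image()
    write_file(img, 0, b"photo.jpg", SAMPLE_JPEG, 3)
    wipe_file(img, 0)
    return list_files(img), carve_jpegs(img), img.find(SAMPLE_JPEG)


if __name__ == "__main__":
    print("after delete:", recover_after_delete())
    print("after wipe:  ", recover_after_wipe())
```

The carving loop is the same idea the "search for a single file type" and "examine the disk at the sector level" slides describe: it never consults the directory, so the deleted photo is found intact, while after the overwrite the signature search comes up empty. Hashing the image before and after the read-only examination is the check a forensic examiner uses to show the evidence was not altered.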
WinHex Screenshots (images not reproduced in this text)
QUESTIONS?