In computing, data recovery is the process of salvaging (retrieving) inaccessible, lost, corrupted, damaged or formatted data from storage media such as NAND flash devices, SSDs, HDDs, tapes, and other block-level storage. While the term data recovery is frequently used within computer forensic recovery, it can be applied to all forms of recovering data from damaged media, or even from functional media for later archival and use within a disk or ROM image.
The most common data recovery scenario involves an operating system failure, malfunction of a storage device, logical failure of storage devices, accidental damage or deletion, etc. (typically, on a single-drive, single-partition, single-OS system), in which case the ultimate goal is simply to copy all important files from the damaged media to another new drive. This can be easily accomplished using a Live CD, many of which provide a means to mount the system drive and backup drives or removable media, and to move the files from the system drive to the backup media with a file manager or optical disc authoring software. Such cases can often be mitigated by disk partitioning and consistently storing valuable data files (or copies of them) on a different partition from the replaceable OS system files.
Exploring a Drive Image with Autopsy in Kali Linux
In another scenario, files have been accidentally “deleted” from a storage medium by the user. Typically, the contents of deleted files are not removed immediately from the physical drive; instead, references to them in the directory structure are removed, and the space the deleted data occupies is made available for later overwriting. To end users, deleted files are irrecoverable through a standard file manager, but the deleted data still technically exists on the physical drive. In the meantime, the original file contents remain, often in a number of disconnected fragments, and may be recoverable if not overwritten by other data files.
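The point above, that deleted contents stay on the medium until something overwrites them, shown as an added example (not part of the original page): a minimal signature-based file carver in Python, run over a constructed in-memory image. The function names, the 512-byte sector size and the sample data are assumptions made for illustration.

```python
# Added example: signature-based carving over a constructed raw image.
SECTOR = 512  # assumed sector size for this sample
# Header and trailer magic bytes for two formats that have both.
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}

def carve(image, max_size=10 * 1024 * 1024):
    """Return (kind, offset, data) for every sector-aligned header that
    still has its trailer within max_size bytes."""
    found = []
    for kind, (head, tail) in SIGNATURES.items():
        start = image.find(head)
        while start != -1:
            if start % SECTOR == 0:  # file data begins on a sector boundary
                end = image.find(tail, start + len(head), start + max_size)
                if end != -1:        # no trailer: overwritten or fragmented
                    found.append((kind, start, image[start:end + len(tail)]))
            start = image.find(head, start + 1)
    return sorted(found, key=lambda f: f[1])

def build_sample_image():
    """Constructed 8-sector image. No directory structure references
    either file, as after deletion; only raw contents remain."""
    jpeg = b"\xff\xd8\xff\xe0" + b"J" * 700 + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"P" * 300 + b"IEND\xaeB`\x82"
    image = bytearray(8 * SECTOR)
    image[1 * SECTOR:1 * SECTOR + len(jpeg)] = jpeg  # deleted, still intact
    image[4 * SECTOR:4 * SECTOR + len(png)] = png    # deleted, then ...
    image[4 * SECTOR + 256:5 * SECTOR] = b"N" * 256  # ... partly overwritten
    return bytes(image), jpeg

if __name__ == "__main__":
    image, original_jpeg = build_sample_image()
    for kind, offset, data in carve(image):
        print(f"{kind} at offset {offset}: {len(data)} bytes, "
              f"intact={data == original_jpeg}")
```

Only the JPEG is carved: the PNG's header survives in the image, but its trailer was overwritten by later data, so a header-to-trailer carver cannot recover it.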
Investigating a Flash Drive
Methods of preventing recovery
Two types of methods can be used to prevent recovery of data. The first is to securely shred your documents instead of sending them to the “Recycle bin”/“Trash”. While this method is about 99.9% accurate for a live running storage device, further methods are required when retiring the storage medium.
The second method, best applied when retiring a storage medium, is to ensure that the physical device is destroyed beyond any form of access.