If you’ve ever wondered what tools a technical data recovery engineer might use on a daily basis, then here are my top five tools, although they may not be quite what you’re expecting.
If you think that data recovery is just about running a bunch of software tools on hard disks or RAIDs or data from backup tapes, then for a professional technical company this is far from the truth. As a data recovery expert, my job at Altirium involves interrogating raw data and writing software to solve often complex problems. This is one thing that I think sets us apart from some of the other companies in the data recovery industry. Yes, we use “off the shelf” recovery software where it’s appropriate, but often these tools are found lacking and don’t give the best results or properly report their findings. Therefore, to recover data where there are no tools available, we develop them in-house.
Some of the achievements we’ve delivered in the past 12 months, using my top five tools include:
- Reverse engineering the MS SQL Server data structures and writing software to recover data from dropped tables, where off the shelf tools failed.
- Extending our Tivoli Storage Manager recovery software capabilities, adding extractors for more data sources and software compressed data.
- Identifying and implementing the processing of many undocumented structures in the Microsoft Tape Format, used in software such as Symantec BackupExec.
- Reverse engineering Atempo Time Navigator backup format including processing of software compressed data.
All of this has contributed to solving genuine data recovery issues and has saved the companies that have come to us thousands of pounds in lost revenue, many hours of support time and countless terabytes of potentially “unrecoverable” data.
Here are the top five tools that I use pretty much every day during the course of my job.
Many off-the-shelf Microsoft SQL Recovery tools state that they can recover from corrupt files, deleted data and some claim to recover from dropped tables, so the recent arrival of an MSSQL Recovery into the lab (all of the tables within the database had been dropped) gave us the ideal opportunity to undertake some tests. From looking at the MDF file of the database, the data was still present, yet out of the 4 or so packages we tried “NONE” of them could retrieve any of the dropped tables, yet we were still able to recover the required data for our client.
I’ve often heard it said, “the RAID has been rebuilt – the data cannot be recovered” and often this is the case. With RAID5, if the configuration is changed, and new parity is calculated, then there will be a significant loss of any data that was previously stored on the RAID.
As Hamlet so eloquently put it, “There are more things in heaven and earth, Horatio, than are dreamt of in your philosophy.” Just because something is outside of our normal experience does not mean that it is not possible.
Tivoli Storage Manager (“TSM”) provides a sophisticated heterogeneous data storage environment within which large volumes of data can be held. These might include email backups, user documents and SQL databases; in fact, all of the information that might be just a little bit useful in a computer forensic investigation or a tape data discovery exercise.
So, you are an investigator who has been handed a case containing 25 LTO4 cartridges from a TSM archive, now what?
(With apologies to Mark Twain)
The release of LTO5 by Quantum Corporation brings 1.5TB native/3TB compressed tape to the market, and it is a sure-fire bet that IBM and HP will shortly follow with their own offerings. This means that for the past 20 years or so, a technology many said was going the way of the dodo has managed to more than keep pace with competing technologies, and has seen quite a few off (remember how optical disk was the future of storage back in the late 1980s?).
When attempting a data recovery from a Microsoft Exchange email server after a catastrophic failure (and when I say catastrophic I mean no backup to restore from, and file system corruption or file deletion that has rendered the Exchange information store files inaccessible), one of the tools in Altirium’s data recovery arsenal was to trawl the entire disk or RAID volume, identify pages of Exchange data and rebuild the information store from the ashes. However, when Microsoft engineers decided to change their page error correction method so that they could correct a single bit error in a page, this seemingly minor ‘upgrade’ had a dramatic effect on the ability to identify Exchange page data.
The popularity of Network Attached Storage (NAS) RAID units has never been higher. For a small outlay, a low-powered, easy-maintenance storage device of 1TB or higher can be plugged in and used where once an expensive server with disk storage would have been the only option. Whilst RAID5 gives a high degree of resilience against the failure of any one disk in the NAS unit, other problems can result in an apparent total loss of data and a requirement for a NAS Data Recovery.
A NAS storage device in need of recovery was delivered to us last week. The customer had been using the device and on Friday evening all data was present and correct, but when the customer went to access the device on the Monday morning it was operational but there was no data present. So where had it gone and could a data recovery be achieved?
TK50 was a major player in tape backup on VAX/VMS systems several years ago. Being fundamentally ½” (half inch) tape of the type used in open reel drives, but housed in a DLT-style cartridge, it suffers from the same long-term storage problems as some brands of ½” media. TK50 drives could store 70MB of data, and took quite a long time to fill, so have long since ceased to be a viable backup option even if you can find drives and media. But there are a surprising number of tapes out there with data on them, and recent weeks seem to have brought forth a flurry of requests to get data from them, and in one case to copy some. In a high proportion of these cases the data transfer operation has ended up being a data recovery exercise involving considerable work in the lab.
Past failure cannot be taken as a signpost for the way things will be in the future, so the inability of the US and UK financial regulatory authorities to spot the credit bubble from 20 paces, or the world’s largest Ponzi scheme even when pointed out to them in neon lighting, should not be taken as a sign that regulation can be ignored.
What is almost certain is that these regulatory paper tigers are about to be forced to become real, and with it will come new zeal for enforcing regulatory compliance leading to an increase in eDiscovery and eDisclosure requests.
When I first started in the data recovery industry back in 1995, data recovery was very much a specialist area of expertise. There were no ‘off the shelf’ data recovery software tools. We had to develop our own methods and techniques to get the job done. These days, however, the data recovery marketplace is flooded with companies offering such services, so how do you know who to choose?