Layer

[Selek Br.]

Hello

There is this particular situation I am stuck with:

I have a SATA drive, backup files form win2003 server were stored on.

There was a system crash and most of the data we managed to get back,
but not some 500MB+ of data which was overwritten by backup software.

So, I am wondering, is it possible to recover the previous layer of
data that was overwritten once?

If so, what software do you suggest?

I really want to keep the drive out of data recovery labs...

thank you

s.

 

[CJT]

Hello

There is this particular situation I am stuck with:

I have a SATA drive, backup files form win2003 server were stored on.

There was a system crash and most of the data we managed to get back,
but not some 500MB+ of data which was overwritten by backup software.

So, I am wondering, is it possible to recover the previous layer of
data that was overwritten once?

If so, what software do you suggest?

I really want to keep the drive out of data recovery labs...

thank you

s.

forget it

 

[Rod Speed]

There is this particular situation I am stuck with:

I have a SATA drive, backup files form win2003 server were stored on.

There was a system crash and most of the data we managed to get back,
but not some 500MB+ of data which was overwritten by backup software.

So, I am wondering, is it possible to recover the
previous layer of data that was overwritten once?
Nope.

If so, what software do you suggest?

I really want to keep the drive out of data recovery labs...

Even they cant do it.

 

[Selek Br.]

Nope.

Oh, shit.

Even they cant do it.

Why not?
If they can get data back form a formatted drive, why not form
overwritten one?

I don't understand.

 

[Rod Speed]

Oh, shit.

Why not?

Basically because it isnt possible.

If they can get data back form a formatted drive,
why not form overwritten one?

With a formatted drive, the directorys etc are over written
and not even fully overwritten, much of the time a flag is
set in the file name, with the first character being lost only.

So it isnt that hard to reverse.

Even if the directory structures are completely wiped,
its quite possible to scan the drive for headers of files.
The files themselves arent actually overwritten with
a format, only with a security wipe.

 

[Arno Wagner]

Hello

There is this particular situation I am stuck with:

I have a SATA drive, backup files form win2003 server were stored on.

There was a system crash and most of the data we managed to get back,
but not some 500MB+ of data which was overwritten by backup software.

So, I am wondering, is it possible to recover the previous layer of
data that was overwritten once?

If so, what software do you suggest?

I really want to keep the drive out of data recovery labs...

It is impossible to do in software if it was really overwritten.

There are rumours that intelligence agencies of large countries
may be able to recover a layer or two, but with modern drives the
surface physics do not really support the hypothesis that you
actually can store twice the amount (or more) of data on them
than the HDDs do (which you could do if recovery of one older
layer was possible). In fact it seems very unlikely. In addition
the German computer magazine c't (very competent people) tried
last year to get a single once-overwritten file recoverd by
several well-known professional data recovery outfits. All of
them claimed this was impossible for modern drives and that
they could not do it. I would still not rule out that a single
overwrite can be recoverd from at high cost, but it is unlikely
the people that can do this will even admit that to you.

I think the idea of this being possible dates back to the
floppy or before to magnetic tape. To give you an example,
with better servo mechanisms (e.g. a laser-cut servo track)
you can store 20MB on an ordinary 1.44MB floppy. It is
plausible that if only 1.44MB is on the disk, older information
would still be there. Also for floppies each drive has a slightly
differend head offset, so that reading a bit besides a track
can give you a reasonably strong signal of an earlier write.

For older HDDs the limit was also not the surface coating, but
the heads and the reading amplifier. There are credible (IMO)
stories about people that managed to use better elecronics,
better heads, multiple reads and signal processing software
to recover data that was overwritten once.

Arno

 

[Arno Wagner]

Oh, shit.

Why not?
If they can get data back form a formatted drive, why not form
overwritten one?

HDD "formatting" does not overwrite. It is really just filesystem
creation (end called that e.g. in Linux) and only writes the
management information. Floppy formatting is true formatting and
different, although MS manages to call formatting and filesystem
creation for floppies just "formatting".

Arno

 

[Selek Br.]

Tnx guys.

Oh crap...

It is impossible to do in software if it was really overwritten.

There are rumours that intelligence agencies of large countries
may be able to recover a layer or two, but with modern drives the
surface physics do not really support the hypothesis that you
actually can store twice the amount (or more) of data on them
than the HDDs do (which you could do if recovery of one older
layer was possible). In fact it seems very unlikely. In addition
the German computer magazine c't (very competent people) tried
last year to get a single once-overwritten file recoverd by
several well-known professional data recovery outfits. All of
them claimed this was impossible for modern drives and that
they could not do it. I would still not rule out that a single
overwrite can be recoverd from at high cost, but it is unlikely
the people that can do this will even admit that to you.

Yes, I understand now.
Thank you.

I think the idea of this being possible dates back to the
floppy or before to magnetic tape. To give you an example,
with better servo mechanisms (e.g. a laser-cut servo track)
you can store 20MB on an ordinary 1.44MB floppy. It is
plausible that if only 1.44MB is on the disk, older information
would still be there. Also for floppies each drive has a slightly
differend head offset, so that reading a bit besides a track
can give you a reasonably strong signal of an earlier write.

For older HDDs the limit was also not the surface coating, but
the heads and the reading amplifier. There are credible (IMO)
stories about people that managed to use better elecronics,
better heads, multiple reads and signal processing software
to recover data that was overwritten once.

Well, my data is gone.
<deep sigh>
;-(

 

[Folkert Rienstra]

HDD "formatting" does not overwrite.

Yes it does. Evry sector is initialized.
Partition (File System) formatting does not.

It is really just filesystem creation (end called that e.g. in Linux)
and only writes the management information.

Floppy formatting is true formatting

Not in a quick format it isn't.

 

[Joep]

Yes it does. Evry sector is initialized.
Partition (File System) formatting does not.

It's bloody obvious that's what he meant frusto. He explains a file sytem is
created.

 

[Joep]

I would still not rule out that a single
overwrite can be recoverd from at high cost, but it is unlikely
the people that can do this will even admit that to you.

Make that "can be *partially* recovered at high cost" ... Series of zeros
and ones, encoded data. Next step is making sense of the recovered data.

 

[Arno Wagner]

Make that "can be *partially* recovered at high cost" ... Series of zeros
and ones, encoded data. Next step is making sense of the recovered data.

I agree. Some bits will be easier, some harder, some impossible. That
will make interpretation very hard, or even impossible, especially for
compressed files or partitions.

Arno

 

[Folkert Rienstra]

It's bloody

obvious

No need to explain then, so why are you.

that's what he meant frusto.

When explaining, do it properly so that someone else doesn't have to
explain your explanation. If you can't explain something, then leave it.

He explains a file sytem is created.

And he also said that HDD "formatting" does not overwrite.
It does.

If that's *not* what he means, when he feels an insurmountable urge to
explain something, when others already explained it before him, then he should *not* write that.

You either explain something or shutup.

 

[Folkert Rienstra]

Make that "can be *partially* recovered at high cost" ... Series of zeros
and ones, encoded data. Next step is making sense of the recovered data.

Which is easy, obviously. That is what harddrives do all the time.
Just feed "the encoded data" through the HD electronics.

Oh, wait: it has gone through that already.

It's not the encoding. The problem is the reliability of the 'residue' that
is 'supposed' to be the previous data. It could also be the pre-previous
data, or a combination of both, depending on how you arrive at that residue:
by out of band reading or derived from difference comparison with feed
back of a perfect(-ed) signal. And even the previous data was a combination
of data and pre-that data residue.

 

[Joep]

You either explain something or shutup.

If you'd live by that rule we'd be seeing a lot less of you.

 

[Joep]

Which is easy, obviously. That is what harddrives do all the time.
Just feed "the encoded data" through the HD electronics.

Oh, wait: it has gone through that already.

Bij de handje

It's not the encoding. The problem is the reliability of the 'residue' that
is 'supposed' to be the previous data. It could also be the pre-previous
data, or a combination of both, depending on how you arrive at that residue:
by out of band reading or derived from difference comparison with feed
back of a perfect(-ed) signal. And even the previous data was a combination
of data and pre-that data residue.

I did not just mean RLL decoding. I meant decoding in a broader perspective,
decoding, reconstructing, and decoding after you managed to extract
supposedly previous data: I mentioned we already had the zeros and ones. And
those zeros and ones can be user data but also for example a sync mark. And
I also meant decoding as making sense of the data: file recovery isn't
probably even an option.

 

[Arno Wagner]

Bij de handje

I did not just mean RLL decoding. I meant decoding in a broader perspective,
decoding, reconstructing, and decoding after you managed to extract
supposedly previous data: I mentioned we already had the zeros and ones. And
those zeros and ones can be user data but also for example a sync mark. And
I also meant decoding as making sense of the data: file recovery isn't
probably even an option.

I think this would be the easy part, since automated tools can help a
lot here. Getting the bits is the hard (and possibly infeasible) part.

Arno

 

[Joep]

I think this would be the easy part, since automated tools can help a
lot here. Getting the bits is the hard (and possibly infeasible) part.

Arno

I fear this is not easy at all. At best you will get chunks of zeros and
ones, and as Folkert suggested these maybe zeros and ones from the current
layer or previous layers. Zeros and ones that could be user data or
preambles or sync marks. So at that point you're a long way from intact
files. Probably readable text can be recovered after descrambling and
decoding.