Logical Data Recovery

The data stored on a computer’s hard disk drivecan become inaccessible due to two factors – mechanical failure or logical failure. Mechanical failure relates to defective or damaged hardware. In this,components like controller cards, spindle motor, bearings, read / write headand platters may develop snags due to short-circuiting, electric surges,physical trauma, water or fire damage and normal wear and tear
In logical failure, all components of the storage device work fine but the software content it stores gets damaged. The user may accidentally delete the data, the hard disk may be reformatted or wiped clean, the file system and partition may get corrupted or there may be a virus attack that makes data unreadable. The storage media in such cases stops responding tor equests for data access. This is where the process of data recovery steps in.
Causes of Logical Data Failure
Logical data failure usually results from file system corruption. It is far more prevalent than mechanical failure, either by user error or system error. The following are common reasons for logical data failure:
Power outages that abruptly halt the storage device midway when it is writing data
Sabotage by disgruntled employees
Hard disk reformatting
Operating system malfunction due to deletion or corruption of key components
Electrostatic discharge
Amalicious virus attack
Corrupt software
Deleted partitions
Corruptfile system structure (FAT, NTFS or HFS)
Accidental deletion of files by the user
Cross-linked files which share the same allocation in the FAT file system
If a hard drive has failed due to logical errors, the computer will recognize the drive but will be unable to boot from it. In mechanical failure, the system usually does not recognize the drive at all. Common user errors like accidental deletion of files or formatting of the hard disk can be taken care of by running off-the-shelf data recovery software. In casesof serious logical errors, the services of data-recovery professionals may be needed.
Logical Data Recovery
In logical data recovery, the damaged files have to be reconstructed from scratch or the file system corruption has to be repaired. There are two main methods used in logical data recovery:
Checking for Consistency – This process is used by utilities that come loaded with operating systems (like Check Disk for Windows) to check for and repair minor logical errors present on the disk. In this, the software undertakes a scan of the disksurface (or its image) to read the logical structure and ensure its consistency. This is done by ensuring that all files present on the disk have properspecifications, that is, they have their own individual directory entries as well as entries that point to their parent directory. The programme corrects the specification of each file so that the logical structure of the disk becomes consistent. This method of correcting logical errors is not of much use if the logical structure has been heavily damaged.
Building Files From Ground Up – This is the only alternative for files that cannot be recovered by merely doing a consistency check. In this, the software scans theparts of the logical structure that are intact. By studying the file system structures, it painstakingly tries to deduce what the missing parts or clusters should look like (taking into considering the allocation of other files) and builds the damaged files step by step. This method is thorough and time-consuming, but the only practical way to recover files that have been damaged heavily.
However, logical data recovery is not a magic wand. There are certain cases in which the data may be permanently lost or the recovery becomes very difficult.
Fragmentation: A small data file on a disk is spread across a single cluster or several consecutive ones. Many of these clusters mayget damaged due to a logical error, thus making the file unreadable. The data recovery software assumes or guesses many of these clusters to rebuild the file.If the file size becomes too large, its clusters get spread all over the disk surface and the data gets fragmented. The larger and more fragmented a file, the more difficult its recovery. Small files that do not exceed a single cluster can be perfectly recovered, but large and fragmented ones, though they exist on thedisk, cannot be reconstructed by the data recovery software. Keeping the file size small and regularly running the disk fragmentation utility provided with Windows can greatly increase chances of data recovery in these cases.
Overwriting: When you delete a file on your computer, the disk clusters taken by it are freed by the operating system foruse by other data. If you create and save another file and these clusters get overwritten by the new data, there is no practical way the data recovery software can rebuild the previous file. To prevent the lost file’s allocation being overwritten by new data, you should cease work immediately on the computer. Even browsing the Internet can download data and overwrite clusters crucial for file recovery. This is why it is recommended that the data recovery software should be run directly from its CD and not loaded on the hard disk so as to avert the risk of the disk clusters being overwritten or destroyed. Most data can be recovered in Forensic investigations.