Regular and Raw Data Recovery
There is nothing unclear in the regular successful recovery. Regular recovery means high quality result for data in the normal format: exactly same files, exactly same folders, everything is the same, normal and regular.
Yet, not all recovery cases are the same. Despite the fact that the best recovery technology is applied for every failed device that comes to Data Lab some of them cannot be fully recovered. Sometimes the specialist has to deal with so badly abused or overused in the previous recovery attempts hard drives (before they reach the lab’s clean room), that there are no much readable data left on the disks.
With the little data leftovers, the raw recovery method might be the last option to pull off of the drive whatever is possible.
About Raw Recovery
In the situation with the excessive physical damage to data medium, when technical capability of digital restoration is significantly reduced, the raw recovery method may help to retrieve some types of files by their unique identifying signatures.
Normally, the Raw Data Recovery method gives the satisfactory result only for certain well-identifiable types of files like images, photos, documents, such as jpeg, pdf, doc, xls files. Some of these file types (e.g. JPG) can be automatically verified by recovery software, others need to be open one by one for its integrity check. Technically, many files might be identical to the original ones, but … There are no real names. No folder trees. No-name raw-recovered files are grouped and stored into few folders by its file-extensions type.
Another question about raw recovery result which was a good point brought up by the client: How do we determine if the result of the RAW recovery is satisfactory? For example: What if a lot of the RAW data is corrupted and unusable, will they still be charged?
Do not expect from raw recovery too much. As this is the last effort in the data restoration for the badly damaged data media device - after the file system is gone and some portion of the drive is unreadable or unrecoverable (for example – physically scratched disk surface at the location with critical LBA sectors).
Raw recovery is always partial recovery. That means that some portion of data was unreadable; other portion might be corrupted and not usable at all too. Obviously, a better chance to be fully recovered will have the smaller size files; another factor is the disk fragmentation degree at the moment when it crashed. The less fragmented drive - the better raw recovery results. Raw recovery success rates are varied from case to case from 30 to 80 percent of recoverable files.
Note that many partially-corrupted files are still usable or can be fixed by user (pictures - in any image editing software).
The result of actual recovered cases by this method may be hundreds of thousands in raw-recovered files. Of course, we apply some filters to remove detectable unusable files and test few dozens of files to make sure the raw recovery result contains the user data. However it is all at data owner expense to spend their time checking every file and sort out the good from the bad ones. The data owner makes their own decision to accept or decline the recovery result according to the amount of bulk data generated by raw recovery tools and based on understanding of basic principles of this method described in this article.
Examples of Raw-recovered files
A raw-recovered picture below has all restored sectors comprising the file. As in this example, the rescued copy can be completely identical to original. With the only difference: it has no name, no path to no folder, and no system date when it was created or modified. That info was gone, and that is why these files are raw-recovered.
Next picture with visible traces of corruption is a typical partially recovered file. Particularly from this picture we removed 50% of sectors (replaced them with blanks x00) to imitate unrecoverable sectors included in the body of picture-file.
When few recovery methods must be used for the same case
Technically, all recovery cases can be classified in few groups by outcome result:
- 1Successful. All files and all sectors were retrieved with no corruption. Image of the drive can be transferred to new clone HDD. A cloned hard drive can be ordered for using as original bootable hard disk on the original computer.
- Successful. All files were recovered, but system data was damaged beyond its repairing.
- Partial. Not all of files were recoverable; some of the missed files could be still restored when extra raw-recovery method is applied.
- Raw Recovery: Only this method can be used to trace for any remainders of files on the drive.
- Failure. No data can be recovered.
Regular versus Raw in details
To understand what Raw Recovery is, let's compare few pictures as result of different recovery results.
A regular successful recovery retrieves copies of lost files identical to original ones, including all attributes, names, and location on the hard drive:
C:\Users\Owner Profile\Documents\My Pictures\My picture 001.jpg
Raw-recovered picture, when 100% successfully retrieved information from sectors belonging to the original file, has also identical content and has no differences compare to the file if it would be recovered a regular way. The only loss here - the original name and chain of folders (path) where that file was located. Some order number will be assigned to every raw-recovered file and saved inside some type-distinctive folder:
C:\Raw Recovery\JPG Pictures\pic001.jpg
Some or many files are corrupted due to the technical nature of raw recovery method. Some of those partially recovered files are still usable or can be repaired; others are trash, thus have to be wiped out.
Regular Recovery (Normal data format in result)
If the retrieved binary information from the drive's platters is enough to recreate damaged/corrupted partition, operating system and file structure, all recovered data will be organized in files and folders in the same original logical order, as they were before drive's crash.
Raw Data Recovery Technique
This recovery method uses a file signature search to locate the starting point for file reading. Luckily, almost all well-known software applications mark their data files with some unique binary code.
With Raw Recovery, all sectors on the disk are reading sequentially (sector-by-sector) to find specific file header signature as a beginning of file.
Typically, satisfactorily result can be achieved if lost files were stored in one cluster. However, even large-sized files can be successfully recovered by this method only if they have been stored in the consecutive clusters on the disk, otherwise, the integrity of the recovered file will be compromised due to the disruptions and overlapping of data chains. Such ‘tampered’ file will appear as corrupted, because some piece of its body has gotten blanks, garbage code, or parts of other files.
Naturally, better result will be achieved by raw recovery method, if the drive has not been much fragmented before the disaster happened. The fragmentation occurs naturally when you use a disk frequently, each time you create, delete, or modify the file. That is why using Disk Defragmenter on regular basis giving much more chances for fuller results by Raw Recovery.
How Raw Data Recovery works
As already mentioned above, the method is based on sequential reading recoverable sectors and detecting the existence of header signature for any known file type. The found signature is considered as a beginning of the file.
Raw Recovery method does not use any partition (FAT/NTFS/MAC) and directory entries entirely. Suppose you had a JPG image on the hard drive, but all records about this file (name and path) on the disk were scratched, destroyed, corrupted, or erased. But the body of this file can still be intact. Signature search help to locate the coordinates of sectors on the drive that comprise the file.
Fortunately, all JPEG images begin with the same set of binary values. Hexadecimal view of starting string gives even more information about found candidate for the picture, as shown below on the examples for the standard JPEG file headers:
| File Type | Header in Hexadecimal | Notes |
|---|---|---|
| Standard JPG | FFD8FFE0nnnn4A464946 | nnnn varies depending on the file size |
| EXIF JPG | FFD8FFnnnnnn45786966 | nnnnnn varies depending on the file size |
As you can see from this table, all types of JPEG files are starting with the same set of bytes, shown as a string of hexadecimal characters FF D8 FF. Specifically designed software can scan the disk volume for any occurrences of the header string. Once it's been located, the appropriate sequence of sectors will be saved as the counterpart file (JPG picture in our example). Some random name will be assigned to the recovered file, since there is no way to trace the real name for such file. The name of the recovered file is to be, something like ‘file0055.jpg’, and all raw-recovered JPEG images will be grouped in one folder, named by the file's extension: 'Folder-JPEGs'.
Losing original names is not the last problem with the raw-recovery. The software may generate together with useful files also false or defective ones, if they not verifiable on the fly (must be verified manually, therefore cannot be sorted out automatically). That happens not only due to fragmentation or physical damage on disks. When you move or delete a file, its header will remain at old place until the moment it will be overwritten by some other file. But the raw recovery grabs all headers without distinction and all debris of deleted files will be saved as though they were real files.
The example of corrupted file (broken picture) is demonstrated above.