Software recovery: Regular and Raw recovery
Compare 'Regular' and 'Raw recovered' files:
| Regular Recovery: file recovered the regular way | Raw Recovered file (good) | Raw Recovered file (bad) |
Regular recovery: the original file name and the path to the file are recovered as well:
..\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Water lilies.jpg
Raw recovery: recovered files are saved in artificial folders, under artificial names:
..\Dir.JPG\file0001.jpg
..\Dir.JPG\file0002.jpg
Software recovery.
The last step in the data recovery process is software recovery.
Regular Software Recovery. If the binary information retrieved
from the drive's platters is enough to recreate the
damaged/corrupted partition, operating system and file structure, all
recovered data will be organized in files and folders in the same
logical order as before the drive crashed.
Raw Data Recovery. This recovery relies on
binary file signatures, so the original names of the files
cannot be recovered, and no folder names are available either.
The Raw Recovery method allows us to scan severely corrupted partitions
for files using a file signature search algorithm. Using this method,
we recover files from a partition with damaged directory structures. Normally,
we use Raw Recovery as a last resort in recovering data from severely
corrupted partitions. We also use Raw Recovery for forensic data recovery,
and when other software recovery tools could not recover the needed files
(missing files in folders).
The Raw Recovery tools read all sectors on the disk sequentially (sector-by-sector)
looking for specific file header signatures. Typically, using this method,
we can recover files that are stored in one cluster, or larger files stored
in consecutive clusters on the disk. The degree of fragmentation present
on the partition before the corruption occurred will compromise the effectiveness
of this method. Fragmentation occurs naturally when you use a disk frequently,
creating, deleting and modifying files. If you had recently run a disk
defragmenter utility on your partition, your chances of recovery are much
improved.
WARNING: DO NOT defragment your hard drive if
any data recovery is needed. Doing so will likely remove all remnants of
the file you are trying to recover.
How Raw Data Recovery works:
The Raw Recovery method avoids any partition (FAT/NTFS/MAC) and directory
entries entirely. Say you have a JPG image that has been deleted, and
for some reason you do not have any directory entries available. What
can we do? Well, we cannot look for any starting cluster entries or file
names/sizes to help us out, so instead we have to work on the raw data
of the drive. All JPG images have a unique header inside that tells us:
there is an image file of this format. The standard JPG file headers are
as follows:
| File Type | Header in Hexadecimal | Notes |
| --- | --- | --- |
| Standard JPG | FFD8FFE0nnnn4A464946 | nnnn varies depending on the file size |
| EXIF JPG | FFD8FFnnnnnn45786966 | nnnnnn varies depending on the file size |
As you can see, both types of JPG start with the same bytes FFD8FF. So
if we wanted to scan the entire hard drive for any and all JPG images,
we can tell a piece of software to scan for any occurrences of the string
of hexadecimal characters FFD8FF. Once it has located this, we can tell
it to go to the section which supplies the JPG image file size (where
it says "nnnn(nn)" in the table above) and copy out that much
data after the located header.
This data is then saved as a binary file. Some artificial name will be
assigned to this JPG file.
All recovered files will be saved under one "JPG" folder.
If the file was not fragmented, we will successfully recover an image
file from.
Of course, some JPGs will be corrupted: when you browse them, they may
appear as only half an image, or with blocky bands of weird color in
them. This indicates that the file was fragmented in some way and the recovery
process therefore missed the other clusters that were elsewhere on the
drive.
Some other file types also have unique footers, and we can do a similar
thing but only carve out the data found between the header and footer.
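The sector-by-sector scan and the effect of fragmentation, as an added example that is not part of the original article or any recovery tool's own code. It carves from the FFD8FF header to a footer, as described above for file types with footers; the 512-byte sector size, the JPEG end-of-image marker FFD9 used as the footer, the `carve_jpgs` name and the constructed disk image are assumptions of this sketch.

```python
SECTOR = 512                    # assumed sector size
HEADER = b"\xff\xd8\xff"        # JPG signature shared by both table rows
FOOTER = b"\xff\xd9"            # JPEG end-of-image marker (assumed; not on the page)
MAX_SIZE = 64 * SECTOR          # stop searching for a footer after this many bytes

def carve_jpgs(image: bytes):
    """Scan sector by sector; return (artificial_name, offset, data) tuples."""
    found, offset = [], 0
    while offset < len(image):
        if image.startswith(HEADER, offset):
            end = image.find(FOOTER, offset + len(HEADER), offset + MAX_SIZE)
            if end != -1:
                data = image[offset:end + len(FOOTER)]
                name = f"Dir.JPG/file{len(found) + 1:04d}.jpg"
                found.append((name, offset, data))
                # Resume at the first sector boundary after the carved data.
                offset += -(-len(data) // SECTOR) * SECTOR
                continue
        offset += SECTOR
    return found

def fake_jpg(body: bytes) -> bytes:
    """Constructed stand-in for a JPG: header, JFIF tag, body, footer."""
    return HEADER + b"\xe0\x00\x10JFIF\x00" + body + FOOTER

def pad(data: bytes) -> bytes:
    """Pad to a whole number of sectors, as a file occupies whole sectors."""
    return data + b"\x00" * (-len(data) % SECTOR)

# Constructed disk image: one contiguous file, one fragmented file.
ORIGINAL_A = fake_jpg(b"A" * 700)
ORIGINAL_B = fake_jpg(b"B" * 900)
FOREIGN = b"other file".ljust(SECTOR, b"x")   # sector owned by another file
padded_b = pad(ORIGINAL_B)
IMAGE = (b"\x00" * SECTOR + pad(ORIGINAL_A)
         + padded_b[:SECTOR] + FOREIGN + padded_b[SECTOR:])

if __name__ == "__main__":
    for name, offset, data in carve_jpgs(IMAGE):
        intact = data in (ORIGINAL_A, ORIGINAL_B)
        print(f"{name} @ {offset}: {len(data)} bytes, "
              f"{'good' if intact else 'bad (fragmented)'}")
```

The contiguous file comes back byte-for-byte, while the fragmented one is carved with the foreign sector embedded in it, which is what shows up as a half image or colored bands in a viewer.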
So, the likelihood of file recovery is dependent upon a number of conditions.
Firstly, you want the partition to have as little fragmentation as possible.
This will increase the likelihood that all the used clusters are sequential.
This may be reason enough for you to schedule a regular defrag on your
drive.
Secondly, you want the drive to be used as little as possible after the
data loss, preferably not at all. The more you move files around or create
data, the greater the likelihood that you will overwrite some of the data
you want to recover. It does not matter how much you use the drive beforehand,
but make sure you stop using it once you have suffered a loss of data.