They need FinalData
| | File control | Server control | Security solution |
|---|---|---|---|
| Major target | IT firms, accounting/tax/law firms, financial institutions, etc. | Help desk, corporate IT department | Corporate system and planning departments, Internet data centers, etc. |
| When is it necessary? | Accidental deletion; intentional deletion by insiders; deletion by virus and hacking; needed recovery of discarded data | File deletion through network; recovery of data stored just before system crash; rapid recovery of selected files; recovery of data from remote site through network | Recover files deleted by external attack; detect hackers by log file analysis; recover copied trace of confidential data; recover customer database/program source; initiate investigation |
The Concept of Data Recovery
Data-preserving mechanism
File-writing process
The Microsoft® Windows® operating system preserves file system information (including file size and the first
cluster number) in the directory entry, data position information in the FAT, and the data itself in the data area.
File-reading process
The Windows® operating system reads files in a two-step process:
(1) It reads file system information, such as file name, file size, renewed date, and the first cluster number from the directory entry.
(2) It connects clusters preserving specific data, using the first cluster number and FAT area, and reads the data scattered about the data area.
An illustration of file reading and writing in the Windows® operating system.
Data loss
Data loss due to damaged FAT and directory entry information. The Microsoft® Windows® operating system
manages files in the following sequence:
- Read data in directory entry
- Read FAT information
- Read data in data area
When directory and FAT information is damaged, the Windows® operating system cannot read files, even though the
information is still available in the data area. In other words, damage by file deletion or formatting results
in data loss, but only according to the FAT and directory information; the data itself still exists. Users, however,
think they've lost data because their operating system can't find it. Finding this data becomes the equivalent of
finding a needle in a haystack.
Damage to data
Is it possible to recover data that is actually damaged, not simply "lost" to damaged directory and FAT information?
Let's start by looking at what causes damage to data:
- Physical damage to the disk
- Viruses or other invaders that attack and destroy data
- Overwriting that changes the data of specific clusters
Complete data recovery is impossible under these circumstances. It is possible, however, to recover some of the data: the part that remains in the data area.
Data recovery
FinalData recovers data by directly scanning the data area.
The proven FinalData recovery process works in a variety of situations:
1. The most common situation is the deletion of directory entry information along with the files. In these cases,
even though files are deleted, the data itself remains in the data area. But because the file is marked "deleted" in
the directory entry, the Microsoft® Windows® operating system cannot read it. FinalData is able to recover the
data by scanning the data area directly.
2. When information disappears in the FAT and root directory areas, the quick disk format deletes all directory
entry information in the FAT and root directory. The Windows® operating system cannot read files but, again,
FinalData overcomes these problems by scanning the data area directly.
Caution in your daily work can increase your chances for data recovery.
The small amount of time needed to follow these steps can pay huge dividends:
1. Do not save important files in the root directory.
Directory entries are written in the root directory, so files saved right under the root directory are more
susceptible to loss by a quick format. When the directory entry is damaged, file names and file sizes
disappear, which is a key reason not to save important files here. If the data is not in the root directory, it can be
recovered more quickly. Be cautious with any directory, because these entries contain the critical file information,
including name, extension, attributes, creation/renewal dates, first cluster number, and size.
2. Defragment the hard drive regularly.
Data will be saved in consecutive clusters if the disk has reasonably empty space; repeated saving and
deletion operations tend to fragment files.
Example:
A disk contains files (1), (2), (3), (4), (5), (6), and (7). When data is deleted from the disk, new data
can be recorded in the same area. If the new data is larger than the old data, it is not recorded in the consecutive
area, but in the fragmented space.
This means if files (1), (3), (5), and (6) are deleted, saving a larger file (8) may result in a file sequence
that reads (8) (2) (8) (4) (8) (8) (7). When reading this fragmented data, the hard disk head follows the "seek (designated track)"
command. The fragmented arrangement decreases the speed of data access, so it must be rearranged to make the
disk more efficient.
Another way to describe fragmentation is to say that the data in FAT is scattered. Defragmenting rearranges the
scattered data in FAT in a sequential order. Regular defragmentation results in an orderly arrangement of the
data in our sample cluster area: (8) (8) (8) (8) (2) (4) (7).
Regularly defragmenting a disk increases the efficiency of data recovery if the FAT is initialized by a
quick format or virus. When FAT information is initialized, data recovery requires an analysis of the mixture of
consecutive and fragmented data. If a lot of consecutive data is present, simply knowing the position of the first
cluster and file size makes it possible to recover data quickly.
Notice: Performing disk defragmentation after mistaken data deletion will decrease the rate of data
recovery because new data will be saved over the cluster where the deleted data existed.
3. Don't save important information on a low-capacity disk.
The recovery rate decreases if disk capacity drops to zero while saving data. Save important data on a
reasonably empty disk whenever possible. The lower a hard disk's capacity, the higher its risk of fragmentation.
4. Defragment floppy disks regularly.
Floppy disks have a high risk of fragmentation. When saving data in a floppy disk, save it in a subdirectory with
several subdivisions, then defragment the disk. Saving files in several subdirectories remarkably improves
the data recovery rate. But, even when saved in a subdirectory, only 7 or 8 files per folder will be recoverable
if there are many fragmented files. Disk defragmenting will save more files from the subdirectory.
When files are saved right under the root directory, and the directory information in the root directory area
still remains, it is possible to recover them even when disk defragmenting has not been performed.
5. Turn off temporary file creation in Microsoft® Windows®.
In normal operation, Windows® is set to create temporary files on the hard disk drive. Turn off this function by
un-checking the box marked "Remember each folder's view settings" in the Folder Options control panel.
Where to find and turn off "Remember each folder's view settings" in Microsoft® Windows®.
6. Don't perform any operation on a disk drive that contains data in need of recovery.
If a disk drive contains data in need of recovery, installing or using other recovery utilities on the disk may
overwrite data and decrease the rate of recovery. Avoid performing any operation on the drive, including running other
programs such as Microsoft® Windows®, if at all possible, to avoid further damage to important deleted data.
Likewise, never save any files to a disk containing data in need of recovery. You should designate a location on
another drive for saving files that you want to put back on the original drive after recovery.
Warning: Saving new data to a disk with limited capacity will damage important data in need of recovery
and could prevent data recovery.
Notice: If you attempt to save recovered files to the same drive you are
recovering them from, the data you want to recover will be overwritten. If the disk with deleted data is
shared with a network drive, it is possible to recover and save the data in the shared disk.
Be careful: the deleted data can also be overwritten in this case.
The cause and phenomenon of data loss
What is the meaning of data loss, data crash, and deleted data?
There are four possibilities:
1. When the operating system is not working
2. When data is not perceived in the operating system while the operating system is working
3. When the operating system can perceive data, but a file can't be opened
4. When files open, but data is changed into other letters or files have no contents
1. When the operating system is not working
After turning on the computer and seeing POST or BIOS, one of the following has occurred:
A. Non-system disk, disk error, or invalid system disk: press a key to reboot when you see these error messages.
B. The cursor is flashing and the operating system is not working.
C. The system boots to MS-DOS® but not Microsoft® Windows®.
A. Non-system disk, disk error, or invalid system disk: press a key to reboot when you see these error messages.
There is a boot sector in all logical drives, such as hard disks and floppy disks. There is a disk that cannot be booted.
The boot disk contains information regarding disk partition and saved data, as well as a small program called a boot program
that is used to load MS-DOS® system files. Without MS-DOS® system files, the boot program shows messages like "non-system disk,"
"disk error," or "invalid system disk."
Follow these steps in the above cases:
1. If a floppy disk is in the disk drive, verify that it contains no system files, then eject it and push the Enter key. The operating system should then boot.
2. Verify the BIOS setup. Push the Delete key or F2 key to load the BIOS screen after turning on the computer, then check the following four items:
1) Verify that the disk drive (Drive A) shows "3.5 inch, 1.44 MB." If not, change it by using the Page Up and Page Down keys.
2) Designate the BIOS booting drive as "A THEN C."
3) Verify that Primary Drive 0 is presented as "Hard Drive," or that its parameters are displayed to the right of "Auto" (IDE hard disk drives only).
4) When "Unknown Devices" is shown or no parameters are shown, it can be the result of hardware failure.
3. Reboot after performing a disk scan.
4. Reboot after transporting system files by using the booting disk (made separately when the operating system was working)
in preparation for the deletion of the hidden files (IO.SYS and MSDOS.SYS).
1) Insert a booting disk (floppy disk) made by the same operating system and turn on the computer.
2) Put in the following commands after seeing "A:>":
A:>FDISK/MBR [ENTER]
A:>SYS C: [ENTER]
3) Turn the computer on again after ejecting the floppy disk from the drive.
5. After installing FinalData into the other hard disk via Microsoft® Windows® and designating the hard disk with
the problem as the slave, you can begin recovering important data by selecting and scanning the physical drive.
If you cannot recover data this way, the problem could be the result of physical damage. You will then need to ask
for assistance from a service center. If you want to recover important data from your hard disk, ask for recovery service
from a professional data recovery center.
B. The cursor is flashing and the operating system is not working.
There is a boot sector in all logical drives, such as hard disks and floppy disks. There is a disk that cannot be booted.
The boot disk contains information regarding disk partition and saved data, as well as a small program called a boot program
that is used to load MS-DOS® system files. When you cannot boot your computer because boot programs are damaged or a virus has
damaged the boot sector, you have to decide how you will recover the boot sector.
You can do so manually, or by scanning a physical drive with FinalData after deleting the partition with FDISK, an MS-DOS® command
that initializes the boot sector and MBR.
C. The system boots to MS-DOS® but not Microsoft® Windows®.
System files in Windows are possibly damaged.
1) Verify that MSDOS.SYS exists in C:/. If MSDOS.SYS is missing, reboot after copying C:/Windows/MSDOS.SYS to C:/,
substituting the directory where Windows is installed for C:/Windows.
2) Reinstall Windows when the computer cannot be booted in the manner described in step 1.
3) After installing FinalData into the other hard disk via Windows and designating the hard disk with the problem
as the slave, you can begin recovering important data by selecting and scanning the physical drive.
2. When data is not perceived in the operating system while the operating system is working
In these five cases, data does not appear when the operating system is booted:
a. When files are deleted
b. When the drive is formatted
c. When the partition is deleted by FDISK
d. When the disk has crashed
e. When files are damaged by reformatting or a virus
a. When files are deleted
When files are deleted, the deletion is marked in the first character of the file name in the directory entry
information. The data itself remains in the real data area, but it is no longer seen by the operating system.
This creates the risk that the operating system might overwrite the data area, and the data it no
longer sees, at any time. If the data area is overwritten, lost files are impossible to recover, and there is
no other choice but to use backup data.
Directory entry information does not indicate whether a deleted file's data has since been overwritten.
If the disk is scanned, however, this can be determined from the files shown as possible to recover in the
directory entry information. The FinalData demonstration version shows deleted files that remain in the real
data area, but only the full version of FinalData offers the ability to recover that data.
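The deletion mark described above, together with the earlier point that a consecutive file can be recovered from its first cluster number and size, as an added example (not FinalData's code). It parses 32-byte FAT directory entries from a small constructed volume, finds entries whose first name byte is the FAT deletion marker 0xE5, and reads the data back; the function names, the 512-byte cluster size and the sample files are assumptions made for the illustration.

```python
import struct

CLUSTER = 512      # bytes per cluster in the constructed volume (assumption)
DELETED = 0xE5     # FAT marks deletion by overwriting the first name byte

def parse_dir(dir_bytes):
    """Yield (name, deleted, first_cluster, size) for each 32-byte entry."""
    for off in range(0, len(dir_bytes), 32):
        e = dir_bytes[off:off + 32]
        if e[0] == 0x00:                  # never-used slot: end of directory
            break
        if e[11] == 0x0F:                 # long-file-name slot, not a file
            continue
        deleted = e[0] == DELETED
        base = (b"?" + e[1:8] if deleted else e[:8]).decode("ascii", "replace")
        ext = e[8:11].decode("ascii", "replace").rstrip()
        first, size = struct.unpack_from("<HI", e, 26)
        yield (base.rstrip() + ("." + ext if ext else ""), deleted, first, size)

def recover(entry, fat, data_area):
    """Read `size` bytes from the first cluster on, assuming consecutive clusters.
    Also list clusters the FAT shows as reallocated (data likely overwritten)."""
    _name, _deleted, first, size = entry
    count = -(-size // CLUSTER)                       # ceiling division
    reused = [c for c in range(first, first + count) if fat[c] != 0]
    start = (first - 2) * CLUSTER                     # data area begins at cluster 2
    return data_area[start:start + size], reused

def make_entry(name, ext, first, size, deleted=False):
    """Build one constructed directory entry for the sample volume."""
    raw = bytearray(name.ljust(8).encode() + ext.ljust(3).encode() + bytes(21))
    raw[0] = DELETED if deleted else raw[0]
    raw[11] = 0x20                                    # archive attribute
    struct.pack_into("<HI", raw, 26, first, size)
    return bytes(raw)

# Constructed sample: clusters 2-3 hold a deleted report, cluster 4 was
# reused by NOTES.TXT after OLD.TXT was deleted, cluster 5 is empty.
REPORT = b"confidential quarterly report line\n" * 20          # 700 bytes
DATA = REPORT.ljust(1024, b"\0") + b"new notes!".ljust(512, b"\0") + bytes(512)
FAT = [0xFFF8, 0xFFFF, 0, 0, 0xFFFF, 0]               # FAT16 entries 0..5
ROOT = (make_entry("REPORT", "TXT", 2, 700, True) + make_entry("NOTES", "TXT", 4, 10)
        + make_entry("OLD", "TXT", 4, 100, True) + bytes(32))

if __name__ == "__main__":
    for ent in parse_dir(ROOT):
        if ent[1]:
            data, reused = recover(ent, FAT, DATA)
            print(ent[0], len(data), "bytes; reallocated clusters:", reused)
```

A non-empty list of reallocated clusters means the bytes read back belong to another file, which is the case the directory entry alone cannot reveal.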
b. When the drive is formatted
Microsoft® Windows® 95 and 98 operating systems have two format commands: one is a quick format, and the
other is a general format. In either case, the format command initializes the Master Boot Record (MBR), FAT,
and the root directory area as a high-level format.
To differentiate between the two formats:
- In a quick format, only the directory entry information in the root directory and the FAT information are
initialized. The data itself is left in the data area, allowing this format to be done quickly.
- The standard format searches the data area and maps the bad sectors. Because this requires reading the
header of each sector, it takes a very long time. If a bad sector is found, the clusters included in the sector
are marked as "bad" in FAT, and the operating system does not use those clusters.
3. When the operating system can perceive data, but a file can't be opened
When files are infected by such viruses as WormExplorer and MiniZIP, the file size is sometimes reduced to zero.
Once opened, this file is displayed as a plain white document with no content.
If this happens, change the file size to the appropriate value by clicking [File Information Alt+F2] from [File (F)]
menu. If the original file size is larger than the appropriate value, it will not be displayed correctly. Try to
restore the file to its original size by increasing the designated appropriate value.
Even if the file is restored to a larger size than the original, it will resume its original size once it is
opened by an application and saved again.
4. When files open, but data is changed into other letters or the files have no contents
The possible causes of this sort of transmutation:
a. The restored file is a temporary file.
b. The application is not the one used to create the file.
c. The file is damaged.
e. When the application is different
When directory entry information is lost, the cluster scan restores the file as a retrieval file with the extension .DOC.
Files from typical Microsoft applications like Microsoft® Word, Excel, PowerPoint®, Publisher, Visual Basic®,
or Visio® take the form of Binary Interchange File Format (BIFF). Files from the Japanese word processing software
ICHITARO (no older than Version 7), as well as from several Microsoft® Windows® applications like 3D
Studio, also take the form of BIFF. Since each of these file types has a common header, FinalData cannot tell
the applications apart from the file types. It therefore retrieves all of the files created in those applications and
places them in folders of "retrieval files" with the extension code .DOC.
To correctly open and read these files after restoration, the extension code must be corrected to .XLS, .PPT, .PUB, .VSD,
.VSS, .JTD, .MAX, etc., when the files are opened. Before attempting data recovery, users should determine the extension codes
of the files that are saved on their hard disks.
Note: Be sure to change the extension codes. If the file was a Word document originally, no change is necessary.
If a data file that was not originally a Word document is opened in Word, the text will appear transmuted. Once the
extension codes are changed, check that each file is readable with its program.
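One way to pick the right extension for such a retrieved file, as an added example that is not part of FinalData: the common header is the 8-byte OLE2 compound-file signature, and the container's directory names the application's main stream. The sketch below reads the top-level stream names and maps the ones for Word, Excel, PowerPoint and Visio; the other applications are not covered, files whose allocation table extends beyond the sectors listed in the header are not handled, and the function names and `build_sample` are illustrative.

```python
import struct

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")   # header shared by all these formats
FREE, END = 0xFFFFFFFF, 0xFFFFFFFE              # unused slot / end-of-chain markers
KNOWN = {"WordDocument": ".doc", "Workbook": ".xls", "Book": ".xls",
         "PowerPoint Document": ".ppt", "VisioDocument": ".vsd"}

def top_level_names(blob):
    """Names of the entries directly under the compound file's root storage."""
    size = 1 << struct.unpack_from("<H", blob, 0x1E)[0]       # sector size
    sect = lambda n: blob[(n + 1) * size:(n + 2) * size]
    fat = [x for s in struct.unpack_from("<109I", blob, 0x4C) if s != FREE
           for x in struct.unpack(f"<{size // 4}I", sect(s))]  # sector chain table
    d, chain, raw = struct.unpack_from("<I", blob, 0x30)[0], set(), b""
    while d < len(fat) and d not in chain:                    # directory chain
        chain.add(d)
        raw, d = raw + sect(d), fat[d]
    ents = [raw[i:i + 128] for i in range(0, len(raw), 128)]
    names, seen, todo = [], set(), [struct.unpack_from("<I", ents[0], 76)[0]]
    while todo:                                   # walk the root's sibling tree
        i = todo.pop()
        if i < len(ents) and i not in seen:
            seen.add(i)
            nlen = struct.unpack_from("<H", ents[i], 64)[0]   # bytes incl. NUL
            names.append(ents[i][:max(nlen - 2, 0)].decode("utf-16-le", "replace"))
            todo += struct.unpack_from("<II", ents[i], 68)    # left/right sibling
    return names

def guess_extension(blob):
    """Return the likely extension, or None if unknown or not a compound file."""
    if blob[:8] != OLE_MAGIC:
        return None
    try:
        return next((KNOWN[n] for n in top_level_names(blob) if n in KNOWN), None)
    except (struct.error, IndexError):            # truncated or damaged carve
        return None

def build_sample(stream):      # constructed minimal compound file for the demo
    def entry(name, kind, child=FREE):
        e, n = bytearray(128), name.encode("utf-16-le") + b"\0\0"
        e[:len(n)] = n
        struct.pack_into("<HBxIII", e, 64, len(n), kind, FREE, FREE, child)
        return bytes(e)
    hdr = bytearray(OLE_MAGIC + bytes(504))
    struct.pack_into("<H", hdr, 0x1E, 9)                      # 512-byte sectors
    struct.pack_into("<I", hdr, 0x30, 1)                      # directory: sector 1
    struct.pack_into("<109I", hdr, 0x4C, 0, *[FREE] * 108)    # FAT: sector 0
    fat = struct.pack("<128I", 0xFFFFFFFD, END, *[FREE] * 126)
    return bytes(hdr) + fat + entry("Root Entry", 5, 1) + entry(stream, 2) + bytes(256)
```

Calling `guess_extension(open(path, "rb").read())` on each retrieved .DOC file gives the extension to rename it to, or `None` when the file needs manual inspection.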