Data recovery disasters: Kroll Ontrack on how it helps enterprises bounce back

Data recovery expert Kroll Ontrack provides a behind-the-scenes look at the challenges enterprises and consumers face getting their files and information back when disaster strikes

Back when the Intel 386DX processor reigned supreme, a friend asked if it was possible to recover an Iomega zip drive containing some important files that were worth a bit of money, but not valuable enough to bother spending a large sum on recovering the data.

The recovery process stalled due to a lack of understanding about how to approach it, but the company keeps the drive to one side in the hope that its contents could be recovered one day.

With this situation in mind, Computer Weekly paid a visit to the premises of data recovery firm Kroll Ontrack, which describes these ‘DIYers’ as the worst type of client.

The company frequently has to repair not only the damage done by the DIYers, but also the repair shops that offer to have a go at recovering the lost data themselves at bargain-basement prices.

The fact is that sometimes there are data loss incidents that even the specialists can't fix, because it all depends on how much of the magnetic residue remains intact.

From hard disks to devices

When the term data recovery is bandied about, people naturally think of hard drives, but the process is increasingly being applied to mobile devices, prompting Kroll to open a dedicated lab to deal with tablets and phones.

According to Michael, who ran the tour, most companies that send in tablets only do so for devices belonging to members of the senior management team, rather than rank and file employees.

Smartphones are also considered to be more difficult to recover than hard disks, thanks to the ever-tightening security used to protect them.

Apple vs Android

The upshot of this is that mobile data recovery is usually done by repairing the phone or device, rather than trying to extract the data.

Getting data out of a modern Apple phone is almost impossible (as the FBI know), it is claimed, and if any of a series of critical chips are damaged, there is no chance of recovery.

This is because several key components store a checksum and if any one of these components is changed, the checksum for the entire phone fails, the device will not boot and the information remains forever encrypted.

Older Android phones can usually have the data extracted, as it is possible to pull a memory chip directly from the phone using a special (and horrendously expensive) workstation to melt the solder and glue on the memory chip. These are then mounted on special, SD card-like readers that import the contents of the RAM chip.

Backing up your Apple or Android device is easy enough and – with a little bit of configuration – can be set to do so automatically, so there really are no excuses for not doing so.

Recovering from encryption

Full disk encryption on PC and server disks is just as bad. Simply put, if you can’t mount the volume because the boot partition or some other key encryption location is corrupted or destroyed, it becomes impossible to recover the underlying data.  

Also, when full disk encryption is used, it becomes impossible to tell the slack/empty space from the real data on the disk.

Fortunately, most encryption systems have multiple copies of critical files spread across the disk. BitLocker, for example, keeps several copies of the information required to decrypt a volume on identifiable areas of the disk.

The only place a user may get a break on data recovery is when the underlying New Technology File System (NTFS) is familiar to the recovery expert overseeing the procedure.

One of the recovery specialists Computer Weekly spoke with at Kroll Ontrack likened the process to the scene from The Matrix where the lines of hex code become instantly recognisable.

Interestingly, the clients Kroll Ontrack deals with are evenly split between business and consumers, with one of the most unusual data recovery cases the company has been involved with centring on a save game of Football Manager.

In that instance, the team were asked to help recover 17 years’ worth of save game data, which they succeeded in doing.

Categorising failure

Failure comes in two types: logical and physical. Those that can be cloned are imaged as a first step, while the physically damaged devices and disks go straight to the clean room for further analysis.

Human error and hardware failures account for the vast majority of recovery work carried out by the Kroll Ontrack team.

Of the problems it sees, admins pulling the wrong disk out is a perennial favourite, along with accidental formatting or deletion of files.

Recovering from a wrong disk pull/disk swap is relatively straightforward but extremely time-consuming, as each disk needs imaging. It then needs to be re-examined in reverse time order to see where the writes were made, before the code is manually changed to rectify the issue. Even after all that effort, there is no guarantee the data will be recovered.


With larger storage area network (SAN) failures, the entire set of disks is shipped to the site, before each disk is individually and manually imaged. A technician will then scan each disk and import the image. At this point it comes down to rebuilding the array with the virtual disks.

Gluing the virtualised array back together is done with some pretty expensive software. There are some off-the-shelf tools like EnCase that can do the trick, but Kroll builds the vast majority of its data recovery tools in-house.

These tools then present the rebuilt array for inspection in a huge purpose-built storage array. At this point the technicians can work on the recovery process.
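The wrong-disk-pull and array-rebuild work described above comes down to two checks a technician runs on the imaged members: does every stripe row still satisfy parity, and which rows of a stale member need regenerating from the others? The following is an added example, not Kroll Ontrack's in-house tooling, on constructed data: a three-member RAID-5 layout with rotating parity is assumed (left-asymmetric rotation and a 4-byte stripe unit are chosen purely for readability; real arrays use much larger units and vendor-specific rotations).

```python
"""
Added example: RAID-5 parity validation and member regeneration on imaged disks.
Not Kroll Ontrack's code; layout (3 members, 4-byte stripe unit, parity on the
last member for row 0 and rotating leftwards) is an assumption for illustration.
"""

STRIPE = 4  # bytes per stripe unit (constructed; real arrays use 64 KiB or more)


def xor_bytes(chunks):
    """XOR equal-length byte strings together (the RAID-5 parity operation)."""
    out = bytearray(len(chunks[0]))
    for c in chunks:
        for i, b in enumerate(c):
            out[i] ^= b
    return bytes(out)


def parity_disk_for_row(row, n_disks):
    """Left-asymmetric rotation: parity on member n-1 for row 0, n-2 for row 1, ..."""
    return (n_disks - 1) - (row % n_disks)


def build_raid5(data, n_disks, stripe=STRIPE):
    """Stripe `data` across n_disks with rotating parity; returns the member images."""
    units_per_row = n_disks - 1
    rows = -(-len(data) // (stripe * units_per_row))
    data = data.ljust(rows * stripe * units_per_row, b"\0")
    disks = [bytearray() for _ in range(n_disks)]
    for r in range(rows):
        pd = parity_disk_for_row(r, n_disks)
        units = [data[(r * units_per_row + k) * stripe:(r * units_per_row + k + 1) * stripe]
                 for k in range(units_per_row)]
        k = 0
        for d in range(n_disks):
            if d == pd:
                disks[d] += xor_bytes(units)
            else:
                disks[d] += units[k]
                k += 1
    return [bytes(d) for d in disks]


def read_raid5(disks, stripe=STRIPE):
    """Reassemble the logical volume from the members (inverse of build_raid5)."""
    n, rows = len(disks), len(disks[0]) // stripe
    out = bytearray()
    for r in range(rows):
        pd = parity_disk_for_row(r, n)
        for d in range(n):
            if d != pd:
                out += disks[d][r * stripe:(r + 1) * stripe]
    return bytes(out)


def parity_check(disks, stripe=STRIPE):
    """Rows whose units do not XOR to zero: a stale member (written to after it was
    pulled) or media corruption. Row order is the 'time order' a technician walks."""
    rows = len(disks[0]) // stripe
    return [r for r in range(rows)
            if any(xor_bytes([d[r * stripe:(r + 1) * stripe] for d in disks]))]


def rebuild_member(disks, missing, rows=None, stripe=STRIPE):
    """Regenerate member `missing` from the others by XOR, for all rows or only `rows`."""
    n_rows = len(disks[0]) // stripe
    rows = range(n_rows) if rows is None else rows
    out = bytearray(disks[missing])
    for r in rows:
        units = [d[r * stripe:(r + 1) * stripe] for i, d in enumerate(disks) if i != missing]
        out[r * stripe:(r + 1) * stripe] = xor_bytes(units)
    return bytes(out)


def simulate_wrong_disk_pull():
    """Constructed scenario: an admin pulls member 1, writes continue on the live
    members, and the stale member is later re-inserted. Returns the rows found to be
    inconsistent and the volume contents after regenerating only those rows."""
    original = b"".join(b"REC%02d:ok" % r for r in range(4))   # 4 rows of 8 data bytes
    before = build_raid5(original, 3)
    updated = bytearray(original)
    updated[8:16] = b"REC01:XX"     # writes that happened while member 1 was out
    updated[24:32] = b"REC03:XX"
    after = build_raid5(bytes(updated), 3)
    stale = list(after)
    stale[1] = before[1]            # re-inserted member still holds pre-pull content
    bad_rows = parity_check(stale)  # only rows 1 and 3 were touched after the pull
    repaired = list(stale)
    repaired[1] = rebuild_member(stale, 1, rows=bad_rows)
    return bad_rows, read_raid5(repaired)


if __name__ == "__main__":
    rows, volume = simulate_wrong_disk_pull()
    print("inconsistent rows:", rows)
    print("volume after repair:", volume)
```

The parity check only says *which* rows disagree, not which member is wrong; that judgement still needs the imaged members and the timeline of what was pulled when, which is why the article describes the process as manual and slow.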

Large-scale data recovery

Admittedly these big SAN recoveries are not all that common, as the majority of the work Kroll Ontrack carries out tends to involve lost PC drives, SD cards and external removable drives. 

Even so, they occur frequently enough for the company to employ several specialists that not only do the recoveries but spend a lot of their time on the theory of large data recovery.

SAN recovery does not come cheap, and it is not unheard of for data recovery invoices to total north of $1m, as the impact of billable hours kicks in.

In the case of most large SAN failures, there is no need to ship the entire array to the recovery company, except when the data at risk is installed on the actual SAN hardware itself, rather than the disks.

So what happens when all these damaged or corrupted disks arrive? Obviously, some are charred or broken and sent directly to the clean room.

Assuming the disk is mechanically sound, the drives are low-level imaged at the block level and imported into a very large storage system, where a dozen disks being imaged at once isn’t uncommon.
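Block-level imaging of a marginal drive is not a plain copy: a single unreadable sector must not abort the image, but it also must not be silently replaced with nothing, or the image shrinks and every later offset shifts. The example below is added here (not Kroll Ontrack's imaging software) and simulates a raw device with a constructed in-memory stand-in; it reads in large blocks, retries any failed block sector by sector, zero-fills only the sectors that are truly unreadable, keeps a bad-sector map, and hashes the finished image so later work can be verified against it.

```python
"""
Added example: two-pass block imaging with a bad-sector map and an image hash.
Not Kroll Ontrack's tooling; FlakyDevice is a constructed stand-in for a raw
block device whose read() raises EIO on certain sectors.
"""
import hashlib

SECTOR = 512


class FlakyDevice:
    """Constructed device: `data` bytes, with every sector in `bad_sectors` unreadable."""

    def __init__(self, data, bad_sectors):
        self.data = data
        self.bad = set(bad_sectors)
        self.pos = 0

    def seek(self, offset):
        self.pos = offset

    def read(self, n):
        start, end = self.pos, min(self.pos + n, len(self.data))
        if any(start <= s * SECTOR < end for s in self.bad):
            raise OSError(5, "Input/output error")  # errno EIO, as a real drive reports
        self.pos = end
        return self.data[start:end]

    def size(self):
        return len(self.data)


def image_device(dev, block_size=4096):
    """Image `dev` block by block. A failed block is re-read one sector at a time so
    that only the genuinely unreadable sectors are zero-filled (the conv=noerror,sync
    idea, but with a record of which sectors were lost). Returns
    (image_bytes, bad_sector_numbers, sha256_hex)."""
    image = bytearray()
    bad = []
    total = dev.size()
    for off in range(0, total, block_size):
        dev.seek(off)
        try:
            chunk = dev.read(block_size)
        except OSError:
            chunk = bytearray()
            for s in range(off, min(off + block_size, total), SECTOR):
                dev.seek(s)
                try:
                    chunk += dev.read(SECTOR)
                except OSError:
                    chunk += b"\0" * min(SECTOR, total - s)   # keep offsets aligned
                    bad.append(s // SECTOR)
        image += chunk
    return bytes(image), bad, hashlib.sha256(image).hexdigest()


def verify_image(image, digest):
    """Re-hash an image before analysis to prove it is unchanged since imaging."""
    return hashlib.sha256(image).hexdigest() == digest


if __name__ == "__main__":
    device = FlakyDevice(bytes(range(256)) * 48, bad_sectors={5, 17})  # 24 sectors
    img, bad_map, digest = image_device(device)
    print("image size:", len(img), "bad sectors:", bad_map, "sha256:", digest[:16], "...")
    print("verified:", verify_image(img, digest))
```

In practice the retry pass would also cap the number of attempts per sector and log timing, since repeated reads of a damaged region can finish off a dying head; the map of zero-filled sectors is what later tells the file system reconstruction which runs of data cannot be trusted.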

From this point, the process becomes very geeky as the technicians load the disks and attempt to root out the lost files or disks.

The technicians have tools to do this but, when you are paying big bucks, the techies tend to do it by hand.

If the disk is physically damaged, the clean room will open the disks and diagnose the faults. Fixes can often include new controller boards, though – with manufacturers now storing a lot more critical information on the chips in the board itself – swapping them out to recover data is becoming less and less useful.

Hard drive density and recovery

The impact the ever-increasing density of hard drives is having on the data recovery industry is another area Computer Weekly quizzed the Kroll Ontrack team about, with regard to how it deals with helium-filled devices and the like.

According to Kroll senior research and development engineer Robin England, opening a helium drive in the clean room is not an issue because the heads can still float over the platters in normal air, but they ride too high to be able to write. In short, a shingled or helium drive becomes read-only once opened.

Having a good working relationship with the disk manufacturer community is centrally important to the work Kroll does, adds England, as solid-state disk suppliers, for example, frequently change how the printed circuit boards are laid out and what chips are used inside. Understanding the impact of these changes means close cooperation is needed.

As to the all-important question of what can be recovered, there are no guarantees. If the magnetic disk traces are gone, there is nothing to read. Assuming the disk is physically sound, the disks can be imaged, paving the way for low-level reconstruction.

It is also possible to rebuild master file tables in NTFS, for example, as there are multiple copies across the disk.

This, in turn, makes it possible to extract all the data from the drive (minus any physically damaged parts) and reconstruct the tables and the data from around the damaged area.
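Rebuilding an NTFS master file table from a damaged drive is mostly a matter of finding the individual FILE records wherever they survive and re-reading the metadata they carry. The following is an added example, not Kroll Ontrack's tooling, that builds a few minimal but layout-correct FILE records (constructed input), carves them back out of a raw image at sector boundaries, undoes the NTFS update-sequence fixups (which is also how a torn record from a damaged area is detected), and recovers each record's number, in-use flag and file name from its resident $FILE_NAME attribute. Timestamps and sizes are left zero in the constructed records; the parent reference to MFT entry 5 (the root directory) is an assumption for the sample.

```python
"""
Added example: carving NTFS FILE records from a raw image and reading $FILE_NAME.
Not Kroll Ontrack's code. The records built here are constructed sample input
that follows the on-disk FILE record and attribute layout.
"""
import struct

RECORD_SIZE = 1024   # MFT record size on most NTFS volumes
SECTOR = 512


def build_file_record(name, record_no, in_use=True):
    """Construct a minimal FILE record holding only a resident $FILE_NAME attribute."""
    utf16 = name.encode("utf-16-le")
    body = bytearray(66 + len(utf16))
    struct.pack_into("<Q", body, 0, 5 | (5 << 48))   # parent = root directory (assumed)
    body[64] = len(name)                             # name length in UTF-16 units
    body[65] = 3                                     # namespace: Win32 & DOS
    body[66:] = utf16
    alen = (24 + len(body) + 7) & ~7                 # attribute length, 8-byte aligned
    attr = bytearray(alen)
    struct.pack_into("<IIBBHHH", attr, 0, 0x30, alen, 0, 0, 0, 0, 0)  # type $FILE_NAME, resident
    struct.pack_into("<IHBB", attr, 16, len(body), 24, 1, 0)          # value length/offset
    attr[24:24 + len(body)] = body
    rec = bytearray(RECORD_SIZE)
    rec[0:4] = b"FILE"
    struct.pack_into("<HH", rec, 4, 48, 3)                     # update sequence array at 48, 3 entries
    struct.pack_into("<HH", rec, 16, 1, 1)                     # sequence number, hard-link count
    struct.pack_into("<HH", rec, 20, 56, 1 if in_use else 0)   # first attribute offset, flags (1 = in use)
    struct.pack_into("<II", rec, 24, 56 + alen + 8, RECORD_SIZE)
    struct.pack_into("<I", rec, 44, record_no)
    rec[56:56 + alen] = attr
    rec[56 + alen:56 + alen + 4] = b"\xff\xff\xff\xff"         # end-of-attributes marker
    usn = b"\x01\x00"                                          # apply fixups: last 2 bytes of each sector
    for i in range(2):
        tail = (i + 1) * SECTOR - 2
        rec[50 + 2 * i:52 + 2 * i] = rec[tail:tail + 2]
        rec[tail:tail + 2] = usn
    rec[48:50] = usn
    return bytes(rec)


def parse_file_record(rec):
    """Undo fixups and pull record number, in-use flag and name from a FILE record.
    Raises ValueError when a sector's fixup value does not match: a torn record."""
    if rec[0:4] != b"FILE":
        return None
    rec = bytearray(rec)
    usa_off, usa_count = struct.unpack_from("<HH", rec, 4)
    usn = rec[usa_off:usa_off + 2]
    for i in range(1, usa_count):
        tail = i * SECTOR - 2
        if rec[tail:tail + 2] != usn:
            raise ValueError("fixup mismatch: record torn or partially overwritten")
        rec[tail:tail + 2] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    first_attr, flags = struct.unpack_from("<HH", rec, 20)
    record_no, = struct.unpack_from("<I", rec, 44)
    name, off = None, first_attr
    while off + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == 0xFFFFFFFF or alen == 0:
            break
        if atype == 0x30 and rec[off + 8] == 0:          # resident $FILE_NAME
            vlen, voff = struct.unpack_from("<IH", rec, off + 16)
            body = rec[off + voff:off + voff + vlen]
            name = body[66:66 + 2 * body[64]].decode("utf-16-le")
        off += alen
    return {"record_no": record_no, "in_use": bool(flags & 1), "name": name}


def carve_mft_records(image):
    """Scan a raw image at sector boundaries for FILE records (needed when the $MFT
    run list itself is gone). Returns ({record_no: info}, [offsets of torn records])."""
    found, torn = {}, []
    for off in range(0, len(image) - RECORD_SIZE + 1, SECTOR):
        if image[off:off + 4] != b"FILE":
            continue
        try:
            info = parse_file_record(image[off:off + RECORD_SIZE])
        except ValueError:
            torn.append(off)
            continue
        info["offset"] = off
        found.setdefault(info["record_no"], info)
    return found, torn


def build_sample_image():
    """Constructed image: noise, a live record, a deleted record and a torn record."""
    filler = bytes(range(256)) * 2
    torn = bytearray(build_file_record("ledger.db", 66))
    torn[512:1024] = b"\0" * 512      # second sector lost to a media defect
    return (filler + build_file_record("budget.xlsx", 64) + filler
            + build_file_record("old-notes.txt", 65, in_use=False) + bytes(torn) + filler)


if __name__ == "__main__":
    records, torn_at = carve_mft_records(build_sample_image())
    for no, info in sorted(records.items()):
        print(no, info["name"], "in use" if info["in_use"] else "deleted", "@", info["offset"])
    print("torn records at offsets:", torn_at)
```

A real carve would go on to read the $DATA attribute (resident content or the run list pointing at clusters) and cross-check the first records against $MFTMirr; the fixup check is what keeps a record that straddles a damaged sector from being trusted as if it were intact.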

What happens in cases where the disks are really badly damaged? Depending on how much money the organisations want to spend, once the platters have been transferred to a solid working drive and the data around the gouge has been read, a specialist will patch together the data that still exists.

That leads to the question of data integrity. It is possible – and frequently happens – that Kroll recovers half a database and rebuilds it. Sometimes, to ensure the data is good, the team will look at old database backups for information on schemas, tables and so on, manually rebuild them as needed, and import the recovered data into a database. Believe it or not, half a database can be worth the money, depending on the data it contains and how business-critical it is.

So if you have no backup and need to use data recovery, Kroll’s advice is to power down the device and resist fiddling with it, as the chances are whatever situation has occurred will be made much worse by tampering. And, in all honesty, it really is easier to have a good backup.

This was last published in April 2018
