An Introduction to the Use of a Hex Editor in Hard Drive Data Recovery:

There are occasions when it can be useful to examine the raw contents of a hard drive. These circumstances can include:

- Simply to establish if the drive has had its data erased or if there is still information stored on it.

- The drive won’t boot normally, but the correct model and capacity are reported in BIOS.

- The directory/file contents of the drive cannot be seen and are shown as “raw”. This is often accompanied by the option to re-format the drive. (Incidentally, never re-format a drive if it is your aim to recover lost data from it; a re-format simply overwrites the existing file table with a new, empty file table.)

- You may be unsure of what is on a hard drive and find that the operating system which you are using to investigate it is not reporting any data present.

- Hex editors play a key role in the task of accurately delineating and subsequently re-building failed RAID storage volumes.

As always with any data recovery procedure from a failed hard disk, the first step must be the precautionary one of cloning the original drive. This means you always have the original drive available in its original state regardless of what might happen during any analysis you carry out. It is also vital in that it minimises the further deterioration of the original disk.

What is a Hex Editor?

It is a piece of software which will display the contents of the hard drive sector by sector in both hexadecimal (hence the name) and ASCII. The “content” in this context refers to the binary 0’s and 1’s which computers use when storing data. This is best illustrated by reference to an example.

The screenshot below shows the hex editor view of a single sector on a hard drive:

[Screenshot: hex editor view of the start of a hard drive]

 

Each sector holds 512 bytes of information (this is not the case for some very recent drives, however let’s not over-complicate things). Each byte is 8 bits of data (i.e. 8 binary 0’s and 1’s). The sector view shows an array of 16 columns and 32 rows. Each entry in the matrix represents 8 bits or 1 byte of binary data. In order to avoid presenting a frankly bewildering string of 0’s and 1’s, these 8 bits are split into 2 groups of 4 bits. Each group of 4 bits is then converted into a hexadecimal digit (base 16). These hex number pairs are shown as a matrix of 32 rows by 16 columns. This data (under columns 0 to 15) is the “raw data” which your computer reads and writes on your hard drive.

The single, wider column to the right of the raw data shows the ASCII translation for each hexadecimal pair. While the binary information is meaningful to your computer, it is less so to us mere humans and so it is necessary to convert it into a form that has meaning to us. For example, if you want to send an email to a friend arranging where to meet, “Outside the pub at 6” is slightly more helpful than “100010110011000”. The ASCII table is a universally defined means of converting the hex figures into the characters that we use. For more on ASCII translation have a look at this wiki page.

Bear in mind that the picture above is a single sector. A 1TB hard drive will consist of approximately 2,000,000,000 such sectors.

There are many hex editors available for download. Arguably the best known is WinHex, which is an excellent program: it is extremely easy to use and offers a huge range of features for more advanced requirements.

What can You Determine by Looking at the Hard Drive Content with a Hex Editor?

An almost infinite number of things, but here are some of the more basic and useful things:

It can verify if there is still data on the drive:

A hard drive which has been erased:

[Screenshot: a raw hex view of an erased hard drive. This hard drive has been “zero-wiped”.]

 

A hard drive which still holds some kind of information:

[Screenshot: a raw hex view of random data on a hard drive. This drive still clearly contains something.]
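The sector view described earlier and the erased-versus-in-use check above can be reproduced on a clone image with a few lines of Python. This is an added example, not part of the original article; the function names and the 8-sector sample image are constructed for illustration.

```python
SECTOR_SIZE = 512  # bytes per sector, as assumed in the article

def hex_view(sector):
    """Render one sector as rows of 16 bytes: offset, hex pairs, ASCII."""
    rows = []
    for off in range(0, len(sector), 16):
        chunk = sector[off:off + 16]
        # Each byte becomes two hex digits: the high 4 bits, then the low 4 bits.
        hex_part = " ".join(f"{b >> 4:X}{b & 0x0F:X}" for b in chunk)
        # Printable ASCII (0x20-0x7E) is shown as-is, anything else as '.'.
        ascii_part = "".join(chr(b) if 0x20 <= b <= 0x7E else "." for b in chunk)
        rows.append(f"{off:04X}  {hex_part:<47}  {ascii_part}")
    return rows

def survey(image):
    """Count zero-filled and data-bearing sectors in a clone image."""
    zero = bytes(SECTOR_SIZE)
    total = len(image) // SECTOR_SIZE
    used = [i for i in range(total)
            if image[i * SECTOR_SIZE:(i + 1) * SECTOR_SIZE] != zero]
    return {"sectors": total, "non_zero": len(used),
            "first_non_zero": used[0] if used else None,
            "zero_wiped": not used}

# Constructed sample images: one fully zeroed, one with text in sector 5.
wiped = bytes(8 * SECTOR_SIZE)
in_use = bytearray(wiped)
message = b"Outside the pub at 6"
in_use[5 * SECTOR_SIZE:5 * SECTOR_SIZE + len(message)] = message
in_use = bytes(in_use)

if __name__ == "__main__":
    print(survey(wiped))
    print(survey(in_use))
    for row in hex_view(in_use[5 * SECTOR_SIZE:6 * SECTOR_SIZE])[:2]:
        print(row)
```

For a real clone, read the image file in chunks rather than loading it whole; the comparison per sector stays the same.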

 

It can tell you what file systems are in use on the hard drive. Sector 0 on the drive is usually the one referred to as the MBR (Master Boot Record).  It can directly define up to 4 partitions on the hard drive. The file system for each partition is indicated by the characters outlined in red below:

[Screenshot: using a hex editor to determine partition and file system information on a hard drive. Determining the file system(s) from the MBR.]

 

The most commonly encountered file system indicators are:

07: NTFS

0B or 0C: FAT32

83: Linux

EE: EFI GPT partition (commonly used for Mac HFS+)

In the example above, the drive consists of 2 partitions, both of which are NTFS.

The example below is from a memory stick formatted as a single FAT32 partition:

[Screenshot: raw hex view of the start of a memory stick. The hex editor view of a FAT32 (“0B”) memory stick.]

 

The sizes and starting point of each partition can also be read from the MBR and a good hex editor will typically include a function to display this information.
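What a hex editor's partition-table function does with sector 0 can be shown directly. The following is an added example, not code from the original article: it decodes the four 16-byte entries of a classic MBR, using the type codes listed above, and the sample sector is constructed to resemble the two-partition NTFS drive described.

```python
import struct

SECTOR_SIZE = 512
# File system indicators listed in the article
FS_TYPES = {0x07: "NTFS", 0x0B: "FAT32", 0x0C: "FAT32",
            0x83: "Linux", 0xEE: "EFI GPT"}

def parse_mbr(sector0):
    """Decode the four partition entries stored at offset 446 of sector 0."""
    if len(sector0) < 512:
        raise ValueError("need the full 512-byte sector 0")
    if sector0[510:512] != b"\x55\xAA":
        raise ValueError("no 55 AA boot signature: not an MBR, or overwritten")
    parts = []
    for slot in range(4):
        entry = sector0[446 + slot * 16:446 + (slot + 1) * 16]
        # Layout: boot flag, CHS start (3 bytes, skipped), type code,
        # CHS end (3 bytes, skipped), start LBA, sector count (little-endian).
        boot, ptype, start_lba, sectors = struct.unpack("<B3xB3xII", entry)
        if ptype == 0x00:  # unused slot
            continue
        parts.append({"slot": slot, "bootable": boot == 0x80,
                      "type": f"{ptype:02X}",
                      "fs": FS_TYPES.get(ptype, "unknown"),
                      "start_lba": start_lba, "sectors": sectors,
                      "size_bytes": sectors * SECTOR_SIZE})
    return parts

def make_entry(boot, ptype, start_lba, sectors):
    """Build one 16-byte table entry (CHS fields left as zero)."""
    return struct.pack("<B3xB3xII", boot, ptype, start_lba, sectors)

# Constructed sample: sector 0 of a drive with two NTFS partitions.
sample_mbr = bytearray(SECTOR_SIZE)
sample_mbr[446:462] = make_entry(0x80, 0x07, 2048, 204800)
sample_mbr[462:478] = make_entry(0x00, 0x07, 206848, 1024000)
sample_mbr[510:512] = b"\x55\xAA"
sample_mbr = bytes(sample_mbr)

if __name__ == "__main__":
    for part in parse_mbr(sample_mbr):
        print(part)
```

A single entry of type EE means the MBR is only a protective placeholder and the real partition table is the GPT stored in the sectors that follow.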

Hex editors are invaluable for more advanced operations such as file carving. In instances where the file table has been corrupted or otherwise lost it can still be possible to locate individual files by searching for their characteristic raw structure. For example a typical JPEG photograph file will have a characteristic header or beginning to the file (highlighted in red below):

[Screenshot: characteristic raw hex view of a JPEG photo header, at the start of the file.]
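The file carving idea above, as an added example that is not part of the original article: scan a clone for sectors that begin with the JPEG signature (bytes FF D8 FF) and cut out the data up to the end-of-image marker (FF D9). The function names and the 6-sector sample image are constructed; the sketch assumes the file is stored contiguously.

```python
SECTOR_SIZE = 512
JPEG_SOI = b"\xFF\xD8\xFF"  # start-of-image marker plus first byte of the next marker
JPEG_EOI = b"\xFF\xD9"      # end-of-image marker

def find_jpeg_headers(image):
    """Return the sector numbers whose first three bytes are the JPEG signature."""
    # Files start on sector boundaries, so only sector starts are tested.
    return [off // SECTOR_SIZE
            for off in range(0, len(image), SECTOR_SIZE)
            if image[off:off + 3] == JPEG_SOI]

def carve_jpeg(image, sector, max_bytes=20 * 1024 * 1024):
    """Return the bytes from a header to the first end marker, or None."""
    start = sector * SECTOR_SIZE
    end = image.find(JPEG_EOI, start + 3, start + max_bytes)
    if end == -1:
        return None  # header found but the rest is missing or overwritten
    return image[start:end + len(JPEG_EOI)]

# Constructed sample: a fake JPEG in sectors 2-3 and an orphaned header in sector 4.
fake_jpeg = b"\xFF\xD8\xFF\xE0\x00\x10JFIF\x00" + b"\x11" * 700 + JPEG_EOI
sample_image = bytearray(6 * SECTOR_SIZE)
sample_image[2 * SECTOR_SIZE:2 * SECTOR_SIZE + len(fake_jpeg)] = fake_jpeg
sample_image[4 * SECTOR_SIZE:4 * SECTOR_SIZE + 4] = b"\xFF\xD8\xFF\xE0"
sample_image = bytes(sample_image)

if __name__ == "__main__":
    for sector in find_jpeg_headers(sample_image):
        carved = carve_jpeg(sample_image, sector)
        size = len(carved) if carved else 0
        print(f"header at sector {sector}: carved {size} bytes")
```

A fragmented file, or one with an embedded thumbnail that carries its own end marker, will carve short or with foreign data in it, so every carved file still has to be opened and checked.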

 

This introduction barely scratches the surface regarding the use of hex editors in data recovery; it is intended purely as an introduction to the ideas involved.


Once you have sent in your hard drive what will happen next?

 

It will of course depend upon exactly what the problem with the drive is, however there is a common set of procedures.

Step one will always be to clone the client drive. All subsequent recovery will then be carried out on the clone created.

Why clone the drive?

This is an essential step in the recovery process (and one that separates the dedicated data recovery specialist companies from those who will simply run recovery software on your drive and hope for the best).

The client’s original drive is the only copy of this vital data in existence and it is held on a device that may fail at any moment. It is essential, therefore, that the contents are copied to a healthy hard drive which can then be subjected to the rigours of scanning and file extraction. If these procedures are carried out directly on the original drive there is a strong likelihood that the drive will terminally fail during the recovery work, leaving nowhere for the recovery effort to go from there.

Obtaining the Clone

Sometimes the client data has been lost because the file system has been corrupted or perhaps a drive has been accidentally reformatted. In such cases cloning is typically a fairly straightforward process. More often there is either no access or only limited access to the hard drive, and in these circumstances remedial work will need to be carried out before the drive can be cloned.

Among the more common faults to be fixed before cloning can be completed are:

- The drive doesn’t spin-up at all. This will typically be the result of either electrical problems or can be caused by a mechanical shock to the drive.

- The drive spins-up but there is no access to the user files and a repetitive clicking sound is heard. This is commonly due to failed read/write heads but does have other potential causes which should be eliminated first. For more information on the range of noises made by faulty hard disks have a look at this article which includes a selection of recordings made from various hard drives.

- The drive has limited, or intermittent access. This is one of the most common forms of failure. It typically affects older and heavily used drives but even brand new disks are not immune. The problem is the degradation of the chemical coating covering the platters which spin inside the drive and which hold the user files. As this coating ages and breaks down, parts of the drive become unreadable. Once this process starts it can quickly avalanche and so early action is essential. Specialist equipment capable of cloning a drive sector by sector is required in order to work around the unreadable areas of the drive and build-up as complete a copy as is possible.

Once the clone has been completed the drive is manually analysed, usually using a hex editor (a program which looks at the raw content of the hard drive). This allows us to determine how the hard drive has been configured in terms of partitioning, which file system(s) have been used and which operating system(s). This information is used in order to select the best approach for scanning the clone in order to ensure that all recoverable data is identified.

Once this scanning has been completed the user files can be extracted to a second location.

The last stage is that of confirming that the files recovered are intact. Sadly a simple file list is no guarantee that the files to which the list refers are usable. The list is analogous to the index of a book; you can recover the full index but still have lots of pages missing from the book itself. It is worth keeping in mind that if a single sector in a typical JPEG photograph is corrupted then the photo can be barely recognisable (a typical photo will consist of hundreds of thousands of sectors).

[Image: the same photo with 1 corrupted sector]

Verifying the data is therefore essential (never trust a file list alone as proof of recovery; it is almost meaningless on its own). The only sure way to test a file is to open it with the appropriate application. Where the number of recovered files is small this is easily done, however the vast majority of hard disks will hold tens if not hundreds of thousands of files. In these cases extensive sampling is required. It is essential that the end user be allowed to request to see screenshots of files which are critical to them. This offer should always be made before recovered data is approved and paid for.

So in summary:

Step 1 – Initial testing will reveal whether or not the drive is mechanically intact. If it is, then the drive will be cloned. If it is not, then the appropriate remedial action is taken in order to obtain the clone.

Step 2 – The clone will be analysed to determine the partitioning, file system and operating system in use on the drive. The clone will then be scanned appropriately.

Step 3 – The user data will be extracted from the clone.

Step 4 – The extracted user files will then be verified, and file lists along with screenshots will be produced for the client in order to demonstrate that the files have indeed been recovered in an intact condition.

Step 5 – Finally the user data is transferred to a memory stick or external hard drive for supply to the client. As you would expect, the data can be shipped encrypted at no charge if required.

We keep both the original client drive clone as well as a copy of the extracted user data for 10 days after shipping. This allows us to re-visit any part of the recovery process should the need arise.


No Signs of Life From a Hard Drive When Power is Applied

By far the most common reason that a drive might appear totally lifeless when switched on (no sounds can be heard and no vibration is detected) is electrical damage to the printed circuit board (PCB), this is discussed in more detail in this article. However there is an alternative cause that also results in this […]


The Symptoms of Hard Drive Electrical Damage

One of the more common causes of failure in hard drives is the result of a spike on the power supply line. Sometimes this is the outcome when someone plugs-in the wrong cable (or the right cable but the wrong way round), sometimes it is due to a failing power supply within the computer or […]


Why Does My 1TB Hard Drive Offer only 931GB of Space?

The good news is that there is nothing wrong with either your hard drive or your computer. This apparently reduced size is both normal and will apply regardless of which brand of hard drive you buy, which computer you install it in and which operating system you use. The reason is fairly straight forward (if […]


My Hard Drive Won’t Spin-up, the Role of the Platter-Swap Procedure in Data Recovery

What is a Seized Platter Motor? One of the more common problems a hard drive can be subjected to is a seized platter motor. On the application of power the drive does not spin-up. The platters within the hard drive do not spin and consequently of course there is no access to any of the […]


Should I Try Swapping the Printed Circuit Board on My Failed Hard Drive?

Many peoples’ first response to a drive which they can no longer access is to try and replace the printed circuit board (PCB). The logic is clear enough, they have no idea what is actually wrong but here is something that can be tried easily and relatively cheaply, simply purchase another hard drive with the […]


The File Table in Windows and its Role in Data Recovery

The purpose of this short article is to explain the basic structure and use of the file table with regard to recovering lost files from a hard disk that has been accidentally reformatted or has simply suffered system corruption. Why is it so Important for Recovering my Documents? The file table tells the Operating System […]


The Sounds Made By Failed Hard Drives and What They Mean for Hard Drive Recovery

When you have lost access to your data one of the first and most useful steps you can take towards determining the cause of the hard drive failure is to listen to your hard drive. The sounds that it makes when power is first applied may provide a great deal of information regarding what has […]


How to Rescue Files From a Drive with Electrical Problems

We received a call from an IT company for whom we routinely carry out hard disk recovery work. They had a very worried client who had some irreplaceable files on a laptop hard drive. In this case a Toshiba model MK2546GSX, which is a 250GB S-ATA. Both the client and the IT company had carried […]
