After a hack: The process of restoring once-lost data

Brandon Butler | Aug. 23, 2012
Mat Honan, a reporter with Wired magazine, thought almost his entire digital life had been lost, but a team of recovery engineers was able to restore most of it by diving deep into his compromised laptop. Here's how they did it.

The wipe began by deleting index data and installing a new operating system but, luckily for Honan, it didn't get all the way through before it was stopped. When Honan realized his accounts were being compromised, he turned off his home router, disconnecting his laptop from the Internet, a move that Bross believes may have ultimately saved his data. Still, when Honan later turned his laptop back on after the attack, none of his files were there. Even the recovery experts were initially worried the data might be lost. "We saw a lot of zeros when we first started scanning the drive," Bross says.

In reality, though, the hack had only gotten about a quarter of the way through the disk, meaning that about 60GB of the 250GB drive had been affected. This included the logical layer of the disk, which organizes all of the media into files, which is why it appeared to Honan on an initial review that all his files had been lost.

Bross compares it to having a several-hundred-page book. When Honan and the engineers first turned on the computer and looked for the files, the table of contents and the first dozens of pages of the book had been wiped and were blank. The deeper they got into the book, though, the more data they began to find. The underlying hex data that makes up those files was still on the disk, and DriveSavers engineers were able to leverage it for the recovery. "As soon as we started seeing that raw hex data, we knew we were going to be able to recover at least some files," Bross says.

If Honan had been delayed by just 10 or 20 minutes, Bross believes, the wipe could have been complete and it's possible the entire drive could have been cleaned, with even the hex data zeroed out. Instead, engineers were able to recreate the files.

Even with the hex data, though, recovery is a delicate process. SSDs have a feature called garbage collection (GC), an automatic maintenance process by which the drive cleans itself to maintain optimal performance. Engineers have to be careful when recovering data so that the restored information is not automatically cleaned up by the GC.

The process of actually restoring Honan's data involved combing through millions of blocks of raw hex data and finding clues to piece the files back together. Each file has a signature attached to it identifying it as a photo, video, document or some other type of media. Engineers examined every block of hex data looking for these signatures identifying Honan's photos, videos and documents. The end of each object has a file marker, allowing the engineers to find what they believed was the complete hex data that made up each file.
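The signature-and-end-marker scan described above, as an added example (not DriveSavers' tooling and not code from the original article): it carves JPEG files out of a constructed raw image whose leading blocks have been zeroed. The JPEG markers are real; the block size, size limit, function names and sample image are assumptions made for illustration.

```python
# Added illustration: signature-based file carving over a raw disk image.
# BLOCK, MAX_FILE and the sample image are assumptions, not values from the article.
BLOCK = 512
SOI = b"\xff\xd8\xff"        # JPEG start-of-image signature
EOI = b"\xff\xd9"            # JPEG end-of-image marker
MAX_FILE = 8 * 1024 * 1024   # assumed upper bound on one carved file


def zeroed_prefix_blocks(image: bytes, block: int = BLOCK) -> int:
    """Count leading blocks that are entirely zero (the wiped region)."""
    zero = bytes(block)
    n = 0
    while (n + 1) * block <= len(image) and image[n * block:(n + 1) * block] == zero:
        n += 1
    return n


def carve_jpegs(image: bytes, max_file: int = MAX_FILE):
    """Return (offset, data) for each signature that has a matching end marker."""
    found = []
    pos = image.find(SOI)
    while pos != -1:
        end = image.find(EOI, pos + len(SOI), pos + max_file)
        if end == -1:
            # Signature with no end marker in range: truncated or overwritten.
            pos = image.find(SOI, pos + 1)
            continue
        end += len(EOI)
        found.append((pos, image[pos:end]))
        pos = image.find(SOI, end)
    return found


def build_sample_image() -> bytes:
    """Constructed sample: 4 zeroed blocks, one whole file, one truncated file."""
    whole = SOI + b"\xe0" + b"A" * 300 + EOI
    truncated = SOI + b"\xe0" + b"B" * 100   # no end marker follows
    img = bytearray(BLOCK * 8)
    img[BLOCK * 4:BLOCK * 4 + len(whole)] = whole
    img[BLOCK * 6:BLOCK * 6 + len(truncated)] = truncated
    return bytes(img)


if __name__ == "__main__":
    img = build_sample_image()
    print("zeroed leading blocks:", zeroed_prefix_blocks(img))
    for off, data in carve_jpegs(img):
        print(f"carved {len(data)} bytes at offset {off}")
```

Real JPEGs can embed a thumbnail with its own end marker, and fragmented files are not stored contiguously, so production carvers validate a file's internal structure rather than stopping at the first end marker.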
