Research on Recovery of Computer Data based on Windows System

Abstract： This paper researches the computer data recovery in FAT Windows file system， analyzed the storage format and file data operations （such as formatting， partition and delete）， specific to the data processing and the data recovery， summarizes the method of data recovery and commonly used software tools， and gives the specific data recovery examples.

Keywords： Hard disk； data recovery； FAT；

0 Introductions

With the rapid development of computers， people's work and life more and more cannot do without a computer， it brings convenience to people， but also may be due to various reasons， causing the computer data loss， damage， may make the years of painstaking efforts to the flowing water， the so-called. A hard disk has a price， data is priceless. Data loss make people vexed extremely， but in fact， in most cases， computer data is not lost， it may be hidden in a corner， waiting for people to carefully explore， that is to say， the data can be recovered in most cases. Data recovery is to suffer damage， or due to hardware defects in inaccessible or unavailable， or because the virus， misuse and other various reasons lead to loss of data into normal data.

Data recovery artificially recover data that disappeared or are not readable data extracted from the storage medium through some equipment and software， and changes into a process can read data. Methods usually data recovery from means divided into two types， one is the recovery storage medium physical level is based on operation， we call it. Hard recovery： This data needs to be opened the hard disk data recovery equipment， through the specialized analysis of magnetic signal on the disc， and then through a special software for recovery. Storage medium is the file system format， delete operation after recovery， generally need to use some software， we call it Soft recovery. In general we call data recovery means that Soft recovery.

1 Cause of damage data

Computer data lost is various； it usually divided into two types： hard fault and soft fault. Among them， the hard disk failure is due to a natural disaster or man-made factors are causing data cannot be read normally physical injury. Such as hard disk read / write head due to severe vibration damage does not recognize the hard disk interface， power supply， fault of hard disk； disk motherboard circuit board burned fault； the hard disk motor drive chip damage caused spindle motor does not rotate； the hard disk has physical bad sectors hard disk firmware is lost or damaged. In addition， the cache hard drive failures lead to hard not to be identified， garbled， hard on the motherboard BIOS abnormal result in misidentification， does not recognize the hard disk.

Soft fault refers to the hard disk physical performance intact， just because the data user error operation or due to a virus and human operation error loss， common are： mistakenly formatted partition or error， error cloning， mistakenly delete or overwrite accidentally， electromagnetic interference， hacker intrusion， network user environment vulnerability virus infection， zero track damaged， damaged， the master boot program FAT damage， DBR fault and hard logic lock etc.. Can cause data loss and damage， the operating system cannot start， cannot find the required files， file not open or open the document， the hard disk partition， not garbled or suggesting a hard disk partition is not formatted a system error or paralysis and other specific characteristics.

2 Analysis of the data storage structure

The data recovery， first of all， we must understand the structure of data storage. Unused disk can use through low-level formatting， partition， format. Low level format is on the hard disk partition tracks and sectors， as shown in Figure 1， and therefore it is also called the physical format； the physical hard disk partition is logically divided into multiple regions to achieve multiple operating system management to manage hard disk， hard disk data. Advanced format is the role of the partition space into the data storage according to certain rules， for the FAT file system， is divided into system boot sector， FAT， file allocation table file directory table FDT and the data area. This logic in the hard disk has been established in the master boot sector， operating system guide the five sector， FAT， file allocation table file directory table FDT and the data area， as shown in Figure 2.

The first sector of the hard disk （0 trace 0 head of sector 1） was retained as the boot sector. It includes： the master boot record of hard disk partition table MBR and DPT. The master boot record is a section of program code， its main function is to the operating system on a hard disk installation guide； the hard disk partition table is stored in the hard disk partition information， using 80H or 00H marked at the beginning， to mark 55AAH to end， a total of 64 bytes， the most at the end of this sector.

Operating system boot sector usually occupy the first sector of partition of a total of 512 bytes， which mainly includes the operating system boot record DBR and the partition parameter block （BPB）. DBR's main task is to judge the root directory of the two documents if or not right when the MBR control system to it. Operating system boot file， if it is loaded into memory. BPB records the starting sector， the ending sector of the partition， file storage format， hard disk media descriptor， the size of the root directory， the FAT number， the allocation unit size and other important parameters.

When the system starts， MBR is the first to be from the hard disk loading program segment， then directed to the DBR implementation of the program， the system file is loaded into memory. The first cluster storage in FDT and file stored file directory names and cluster number and other information in the data area， file allocation table FAT is a linked list， other storage cluster number given file. The system is based on the information of the file access.

3 The principle of data recovery

Data recovery， the premise condition is that data is actually not removed or covered file data in hard disk. In fact we partition， format， accidentally deleted lost data， and not really clear all data， just by the operating system to hide it， so long as we understand and analyze these really hard to deal with， through some methods and tools can restore most of the data.

3.1 initialization processing analysis

Initialization is low-level formatting. To use disk initialization， most software will reset all sectors， and even re partition sector number sequence， so the original data is unrecoverable. But in the use of fast low， only to the 0 road 0 heads and 1 sector （i.e. the MBR sector） write code， while the partition table data region cleared the last two bytes written sign 55AA. This also means that the file still exists， data recovery may. So hard disk display is not initialized， if the storage medium partition table is normal， but the boot code is destroyed， or. 55AA. Signs of damage caused， is not low， you can restore all data on the hard disk.

3.2 Analysis of the partition operation treatment

The partition is to master boot sector partition table area write the partition data information. At the same time allocated to the first sector of the partition of reset all data. The first sector of the partition is boot record sector （DBR sector） in partition. At this time， only one sector data are destroyed， the original file allocation table and file directory table is still hidden in the hard disk， so as to find the original partition information， can restore most of data partition.

3.3 formatting process analysis

Format refers to the establishment of file storage format in the partition， namely establish system file. Different file system to store the data format is not the same， windows system is used in FAT16， FAT32 and NTFS file system.

（1） FAT32 format

FAT32 partition structure is as shown in figure 3. Root directory to the root directory file， its size is not fixed， the location is not fixed， it is no longer the same number FAT16 512 file limit. The FAT32 format will be used for the following data processing on the partition.

（1） No. 0 sector write boot code， 1 sector write Fs info information， 2 sector write "55AA” Mark.

（2） The 3-5 sectors cleared， 6-8 sectors for the 0-2 sector for backup.

（3） Reserve other position clear.

（4） FAT reset， FAT1 and FAT2 starting sector write marker （F8FFFF0F）， the end of the 2 FAT table position settings file

Mark.

（6） Assigned to the cluster space clear root directory， such as setting the volume label， catalogue No. 0 position to build volume directory entry.

3.4 The analysis of deletion file

Delete the file processing system is very simple， the FAT file system rewrite the file's directory entry the first byte by E5 tag， the NTFS file system is two bytes in the MFT file recording head start from offset 0x16 to 00H （Delete file） or 02H （remove directory） mark， mark after that the file or folder has been deleted. At the same time will describe the distribution space of the corresponding FAT （FAT file system） or bitmap （NTFS file system） rewriting is not allocated， so that the space allocated to other files or directories to use. The delete operation， the real cluster space allocated to the file has not been any rewriting operation， may lose folder or attribute， the contents of the documents can be completely restored.

4 Data recovery methods and tools

Data recovery methods can be divided into recovery mode for hardware and software recovery mode.

Hardware recovery can be divided into alternative hardware， firmware， and repair disk reading three recovery modes. Alternative is replace the bad data recovery purposes to use new hardware， such as alternative， hard circuit board flash drive control chip replacement. The firmware is written on a hard disk drive program in the initialization program. Firmware restoration， is the use of hard disk special repair tools， such as PC3000， to repair the hard disk firmware， and hard drive data recovery. Disc read is on a hard disk in a super clean working class 100 room opened， remove the disk， and then use the special data recovery equipment for the scanning， read the data on the disk. Software recovery can be divided into system level recovery and file level. System level recovery is the operating system can not start， use file repair system repair software， and make the system work normally. The file level recovery is to restore the user data files on a disk is damaged or lost； the file level recovery generally available tools software or manual recovery data.

Currently used for data recovery software tools are EasyRecovery， FinalData， Winhex， DiskGenius， RecoverNT， Re-cover My Files， Norton， R-Studio， FinalRecovery， Disk， Recover etc.. Each tool has its advantages and disadvantages， recovery will also have certain difference.

FinalData has the characteristics of simple operation， rapid and wide coverage， in addition to the Windows operating system Microsoft outside， FinalData also supports the common UNIX system platform.

EasyRecovery is a powerful， in addition to the data recovery， but also can repair damaged Excel， Word， Access， PowerPoint， Zip and other types of documents， is by far the most popular data recovery tool.

Winhex a perfect partition management function and file management function， can automatically analyze partition chain and document cluster chain， be backed up in different ways to different degrees on the hard disk， or even clone entire hard disk， and can complete display and edit any file type binary content， any sector of the disk editor to edit the physical disk and the logical disk， memory editor to edit the memory directly， can be said to be the preferred tool to manually restore data.

5 The experience of data recovery

I have a notebook computer， the C， D， E， F four partition， 80G， wherein C area is the system of 10GB. Because computer poisoning， install the system by using Ghost software clone， a careless mistake enable entire hard disk into a partition， the D， E， F all user data are all gone， but my heart is still calm， cloning installation system mainly covers the data of original C region （Qi Wen is only a little more than 1 G）， the other partition data do not cover， the user data can be restored. The following is a recovery operation. First， no longer use the hard disk， so the original data is covered. Remove it into another computer； use EasyRecovery to hard disk data recovery. Select the hard disk partition loss / damage function， scanning to four partition information， choose three to restore the backup data to other hard disk partition. From the data recovery principle， the original hard disk except C outside the other partition DBR， FAT， FDT are still， as long as the original partition size re partition can be restored to all user data. So， decided to manually restore data. According to the hard disk partitions of DiskGenius software to record partition information， we re-install the system on the C disk cloning. Data recovery is completed within 20 minutes.

6 Conclusions

Although the partition， format， deleted files can be recovered， but it must immediately stop using the hard disk and write data on the hard disk ， protection of original data has not been breached two times， so as to maximize the recovery of the original appearance of the data. At present， the importance of data recovery is beingwidely concerned， data recovery technology development history in foreign countries more than thirty years， data recovery in Chinese will no doubt the rapid development.

Reference

[1] Liang Yuen， Shen Jiangang， Liang Qilai. Computer data recovery technology[M]. Xi'an， Xi'an Electronic and Science University press， 2009

[2] Wang Jinghui. Computer hard disk repair and data recovery [M]. Beijing. Higher education press， 2007

[3] Ma Lin， Windows data recovery technology limit analysis[M]， Tsinghua University press， 2011

[4] Marin， reproduction of data [M]， Tsinghua University press， 2009