[ale] Drive recovery

Michael B. Trausch fd0man at gmail.com
Wed Jun 8 12:14:17 EDT 2005


Mark Wright wrote:
> 
> I have seen advertisements that claim to recover any drive but the
> cost is incredible.  Maybe the data security issue is a bit in the
> paranoid camp.  It is better to err on the side of caution but does
> this "king have no clothes"?
> 

Any one of us can recover data, assuming that we have the time to sit
and work on it.

Let's take, for example, an FAT16 formatted drive.  I say FAT16 because
that's the easiest to figure out.  Let's assume you screw up and replace
its boot sector with something else... rendering the filesystem
useless.  But you don't know that's all that you've done.  You'd start
looking at the system, and you'd probably want to use a program if you
could find one, or write a small one yourself, to look at the disk and
make a guess.

FAT16 is laid out such that you have the Boot Sector, which is 512
bytes.  FAT relies on data to be present in the boot sector for it to be
able to be read by an operating system or FAT driver, rather.

So the FATs (usually 2) and then the root directory and then the data area.

There are different parts of them that you can "scan" for and attempt to
find the filesystem.  If you can find the file-system, then you can find
data.  And if you can find subdirectories in the root directory, you can
find more file tables and information that will get you to a file.

Can *I* do all of this?  Not without a *very* large hunk of dedicated
time.  And only with FAT perhaps.  Sometimes it really isn't that "easy"
for someone to recover data, unless they've built the tools to do it.

Then you also have a new tool that Linux provides in the kernel:
Something called "IDE Taskfile" access, which supposedly goes beyond the
driver and reads the raw disk structure.

Point being that it can be done... perhaps not by everyone, but it's not
that "hard," really.  All of the specifications to develop tool programs
to run with are out there, and with the UNIX "treat everything as a
file" philosophy, it's very easy to write programs in higher-level
languages that can work with the filesystem if you have root access to a
box, because you can just read the filesystem from the hard disk node.

	Later,
	Mike

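Added example, not part of the original message: a small Python sketch of the "scan for the filesystem" idea above, locating the two FAT copies and the root directory of a FAT16 volume whose boot sector has been overwritten. The in-memory image is constructed sample data, and the scan assumes 512-byte sectors, two FAT copies, and the fixed-disk media byte 0xF8; all function names are hypothetical.

```python
import struct

SECTOR = 512
# Assumption: FAT16 entries 0 and 1 read F8 FF FF FF (media byte 0xF8, clean volume).
FAT_SIG = b"\xf8\xff\xff\xff"
DIRENT = "<11sB14xHI"  # 8.3 name, attributes, first cluster (offset 26), size (offset 28)

def build_damaged_image(fat_sectors=4, root_sectors=2):
    """Constructed sample: tiny FAT16-style volume with its boot sector destroyed."""
    fat = bytearray(fat_sectors * SECTOR)
    fat[0:4] = FAT_SIG
    struct.pack_into("<H", fat, 2 * 2, 0xFFFF)       # cluster 2 is a one-cluster chain
    entry = struct.pack(DIRENT, b"NOTES   TXT", 0x20, 2, 11)
    root = entry.ljust(root_sectors * SECTOR, b"\x00")
    data = b"hello world".ljust(SECTOR, b"\x00")
    boot = b"\xde\xad" * (SECTOR // 2)               # garbage where the BPB used to be
    return boot + bytes(fat) * 2 + root + data

def find_fats(image):
    """Return (first_fat_sector, fat_size_in_sectors), or None if no pair is found."""
    hits = [s for s in range(len(image) // SECTOR)
            if image[s * SECTOR:s * SECTOR + 4] == FAT_SIG]
    for i, a in enumerate(hits):
        for b in hits[i + 1:]:
            size = b - a
            # A genuine second FAT is a byte-for-byte copy starting right after the first.
            if image[a * SECTOR:b * SECTOR] == image[b * SECTOR:(b + size) * SECTOR]:
                return a, size
    return None

def list_root(image, fat1, fat_size):
    """Parse 32-byte directory entries from the sector following the second FAT."""
    off = (fat1 + 2 * fat_size) * SECTOR
    found = []
    while off + 32 <= len(image) and image[off] != 0x00:   # 0x00 ends the directory
        name, attr, cluster, size = struct.unpack_from(DIRENT, image, off)
        if name[0] != 0xE5 and attr != 0x0F:               # skip deleted / long-name slots
            base = name[:8].decode("ascii", "replace").rstrip()
            ext = name[8:].decode("ascii", "replace").rstrip()
            found.append((base + "." + ext if ext else base, cluster, size))
        off += 32
    return found

if __name__ == "__main__":
    img = build_damaged_image()
    fat1, fat_size = find_fats(img)
    print("FAT1 at sector", fat1, "size", fat_size, "sectors")
    for entry in list_root(img, fat1, fat_size):
        print(entry)
```

On a real disk the same scan would be run read-only against a copy of the device node, and the recovered FAT size and root directory position can then be used to rebuild the missing boot sector fields.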


