Updated: February 2007
Of all the types of computer services I offer, I find data recovery and forensic data analysis to be the most intensive and time consuming. Most computer repair projects involve a clean install of Windows, which is what calls for this type of data recovery service. For instance, after the evaluation phase, when a computer has been received for repairs and it has been determined that a clean install of Windows is needed, the client’s data is backed up first.
The tools I use to successfully back up client data are:
Pre Recovery
- Was Symantec Norton Ghost (DOS); now Acronis True Image
- Was a PCMCIA network adaptor (for laptops); now a USB network adaptor
- Was a PCI network adaptor; now no longer used.
- Was a custom net-boot CD (containing DOS network drivers and other utility tools); now I just use the Acronis True Image boot disk unless problems occur, in which case I fall back to my old net-boot CD.
Recovery
- Was Symantec Norton Ghost Explorer (Windows); now Acronis True Image, Image Explorer
- Linux server/box (configured with Samba services, which receives the client data)
- Was F-Secure F-Prot Linux edition (anti-virus software); now not needed, since all the data is stored in a contained read-only image.
- Was a custom Perl script (removed .exe, .dll, and temp files from client data); now no longer used.
Post Recovery
- Was ETrust™ PestPatrol (anti-spyware); today it’s called CA Internet Security Suite
- Was Symantec Norton Anti-Virus; now AVG Anti-Virus
I follow 5 phases of data recovery service to achieve a successful backup and restore of client data.
Phase 1:
This phase generally involves evaluating the client’s computer to determine whether data recovery services are required. The majority of client computers I receive require recovery services because of viruses, spy-ware, mal-ware, ad-ware and other related malicious things. It is simply a matter of time and of the end result when the computer is delivered back to the client. Simply fixing a client’s immediate problem on their computer nowadays just doesn’t do it in the long run. Many times, fixing only the immediate problem the client asked about later causes more problems and more time and cost. So generally speaking, the computer must be in tip-top shape before it makes sense to fix just the immediate problem (e.g. it runs without errors, has no pop-ups, has up-to-date anti-virus software and a firewall; simply a clear judgment of whether the computer has been taken care of or not). Otherwise: back up the data, do a clean install of Windows, and then restore.
Phase 2:
Phase 2, which I call “pre recovery”, entails connecting the client computer to a network. The computer must have at least a floppy drive or, preferably, a CD/DVD-ROM drive so that the necessary drivers for network communication can be loaded. I typically use the Acronis True Image boot CD, which contains hundreds of common network drivers and the software to back up client data. At times, however, I have to reconfigure the computer’s BIOS (CMOS) to allow booting from CD-ROM or floppy disk.
With a little luck the client computer obtains an IP address and mounts the appropriate network share on the Linux server. I use a Linux environment because the majority of viruses and malicious things are Windows based. In other words, the Linux server is immune to 99% of all viruses.
Phase 3:
Time to start recovering data: the “recovery” phase! On severely damaged hard drives that produce clicking (‘cling-king’) noises I expect trouble and hours of waiting. First, if the hard drive isn’t detected in the BIOS, I’m in major trouble, as my software tools are useless without a drive present. Second, severely damaged drives typically mean no more than 1, 2, maybe 3 tries to recover the data; after those attempts, whatever luck I once had starts to diminish. Hard drives (a.k.a. hard disks) have mechanical parts that, like a car’s, break down over time through natural wear and tear. Third, power failures: what a bad experience! Tripping over the power cord, a summer-wide power failure, or, most commonly, thunderstorms are the absolute worst nightmares. The most critical and most delicate stage for a hard drive is when it first spins up (the power-on). If the drive can’t spin up, the data can’t be read! (Learned the hard way.) All client computers are located well away from anything that could be tripped over and are properly connected to a battery backup (UPS with AVR).
Assuming the hard drive is detected in the BIOS and the computer’s power is protected, I make my first attempt to start recovering data with a program by Acronis called True Image. True Image is disk imaging software typically used for making backups of computer data. I find True Image extremely useful in recovering data, even with severe hard disk failures. Using this software I push a backup of the client’s data to the Linux server as disk images. Usually this process takes 1-2 hours; on severely damaged drives it can take 8-10 hours or longer.
After watching a movie and having some popcorn I run off to my Windows box and launch Acronis True Image, Image Explorer. The Image Explorer feature allows mounting the image in either read-only or read/write mode as a drive letter in My Computer. This then allows copying folders and files to the client computer directly, but not just yet.
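The imaging and mounting steps of this phase, as an added shell example that is not the author’s Acronis/Image Explorer tooling: it sector-copies a drive into an image on the receiving server, records a checksum so the image can be verified before every use, and loop-mounts the image read-only with noexec so the client’s files can be copied out without anything in them running or being altered. The Linux server stays clean only because it never executes the Windows files it stores; the files inside the image can still be infected, which is why the mount is read-only and the post-recovery scan still matters. It assumes a POSIX sh with dd, cmp and either sha256sum or shasum; the mount step assumes Linux util-linux mount and root. All device names and paths are placeholders.

```sh
#!/bin/sh
# Added example (not the author's workflow): image a drive to the receiving
# share, record its hash, verify it later, and mount it read-only to extract
# files. Placeholder paths throughout; mount step is Linux-only and needs root.
set -u

# Print the SHA-256 of a file, using whichever hashing tool is installed
# (sha256sum on GNU systems, shasum on BSD/macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# image_drive SRC DEST
# Sector-copies SRC (a block device such as /dev/sdb, or any file) to DEST.
# conv=noerror,sync makes dd continue past unreadable sectors and pad each
# failed block with zeros, so the image stays aligned and a partially failing
# drive still yields a mountable image. The hash of the finished image is
# written beside it as DEST.sha256 so every later copy can be checked.
image_drive() {
    src=$1; dest=$2
    dd if="$src" of="$dest" bs=64k conv=noerror,sync 2>/dev/null || return 1
    sha256_of "$dest" > "$dest.sha256"
}

# verify_image IMG
# Returns 0 when IMG still matches the hash recorded at imaging time,
# 1 when it differs or the sidecar hash is missing.
verify_image() {
    img=$1
    [ -f "$img.sha256" ] || return 1
    [ "$(sha256_of "$img")" = "$(cat "$img.sha256")" ]
}

# mount_image_ro IMG MNT [OFFSET]
# Loop-mounts IMG at MNT read-only with noexec,nodev,nosuid so nothing in the
# client's data can run or be modified while files are copied out. For a
# whole-disk image pass the byte offset of the partition (start sector * 512,
# as listed by `fdisk -l IMG`). Linux only; requires root.
mount_image_ro() {
    img=$1; mnt=$2; offset=${3:-}
    opts="ro,loop,noexec,nodev,nosuid"
    if [ -n "$offset" ]; then opts="$opts,offset=$offset"; fi
    mkdir -p "$mnt" && mount -o "$opts" "$img" "$mnt"
}

# Typical run on the recovery server (placeholder device, paths and offset):
#   image_drive /dev/sdb /srv/recovery/client01/disk.img
#   verify_image /srv/recovery/client01/disk.img && echo "image intact"
#   mount_image_ro /srv/recovery/client01/disk.img /mnt/client01 32256
```

The hash is taken of the image rather than of the drive because a failing drive does not read the same way twice; what is worth verifying is that the copy on the server has not changed between imaging, extraction and any later re-check.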
Phase 4:
Hurray, we’re almost done! Installing a clean copy of Windows and drivers typically takes 1-3 hours, and even longer when certain dinosaur computer drivers are not easily found on the web. In short, after the installation of Windows XP SP2 (as of Feb 2007), driver sets such as NVidia’s NForce or ViaTech’s 4-in-1 have to be installed, at least on non-brand-name computers. On brand-name computers, chipset drivers can be quite cumbersome and hard to find, as some brand-name web sites have horrible driver support downloads.
If adequate space is available I usually also transfer the disk image files along with the restored client data, for backup purposes. On occasion, the restored client data excludes certain documents where massive disk corruption was found, so I include the disk images as an added copy of anything that could possibly be missing. This lets the client extract any restored files that were missed, or lets me walk the client through the process of doing so.
Phase 5:
At the “post recovery” phase I install and run the defense mechanisms: CA Internet Security and AVG Anti-Virus software. CA Internet Security is a program intended to remove spy-ware, mal-ware, and ad-ware, which the program calls pests. These malicious things can be as damaging as viruses and can leave a client locked out of their own computer. And of course AVG Anti-Virus, as the name says, removes all the rest of the so-called pests, i.e. viruses, trojans, worms etc.
The entire process from Phase 1 to Phase 5 takes 2-3 days on average. What’s more important to know is that this type of service, “data recovery”, is typically not part of a traditional computer repair, which is what makes my service to clients unique.
