Computer Forensics

General Information about hard drives and recovery


A head crash is a hard disk failure that occurs when a read-write head of a hard disk drive comes in contact with its rotating platter, resulting in permanent and usually fatal damage to the magnetic media on the platter surface (see Hard disk platter). A head normally rides on a thin film of moving air entrapped at the surface of its platter (some drives of the mid-1990s used a thin liquid layer instead). The topmost layer of the platter is made of a Teflon-like material that acts like a lubricant. Underneath is a layer of sputtered carbon. These two layers protect the magnetic layer (data storage area) from most accidental touches of the read-write head.[citation needed] The disk read-and-write head is made using thin film techniques that include materials hard enough to scratch through the protective layers. A head crash can be initiated by a force that puts enough pressure on the platters from the heads to scratch through to the magnetic storage layer. A tiny particle of dirt or other detritus, excessive shock or vibration, or accidentally dropping a running drive can cause a head to bounce against its disk, destroying the thin magnetic coating on the area the heads come in contact with, and often damaging the heads in the process. After this initial crash, countless numbers of fine particles from the damaged area can land onto other areas and can cause more head crashes when the heads move over those particles, quickly causing significant damage and data loss, and rendering the drive useless. Modern hard disks incorporate free fall sensors[citation needed] to offer protection against head crashes caused by accidentally dropping the drive. Since most modern drives spin at rates between 5 400 and 15 000 RPM, the damage caused to the magnetic coating can be extensive. At 7 200 RPM the edge of the platter is traveling at over 120 kilometres per hour (75 mph), as the crashed head drags over the platter surface the read-write head generally overheats, making the drive or at least parts of it unusable until the heads cool. Data Recovery Data recovery is the process of salvaging data from damaged, failed, corrupted, or inaccessible secondary storage media when it cannot be accessed normally. Often the data are being salvaged from storage media such as hard disk drives, storage tapes, CDs, DVDs, RAID, and other electronics. Recovery may be required due to physical damage to the storage device or logical damage to the file system that prevents it from being mounted by the host operating system. The most common "data recovery" scenario involves an operating system (OS) failure (typically on a single-disk, single-partition, single-OS system), in which case the goal is simply to copy all wanted files to another disk. This can be easily accomplished with a Live CD, most of which provide a means to mount the system drive and backup disks or removable media, and to move the files from the system disk to the backup media with a file manager or optical disc authoring software. Such cases can often be mitigated by disk partitioning and consistently storing valuable data files (or copies of them) on a different partition from the replaceable OS system files. Another scenario involves a disk-level failure, such as a compromised file system or disk partition or a hard disk failure. In any of these cases, the data cannot be easily read. Depending on the situation, solutions involve repairing the file system, partition table or master boot record, or hard disk recovery techniques ranging from software-based recovery of corrupted data to hardware replacement on a physically damaged disk. If hard disk recovery is necessary, the disk itself has typically failed permanently, and the focus is rather on a one-time recovery, salvaging whatever data can be read. In a third scenario, files have been "deleted" from a storage medium. Typically, deleted files are not erased immediately; instead, references to them in the directory structure are removed, and the space they occupy is made available for later overwriting. In the meantime, the original file may be restored. Although there is some confusion over the term, "data recovery" it may also be used in the context of forensic applications or espionage. ________________________________________