Data Recovery Course Outline
I General File System Overview
A. What is a file system?
B. Attributes of a file system
C. Detriments of a file system
D. Microsoft operating systems
1. DOS 3.3 (FAT12)
2. DOS 5.0 (FAT16)
3. Windows 3.1 (FAT16)
4. Windows 95 (FAT32 OSR 2)
5. Windows 98/ME (FAT32)
6. Windows NT/2K/XP (FAT32 NTFS)
7. Longhorn (NTFS)
II General Hard Disk Drive Overview as a storage device
A. Brief hardware description
1. Platter
2. Heads
3. Circuit board
a. SCSI (Small Computer System Interface) embedded BIOS
b. IDE (Integrated Drive Electronics) IO only
B. BIOS
1. C-H-S Addressing
2. LBA Logical Block Addressing
III File System On-Disk format
A. Master Boot Record/Partition Sector
1. On-disk placement (STANDARD)
2. Boot Code
a. Other operating systems
i. Linux
ii. MAC
iii. Third party boot handlers
x. Ontrack's Disk Manager
3. Partition record
a. General Description
B. OS Boot Record
1. On-disk placement
a. Standard
b. Virtual
2. Boot Code
a. FAT
b. NTLDR
i. Multi-boot handler
3. BIOS Parameter Block
a. General Description
4. Built in data recovery
a. Backup boot records
5. Correlation between MBR and OS Boot Record
C. Indexing Methods
1. FAT16
a. Attributes
i. 16 bit addressing
ii. Max drive size
b. Placement
c. Backup
d. File Entry Tables
2. FAT32
a. Attributes
i. 28 bit addressing
ii. Max drive size
b. Placement
c. Backup
d. File Entry Tables
3. NTFS
a. Attributes
i. Master File Table (MFT)
ii. Database type indexing
iii. Max Drive size
b. Placement
c. Backup
d. INDX Records
e. NTFS 4/5
D. Data Area
1. FAT16
a. Root Directory (Static)
b. Data Area (Static)
2. FAT32
a. Root Directory (Virtual)
b. Data Area (Virtual)
3. NTFS
a. MFT (Virtual)
b. INDX (Virtual)
c. Data Area (Virtual)
IV File System Weaknesses
A. General
1. Corrupt MBR
a. Possible causes
i. Virus
ii. Operating System anomaly
iii. Hardware anomaly
iv. Improper use of operating system tools (Fdisk)
b. Effects
i. Invalid logical drive sizes and types
ii. Lost logical drives
iii. System will not boot
iv. Resident low level boot virus
2. Corrupt OS Boot Record
a. Possible causes
i. Virus
ii. Operating System anomaly
iii. Hardware anomaly
iv. Improper use of OS tools (Format)
b. Effects
i. Invalid logical drive size and types
ii. System will not boot
iii. FAT32
x. Root directory cluster pointer destroyed
iv. NTFS
x. MFT cluster pointer destroyed
B. Corrupt FAT
1. Entire logical drive data indexing is maintained by the FAT
2. Data may be unrecoverable or at least corrupted
3. Although a backup is maintained, it is usually corrupted as well.
C. Corrupt MFT
1. Entire logical drive data indexing is maintained by the MFT
2. Data may be unrecoverable or at least corrupted
V Scenarios & data recovery of the following:
A. Operating system will not boot
1. MBR corrupted or missing
a. BIOS bootstrap code
2. OS boot record corrupted or missing
a. OS bootstrap code
b. BPB misaligned
3. OS startup files missing or corrupted
a. command.com
b. NTLDR
4. Virus pre-empting operating system load
a. Boot virus shifting memory markers
5. Hardware
a. Hard drive, memory, motherboard
B. Directory listing not displaying properly
1. FAT or MFT corrupt
a. EOF markers and links invalid
2. OS boot record corrupted
a. Cluster alignment
b. MFT or FAT start cluster pointers
3. Virus corrupting display
a. Memory
4. Hardware
a. Memory, Hard disk
C. Data corrupted
1. FAT or MFT corrupt
a. Links or run list corrupted
2. OS Boot record corrupted
a. Cluster alignment
b. MFT and FAT start cluster pointers
3. Virus corrupted data
a. Writing random area across drive
4. Hardware
a. Memory, Hard disk
VI Data Recovery Tools
A. Recovery It All Professional
B. Fast File RAW File Extractor
C. Fast File Undelete
D. WinHex
E. ScanPST
F. Digital Picture Recovery
G. E-Recovery for Outlook Express
VII RAID (Redundant Array of Independent Drives)
A. RAID 0
1. Striped
B. RAID 1
1. Mirrored
C. RAID 1+0
1. Striped mirror
D. RAID 5
1. Striped with parity
E. What is Parity?
1. XOR mathematics
F. Recovery
1. Header Size
2. Stripe Size
3. Parity progression
4. Software vs. Hardware
5. De-striping techniques
VIII Hands on
A. Recover a deleted file after a simple delete
B. Recover all excel files after a simple delete
C. Recover PST file after fdisk.
D. Recover PST file after format
E. Recover file system after Partition Magic
F. Recover Outlook Express after quick restore
G. Recover deleted emails.
H. Recover formatted media card
I. Recover all JPEGs after MFT destroyed