As vice president of development at Renew Data, an electronic evidence and data recovery services provider, Dan Gardner played the leading role in the development of the company’s proprietary forensic and data recovery software. Gardner recently spoke with Computerworld’s Lucas Mearian about data recovery best practices, how Renew Data restores lost data and how administrators can minimise the risk of data loss.
Q: What should administrators do when faced with a storage media failure?
Our advice is if the hard drive is making a noise or a tape is stopping, don’t try to fix it yourself. Once the media starts to fail, it’s got a pretty limited lifetime. I recommend pulling the plug. Powering down can take time and cause further damage. Don’t be hasty to try things that may cause further damage, or don’t try things that may cause logical damage or data loss. It doesn’t cost much to call and just get a quick assessment of whether or not there is a data recovery scenario involved.
Q: What can IT do to protect against the most common causes of data loss?
One point that gets overlooked in policies and procedures for disaster recovery is testing. There’s an old saying, “One test is worth a thousand opinions.”
Q: Which types of problems are the toughest to remedy?
By far, the physical damage. These types of things involve taking it into a clean room and trying to attempt a repair of what’s repairable and then attempting to read what’s readable. It’s very labour-intensive and requires the skill of someone who knows what they’re doing in order to manipulate the hardware into a readable state.
Q: At what point do you decide that data is unrecoverable?
Generally speaking, we don’t give up. There are obviously clear situations, like when all the magnetic substrate is scrapped off platters, when it’s obvious. As long as there’s an outside chance of getting something, we continue.
Q: What other types of media can you recover?
Things like flash cards from the digital cameras, SmartMedia, Memory Sticks, [and] all forms and manner of removable storage, such as floppies, optical drives, Zip drives, Ditto drives, CD and DVD media.
Q: What can administrators do to reduce vulnerability to media failures?
Given the fact that there is a certain failure rate among all backup media, you need to audit that media. Make sure it works. Make sure you backed up what you think you backed up. Make sure you can restore what you’ve backed up. We’ve seen backup tapes come in under the assumption that they’ve backed something up but never actually did.
That’s a really tough thing to tell customers. They send in a tape for data recovery because they can’t restore a certain file, and we tell them we can’t either because it wasn’t there in the first place.
Q: If forensic evidence needs to be preserved, what do you do that IT can’t with a forensic disk-imaging software package?
That revolves not so much around capability but around legal conditions. We bring in an objective third party if we’re talking about evidence, because there’s a real credibility issue there. There are chain-of-custody issues that require someone being a witness. From a technology point of view, EnCase is the standard in the forensics area and therefore it’s used by investigators. But our people are also very well trained on the whole chain-of-custody issue, which generally IT people aren’t.
Q: What were some of your more unusual successes?
We’ve had tapes that were in the bottom of a Dumpster swimming in Dumpster juice. That was gross, but it was a good recovery.
Some of the most challenging recoveries we’ve done involved proprietary systems, like GE’s MRI systems, where from a computer point of view, it’s not in the mainstream [and] there’s a pretty hefty amount of work involved in determining how to get data off the media.
Q: How quickly can you restore my data?
There are a number of possible scenarios. If we’re talking about single hard drives, first we have to assess if there’s anything physically wrong. If the magnetic media on the platter has been damaged and completely scraped off, that’s an unrecoverable scenario.
Generally, it’s one day for the initial process of reading the data, and then it’s another day for processing the data, and then it’s another day for restoration of data on return media.
Q: What’s it going to cost me to get my data back?
The most common scenario is a single hard drive and that depends on the type of failure, whether it’s a logical failure or a severe physical failure.