Data recovery book

This book is a comprehensive and thorough logical data recovery guide for beginners in data recovery, as well as a desktop reference for professionals already working in data recovery field. Our data recovery manual provides information about basics of storing and recovering data illustrated by numerous examples. In this data recovery textbook we discuss logical causes of data loss and software data recovery solutions. This data recovery book focuses on partition recovery, filesystem recovery, and RAID recovery.

Additionally, in the book, you can find exhaustive list of filesystem and partition table structures. Note that the book does not cover mechanical damage and repairs. For the full table of content click here.

Table of contents

  • 1.1 Target audience
  • 1.2 Contents at a glance
  • 1.3 Difference between data recovery and forensics
  • 2.1 Simple storage devices
    • 2.1.1 Traditional mechanical hard disks
    • 2.1.2 SSD and USB flash
    • 2.1.3 Recovery of overwritten data
  • 2.2 Composite Storage Devices
    • 2.2.1 Hardware RAID and RAID controllers
    • 2.2.2 Network Attached Storage (NAS)
    • 2.2.3 SSD cache and tiered storage
  • 3.1 Mechanical Damage
    • 3.1.1 TVS diodes
    • 3.1.2 Disks with zero or incorrect size
      • 3.1.2.1 Compatibility issue
      • 3.1.2.2 Artificial limitation
      • 3.1.2.3 Firmware problems
  • 3.2 Logical failures
    • 3.2.1 Operator errors
      • 3.2.1.1 Restoring image onto a wrong drive
      • 3.2.1.2 Factory restore or Windows reinstallation
      • 3.2.1.3 Accidental deletion
      • 3.2.1.4 Formatting by mistake
      • 3.2.1.5 The difference between formatting and deleting
    • 3.2.2 Unfinished write
    • 3.2.3 Filesystem, hardware driver, or firmware bugs
    • 3.2.4 Transient hardware errors
  • 4.1 Sector size
    • 4.1.1 512 and 4096 bytes per sector
    • 4.1.2 Physical and logical sector size
    • 4.1.3 Incorrect sector size
      • 4.1.3.1 How to determine sector size
  • 4.2 Data encoding basics
    • 4.2.1 Encoding of numbers – little-endian vs. big-endian
      • 4.2.1.1 Flags
      • 4.2.1.2 GUIDs and UUIDs
    • 4.2.2 Encoding of text strings
  • 4.3 Filesystem basics
    • 4.3.1 What is a filesystem
    • 4.3.2 Volume as an area on the disk
    • 4.3.3 Filesystems with fixed or floating metadata location
    • 4.3.4 Clusters (blocks) and cluster numbers (LCNs)
    • 4.3.5 File
    • 4.3.6 Files and virtual cluster numbers (VCN)
    • 4.3.7 Extents and fragments
    • 4.3.8 B-tree and B+tree
    • 4.3.9 Metadata and file attributes
      • 4.3.8.1 Stat
    • 4.3.10 Inode
    • 4.3.11 Multiple data streams, forks, and extended attributes
    • 4.3.12 File name case sensitivity and upcase table
    • 4.3.13 Folders (directories)
    • 4.3.14 Identification of files, folders, and building the folder tree
    • 4.3.15 Journaling
      • 4.3.15.1 Transactions
      • 4.3.15.2 Journaling implementation
    • 4.3.16 Why the correct folder tree does not mean correctly recovered content
  • 4.4 Partitioning basics
    • 4.4.1 What is a partition
    • 4.4.2 The most simple partition tool - Windows Disk Management
    • 4.4.3 Simple and complex partitioning
  • 4.5 RAID basics
    • 4.5.1 RAID terms
    • 4.5.2 RAID reliability
      • 4.5.2.1 RAID fault tolerance characteristics
      • 4.5.2.2 Hot spare
    • 4.5.3 RAID levels
      • 4.5.3.1 JBOD, Just a Bunch Of Disks
      • 4.5.3.2 RAID0
      • 4.5.3.3 RAID1
      • 4.5.3.4 RAID10
      • 4.5.3.5 RAID1E
      • 4.5.3.6 RAID5
      • 4.5.3.7 RAID6
  • 5.1 Data recovery preparations
    • 5.1.1 Hardware preparation
      • 5.1.1.1 Connection ports and speeds
      • 5.1.1.2 PSU
      • 5.1.1.3 USB
      • 5.1.1.4 How to select motherboard and disk controllers
      • 5.1.1.5 Write blockers
    • 5.1.2 Disk images and clones
      • 5.1.2.1 The difference between disk image and disk clone
      • 5.1.2.2 To image or not to image?
  • 5.2 Data recovery from a simple storage device
    • 5.2.1 Determining partition boundaries
      • 5.2.1.1 Requirements for determining the boundaries of a partition
      • 5.2.1.2 Methods for determining the partition boundaries
    • 5.2.2 Determining a filesystem type if possible
    • 5.2.3 Scanning the partition
    • 5.2.4 Copying data and evaluation of results
    • 5.2.5 What you should do if some important files are missing
  • 5.3 Data recovery from a composite device
  • 6.1 Simple Partitioning Schemes
    • 6.1.1 Master Boot Record (MBR)
    • 6.1.2 GUID Partition Table (GPT)
    • 6.1.3 Apple Partition Map (APM)
  • 6.2 Complex partitioning schemes
    • 6.2.1 LDM (Windows Dynamic Disk)
    • 6.2.2 md-raid 92
      • 6.2.2.1 md-raid version 1.x superblock
      • 6.2.2.2 md-raid version 0.9 superblock
    • 6.2.3 LVM
      • 6.2.3.1 LVM text-based metadata
  • 7.1 General principles of filesystem recovery
    • 7.1.1 The difference between manual and automatic recovery
    • 7.1.2 Determining the filesystem parameters
      • 7.1.2.1 Starting sector and cluster size
      • 7.1.2.2 Obtaining filesystem parameters from filesystem metadata
      • 7.1.2.3 Obtaining filesystem parameters from a similar filesystem
      • 7.1.2.4 Obtaining filesystem parameters from the filesystem content
    • 7.1.3 Disk image files and filesystem recovery
    • 7.1.4 Filesystem scanning in data recovery software. Deep scan vs. Quick scan
      • 7.1.4.1 Reading only filesystem data (quick scan)
      • 7.1.4.2 Reading all data (deep scan)
  • 7.2 Windows filesystems
    • 7.2.1 FAT - FAT12, FAT16, FAT32
      • 7.2.1.1 FAT16 and FAT32 boot sectors
      • 7.2.1.2 FAT tables and cluster numbers
      • 7.2.1.3 Directories
      • 7.2.1.4 The long names
    • 7.2.2 exFAT
      • 7.2.2.1 exFAT boot sector
      • 7.2.2.2 exFAT tables
      • 7.2.2.3 exFAT directories
    • 7.2.3 NTFS
      • 7.2.3.1 Basic components
      • 7.2.3.2 Generation number
      • 7.2.3.3 Boot sector
      • 7.2.3.4 MFT records
      • 7.2.3.5 Difficulties you may encounter when recovering an NTFS volume
      • 7.2.3.6 SpotFix
  • 7.3 Apple filesystems
    • 7.3.1 HFS
    • 7.3.2 HFS+
      • 7.3.2.1 HFS+ volume header
      • 7.3.2.2 ForkData structure
      • 7.3.2.3 HFS+ B-trees
      • 7.3.2.4 Catalog node ID (CNID)
      • 7.3.2.5 Catalog file
      • 7.3.2.6 Extents overflow file
    • 7.3.3 APFS
      • APFS features
      • Main metadata structures
      • Main superblock
      • Volume superblock
      • Table conception
      • Catalog B-Tree
      • Extent B-Tree
      • APFS data recovery specifics
  • 7.4 Linux filesystems
    • 7.4.1 Direct blocks, indirect blocks, and fragments
    • 7.4.2 EXT
      • 7.4.2.1 General filesystem structure
      • 7.4.2.2 Superblocks
      • 7.4.2.3 Sparse superblocks
      • 7.4.2.4 Group descriptor table
      • 7.4.2.5 EXT inode
      • 7.4.2.6 EXT2, EXT3, and EXT4 directories
    • 7.4.3 XFS
      • 7.4.3.1 XFS superblocks
      • 7.4.3.2 XFS extents
      • 7.4.3.3 XFS inodes and inode numbering
      • 7.4.3.4 Inode B+trees
      • 7.4.3.5 Extent B+trees
      • 7.4.3.6 Directories
      • 7.4.3.7 Translating cluster numbers to sector numbers in XFS
  • 8.1 RAID configuration and what RAID recovery means
    • 8.1.1 Start offset and block size in block RAIDs
    • 8.1.2 Number of disks and disk order
    • 8.1.3 Parity
    • 8.1.4 Left and right, synchronous and asynchronous layouts, and delayed parity
  • 8.2 Automatic RAID recovery
    • 8.2.1 RAID0
    • 8.2.2 RAID1
    • 8.2.3 RAID1E
    • 8.2.4 RAID10
    • 8.2.5 JBOD
    • 8.2.6 RAID5
    • 8.2.7 RAID5E
    • 8.2.8 RAID6
  • 8.3 Manual RAID recovery
    • 8.3.1 How to determine disk order, block size, and start offset
      • 8.3.1.1 Determining disk order based on the numbered metadata
      • 8.3.1.2 Determining disk order based on the content of a particular file
    • 8.3.2 Practical aspects of manual RAID recovery in RAID0, RAID10, and RAID1E
      • 8.3.2.1 RAID0
      • 8.3.2.2 RAID10
      • 8.3.2.3 RAID1E
      • 8.3.2.4 RAID1 and JBOD
      • 8.3.2.5 How to distinguish between RAID0, RAID1, and JBOD
    • 8.3.3 Parity-based RAIDs
      • 8.3.3.1 Theory of parity and its consequences
      • 8.3.3.2 How to identify parity and disk order in a RAID5 by looking at the data
      • 8.3.3.3 How to identify parity position, block size, and disk order in parity-based RAIDs using entropy analysis
      • 8.3.3.4 RAID5 failure scenarios
  • 8.4 Using tiered storage SSD caches in RAID recovery
    • 8.4.1 Read-only cache of a tiered storage
    • 8.4.2 Write cache of a tiered storage
    • 8.4.3 Searching the cache for filesystem structures
  • 9.1 How NAS is organized
  • 9.2 Common failures in NASes
Chapter 10 - Raw Recovery, Page 232
  • 11.1 Do not run several data recovery tools on the same disk simultaneously
  • 11.2 Can one determine if data recovery was attempted on the storage?
  • 11.3 Difference between RAID recovery and data recovery
  • 12.1 References
  • 12.2 List of figures
  • 12.3 List of tables
  • 12.4 Index
    • ADS
    • Advanced Format
    • allocation group
    • Alternate Data Stream
    • APM
    • Apple Partition Map
    • ASCII
    • asymmetric data layout
    • asynchronous data layout
    • atomicity of a transaction
    • attributes file
    • backward parity layout
    • Battery Backup Unit
    • BBU
    • big-endian
    • bit flag
    • block
    • block group
    • block RAID
    • block size
    • boot sector
    • B-tree
    • B-tree node
    • cache retention time
    • careful write
    • case sensitivity
    • catalog file
    • Catalog Node ID
    • checkerboard data layout
    • cluster
    • cluster number
    • cluster size
    • CNID
    • coercion
    • column
    • complete format
    • component
    • composite storage device
    • copyback
    • DATA attribute
    • deep scan
    • delayed parity
    • delayed write data
    • Digital Record Object Identification
    • direct block
    • directory
    • dirty bit
    • disk clone
    • disk image
    • file formats
    • disk order
    • double-indirect block
    • DRIOD
    • dynamic disk
    • Electron Microscopy
    • entropy
    • exFAT
    • extended attributes
    • extended partition
    • extent
    • extents overflow file
    • FAT
    • FAT table
    • file
    • file attributes
    • file carving
    • file mode
    • file record
    • FILE_NAME attribute
    • filesystem
    • fixup
    • flag
    • flash memory
    • Flash Translation Layer
    • folder
    • folder record
    • footer
    • fork
    • ForkData
    • forward parity layout
    • fragment
    • FTL
    • generation number
    • GPT
    • group descriptor
    • GUID
    • GUID Partition Table
    • hardware RAID
    • header
    • header node
    • HFS+
    • HFSX
    • Host Protected Area
    • hot spare
    • HP SmartArray
    • HPA
    • indirect block
    • inode
    • Intel Matrix RAID
    • intention log
    • JBOD
    • journaling
    • LCN
    • LDM
    • LDM data layout
    • left parity order
    • LFN
    • little-endian
    • Logical Disk Manager
    • logical drive
    • logical volume
    • Logical Volume Manager
    • long file name
    • LV
    • LVM
    • Magnetic Force Microscopy
    • Marvell
    • Master Boot Record
    • Master File Table
    • MBR
    • md-raid
    • mechanical hard disk
    • metadata
    • MFM
    • MFT
    • MFT file attributes
    • MFT record
    • missing disk
    • MTBDL
    • MTBF
    • multiple data streams
    • NAND
    • NAS
    • Network Attached Storage
    • NTFS
    • number of disks
    • object identifier
    • overwritten data
    • parity
    • parity-based RAID
    • partition
    • physical volume
    • power supply
    • PRIVHEAD
    • PRONOM
    • protective MBR
    • PSU
    • PV
    • quick format
    • quick scan
    • RAID
    • RAID controller
    • RAID level
    • RAID parameter set
    • RAID recovery
    • RAID reliability
    • RAID0
    • RAID1
    • RAID10
    • RAID1E
    • RAID5
    • RAID5E
    • RAID5EE
    • RAID6
    • raw recovery
    • raw scan
    • right parity order
    • role
    • rotational hard disk
    • runlist
    • sector size
    • SFN
    • shadow
    • short file name
    • shortform directory
    • simple storage device
    • SmartArray
    • software RAID
    • sparse file
    • sparse superblocks
    • SpotFix
    • SSD cache
    • standard data layout
    • STANDARD_INFORMATION attribute
    • start offset
    • starting sector, determining
    • stat
    • string encoding
    • stripe size
    • superblock
    • superfloppy
    • symmetric data layout
    • synchronous data layout
    • TexFAT
    • thread record
    • tiered storage
    • torn write
    • transaction
    • triple-indirect block
    • TVS
    • unfinished write
    • upcase table
    • USB-to-SATA converters
    • UTF-16
    • UTF-8
    • UUID
    • wide pace, in entropy analysis
    • write blocker
    • XAGF XFS superblock
    • XAGI XFS superblock
    • XD2B XFS directory
    • XD2D XFS directory
    • XFS
    • XFSB XFS superblock
    • XOR

Buy Logical Data Recovery book

Buy Logical Data Recovery book

Hardcover: 248 pages, Language: English,
Product Dimensions: 8.07 x 11.41 inches,
Publication date: 7/10/2014,
Interior Ink: full color,
Free shipping worldwide

Shipping details

The Logical Data Recovery is printed on demand so it would take minimum 8 days to print it and more days (1-2 business days for USA location and 3-4 for Europe) to ship it to your location. When ordering, please provide a correct location to which we will ship the book.

Before ordering

Since the book is not a refundable item, before ordering, we strongly recommend you examine more carefully the table of contents listed above and should you have any questions relating to the book send them via the support page.