DAVORY:
Data Recovery
Supervised By:
Prepared By:
Dr. Lo'ai Tawalbeh
Ibrahim Al-Shurbaji
DATA RECOVERY
Data Recovery
Data recovery is the act of salvaging data stored
on damaged media, such as magnetic disks and
tapes. There are a number of companies and
software products that can help recover data
damaged by a disk crash or virus. Of course, not
all data is recoverable, but data recovery
specialists can often restore a surprisingly high
percentage of the data on damaged media.
DATA RECOVERY cont.
Data recovery cases can be divided up into two main
categories:
Common Recoveries – Involves floppies and hard drives that
are usually from single-user personal computers.
Complex Recoveries – Involves hard drives, RAID arrays,
tape and optical media or corrupted databases and file
systems usually from multi-user, business systems. Data
storage at the high end has become a very complex field. In
the case of these complex systems data recovery can be
seen as "troubleshooting data storage."
Whether common or complex, each data recovery case is
unique and the process can be very resource extensive and
exceedingly technical.
DATA LOSS
• What is Data Loss?
• Typical Characteristics of a Common Data Loss
Situation:
• Accidental deletion of data
• The sudden inability to access data from a previously
functioning computer system or backup
• Accidental re-forming of partitions
• Hard disk crash or hard disk component failure
• Ticking or grinding noises coming from the system unit
where the hard drive is located while powering up or
trying to access files. This symptom almost always
indicates a failing hard drive and is often accompanied
by some of the other symptoms.
DATA LOSS cont.
• Consider these facts:
• More data is being stored in smaller spaces –
Today’s hard drives store 500 times the data
stored on the drives of a decade ago. Increasing
storage capacities amplify the impact of data
loss, making mechanical precision more critical.
A slight nudge, a power surge, or a contaminant
introduced into the drive may cause the head to
touch the platter resulting in a head crash.
DATA LOSS cont.
•
Data has become more mission-critical – Users today
store more data on their desktops and networks that is
mission-critical to their organizations and to their
personal lives. Loss of mission-critical data, by
definition, causes major business processes to stop.
•
Backup technology and practices have failed to
adequately protect data – Many users back up their
data only to find their backups useless at that crucial
moment when they need to restore from them.
DATA LOSS cont.
•
They fail because the systems are designed
with a set of requirements that rely on a
combination of technology and human
intervention for success. Taped, tape drives
and cartridges do not always work properly,
due to their dependence on mechanical
perfection.
Backup software can become corrupted. Users
accidentally back up corrupted or incorrect
information
WHAT TO DO?
What to do
 In cases where files have been deleted or
overwritten, it is important for the best chance of
recovering the files not to write any new data to the
disk they were stored on, because the old data will
only exist until such time as the space it occupied
on the disk gets used for something else. If the files
were on the main drive of the computer you're using
now, this means that you should turn off the
computer right now, and use another computer to
search for a solution to recover your data. You may
even need to consider putting your computer's hard
disk in another computer to do the data recovery,
because installing the software on your own
computer could overwrite the data you want to
recover.
WHAT TO DO? cont.

We understand that this may not
be easy or convenient to do. So
it's your decision. It depends on
how important these lost files
really are to you. Continuing to
use your computer, and
installing software on it, won't
necessarily overwrite the data
you want to recover. But it could.
It's up to you.
DATA RECOVERY
METHOD
• Choosing the data recovery method
• Choosing the right method to use to recover your data isn't
easy. There are many different recovery tools on the
market. Some are better at recovering deleted files, others
are better at restoring overwritten files, or recovering
files from damaged disks. Some are specialized for
recovering photo images, or Microsoft Word or Excel
document files, because they know what these files look
like, and can retrieve their data even when all other clues to
its existence have disappeared. One tool may succeed at
recovering your files, even if another failed.
DAVORY
 DAVORY SOFTWARE
 by X-Ways Software Technology AG.
 X-Ways Software Technology AG is a stock corporation
incorporated under the laws of the Federal Republic of
Germany.
 The following operating systems are supported:

• Windows 95/98/Me

• Windows NT 4.0
 • Windows 2000

• Windows XP
 Homepage: http://www.x-ways.net
DAVORY
 HOW TO USE
 There are two ways how to recover data
using Davory. Both require that you select
the disk to recover from.
 1) Automatic recovery of files with given
filenames. Preferred method.
 2) Automatic recovery of files of a certain
type. Try if 1) is not available or if you are
not satisfied with the results. Does not
require a healthy file system)
DAVORY
 Important: At any rate, do not use the drive that you
wish to recover from for writing data any more! You
may inadvertently overwrite lost files, making them
unrecoverable. This includes not booting Windows
from such a drive any more, as booting involves
numerous write operations as well. Davory can be run
directly from a floppy disk or CD, and does not require
a real installation using the setup program. Davory
does not recover files "in place", on the original drive,
but it recreates them on a different drive, so there is
no danger of inadvertently making the data loss
situation even worse. The original drive is not touched
except for reading.
DAVORY
Selecting the Disk 
DAVORY
 Select the disk that contained the files you have lost.
 Preferably, select a logical drive (also called a "drive
letter" or "volume"). In that case WinHex relies on
Windows being able to access the drive. Selecting a
physical disk (also called "raw device") on the other
hand, means opening the entire medium, as it is
attached to the computer, e.g. a hard disk including
all partitions. If the disk is not properly formatted,
damaged, or if its file system is unknown to Windows,
so Windows is unable to make it accessible as a drive
letter, select the physical disk instead. When you
select a physical hard disk, it is recommended to open
one of the partitions separately. Note that File
Recovery by Name can only be applied to a logical
drive or a single partition.
DAVORY
 If you notice that Davory does not detect
the size of your disk correctly, you could
either enable the option "Check for last
accessible sector" in the case of a physical
disk when selecting the disk, or use Disk
Parameters later. Please note that searching
the last accessible sector may cause very
long delays, strange behavior or even
damage on some systems.
DAVORY
 Limitations:
 • Under Windows NT, 2000, and XP administrator
rights are needed to access hard disks.
 • Davory cannot operate on remote (network) drives.
 File Recovery by Name
 Works on FAT12, FAT16, FAT32, and NTFS logical
drives/partitions. You may specify one or more
filename patterns that cover all the files you wish to
retrieve, e.g.:

Letter to Mr. Smith.doc

Invoice*.pdf

m*.xls

Image*.gif

*.tif
DAVORY


Please note that files that were moved to the recycle bin
prior to permanent deletion are internally renamed by
Windows, where only the filename extension remains the
same. So if you wish to undelete files that were in the
recycle bin before, specify only an asterisk before the dot
(e.g. "*.jpg", not "mypicture.jpg").
Optionally WinHex only recovers files that are explicitly
marked as deleted in the file system. It may be wise not to
use that option if you are looking for files that got lost other
than by normal deletion, e.g. due to file system corruption.
In that case you can even switch to files that are not
marked as deleted. With that setting you will recover only
those files that existed at the time when the corruption
occurred and no duplicates (like previously existing working
copies, temporary files etc.) that were deleted because they
were no longer needed.
DAVORY
 If you deselect "Use file allocation table where
possible", Davory will always rely on files not being
fragmented, recovering them as a continuous stream
of consecutive clusters.
 Check “Intercept invalid filenames” to prevent a failure
of the recovery because of filenames with characters
considered as invalid by the file system. Useful for
example if you wish to recover files that had
filenames in a non-western language with a westernlanguage Windows version. This option will rename
such a file if necessary to ensure that it can be
recreated.
DAVORY
 If you enable "Recover from one folder only", Davory
will not search for the files on the entire drive, but
only within the specified folder and optionally its
subfolders (if traces of these subfolders can still be
found). Only with both of these options (folder tree
and subfolders) enabled, Davory will recreate the
original folder tree within the output folder and will
place recovered files into their respective subfolders.
Not available for NTFS drives.
 On an NTFS drive, if the file you are looking for
cannot be found, it may help to enable the "thorough"
search. It is not enabled by default because it takes
significantly more time.
DAVORY
 You also specify an output folder where Davory should
recreate the original file(s). Important: make sure this
folder is on a different drive. Specifying a folder on
the same drive where you are recovering from could
easily overwrite disk space where deleted files reside
that you still wish to recover! That way they would be
lost forever. It might also lead to a loop, if Davory
repeatedly "recovers" files that it has just recreated.
 Unlike File Recovery by Type, "File Recovery by Name"
will also restore the file date & time and its attributes.
DAVORY
DAVORY

File Recovery by Type

A data recovery function that searches for files that can be
recognized by a certain "signature". Many file types have
such a signature. Choose one more more file types from the
list. To select multiple file types, hold the Ctrl key on your
keyboard while clicking list items. More than 30 file types
are pre-defined.
Davory tries to detect the original correct size of JPEG, GIF,
PNG, BMP, TIFF, AVI, WAV, ZIP, HTML, RTF, and MS Office
files automatically. If this fails, or for other file types, the
files are recovered the fixed maximum size that you specify.
Usually it does no harm to recover with a "too big" size
(unlike "too small"), since the programs that deal with
these files can tell from the file format where the actual end
of file is. So be "generous" when specifying the size.

DAVORY
 The resulting files are named according to a pattern
you provide (e.g. ~~~~ will result in files like
0001.jpg, 0002.jpg, and so on). A log file is written to
the output directory as well. Optionally, files of each
type will be put into their own subfolder, i.e. .jpg files
into to the subfolder "jpg", .html files into the
subfolder "html", and so on.
 By default, all files found on the disk (existing or
deleted) are recovered. Optionally you can limit the
recovery to files that are found in unused parts of the
disk, that is to presumably lost or deleted files. Please
note that this recovery mechanism does not produce
sound results in the case of files that were stored in a
fragmented way (in discontiguous clusters).
DAVORY
 You also specify an output folder where
Davory should recreate the original file(s).
Important: make sure this folder is on a
different drive. Specifying a folder on the
same drive where you are recovering from
could easily overwrite disk space where
deleted files reside that you still wish to
recover! That way they would be lost
forever. It might also lead to a loop, if
Davory repeatedly "recovers" files that it
has just recreated.