In this data recovery case, our client had Faronics Deep Freeze software installed on several workstations. While uninstalling the Deep Freeze software from four workstations, somebody in their IT department accidentally deleted the ThawSpace partitions created by the software. The deleted ThawSpace partitions contained user-created data. The next time the affected users sat down at their desks, their critical files were all missing.
Drive Capacity: 4 Seagate laptop hard drives (3 250GB drives and 1 500GB drive)
Operating System: Windows
Virtualization Software: Faronics Deep Freeze Enterprise
Situation: Deleted ThawSpace virtual partitions on four computers
Data Recovered: Contents of Deleted ThawSpace Partitions
Binary Read: 100%
Case Rating: 6
What is a ThawSpace?
The Faronics Deep Freeze software takes a snapshot of the user’s machine, “freezing” it at that point in time. Every time the machine is rebooted, it reverts to its frozen state—none of the changes to the disk made since the snapshot was taken are carried over, with the exception of user-created files. Any files the user creates or modifies while using Faronics Deep Freeze that they would like to preserve for the next time they reboot their machine must be stored in a “ThawSpace”. This ThawSpace alone is unaffected when the machine reboots and is rolled back to its frozen state.
Intro to Virtualization
On a machine running Faronics Deep Freeze, the ThawSpace is a virtual partition acting as a container for the user’s critical files. A virtual partition is simply an image of a hard disk. You can make a virtual image of a CD, DVD, floppy disk, or any other kind of data storage device. This image contains all of the device’s contents in a single giant file. For example, a CD-ROM can be contained in an ISO file. Then you can play the ISO on your computer whenever you want as long as you have the right tools.
Virtual hard disks, or VHDs, work the same way. To the computer’s operating system and the end user, a virtual partition behaves exactly like a physical disk. It’s not much different in practice than making a new partition on your hard drive, or plugging in a USB flash drive or external hard drive into your computer and seeing an E:\ or G:\ drive pop up. But under the hood, the source of that partition is not any physical device, but rather a single enormous file.
You can even install an operating system onto a virtual disk and boot your machine up from it, giving yourself a whole “virtual machine” to play with. Or you can do what Faronics does with their Deep Freeze software and have the virtual disk just act a container for your files.
There is one unfortunate quirk of virtualization that can lead to you having to send your drive to our data recovery lab. When you go into Windows Disk Manager to “detach” or unmount the virtual hard disk, the resulting Windows dialogue box gives you an option to delete the actual VHD or VMDK file.
Likewise, when Faronics Deep Freeze was being uninstalled from the client’s workstations, the uninstaller wizard gave the option to delete the ThawSpace file. In the Deep Freeze uninstallation wizard, the option to delete those virtual partition files just happened to be checked by default. The IT technician responsible didn’t notice until after having uninstalled the software from four machines. There are some occasions when you might want to delete a virtual hard disk altogether once you are finished with it. This, though, was not such an occasion.
Recovering a Deleted ThawSpace
Greg Andrzejewski, our Director of Research and Development, handled the task of recovering the data from the deleted ThawSpace partitions. Recovering the virtual partitions themselves followed the same process as a typical data recovery case in which files have been deleted.
When a file is deleted from a hard drive, it isn’t gone forever—at least, not at first. The hard drive in a typical computer keeps a record of which clusters of sectors on the drive are in use and which are not. In a hard drive formatted NTFS for Windows, this record is known as the bitmap. When a file is deleted, or the Recycle Bin is emptied, the bitmap marks the clusters containing the file as “unused” instead of used. The file is still on the disk, albeit inaccessible via normal means.
In a typical data recovery case where files have been deleted from a hard drive, our logical data recovery engineers first make a 100% image of the drive. Then, a logical data recovery technician takes a look at all of the clusters the Bitmap says aren’t being used. In this case, Greg was looking to see if there were any big VHD-shaped empty spots anywhere on the client’s affected hard drives.
For this case, the data recovery process for these deleted ThawSpace VHD files required the same type of analysis from our engineers as a typical deleted file data recovery case, with an added twist. Once the deleted virtual partitions were recovered, the next step was to take a peek inside them to assess the condition of the data.
The job of a logical data recovery engineer is not only to recover the data that has been lost due to deleted files or a reformatted hard drive, but to assess if any corruption of the data has ensued, and if so, how much.
Once a portion of a hard drive is no longer flagged as used, that space becomes free game for any new data written to the drive. In the instant those ThawSpaces were deleted, the hard drive said, “Oh, good! I have hundreds of gigabytes of new free space now!” However, the actual data comprising those virtual partitions was still there on the disk. Any data written to the drives since the ThawSpaces had been deleted could have overwritten portions of the virtual partitions, in turn affecting the files and filesystems contained therein.
After the virtual partitions themselves had been located and isolated, Greg could mount them on one of our data recovery machines and comb through them to check the integrity of the data just as if they were real, physical (and perfectly healthy) hard drives. If a portion of a file is overwritten, the file could be partially recovered, but be partially or even completely non-functional. Fortunately, there appeared to be very little corruption of the data recovered from the client’s deleted ThawSpace virtual partitions.
We were able to successfully recover a great deal of the contents of the Faronics ThawSpaces from two of the client’s hard drives. Two of the hard drives’ ThawSpaces were filled with user-created data. As for the other two drives, their ThawSpaces appeared to contain very little data. We could not be totally certain if this was because a massive amount of the deleted data had been overwritten, or if those two ThawSpaces in particular simply had not seen much use to begin with.
Although we rated this case a 6 on our ten-point scale, the client was very pleased with the results of the logical data recovery of their deleted ThawSpace virtual partitions. To our client, this case was a great success.