In this data recovery case, our client came to us with a logical matter. The client had a Samsung external hard drive formatted for use in their PC. When they had plugged it into their Mac, they accidentally allowed the Mac to reformat their drive. Fortunately, in the case of an accidental reformat, no data is immediately destroyed.
Modern Windows and Mac computers use the NTFS and HFS+ filesystem, respectively. Neither of them like to play with each other. HFS+ has a partition table set up so that Windows will actually see the drive as completely unformatted. NTFS-formatted hard drives will at least show up on a Mac, but only in read-only mode.
Recovery Type: External
Drive Capacity: 500GB
Model Name: Spinpoint
Model Number: ST500LM012
Operating System: Windows
Main Symptom: Accidental format from Windows to Mac
Type of Data Recovered: Video Files
Data Recovery Grade: 8+
Binary Read: 100%
Reformatting a hard drive doesn’t automatically destroy the data on the drive. It doesn’t even necessarily destroy all of the old partitioning geometry. This is great news for our clients (and for us).
Once a hard drive is formatted, the partition table on the disk is updated with the new partition information. But there is a good chance that most or all of the old partition information still exists on the disk and be excavated by our data recovery archaeologists.
The real danger in reformatted partition recovery scenarios is twofold. The new filesystem could trample over the old one in exactly the right way. Or enough new data could be written to cause damage to the drive’s old file definitions. Either, or both, can lead to data loss and corruption.
After the client reformatted their drive, their Mac computer started writing a Time Machine backup to the freshly-formatted hard drive. In total, it wrote approximately fourteen gigabytes of data to the client’s external hard drive. But even this was not a data recovery death sentence.
Recovering from an Accidental Reformat
Prior to the accidental reformat, the client’s hard drive contained an NTFS partition. The superblock for the partition was located at sector 2,048. The superblock is the sector that contains information about the length of the partition and where the file definitions are located, among other things. This was where the NTFS partition started. The old partition spanned the entire length of the disk.
After the accidental reformat, the new partition table pointed to a new HFS+ superblock. The new superblock was located at sector 409,640. This was where the HFS+ partition began. A small EFI partition had been created right in front of the main data partition as well. Fortunately, the new filesystem didn’t significantly overlap with the old one. There wasn’t much impeding our engineers from finding the old NTFS superblock and uncovering the drive’s former partitioning scheme. The real threat to the client’s data was the Time Machine backup.
The Apple Time Machine backup had written a lot of new data to the hard drive. Some of the fourteen gigabytes had settled into empty spaces on the disk. But some of the Time Machine backup data had landed right on top of the user’s data. When a sector gets overwritten, there’s no way to undo it. The user data the backup landed on was gone forever. As a result, some files were partially and wholly overwritten.
HOMBRE, our proprietary, in-house data recovery software, has a useful tool in its arsenal for dealing with data that has become partially overwritten. HOMBRE proves incredibly useful when data has been lost due to deletion or an accidental reformat.
Within HOMBRE is a catalog of thousands of commonly-seen file headers. File headers are the little bits in the front of every file’s first sector that identifies what kind of file it is and how it should be treated. If a file’s header is damaged, it will not function. The integrity of the file headers serves as a good litmus test for file corruption.
HOMBRE looks at the first sectors for the files it has recovered and scans their file headers. It determines which headers match what is in its catalog, and which do not. Files with corrupted headers will not be functional. When we show our clients lists of the recovered files in cases like this, we filter the list. This lets the client see which files still have valid headers and which do not. This gives our clients a better picture of how much of their recovered files are actually usable. The last thing we want our clients to do is pay for data that doesn’t actually work.
HOMBRE’s catalog of file headers also provides it with another powerful tool for logical file recovery. It can scan the raw binary sectors of a hard drive for common file headers. This tool turns up any files which have been “orphaned” from the filesystem. When new data was written to the drive, some of the extents pointing to the old data were erased. Without HOMBRE’s raw recovery tool, many of the affected files would have been out of our reach.
Our file recovery efforts for the customer’s vital video files and documents led to good results. There was only a minor amount of file corruption. Very little of it impacted the client’s video files. The majority of the user data was undisturbed and intact. We rated this reformatted hard drive data recovery case a high eight on our ten-point scale.