
What is data recovery?

Data recovery is the process of restoring data that has been lost, accidentally deleted, corrupted or made inaccessible. In enterprise IT, data recovery typically refers to restoring data to a desktop, laptop, server or external storage system from a backup. Data recovery minimizes operational downtime and enables users to resume normal work activities.

Data recovery is performed using specialized software to access backed-up data, migrate the duplicate data to its intended target system -- such as a storage array -- and then validate the recovery to make sure that all data is restored and accessible from the intended enterprise applications.

Causes of data loss

Data recovery is needed to combat data loss events. Data loss is the inability to access valuable business data when it is required to conduct normal business operations. Traditional data loss was mainly traced to human error or malfunctioning storage hardware. Today, however, data loss can be caused by various issues extending beyond conventional factors, including the following:

  • Human error. Humans make mistakes, and data can be lost due to accidental deletion, relocation or movement to physical storage locations that enterprise applications are not configured to access. In other cases, data might be locked or encrypted using passwords that humans forget, rendering the file, folder or volume inaccessible.
  • Hardware malfunctions. Data is stored on storage devices, mainly traditional magnetic hard disk drives (HDDs), various solid-state drive (SSD) forms, and even older media such as optical discs and tape. Although these storage devices are regarded as proven and reliable, they are not immune to failures due to physical wear and electronic malfunction. When a storage device fails, its data is wholly or partly inaccessible and must be restored to a replacement hardware device.
  • Data corruption. Data corruption is a range of issues that can adversely affect data integrity on a storage device. For example, bad sectors on an HDD or wear in solid-state memory cells can damage an important file, folder or volume. Logical failures, such as bad sectors, can often be repaired, and the data can be recovered from a backup. More serious or recurring failures require replacing the storage device before data can be restored.
  • Theft or destruction. If a storage device is physically stolen or destroyed, its data becomes inaccessible. Theft can be due to deliberate malfeasance, such as intercepting a data storage device or subsystem shipped from one location to another. Natural disasters -- including fires, floods and catastrophic building failures caused by earthquakes -- can also destroy storage devices.
  • Malware. Malicious software often targets business data integrity and availability. For example, ransomware can lock out data until a ransom is paid to the attacker. Other malware might seek to steal or gather enough information to access data without the organization's knowledge -- or destroy data outright to disrupt business operations. Detecting and mitigating malware is a central part of cybersecurity efforts. The proper response to data recovery after a malware incident can vary depending on the attack's type and effect.
  • Misconfiguration. Modern businesses exchange data across complex storage infrastructures, servers and networks, and it usually traverses varied services such as firewalls and load balancers. Every element of these complex infrastructures must be configured correctly to operate as expected and support data accessibility by users and applications. Any unexpected change to the configuration of any element can make data inaccessible even though no actual data loss has occurred. Detailed analysis and troubleshooting are needed to identify and correct configuration issues, and modern businesses often implement detailed change management frameworks to prevent and identify unwanted configuration changes within the infrastructure.
  • AI data management issues. Modern businesses increasingly depend on AI platforms to manage and secure sensitive data. AI technologies are attractive because they can ingest and analyze vast amounts of system information and behavioral details, and then make dynamic real-time decisions about what data applications can access and how. However, AI is imperfect; it can make mistakes that might leave crucial data inaccessible or vulnerable to theft. These systems require constant oversight and detailed logs for human troubleshooting and data access remediation.

It's important to highlight the difference between the terms data loss and data breach. The two are sometimes used interchangeably in security circles, but they represent different problems for the business. Data loss occurs when data becomes damaged or inaccessible. A data breach occurs when data is accessed or misused by an unauthorized party, such as when it is stolen by a malicious outside actor. A data breach rarely leaves business data inaccessible, and some unprepared businesses might not detect a data breach for days, weeks or even months after it occurs, though operations continue normally.

Types of data recovery

Data recovery can be discussed in various ways depending on the circumstances. Most data recovery can be broadly categorized as logical or physical.

Logical data recovery

Logical data recovery is appropriate when the storage device is functional, but its data has become inaccessible due to software-related problems. This can include corruption, deletion or soft damage to the storage device, such as a failed solid-state storage cell. Software tools can effectively correct logical data storage issues, and data recovery techniques can typically restore affected data without replacing physical storage devices. Logical data recovery can emphasize several areas, including the following:

  • File recovery. This seeks to rescue or restore specific files, such as documents or images.
  • Email recovery. This specialized form of file recovery focuses on recovering or restoring messages within a business email system.
  • Folder recovery. Folder recovery seeks to rescue or restore one or more folders on a storage device. A folder might relate to an application or various collections of essential data.
  • Partition or volume recovery. Physical storage devices rely on logical segmentation to support storage operations through operating systems (OSes). Such segmentation uses partitions -- such as creating a logical C drive -- to create volumes that act as storage cabinets for vast assortments of folders, applications and data types. Unfortunately, partitions or volumes are defined by placing logical information on the physical storage device. Suppose this partition information is lost or corrupted. In that case, all the data on the storage device might be rendered inaccessible and generally cannot be recovered by simply restoring the partition information.

Physical data recovery

Physical data recovery is required when a fault or failure is detected in the storage device. For example, a traditional magnetic HDD experiences a failure in the spindle motor or read/write heads, or physical damage to the magnetic media platters. Recovering data from physical failure can be complicated, often requiring specialized tools and skills, which are increasingly rare. In most cases, the failed device is replaced, and data is restored to the new storage device from a recent backup.

How data recovery works

Data restoration is perhaps the easiest form of data recovery, which fundamentally involves copying data from its most recent backup to the active production storage device. Data can be restored from the following:

  • Traditional media such as tape. Tape and optical discs are still used in environments requiring vast archival storage.
  • Active storage media. Data can be restored from backups on other storage devices or the public cloud.
  • USB media. USB devices such as thumb drives or large disks with USB interfaces can sometimes be used as limited backups and are popular with individual users for PCs.
  • Redundant disks. Data can be duplicated to redundant disks in real time, enabling the redundant disk to continue working and supporting production while the failed disk is replaced. Once the failed disk is replaced and prepared, data can be restored from the redundant disk.
  • Redundant array of independent disks (RAID). Data can be spread across multiple disks in a set, enabling a failed disk to be replaced and restored based on the data contained across the remaining disks in the array.

A more granular and complex approach to data recovery involves analyzing the failed storage device to locate and extract undamaged data for relocation to another storage device. However, this approach is rarely used because it requires specialized tools and skills. It is mainly reserved for recovering critical data from storage devices without proper backup.

The data recovery process varies depending on the data loss circumstances, the data recovery software used to create the backup and the backup target media. For example, many desktop and laptop backup software platforms enable users to restore lost files. Restoring a corrupted database from a tape backup is a more complicated process that requires IT intervention. Data recovery services can also retrieve files that are not backed up and were accidentally deleted from a computer's file system, but remain in fragments on the hard disk.

Data recovery is possible because a file and the information about that file are stored in different places. For example, the Windows OS uses the File Allocation Table (FAT) to track which files are on the hard drive and where they are stored. The FAT is like a book's table of contents, while the hard drive files are like the book's pages.
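How a recovery tool reads this separation on a FAT volume, as an added example that is not part of the original article: a deleted file's 32-byte directory entry keeps its starting cluster and size, and only its first name byte is replaced with 0xE5. The directory bytes are constructed sample data and the helper names are hypothetical.

```python
import struct

ENTRY_SIZE = 32        # every FAT short-name directory entry is 32 bytes
DELETED = 0xE5         # first name byte of an entry whose file was deleted
END_OF_DIR = 0x00      # first name byte when no further entries follow
ATTR_VOLUME_ID = 0x08  # set on volume labels and long-file-name entries

def make_entry(name, ext, first_cluster, size, deleted=False):
    """Build one constructed directory entry (sample data, not a real disk)."""
    raw = bytearray(ENTRY_SIZE)
    raw[0:8] = name.ljust(8).encode("ascii")
    raw[8:11] = ext.ljust(3).encode("ascii")
    raw[11] = 0x20                                           # archive attribute
    struct.pack_into("<H", raw, 20, first_cluster >> 16)     # high word (FAT32)
    struct.pack_into("<H", raw, 26, first_cluster & 0xFFFF)  # low word
    struct.pack_into("<I", raw, 28, size)                    # size in bytes
    if deleted:
        raw[0] = DELETED   # deletion only overwrites this byte of the entry
    return bytes(raw)

def scan_directory(region):
    """Return (live, deleted) lists of (name, first_cluster, size) tuples."""
    live, deleted = [], []
    for off in range(0, len(region) - ENTRY_SIZE + 1, ENTRY_SIZE):
        entry = region[off:off + ENTRY_SIZE]
        if entry[0] == END_OF_DIR:
            break
        if entry[11] & ATTR_VOLUME_ID:
            continue       # volume label or long-file-name fragment
        is_deleted = entry[0] == DELETED
        # The first character of a deleted name is gone; show it as "?".
        stem = entry[1:8] if is_deleted else entry[0:8]
        name = ("?" if is_deleted else "") + stem.decode("ascii", "replace").rstrip()
        ext = entry[8:11].decode("ascii", "replace").rstrip()
        if ext:
            name += "." + ext
        hi = struct.unpack_from("<H", entry, 20)[0]
        lo = struct.unpack_from("<H", entry, 26)[0]
        size = struct.unpack_from("<I", entry, 28)[0]
        (deleted if is_deleted else live).append((name, (hi << 16) | lo, size))
    return live, deleted

SAMPLE_DIR = (
    make_entry("REPORT", "DOC", 5, 20480)
    + make_entry("BUDGET", "XLS", 12, 8192, deleted=True)
    + bytes(ENTRY_SIZE)    # all-zero entry marks the end of the directory
)

if __name__ == "__main__":
    live, deleted = scan_directory(SAMPLE_DIR)
    print("live:", live)
    print("recoverable:", deleted)
```

Deletion also clears the file's cluster chain in the FAT, so a tool working from this entry has to assume the clusters were contiguous, and recovery only works until those clusters are overwritten.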

The FAT can be recovered if the hard drive and its files are still functioning and are not damaged or encrypted. If files are damaged, missing or encrypted, there are other ways of recovering them. If the hard drive is physically damaged, its files can still be reconstructed. Many applications, such as Microsoft Office, put uniform headers at the beginning of files to designate that they belong to that application. Some utilities can be used to reconstruct the file headers manually, so at least some of the file can be recovered.

Most data recovery processes combine technologies, so organizations aren't solely recovering data from tape backups. Recovering core applications and data from tape takes time and can hinder immediate data access after a disaster. Transporting tapes also involves risks.

In addition, not all production data at a remote location might be needed to resume operations. Therefore, it's wise to identify what can be left behind and what data must be recovered immediately.

Data recovery techniques

Data recovery techniques are intended to regain access to lost, damaged or inaccessible data from storage devices or systems. Just as types of data recovery can be classified as logical or physical, data recovery techniques can be classified similarly.

Logical data recovery techniques

Logical data recovery uses software tools to analyze and correct the organization of data on a storage device -- such as after a minor file system corruption -- or to restore lost data to the same or a different storage device using backup and recovery tools. Logical data recovery techniques include the following:

  • Data backup and recovery software. By far the most common and broadly used recovery technique, this software tool creates timely data backups as needed and then restores them to target storage devices. If the storage device fails or is unreliable, the restoration can occur once the problematic device is replaced.
  • File system software. File system tools are designed to examine directory structures and other logical elements of data distribution on a storage device. Such analysis can reveal -- and sometimes restore -- common failures like broken directory links or lost clusters. This can often repair damaged or inaccessible data in limited or targeted areas.
  • File carving tools. File or data carving circumvents the traditional file system used on a storage device, enabling the tool to search for file signatures and re-create or rebuild damaged files even when the storage device's logical structures are interrupted. However, these are considered advanced tools and require time and expertise to use effectively.
  • System repair tools. These are a small class of specialized tools -- such as the traditional Windows chkdsk utility -- that can scan and rebuild a damaged file system or FAT. This can restore access to stored data, but the results are not guaranteed.
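Signature-based carving as described in the file carving item, and the uniform file headers mentioned earlier, shown as an added example that is not part of the original article. The raw image is constructed sample data (not decodable pictures) and the function and constant names are hypothetical; the PNG and JPEG header and footer byte sequences are the standard ones.

```python
# (header, footer) byte signatures searched for in the raw image
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
}
MAX_CARVE = 10 * 1024 * 1024   # give up on a header after 10 MiB with no footer

def carve(image, max_size=MAX_CARVE):
    """Scan raw bytes, ignoring any file system, and return a sorted list of
    (kind, start, end) spans. end is None when a header has no footer in range,
    which is what a truncated or partly overwritten file looks like."""
    found = []
    for kind, (header, footer) in SIGNATURES.items():
        pos = 0
        while (start := image.find(header, pos)) != -1:
            end = image.find(footer, start + len(header), start + max_size)
            if end == -1:
                found.append((kind, start, None))
                pos = start + 1
                continue
            end += len(footer)
            found.append((kind, start, end))
            pos = end
    return sorted(found, key=lambda span: span[1])

# Constructed raw image: two complete files and one cut-off file between filler.
PNG_FILE = SIGNATURES["png"][0] + b"constructed-png-body" + SIGNATURES["png"][1]
JPG_FILE = b"\xff\xd8\xff\xe0" + b"constructed-jpeg-body" + b"\xff\xd9"
TRUNCATED = b"\xff\xd8\xff\xe0" + b"cut-off"
SAMPLE_IMAGE = (
    b"\x00" * 512 + PNG_FILE
    + b"\xaa" * 100 + JPG_FILE
    + b"\x00" * 50 + TRUNCATED
)

if __name__ == "__main__":
    for kind, start, end in carve(SAMPLE_IMAGE):
        if end is None:
            print(f"{kind}: header at {start}, no footer found (incomplete)")
        else:
            print(f"{kind}: bytes {start}-{end} ({end - start} bytes carved)")
```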

Ultimately, general-purpose backup and recovery tools offer the best protection against data loss. Modern techniques, such as continuous data protection or point-in-time recovery, offer an almost zero recovery point objective (RPO), and the recovery time objective (RTO) can be small depending on the amount of data restored.

Physical data recovery techniques

Physical data recovery focuses on repairing a damaged storage device or implementing physical storage techniques to mitigate storage device failures. Common physical data recovery techniques include the following:

  • RAID recovery. RAID protects against individual disk failures by spreading data across multiple disks in the array, with each portion of the data including a set of error correction codes. If a physical disk fails within the RAID array, it can be replaced, and the RAID array can recover or re-create the data contained on the failed disk by processing the error correction codes across the remaining disks. However, RAID recovery can take considerable time because all the data on the remaining disks must be read and processed.
  • Disk mirroring. Disk mirroring, imaging or cloning is a simple form of RAID where data is duplicated across two identical storage devices. If one device fails, the other can support users and applications until the failed storage device is replaced. Once replaced, the mirrored disk can restore its complete data set to the replacement disk, and the two remain synchronized. While disk mirroring is often a dynamic technique where both disks can be accessed, disk cloning is typically a more static technique where the duplicated disk is simply a real-time backup and cannot be accessed directly.
  • Clean room recovery. The rarest and most expensive data recovery techniques can involve opening a sealed storage device in a suitable clean room environment and performing physical work on the mechanism. Work can include replacing faulty components or analyzing magnetic disk contents with powerful microscopes to determine the data contained on the disk. This specialized technique requires extraordinary expertise and is reserved as a last-ditch fix to mission-critical data recovery problems where no backups are available.
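The RAID rebuild described above, as an added example that is not part of the original article. It assumes single XOR parity rotated across the disks, as in RAID 5 (the article does not name a RAID level); the payload is constructed and the function names are hypothetical.

```python
from functools import reduce

def xor_blocks(blocks):
    """Byte-wise XOR of equally sized byte strings."""
    return bytes(reduce(lambda a, b: a ^ b, col) for col in zip(*blocks))

def build_array(data, n_disks, block=4):
    """Stripe data over n_disks with one rotating parity block per stripe."""
    per_stripe = (n_disks - 1) * block
    data = data.ljust(-(-len(data) // per_stripe) * per_stripe, b"\x00")
    disks = [bytearray() for _ in range(n_disks)]
    for stripe, off in enumerate(range(0, len(data), per_stripe)):
        chunks = [data[off + i * block: off + (i + 1) * block]
                  for i in range(n_disks - 1)]
        parity_disk = (n_disks - 1 - stripe) % n_disks
        next_chunk = iter(chunks)
        for d in range(n_disks):
            disks[d] += xor_blocks(chunks) if d == parity_disk else next(next_chunk)
    return [bytes(d) for d in disks]

def rebuild(disks):
    """Fill in the single failed disk (given as None) from the survivors.

    Every stripe XORs to zero across all disks, so the missing disk is the
    XOR of the rest whether it held data or parity for a given stripe. All
    surviving disks must be read in full, which is why rebuilds are slow.
    """
    failed = [i for i, d in enumerate(disks) if d is None]
    if len(failed) != 1:
        raise ValueError(f"single parity cannot rebuild {len(failed)} failed disks")
    survivors = [d for d in disks if d is not None]
    restored = list(disks)
    restored[failed[0]] = xor_blocks(survivors)
    return restored

SAMPLE = b"payroll-ledger-2025-Q1!!"   # constructed payload

if __name__ == "__main__":
    array = build_array(SAMPLE, n_disks=4)
    damaged = [None if i == 1 else d for i, d in enumerate(array)]
    print("rebuilt disk 1 matches:", rebuild(damaged)[1] == array[1])
    try:
        rebuild([None, None, array[2], array[3]])
    except ValueError as err:
        print("second failure:", err)
```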

Data recovery tools

There are countless data recovery tools offering capabilities ranging from broad general-purpose to specific utilities. A busy enterprise generally will possess several tools to serve a set of potential data backup and recovery needs. Recovery tools can offer a standard set of recovery mode features, including the following:

  • Deleted file recovery. The tool can recover files that have been accidentally deleted, but not yet overwritten by other files. An example is the Windows Recycle Bin.
  • Partition recovery. The tool can find and recover data on a storage device's lost, damaged or deleted logical partitions.
  • Formatted drive recovery. The tool can recover data from a storage device that has been formatted, but where new data has not yet been written.
  • Corrupted drive recovery. Some tools can locate and recover data from drives that have become logically corrupted or physically damaged, such as a head crash onto a magnetic platter.

Beyond various recovery modes, recovery tools can provide advanced features, including the following:

  • File system support. The tool should support various popular file system formats, including Windows FAT12, FAT16, FAT32, Extended FAT, the NT file system or NTFS, the Mac Hierarchical File System or HFS Plus, the Apple File System, and Linux Ext2, Ext3 and Ext4.
  • Device support. The tool should support various storage devices, including internal and external devices such as HDDs, SSDs, USB drives, memory cards and optical devices.
  • Disk image creation. Some tools can create a logical image of the problematic drive first, enabling more comprehensive study, analysis and detailed recovery attempts without working with the troubled storage device.
  • Recovery previews. The tool lets technicians preview recovered data so it can be examined and validated before it is restored.
  • Searching. Tools can provide filtered search features, enabling technicians to locate specific files or file types.

Integrating data recovery into a DRP

Data recovery is a significant part of any disaster recovery plan (DRP). An enterprise must have a comprehensive understanding of its essential or sensitive data assets, including the following:

  • The data required for regular operations.
  • Where that data is located.
  • How that data is stored.
  • Which applications or users need that data.
  • How that data is protected and should be recovered if disaster strikes.

An organization's DRP should then encompass an assortment of data recovery details, including the following:

  • Identify who in the organization will be responsible for recovering data.
  • Provide a strategy for how data will be recovered.
  • Document acceptable RPOs and RTOs.
  • Include the detailed steps to recover and validate data before restoring applications.

For example, if a building is inoperable, affected business units must be advised to prepare to relocate to an alternate location. If hardware systems have been damaged or destroyed, processes must be activated to recover damaged hardware. Processes to recover damaged software should also be part of the DRP.

Some resources worth reviewing include the National Institute of Standards and Technology SP 800-34 standard and the International Organization for Standardization ISO/IEC 27031 standard.

A business impact analysis or strategic risk analysis can help an organization understand its data requirements and identify the minimum amount of time needed to recover data to its previous state. One challenge to data loss and recovery is handling the unstructured data stored on various devices.

But some steps can mitigate the damage. Start by classifying data based on sensitivity and determine which classifications must be secured. Then, determine how much data must be compromised to affect the organization. Undertake a risk assessment to determine what controls are required to protect sensitive data. Finally, put systems in place to store and protect that content.


This was last updated in May 2025
