SecureState Blog


SERVICE: Incident Response

INDUSTRY: Professional Services


Engagement Background

An accounting firm recently contacted us for help recovering corrupt files from a formatted flash drive.  The disk held sensitive and private information, so its recovery was imperative.  Our Incident Response practice was asked to examine the drive and, if possible, recover the corrupt data files.  We determined that a methodology known as data “carving” would be the best way to solve this problem.  Data carving is a familiar practice in digital forensics.  Every kind of file, whether a data file, a text file, a video file, or another type, has certain identifiers in its coding structure.  By carving through the lost pieces of data on a flash drive, we can find these common signatures and use them to reassemble the files.


Why It’s Interesting

Data is damaged or corrupt when it can no longer be read, written, stored, or processed.  Data corruption usually comes down to one of two factors.  The first is a physical failure of the disk caused by extreme use, wear, or abuse.  Physical failures represent 10% of overall data recovery, yet roughly 80% of the total cost.  The other is a logical failure, mainly caused by malware, viruses, or power surges.  Logical failures represent 90% of data recovery cases, but only 20% of the total cost.  What’s interesting is that while a logical failure is the most common way for data to become lost or corrupt, it is also the least expensive to fix.  It is important to understand which kind of failure is at hand in order to reasonably recover the data.  With the help of our digital forensics experts, the accounting firm was able to move forward with their critical and private data recovered.  We were also able to recover unknown files for the client.


What The Consultants Had to Say

The process of data carving is similar to searching for a home with a ripped-up map.  “The house isn’t going anywhere and neither is the data”.  Corrupt data on a flash drive is nothing more than scattered fragments of information without the proper set of instructions for assembly.  “Our job was to reconstruct the lost data using a ripped-up map”.  A major factor when carving data is the element of time.  “We had a list of 25 critical files to recover with about 10,000 fragments to choose from.”  Depending on the storage capacity of the disk and the size of the corrupt data files, the completion time can vary.  “By carving the data, we managed to organize the fragments of data using the signatures in their coding structure and piece the files back together into the form as originally created and stored”.