Data recovery services

There is always hope.

We can recover full or partial data:

  • accidentally or intentionally deleted (see below)
  • from failed or no longer accessible NAS devices
  • from proprietary, commercial filesystems
  • from failed RAID (software/hardware, all levels)
  • from failed drives and memory cards (see below)
  • after ransomware attack (see below)
  • from incomplete/broken data dumps (see below)

Rule #1: TURN OFF THE DEVICE ASAP. Then contact us.

So, what to do now?

1. Turn off the device as soon as possible (but try to remember some details regarding the problem, and write them down for us, in your own words).

2. Open the device and remove hard drive(s). Pack them shock-safely and send to this address:

Klim Baron Business Solutions Sp. z o.o.
ul. Swiety Marcin 29/8
61-806 Poznan, POLAND

Make sure to attach the paper with your invoice data, and address, where to send back the drive(s) after analysis.

3. In some cases, instead of shipping physical drive(s), it is enough to make the full image(s) of each drive/partition and send us only the image files. But contact us first to discuss your case.

4. We will let you know, what can we do in your particular case, and after payment, we will send you the encrypted archive with recovered files through Dropbox.
Accidental or intentional deletion - possibilities
When you delete a file, it isn't really erased – it still exists on the hard drive, but its contents are marked as free space. Depending on the operating system version and filesystem type, this particular free space may be reused sooner or later (when there is no other available free space - so possibly deleted file can "live" for years since deletion, if there is plenty of other free space).

So, if the deleted file hasn't been overwritten before deletion, there are great chances to restore it.

There is malicious software, which overwrites only parts of files (eg. the first 1024 bytes of each file, to save time and do as much damage as possible before the user notices, what's going on). Most often this is enough to make such files unusable. However, in many special cases, data can be recovered, eg.:
  • JPG photos often contain multiple image sizes in a single file, starting from the smallest, up to the largest - so, the largest image can be often restored by properly rebuilding JPG header
  • ZIP archives contain multiple packed files, with the contents list at the end of the file - by rebulding ZIP header, most files can be unpacked
  • the same applies for self-executable archives of any format (ZIP, RAR, 7z etc.), where the only damaged part is the extracting program, while the contents are untouched
Data lost in ransomware attack - possibilities
Most ransomware loop over all directories, where the logged in user has write permissions, and:
  • make an encrypted copy of given file
  • delete the original file
  • proceed with another one

Depending on the operating system version, filesystem type, and the percentage of free space, there is smaller or bigger chance, that some of deleted original files still "live" on hard drive.

Some ransomware only encrypt the initial part of the file (mostly 512 or 1024 bytes), to save time and damage as many files as possible, before user notices and breaks the encryption process. In such cases, many types of files can be either rebuilt (eg. by recreating photo headers) or unpacked (eg. ZIP archives).

Many ransomware types skip certain files and directories:
  • files with unusual extensions, to save time and/or prevent causing visible damage before encrypting everything else
  • files that are often locked by other applications (eg. Outlook profiles, SQL Server databases), to prevent showing strange error messages to the user
  • several cache directories containing recently opened or changed documents, browser history etc., again to prevent causing visible damage before encrypting everything else
  • directories, where the virus didn't have write permissions (eg. on different Windows account)
  • Shadow Copy backups, containing previous versions of recently changed files

Analyzing all such files and directories, it's also possible to recover lots of valuable data.
Failed or inaccessible NAS devices - possibilities
From storage point of view, most NAS devices for home and small companies (QNAP, Synology, Seagate BlackArmor, Asustor, Iomega, Netgear etc.) are normal desktop-grade computers running Linux, with software RAID and LVM2, standard drives, drive connectors etc.

The main difference between such devices and "normal" Linux is that they use a slightly modified version of ext3/ext4 Linux filesystem. Modified only to prevent connecting drives from such devices to any other computer, mostly by increasing sizes of various internal filesystem structures, to make such filesystem incompatible by original Linux kernel.

However, it's very easy to extract 100% of data from drives used in these devices, assuming that the drives are not physically damaged.
Failed RAID - limitations
The difficulty level of recovering failed RAID depends on 2 factors:
  • RAID level (eg. RAID5 is something completely different from RAID0)
  • software or hardware RAID (there are hundreds of hardware RAID controllers, with many different algorithms of splitting data across disks)

In case of hardware RAID, it is absolutely essential to provide us the exact model and version of the RAID controller card (along with clear, high resolution photos of it), along with the order of the connected drives. In some cases, we will also need the controller card itself (but send us photos first).
Failed drives and memory cards - limitations
In most cases, it is possible to recover more or less data from damaged drives. However, this process is mostly difficult and often requires "transplanting" electronic/mechanical parts from identical drive. Typical cost range is $150-$2500 per failed drive.

Note that sending physically damaged drives, eg. containing loosened mechanical parts inside, may easily lead to further increasing the damage.

Therefore it is more appropriate to seek for the most local company equipped with PC-3000 devices by ACELab (these devices are standard in data recovery business) and to carry the damaged drives to them.
Incomplete/broken data dumps - possibilities
Many file formats (documents, databases, archives, photos, music, movies etc.) are designed to allow at least partial data recovery from damaged or incomplete files. For some of them, recovery might be easy and even fully-automatic using provided tools, while others can require having some domain knowledge and/or non-public tools.

However, in most such cases there is a great chance to recover at least parts of the original data.