Part II — Data Recovery
"The file system swears the files are gone; the platter knows better. Recovery is the art of learning whose word to trust — and getting the data back before the drive has the last word."
Part I taught you to read the machine: bits, sectors, and clusters (Chapter 2), the physical media that hold them (Chapter 3), the file systems that organize them (Chapter 4), and the disciplined process that keeps your work defensible (Chapter 5). Now you put that knowledge to work on the question every client actually asks, in plainer words than any of yours: Can you get it back? Part II is the recovery half of the book — eight chapters that carry you from a single deleted file someone needs un-deleted, to a drive that no longer spins, from one laptop to a collapsed RAID array, from a phone that will not unlock to an entire network frozen by ransomware.
The part is built like a ladder, and you climb down it rung by rung, from the gentlest intervention to the most invasive. You begin where the data is easiest to reach and the file system is still mostly intact, then descend — chapter by chapter — toward cases where the file system has been overwritten, the media is physically dead, the array is scrambled, or the device is locked tight. At every rung you ask the same two questions a professional always asks first: Is the original safe? and Is recovery even possible? Image first, verify with hashes, work on the copy. That discipline is not bureaucratic ceremony here — it is survival, because the failing drive in your hand may not live through a second attempt. In recovery there is often no undo, and the most expensive mistake in this entire part is the one you make on the original.
Two of the book's anchor cases live in these chapters. The deleted wedding photos — ten years of a family's life on a drive that was accidentally reformatted — run through Chapters 6 and 7, where you will first recover what the file system still remembers, then carve back what it has forgotten. The ransomware recovery — a small business with no current backup — anchors Chapter 12, and it delivers the hardest lesson in the part: sometimes the honest, professional answer is "most of it, but not all." Recovery is where you learn, in your hands and not just in theory, that "deleted" almost never means "destroyed." It is also where you learn the limits of that hope. Knowing when to keep going and knowing when to stop turn out to be the same skill.
What you will learn
- Chapter 6 — Logical Recovery. Recover deleted files, reformatted volumes, and corrupted partitions by reading what the file system still records in its MFT and inode tables — the surgical, least-invasive first resort.
- Chapter 7 — File Carving. When the file system itself is gone, scan the raw bytes for headers and footers and rebuild files from their signatures alone, with no directory left to guide you.
- Chapter 8 — Hard Drive Recovery. Diagnose mechanical failure — heads, motors, and PCBs — and understand the clean-room work that brings a dead platter back to a state you can finally image.
- Chapter 9 — SSD and Flash Recovery. Confront the controller, the flash translation layer, and wear-leveling — and the brutal reality of TRIM, which can render deleted data genuinely unrecoverable.
- Chapter 10 — RAID Recovery. Reconstruct a broken array — stripe size, parity, and disk order — because not a single file comes off the set until the array is rebuilt correctly.
- Chapter 11 — Mobile Device Recovery. Pull data off phones that are locked, encrypted, and proprietary by design — the hardest consumer recovery there is, and a preview of mobile forensics.
- Chapter 12 — Ransomware Recovery. Treat recovery as crisis response: hunt for shadow copies, carve unencrypted slack, evaluate stale backups, and work through the pay-or-don't-pay decision honestly.
- Chapter 13 — The Data Recovery Business. Turn the craft into a profession — pricing, lab economics, liability, ethics, and the underrated discipline of knowing when to say no.
Why this part matters
Every chapter here is one application of a single foundational truth: deletion removes the pointer, not the data, and the data persists until something overwrites it. That is what makes logical recovery and carving possible at all — and it is the very same truth a forensic examiner leans on in Part III. The techniques are nearly identical; only the purpose differs. Which is exactly why recovery work demands forensic habits even when no court is anywhere in sight: hash before and after, document what you touched, and never assume a routine job will not one day become evidence. The MSP rebuilding a partner's laptop and the examiner imaging a suspect's drive are running the same playbook from opposite ends of the same idea.
Part II is also where this book is most honest about its own limits. Technology turns over faster here than anywhere else — spinning platters give way to NAND, single disks to arrays, laptops to locked handsets — yet the method never changes: understand the medium, protect the original, work systematically, recover what you can, and document all of it. And behind every job is a person. The bride who lost the photographs. The owner watching payroll get encrypted in real time. The family hoping the phone of someone they have lost will still open one more time. The skills you build in these chapters are coldly technical; the stakes are entirely human, and the best practitioners never lose sight of the second fact while mastering the first.
For your learning path
💾 Data Recovery practitioners are home: this part is your core curriculum, so linger on all eight chapters and work every lab. 🛡️ Incident Response readers should slow down most for Chapter 12 — ransomware recovery is your crisis to manage — and for the image-first discipline that opens the part. 🔍 Forensic Examiners will recognize Chapters 6 and 7 as the bedrock of evidence recovery and should study them closely; you can move more briskly through the hardware mechanics of Chapters 8–10, but circle back for Chapter 11, because the locks that stop mobile recovery are the same ones you will wrestle in mobile forensics. 📜 Legal and eDiscovery professionals can skim the clean-room and controller internals, but do not skip the through-line of the part: what is technically recoverable defines what is legally discoverable — and failing to preserve it is what becomes spoliation. Whatever your path, read Chapter 13, because it names the ethics, pricing, and judgment the rest of the part quietly assumes.
The first rung is the gentlest one. Turn the page — a file system that swears its files are gone is about to tell you the truth.
Chapters in This Part
- Chapter 6: Logical Recovery — Deleted Files, Formatted Drives, and Corrupted Partitions
- Chapter 7: File Carving — Recovering Files Without File System Metadata
- Chapter 8: Hard Drive Recovery — Mechanical Failures, Head Crashes, and the Clean Room
- Chapter 9: SSD and Flash Recovery — The Unique Challenges of Solid-State Storage
- Chapter 10: RAID Recovery — Rebuilding Arrays and Recovering from Multi-Disk Failures
- Chapter 11: Mobile Device Recovery — Smartphones, Tablets, and the Data You Can't Reach Through the Screen
- Chapter 12: Ransomware Recovery — When Your Files Are Encrypted by Criminals
- Chapter 13: The Data Recovery Business — Pricing, Customer Management, and Building a Recovery Practice