Raw Disk Data Recovery: Bit-by-Bit Imaging, Sector Copying and Carving
The foundation of professional data recovery is not copying files from a failing disk but taking a bit-by-bit copy of the entire surface. We explain what a raw image is, why it differs from copying files, how ddrescue and hardware imagers work, bad-sector mapping, what carving (recovering data without a file system) is, and how hash verification preserves forensic integrity, with sources.
Quick answer: Raw disk data recovery is the approach of copying the entire surface of a failing disk sector by sector, bit by bit (imaging) and then working on that safe copy, instead of copying files one by one. The reason is simple: a failing disk dies a little more with every read, so it is touched as little as possible, a complete copy is taken first, the original disk is shelved and all recovery work is done on the copy. If the file system is corrupt or deleted, the technique that scans files out of the image by their signatures (file headers and footers) is called carving. Throughout this process, hash (MD5/SHA-256) verification is used to prove the image taken has not changed; this is mandatory for both recovery safety and forensic validity.
The most critical rule in data recovery is to make the least possible intervention on a failing disk. So a professional lab does not say "let us take your files off the disk"; it first extracts a raw copy of the whole disk. We explained why this is vital, and why writing to the same disk is a fatal mistake, in "Why writing to the same disk with recovery software is fatal". If the disk shows RAW and will not open, that is, the file system is not recognized, see "Disk became RAW, will not open, formatless recovery"; this article focuses on the technical backbone, the raw image and carving process.
The difference between file copying and raw imaging
Ordinary copying asks the file system: "where is that file?" and if the file system answers, it takes that file. But if the file system is corrupt, deleted or the disk shows RAW, this method fails, because the "map" is broken. Raw imaging ignores the file system entirely; it copies every byte from the first sector to the last, empty or full, deleted or intact, exactly as is. So we end up with a frozen, complete snapshot of the disk. The data of deleted files, even if the file system considers them "gone," is in this image as long as it physically remains on the disk.
The second benefit of this approach is safety. A failing disk tolerates a limited number of reads; each attempt wears it further. Once the raw image is taken and the original disk is shelved, all subsequent analysis, recovery attempts and risk of error fall on the safe copy, not the original disk. The original disk is preserved.
Fault-tolerant imaging: ddrescue and hardware imagers
Imaging a healthy disk is easy, but data recovery usually deals with disks that have bad sectors. Here an ordinary copying tool gets stuck on the first bad sector and stops, or hammers that sector repeatedly and kills the disk. Fault-tolerant imaging solves this problem.
The open-source GNU ddrescue is the standard software tool for this. Its logic is smart: it first quickly copies the easily read, healthy regions of the disk, marks and skips the bad regions, then in second and third passes retries only the skipped problem regions, from different directions and more patiently. So the most data is recovered with the least load on the disk. ddrescue keeps a map (mapfile); even if the operation is interrupted, it resumes where it left off.
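As an added example (not from the original article or the ddrescue project), the Python below reads a ddrescue mapfile and reports how much of the disk is already in the image and which byte ranges are still unread. The sample mapfile is constructed, and the function names are hypothetical.

```python
from collections import defaultdict

# Constructed sample (not from a real disk), laid out like a GNU ddrescue
# mapfile: '#' lines are comments, the first data line is the status line,
# every later line is "pos size status" with hex numbers.
SAMPLE_MAPFILE = """\
# Mapfile. Created by GNU ddrescue
# current_pos  current_status  current_pass
0x00110000     *               1
#      pos        size  status
0x00000000  0x00100000  +
0x00100000  0x00000200  -
0x00100200  0x0000FE00  /
0x00110000  0x00010000  *
0x00120000  0x000E0000  +
"""

STATUS_NAMES = {"?": "non-tried", "*": "non-trimmed", "/": "non-scraped",
                "-": "bad-sector", "+": "finished"}

def parse_mapfile(text):
    """Return the data blocks as (pos, size, status), skipping the status line."""
    rows = [line.split() for line in text.splitlines()
            if line.strip() and not line.startswith("#")]
    blocks = []
    for fields in rows[1:]:  # rows[0] is current_pos / current_status
        pos, size, status = int(fields[0], 16), int(fields[1], 16), fields[2]
        if status not in STATUS_NAMES:
            raise ValueError(f"unknown block status {status!r}")
        blocks.append((pos, size, status))
    return blocks

def summarize(blocks):
    """Bytes per status and the percentage of the disk already rescued."""
    totals = defaultdict(int)
    for _pos, size, status in blocks:
        totals[STATUS_NAMES[status]] += size
    disk_size = sum(totals.values())
    rescued_pct = round(100 * totals["finished"] / disk_size, 2)
    return dict(totals), rescued_pct

def unread_regions(blocks):
    """Byte ranges the image does not hold yet (every status except '+')."""
    return [(pos, pos + size) for pos, size, status in blocks if status != "+"]

if __name__ == "__main__":
    parsed = parse_mapfile(SAMPLE_MAPFILE)
    print(summarize(parsed))
    print([(hex(a), hex(b)) for a, b in unread_regions(parsed)])
```

The unread ranges are the parts of the image that carving or file system repair cannot rely on, so they belong in the case notes next to the image.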
For serious hardware failures, software is not enough and hardware imagers come in. Systems like PC-3000 and DeepSpar control the read timeout, retry count and head selection at the hardware level, working more precisely than ddrescue can. We covered these devices and their differences in "What is PC-3000 and DeepSpar disk imager bad-sector cloning". If there is mechanical failure (clicking, head damage), repair in a cleanroom is needed first; see "What is a cleanroom".
Carving: recovering files without a file system
After the image is taken, in the ideal case the file system (NTFS, exFAT, ext4) is read and files are extracted with their structure. But if the file system table is corrupt or the disk was formatted, there is no "map." This is where carving comes in.
Carving scans the raw image from start to finish without looking at the file system at all, and searches for the characteristic signatures of files. Most file types have a specific header (magic number) and often an end marker: a JPEG begins with certain bytes, a PDF begins with "%PDF", a ZIP begins with "PK". The carving tool finds these signatures and reconstructs the data in between as a file. The open-source PhotoRec is the best-known tool for this, which we covered in "TestDisk PhotoRec free data recovery guide".
Carving is powerful but limited. It usually cannot recover file names and folder structure, because this information is kept in the file system, not inside the file. Also, a file stored fragmented on the disk, that is, physically scattered in pieces, may come out incomplete or corrupt with carving. So when possible, file system repair is tried first and carving is used as a last resort.
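A minimal header/footer carver, added here as an illustration (it is not PhotoRec's algorithm and not code from the original article). It scans a constructed in-memory image for JPEG and PDF signatures and flags a file whose end marker is missing; the function names and the offset-based naming scheme are assumptions.

```python
JPEG_SOI = b"\xff\xd8\xff"  # JPEG start-of-image marker plus next marker prefix
JPEG_EOI = b"\xff\xd9"      # JPEG end-of-image marker
PDF_HEAD = b"%PDF"
PDF_FOOT = b"%%EOF"
SIGNATURES = [("jpg", JPEG_SOI, JPEG_EOI), ("pdf", PDF_HEAD, PDF_FOOT)]

def build_sample_image():
    """Constructed raw image: one JPEG, one PDF, one JPEG with its footer lost."""
    jpeg = JPEG_SOI + b"\xe0" + b"J" * 40 + JPEG_EOI
    pdf = PDF_HEAD + b"-1.4\n" + b"P" * 30 + PDF_FOOT
    cut_jpeg = JPEG_SOI + b"\xe0" + b"K" * 20  # no end marker
    return (b"\x00" * 512 + jpeg + b"\x00" * 100 + pdf
            + b"\x00" * 64 + cut_jpeg + b"\x00" * 32)

def carve(image, max_size=1 << 20):
    """Return (type, start, end, complete) tuples sorted by offset.

    Only offsets are known: names and folders live in the file system.
    The first footer after a header is taken, so a fragmented file would
    come out with foreign data in the middle or cut short.
    """
    found = []
    for kind, head, foot in SIGNATURES:
        pos = image.find(head)
        while pos != -1:
            limit = min(len(image), pos + max_size)
            end = image.find(foot, pos + len(head), limit)
            if end == -1:
                # Header without footer: keep the span, mark it incomplete.
                found.append((kind, pos, limit, False))
                pos = image.find(head, pos + len(head))
            else:
                end += len(foot)
                found.append((kind, pos, end, True))
                pos = image.find(head, end)
    return sorted(found, key=lambda hit: hit[1])

def carved_name(kind, start):
    """Offset-based name, since the original file name is not recoverable."""
    return f"f{start:08d}.{kind}"

if __name__ == "__main__":
    for kind, start, end, complete in carve(build_sample_image()):
        print(carved_name(kind, start), end - start, "bytes", "ok" if complete else "incomplete")
```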
| Method | When | Recovers | Limit |
|---|---|---|---|
| File system read | If file system is healthy | File + name + folder | Fails on corrupt table |
| File system repair | If table is partly corrupt | Mostly the structure | Severe damage unrecoverable |
| Carving | If no table / format | File content | No name/folder, fragmented-file risk |
Hash verification: proof of integrity
When the raw image is taken, it must be proven that the image is identical to the original disk and has not changed since. The way to do this is to compute a cryptographic digest (hash). While imaging, the MD5 or SHA-256 digest of both the original disk and the image is computed; if they match, the copy is identical. If any later analysis had changed the image, the digest would not match. We explained how hash verification works and why even a single-bit change completely changes the digest in "What is hash verification, MD5 SHA-1 SHA-256".
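The check described above, as an added example (not code from the original article): MD5 and SHA-256 are computed in a single pass over the image, recorded, and re-checked later, and a one-bit change is shown to break both digests. The image bytes are constructed and the function names are hypothetical.

```python
import hashlib
import io

CHUNK = 1 << 20  # read 1 MiB at a time so a large image never sits in memory

def digest_stream(stream, algorithms=("md5", "sha256")):
    """Read the stream once and update every requested digest per chunk."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in iter(lambda: stream.read(CHUNK), b""):
        for hasher in hashers.values():
            hasher.update(chunk)
    return {name: hasher.hexdigest() for name, hasher in hashers.items()}

def verify(stream, recorded):
    """Return the algorithms whose fresh digest differs from the recorded one."""
    current = digest_stream(stream, tuple(recorded))
    return [name for name in recorded if current[name] != recorded[name]]

def flip_bit(data, offset, bit):
    """Copy of data with a single bit inverted, to simulate a changed image."""
    changed = bytearray(data)
    changed[offset] ^= 1 << bit
    return bytes(changed)

def sample_image():
    """Constructed 3 MiB stand-in for a disk image (spans several chunks)."""
    return bytes(range(256)) * (3 * 4096)

if __name__ == "__main__":
    image = sample_image()
    recorded = digest_stream(io.BytesIO(image))      # taken at imaging time
    print("recorded:", recorded)
    print("untouched image mismatches:", verify(io.BytesIO(image), recorded))
    altered = flip_bit(image, 1000, 0)
    print("altered image mismatches:", verify(io.BytesIO(altered), recorded))
```

For a real image file, pass `open(path, "rb")` instead of `io.BytesIO`.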
This step is good practice even in ordinary recovery, but it is mandatory in digital forensics. For evidence to be valid in court, it must be proven with a hash that it has not changed since the moment of seizure, and the chain of custody must be preserved. We addressed this legal framework in "The digital forensics process, KVKK and chain of custody". For the standards of forensic imaging, NIST SP 800-86 is the reference.
A typical raw recovery flow
- Assessment: The disk's failure is identified; if there is mechanical damage, repair is done in a cleanroom first.
- One-to-one image: The disk is copied bit by bit, read-only, with a fault-tolerant tool (ddrescue or a hardware imager); a map file is kept.
- Hash: The image's digest is computed and recorded; integrity is proven.
- Original disk shelved: From then on all work is done on the copy, the original disk is not touched.
- File system: When possible, the file system is repaired and files are extracted with their structure.
- Carving: If there is no file system, the image is scanned by signatures and files are recovered.
- Verification and delivery: The recovered files are opened and checked for integrity, then delivered to a separate medium.
Frequently Asked Questions
What is the difference between a raw image and file copying? File copying trusts the file system and takes only visible files; raw imaging ignores the file system and copies every byte of the disk, so deleted and hidden data is also included in the copy.
Does carving recover deleted files? It usually recovers the file content, but generally cannot recover the file name and folder structure; fragmented files may come out incomplete.
Why image and not touch the original disk? A failing disk degrades a little with every read; taking a safe copy once and shelving the original moves the risk of all remaining attempts to the copy and preserves the original data.
Why is a hash needed? It mathematically proves the image is identical to the original disk and has not changed since; it is mandatory for evidence to be valid in court during a forensic process.
Sources
- NIST SP 800-86, Guide to Integrating Forensic Techniques into Incident Response: https://csrc.nist.gov/pubs/sp/800/86/final
- GNU ddrescue (fault-tolerant imaging, official): https://www.gnu.org/software/ddrescue/
- NIST SP 800-101 Rev 1 (forensic imaging and verification principles): https://csrc.nist.gov/pubs/sp/800/101/r1/final
- DSET, hash verification: /blog/hash-dogrulama-nedir-md5-sha1-sha256-adli-bilisim
For professional recovery of a failing or RAW disk with raw imaging and carving, contact DSET.