Signature Search for Information Recovery

Unlocking lost or deleted data is essential in many scenarios. In this article, we delve into the world of information recovery with signature search, unveiling powerful techniques for uncovering hidden data. Whether you’re a digital forensics expert or a curious tech enthusiast, understanding signature search can help you recover valuable information. Explore the secrets of information recovery with signature search!

Signature Search for Information Recovery

Those who read our previous article “Why Deleted Files Can Be Recovered” will undoubtedly question those magic capabilities. Indeed, classic data recovery tools base their efforts on scanning the file system, detecting records pointing to deleted files or folders, and determining the exact location of the deleted files by analyzing existing file system records. Note that the file system record about a file must at least exist on the disk in order to be detected, located and analyzed.

But what if there is no such record? What if the file was deleted a long time ago and the corresponding record was overwritten with another one? Or what if the entire file system was erased (by formatting the disk), corrupted or destroyed after a system failure? If this is the case, classic file recovery tools will fail to locate any meaningful information on the disk.

Go to view
How to Recover Data After Formatting, Deleting or Creating Partitions in 2020 📁🔥⚕️

How to Recover Data After Formatting, Deleting or Creating Partitions in 2020 📁🔥⚕️

Signature Search

Signature search was a technology that was developed and released at the same time by several different companies. There are multiple trade names used to describe the technology. Different companies name it “Power Search”, “Content-Aware Analysis”, “Smart Scan”, and no doubt there are other names for this technology. Under the hood, however, all these algorithms use the same underlying principle.

How Signature Search Works

1. Detecting Files

Signature search borrowed its main operating principle from anti-virus programs. Anti-virus tools will read the entire file, scanning its content for known signatures in order to identify viruses. Similarly, signature search will read the entire contents of the hard disk or the whole volume or partition, analyzing every sector for characteristic signatures that could belong to known file types. There’s no miracle, as many files do have some very characteristic signatures that will make them easy to identify. In addition, most such signatures are located at the very beginning of each sector, making the analysis even faster and more reliable. Examples of such signatures are “JFIF” for JPEG, “PK” followed by certain binary information for ZIP archives, “%PDF-“ for Adobe PDF files, and so on.

Some files do not a characteristic signature, but can still be located. This includes text and HTML files that only use a certain subset of encoded data from ASCII character table.

Go to view
How to Recover Data from an Unallocated Area in a Hard Disk, USB Pen Drive or Memory Card 👨‍🔧🛠️🖥️

How to Recover Data from an Unallocated Area in a Hard Disk, USB Pen Drive or Memory Card 👨‍🔧🛠️🖥️

2. Determining File Length

After locating the beginning of a file, the signature search algorithm will perform further analysis in order to calculate the file’s length. The length of *.zip, *.jpeg, *.avi, *.psd, *.pst, *.rar, *.tiff files can be often derived from the file’s header. Sometimes, the tool will have to continue reading subsequent disk sectors in order to locate a marker defining the end of the file, and sometimes (as is the case with text and HTML files) the end of the file is determined by the appearance of a certain number of non-ACSII symbols.

After detecting the beginning and length of a file, signature search can attempt the recovery.

3. Limitations of Signature Search Algorithms

Signature search does no magic. There are cases where even the best algorithm can’t recover a file. Obviously, if disk space occupied by the original file is partially overwritten with other data, the file will be only partially recoverable at best. However, things such as disk fragmentation play a more important role in limiting the usefulness of signature search. Larger files (e.g. movie clips) are often stored on the disk in multiple fragments scattered around the disk surface. This often occurs when there is not enough consecutive free space available on the disk to store the file in one chunk. Such files can’t be recovered correctly with signature search.

Go to view
How to Defragment Your PC's Hard Drive on Windows 10 🛠️🗄️⏲️

How to Defragment Your PC's Hard Drive on Windows 10 🛠️🗄️⏲️

4. Hybrid Algorithms

Some of the limitations of signature search can be lifted by applying hybrid analysis approach. Hybrid algorithms will analyze the file system and then scan the disk surface, getting the best of the two worlds and achieving the best possible recovery rates. Most data recovery tools on the market today are using the hybrid approach.

Feature Hetman Partition Recovery Hetman RAID Recovery
Recovery Types Recovery of lost and deleted partitions, recovery of data from damaged or formatted partitions Recovery of data from damaged RAID arrays, recovery of RAID metadata, and recovery of data after disk failure in RAID
RAID Support Does not support RAID Supports all RAID levels (RAID 0, RAID 1, RAID 5, RAID 10, etc.)
File System Types FAT/exFAT, NTFS/ReFS, APFS/HFS+, Ext2/3/4/ReiserFS, XFS/UFS/ZFS/Btrfs/VMFS/HikvisionFS FAT/exFAT, NTFS/ReFS, APFS/HFS+, Ext2/3/4/ReiserFS, XFS/UFS/ZFS/Btrfs/VMFS/HikvisionFS
Recovery after Formatting Yes Yes
Data Recovery from Damaged Disks Yes Yes
Virtual Machine Support Yes Yes
Preview of Recovered Data Yes Yes
Operating System Support Windows, Linux, macOS Windows, Linux, macOS
Oleg Afonin

Author: , Technical Writer

Oleg Afonin is an expert in mobile forensics, data recovery and computer systems. He often attends large data security conferences, and writes several blogs for such resources as xaker.ru, Elcomsoft and Habr. In addition to his online activities, Oleg’s articles are also published in professional magazines. Also, Oleg Afonin is the co-author of a well-known book, Mobile Forensics - Advanced Investigative Strategies.

Vladimir Artiukh

Editor: , Technical Writer

Vladimir Artiukh is a technical writer for Hetman Software, as well as the voice and face of their English-speaking YouTube channel, Hetman Software: Data Recovery for Windows. He handles tutorials, how-tos, and detailed reviews on how the company’s tools work with all kinds of data storage devices.

Recommended For You

Hello! This is AI-based Hetman Software virtual assistant, and it will answer any of your questions right away.
Start Chat