SECURITY 606



Beginning on Day three, we will put away all the physical rebuild components and focus on imaging, logical corruption, and repair. We now have the skills to physically repair drives and get them working again, and need to deal with the content: acquire the data and repair any corruption that might have occurred. We begin the day looking at standard ways of imaging content.

We will also have carefully crafted USB memory sticks that contain NTFS file systems and are corrupted exactly like the drives you will see in your lab. We then begin by using tools like FTK Imager, DriveImage XML and Media Tools Pro, all of which have special advantages and disadvantages. After you have a clear understanding of the way software imaging looks, I will demonstrate a high-end data recovery tool like the Deepspar Forensics Disk Imager and show you the capabilities and what all the functions do. You'll learn how to do a repair on sectors and copy a damaged drive using this tool on a sample damaged hard drive. This will be followed by an example of Salvation Data's Data Compass and the functions it supplies on the fly, as well as the protection it offers for damaged hard drives.

We will close out the second phase of data recovery, drive imaging, and move into the third phase, which involves file systems and corruption after the image is made. Again we will use a carefully crafted USB memory stick, on which NTFS will not properly mount, and we will step through how you can recover or repair it, see the content in the MFT using tools, and find the files you wish to recover. This will be accomplished through a combination of discussion and labs in which you will learn the advantages and disadvantages of each tool and what is special about them.

You'll engage in several labs that demonstrate how you can see and recover data from corrupt drives, which includes reviewing partition structures, including the GUID Partition Structure, and recovering from NTFS when it won't mount. The labs will include the use of Disk Explorer for NTFS and its special qualities that make it a superb data recovery tool when used in parallel with GetDataBack for NTFS. We will also review an NTFS drive using TestDisk.




SECURITY 606 Upcoming Events
| Event | Location | Dates | Delivery Method |
|---|---|---|---|
| SANS CDI East 2009 | Washington DC | Dec 11, 2009 - Dec 18, 2009 | Live Event |
| Community SANS Atlanta 2010 | Atlanta, GA | Feb 09, 2010 - Feb 13, 2010 | Community SANS |
| SANS 2010 | Orlando, FL | Mar 06, 2010 - Mar 15, 2010 | Live Event |
| SANS Security West 2010 | San Diego, CA | May 07, 2010 - May 15, 2010 | Live Event |

"This is awesome! We're seeing details that most people don't even know exist" - John Wright, Info Tech, Inc.
"The class provided in-depth, real world, hands-on information" - Robert Dale Drollinger, General Dynamics
SANS Institute