
Top 30 data recovery interview questions and answers for 2019

January 21, 2019 by Graeme Messina

Data recovery has become more important throughout the years as businesses and individuals have flocked to digital platforms for productivity and personal use. Because of this, there are countless documents, photos, applications and other forms of data on hard drives around the world. All of this data holds value for their owners, whether it’s monetary, sentimental or otherwise.

It is for this reason that when a hardware failure or accidental deletion takes place, data recovery professionals are normally the first port of call for desperate users. And data recovery is no walk in the park: it requires technical knowledge, practical experience and logical thinking at all times.


We have put together a list of 30 sample interview questions for you to practice with if you are in the market for a job in this challenging but exciting field. We will look at three different levels of experience for working as a data recovery professional, and each will have questions that interviewers might use when trying to gauge your knowledge and suitability for the role.   

Level 1 — Data recovery consultant

When you are starting out in data recovery, you will almost certainly have some kind of IT background, perhaps as a technician or as a PC system builder. Most Certified Data Recovery Professionals (CDRP) have hardware and file system knowledge that has been built over several years’ worth of experience.

Here are some typical questions that you might find for an entry-level position such as this, but don’t let the fact that it is an entry-level role fool you. This is a challenging field that requires serious hard drive and file system structure knowledge from the get-go.

1. What experience do you have with data recovery?

The interviewer has probably already deduced from your resume or CV exactly what level of experience you have, but now you can elaborate a bit on what you have done in the past. This is an opportunity to mention some of the software tools that you have used, what environments you have worked in and how much hands-on experience you’ve had with the hardware end of the spectrum when dealing with hard drives.

2. Are you familiar with clean room protocols?

This isn’t necessarily a fair question if you have never actually worked within a clean room environment, but it doesn’t hurt to familiarize yourself with some best practices of working with hard drives in a clean environment before the interview. Read a little bit about donning and doffing procedures, as well as the basics for various clean room standards if you haven’t had the chance to work in such environments just yet.

(Fun fact: if you attend the InfoSec Institute CDRP Boot Camp, you will have your chance to work in a clean room. Courses that teach data recovery without a clean room are suspect, to say the least.)

3. Why do we need clean environments to work on hard drives?

These questions are there to weed out candidates that do not fully understand how the internal operation of a hard drive works, so don’t be surprised if these types of simple questions crop up. The likelihood of this line of questioning being asked is not very high, but you should be prepared for the odd curveball in any interview.

You can go into basic details about how the tolerances inside a hard drive are precise enough to be disrupted by smoke and dust particles, or even skin cells. A clean room filters out air particulates, while gowns keep potential personal biological contaminants from entering the equation.  

4. What happens to a file when it is deleted on a hard drive? Where does it go?

You can assume that they are asking you this question with regard to traditional mechanical hard drives and not SSDs, as flash memory works very differently.

This is a trick question, so don’t answer “The recycle bin?” Your answer should mention that files are not actually moved anywhere when they are deleted, but rather that the pointer that references the file is marked as empty. This allows the drive to overwrite those sectors as though there was nothing there.

5. Do you know what RAID is?

Again, don’t be surprised by seemingly simple questions in any interview. The interviewer may be trying to gauge your comfort levels with certain lines of questioning, so be ready for anything.

You can answer that RAID is an acronym for Redundant Array of Independent Disks and that there are different levels. RAID 0 is striping, RAID 1 is mirroring and RAID 5 offers distributed parity. RAID arrays are notoriously difficult to recover data from if they fail catastrophically, so a prospective employer is probably interested in your knowledge of this technology if they offer RAID recovery services.

6. Why can’t a Windows computer read a Linux hard drive?

Here you can mention that Windows uses different file system formats than Linux does, and because of this Windows has no way to interpret the file structure of the hard drive. There are third-party tools that can help Windows computers read Linux drives, such as Ext2Fsd, a driver for Windows that allows it to read Ext2, Ext3 and Ext4 file systems.

7. What is a P-List?

You can expect a few technical questions coming your way, especially if you are going to be working directly with faulty customer hard drives.

The P in P-List stands for primary. This is a value that is stored on the hard drive’s board electronics and tells the drive which sectors to avoid. Even brand-new hard drives have bad sectors that need to be avoided, so each brand-new drive needs to be programmed so that these areas of the hard drive can be safely ignored.

8. What is a G-List?

The G in G-List stands for growing. This is a list of unreliable sectors that your hard drive will fill in over the course of its life as it encounters bad sectors that begin to fail.

9. What is the first thing you should do with a hard drive that is being forensically inspected?

Certified Data Recovery Professionals don’t only need to know how to recover lost data and repair faulty hard drives when they are on the job. Forensics and data preservation also form part of the work, so you can expect a few data forensics questions in some cases, especially if the company that you are interviewing at is a large one.

The answer is to clone the drive. All forensic work needs to be carried out on a forensic clone or image of the drive and not on the hard drive itself.

10. What is a write blocker?

A write blocker is a piece of hardware that prevents any data from being written to the target hard drive. This means that you can access the data on a hard drive without contaminating it with stray writes, Trojans or viruses. Write blockers are sometimes used when the target hard drive is being cloned so that the forensic chain of data fidelity can be maintained as no changes can be made to the original hard drive.

Level 2 — Data recovery expert

Candidates that apply for this more senior role should have at least five years’ experience in a data recovery role, with strong practical experience and theoretical knowledge. The line of questioning that you receive will vary from company to company, as some companies focus on home users while others are more interested in advanced storage models for enterprise clients. Some companies offer forensic assistance while others do not handle them, so your experience will be different in some way. These are still good practice examples regardless of what you encounter in the interview, so be sure to go through them all.

11. What is the best way to replace an SMT/SMD component on a logic board?

You never want to use a soldering iron with tiny surface mount components because the work is just too precise and too delicate. The right tool for the job is a flow station, as it melts the solder in a uniform way and at the correct temperatures.

12. When recovering individual files, why would you need a hex editor?

Computer files that can still be accessed on a working drive will have header information that identifies them as a specific file type. By finding this information, recovery experts can then copy all of the data from the header to the end of the file and export it as a specific file type. An example of this would be a JPEG file that starts with a header of FF D8 FF and ends with FF D9. This means that all the values between the header and the footer can be saved so that a JPEG file can be restored.

Don’t worry about learning a whole lot of common headers and trailer values, but you should thoroughly understand how they work and what their significance is so that you can explain the process of individual file recovery at a hex level.
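The header-to-footer carve described above, as an added Python example that is not part of the original article. It compares stopping at the first FF D9 with walking the JPEG segment lengths, because a thumbnail embedded in the metadata carries its own FF D8 ... FF D9 pair; the helper names and the sample bytes are constructed for illustration.

```python
import struct

SOI = b"\xff\xd8\xff"  # JPEG header signature quoted in the text
EOI = b"\xff\xd9"      # JPEG footer quoted in the text


def naive_end(data, start):
    """Header-to-first-footer carve: end offset of the first FF D9 after start."""
    pos = data.find(EOI, start + 2)
    return pos + 2 if pos != -1 else None


def structured_end(data, start):
    """Walk the segment lengths so an FF D9 inside metadata is not taken as the footer."""
    pos = start + 2                                  # step over FF D8
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            return None                              # no marker here: false positive or damage
        marker = data[pos + 1]
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if length < 2:
            return None
        pos += 2 + length                            # marker + length field + payload
        if marker == 0xDA:                           # SOS: compressed scan data starts here
            break
    else:
        return None                                  # ran off the image before reaching a scan
    while (pos := data.find(b"\xff", pos)) != -1 and pos + 1 < len(data):
        nxt = data[pos + 1]
        if nxt == 0xD9:
            return pos + 2                           # the real end-of-image marker
        # FF 00 is a stuffed data byte, FF D0..D7 are restart markers: both stay inside the scan
        pos += 2 if nxt == 0x00 or 0xD0 <= nxt <= 0xD7 else 1
    return None


def carve_jpegs(image, find_end=structured_end):
    """Return (offset, bytes) for each JPEG candidate in a raw disk image."""
    found, pos = [], 0
    while (start := image.find(SOI, pos)) != -1:
        end = find_end(image, start)
        if end is None:
            pos = start + 1
            continue
        found.append((start, image[start:end]))
        pos = end
    return found


def segment(marker, payload):
    """Build one JPEG segment: FF <marker>, 2-byte big-endian length, payload."""
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed sample: JPEG-shaped bytes (not a decodable picture) whose APP1
# metadata embeds a thumbnail with its own FF D8 ... FF D9 pair.
THUMBNAIL = b"\xff\xd8" + segment(0xDA, b"") + b"tt" + EOI
PICTURE = (b"\xff\xd8" + segment(0xE1, b"Exif\x00\x00" + THUMBNAIL)
           + segment(0xDB, bytes(65)) + segment(0xDA, bytes(6))
           + b"\x12\xff\x00\x34\xff\xd0\x56" + EOI)
DISK = bytes(512) + PICTURE + b"\xaa" * 100         # one sector of zeros, file, slack

if __name__ == "__main__":
    for name, fn in (("naive", naive_end), ("structured", structured_end)):
        for offset, blob in carve_jpegs(DISK, fn):
            print(f"{name}: offset {offset}, {len(blob)} bytes")
```

Both carves assume the file is stored contiguously; a fragmented file needs file system metadata or manual work in the hex editor.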

13. What parts of a mechanical hard drive are generally replaceable?

This is a very basic question that could be asked, but the process of replacing the parts themselves is certainly no simple matter. Parts that are generally replaceable are the read/write heads, the spindle, the actuator and the logic board. You might get follow-up questions regarding tools, methods and scenarios where replacement is the best course of action when given a certain scenario.

14. How can you recover corrupt firmware on a hard drive?

This question is looking to test your knowledge of how a hard drive works, and more specifically, if you are aware of the system area of a hard drive. Explain how the data in this area is needed for the hard drive to perform various tasks, and that it is the first place that a hard drive looks at when preparing to read or write data. Some data in this area is necessary to repair other parts of the firmware, which means that if this area of the drive sustains damage then the entire drive could fail.

Mention that if the system area (SA) of the drive is still functioning, then there are some recovery tools that can repair this damage so that the drive will initialize long enough for it to be cloned or scanned for recovery data.

15. How can you tell if firmware on a hard drive is corrupt or missing?

Each hard drive manufacturer will experience a failed firmware instance differently, but the below examples are pretty universal on mechanical hard drives.

This is quite difficult to diagnose because the symptoms are similar to a physically damaged hard drive. The drive might not even initialize if the firmware is missing, or you will hear the drive clicking just like a spindle error. Sometimes the drive will show up on the testing rig as being the wrong size, or the data on the drive will be completely unreadable.

16. If a user deletes an important file on a Windows computer, where could a copy of that file be found?

If the system administrator has set up VSS (Volume Shadow Copy Service), then this is the first place to look, as it does not require any special tools or applications to access. Simply right-click on the affected folder and select “previous version.” You should then see a list of folders that are sorted by date. Each of these folders contains a snapshot of that day’s work, which can then be restored.

17. Can a RAID 5 array be recovered if it fails?

It is difficult to answer this definitively, as each failure is unique, and the causes could be completely different from case to case. However, it is certainly possible to recover data from a failed array. RAID 5 is able to rebuild a single failed drive; data does become unrecoverable after a second failure.
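Why one failed member can be rebuilt and two cannot, as an added Python example that is not part of the original article. The chunk size, the disk order and the parity rotation used here are assumptions; real controllers differ in all three, which is why the physical drive order matters during reconstruction.

```python
from functools import reduce


def xor_blocks(blocks):
    """Byte-wise XOR of equal-length byte strings."""
    return bytes(reduce(lambda a, b: a ^ b, column) for column in zip(*blocks))


def parity_disk(stripe, n_disks):
    """Assumed rotation: parity starts on the last disk and moves left each stripe."""
    return (n_disks - 1 - stripe) % n_disks


def build_raid5(data, n_disks, chunk):
    """Stripe data across n_disks with one parity chunk per stripe."""
    per_stripe = (n_disks - 1) * chunk
    data += bytes(-len(data) % per_stripe)           # zero-pad the last stripe
    disks = [bytearray() for _ in range(n_disks)]
    for stripe in range(len(data) // per_stripe):
        base = stripe * per_stripe
        chunks = [data[base + i * chunk: base + (i + 1) * chunk]
                  for i in range(n_disks - 1)]
        remaining = iter(chunks)
        for d in range(n_disks):
            is_parity = d == parity_disk(stripe, n_disks)
            disks[d] += xor_blocks(chunks) if is_parity else next(remaining)
    return [bytes(d) for d in disks]


def rebuild_missing(disks):
    """Regenerate a single missing member (None) as the XOR of the survivors."""
    missing = [i for i, d in enumerate(disks) if d is None]
    if len(missing) > 1:
        raise ValueError(f"{len(missing)} members missing; parity covers only one")
    disks = list(disks)
    if missing:
        disks[missing[0]] = xor_blocks([d for d in disks if d is not None])
    return disks


def read_array(disks, chunk, length):
    """Reassemble the data by skipping the parity chunk of every stripe."""
    n, out = len(disks), bytearray()
    for stripe in range(len(disks[0]) // chunk):
        for d in range(n):
            if d != parity_disk(stripe, n):
                out += disks[d][stripe * chunk:(stripe + 1) * chunk]
    return bytes(out[:length])


# Constructed sample payload striped over four members with 8-byte chunks.
DATA = b"constructed sample payload for the RAID 5 demo " * 3

if __name__ == "__main__":
    members = build_raid5(DATA, n_disks=4, chunk=8)
    degraded = [m if i != 2 else None for i, m in enumerate(members)]
    rebuilt = rebuild_missing(degraded)
    print("member 2 regenerated:", rebuilt[2] == members[2])
    print("data intact:", read_array(rebuilt, 8, len(DATA)) == DATA)
```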

18. What is the easiest way to recover a RAID 5 array if it fails?

On the surface this question doesn’t make much sense because the problem is so diverse. What the interviewer is looking for here is the thought process that you might follow if you were troubleshooting a fault like this.

There are no set methods for performing a specific set of recovery operations for any given scenario, but there are some universal principles that apply to data recovery when RAID arrays are involved. The first step is to shut down the server and power down the drives until you can ascertain the level of damage that has occurred. Each drive must be labelled according to the drive bay that it was installed into, for later analysis and array reconstruction. You can also explain the troubleshooting process and how you would determine the exact fault: it could be the RAID controller, it could be multiple drives, it could even be a fault on the server that the RAID array is connected to. All of these factors would determine the approach that would be taken to repair the issue, and each would have its own varying degrees of difficulty.

19. What is the best way to deal with data loss?

The best way to deal with data loss is to avoid it entirely. Backups are essential for all businesses, no matter how big or small they are.

20. What are some of your favorite things about data recovery?

This is a little too specific to give an answer that will resonate with every interviewer, but think about the things that you enjoy about this line of work: the technical challenges, the feeling of accomplishment after recovering data that was said to be irretrievable, the continuous learning curve that comes with each new technology and any other positives that you can think of from your own personal experience.

Level 3 — Senior data recovery engineer

At this level of data recovery job roles, there are many additional technical and procedural questions that you may be asked. A senior data recovery engineer is the star player on the team and will be called on when other methods have not worked or a custom solution for recovering data needs to be created. This might involve writing special tools for recovering data or creating a hardware solution to obtain data from a damaged device.  

There are also less dramatic duties that such a role requires from the individual, such as coordinating junior techs, mentoring, assisting with internal training and helping with the creation of procedures and operational guides for specific recovery scenarios. There might also be some managerial skills required of you, depending on the size and structure of the organization. All of these factors could determine what questions are asked of you in the interview, so these practice examples should help when you are preparing for a big interview.

21. Is data from a crypto-ransomware infection recoverable?

There are many different variants of crypto-ransomware out there and each one has its own modus operandi. Having said that, you should show the interviewer not only your understanding of the process that ransomware uses when encrypting your data, but also your understanding of the potential fixes for some of the most common forms of ransomware.

The truth is that it is truly dependent on the details of each individual case. These include the variant of the malware infection, the encryption that it uses and what steps have already been tried prior to the drive coming in for assessment. If the crypto-strain has a known cipher that has been used to break the encryption, then the process is relatively straightforward. If, however, the strain has not been successfully decrypted, then the chances of recovery are not good at all.

22. What are some of the most advanced data recovery cases that you have worked on?

This is a great question for you to show what experience you have out in the field. Think about the toughest data recovery tasks that you have had to either perform or assist with in the past. This must be your own experience, so try not to embellish on what you have actually done unless you have physically completed the work yourself.

23. What are some of the encryption technologies that you are familiar with?

A senior data recovery engineer will be familiar with most, if not all, proprietary hard-drive encryption technologies for both enterprise- and consumer-grade storage devices. Obviously, you can’t possibly know them all, but the most commonly sought-after skills from people in senior data recovery roles are: SafeBoot, PGP, Pointsec, BitLocker and TrueCrypt.

Be sure that you have a working knowledge of these technologies, as you will probably be asked to elaborate on them and explain how you have interacted with them.   

24. What databases have you recovered and worked with?

This line of questioning is good because it shows your knowledge of both data recovery and SQL. While you won’t need to have DBA experience, a working knowledge of database queries would definitely be an advantage. Speak about MSSQL, Oracle or any other DB technologies that you have worked with, as well as the tools that are necessary to help recover lost data from a database. Data recovery isn’t only necessary when hardware failures occur; sometimes a stray query can drop a database. Specialized database recovery tools and software can sometimes help get this data back if it has not been overwritten.

25. What are some of the biggest mistakes that you have made when performing a data recovery? How did you learn from them?

You are bound to come across this question sooner or later, and if you do, then you are actually doing quite well in the interview. Sometimes the interviewer will only ask this question if they are happy with your answers so far and are looking to get to know you a bit better. They are specifically looking for problem ownership and how well you deal with potential failures.

If you are able to, relate a story about how you made a mistake and recovered from it while taking responsibility at the same time. By doing this, you are already going to be a better candidate than somebody that replies by telling the interviewer that they have never made a mistake ever in their career, and that any issues are normally somebody else’s fault. Those kinds of responses normally set off alarm bells for interviewers, so be mindful of that.

Have an example or two ready that you are comfortable with sharing in the interview before you attend. This question can catch a person off guard in the interview, and the last thing you want to do is overshare or say that you don’t think that you have ever made a mistake.

26. In NTFS file systems, what is an orphan file as it relates to data recovery?

These types of questions are important for technical interviews, as they show your experience and theoretical knowledge of how NTFS handles data corruption when a drive fails.

An orphan file is a file that doesn’t have a parent folder anymore. This happens because the file no longer has any references for where it belongs. A classic example of this is when you see a folder with an identical name sitting in a directory. Usually this would not be possible as the system would have merged or overwritten such a folder, but because the MFT information has been deleted or corrupted, this is now a problem.

27. What are sparse files?

NTFS treats files differently to save space. It will allocate disk clusters only to data that has been explicitly referred to by the application, and it will return this data exactly in the same way that it was stored. This can be thought of as a form of compression, as it finds all of the zeros within the data and removes them. When this data is restored, it then adds those zeros back.

28. Do you have a preference between hardware repair-focused recoveries or software recovery solutions?

It is okay to have a preference, but at this level of the game you should be comfortable with both aspects of the job. Just bear in mind that the role that you are applying for might have a focus on either one of these areas or possibly both. That means that your answer should not make you look weak in one of the areas in favor of the other, unless it will help you to win over the interviewer and land the job.

Your experience will vary depending on how much you have worked with software or hardware on your way to becoming a senior data recovery engineer, but the odds are pretty good that you would have an almost 50/50 split between the two. This means that you are probably just as comfortable soldering a PCB as you are with writing custom software tools for recovering data.  

29. What are some of the strengths that you think you would bring to the team?

As a senior data recovery engineer, you already know that your skills and knowledge coupled with years of experience will benefit the team from a technical perspective. Mention how well you work with a team, and that you are always looking to learn new things and upskill.

Mention how you are always researching new techniques and methods for data recovery as technologies change and become more advanced and difficult to work on. This shows that you not only possess all of the technical skills and abilities for the role, but it also demonstrates your willingness to continue learning while bringing value to the organization with new methods of recovery, as well as additional techniques.

30. Are you able to delegate tasks or do you prefer to get involved with all aspects of a recovery?

This is quite an important question, and there are a few reasons for this. Even though you have the skills and knowledge to perform most, if not all repairs and recoveries that will come through the door, you might not always be the best person to do them. There are certain jobs that should be handled by junior techs and supervised by yourself, while there are some jobs that a more intermediate team member should be able to carry out.

Your time and skills are valuable to the company, so being able to delegate tasks to other members of the team will not only help to add value to the company but will also show that you have the right characteristics to evolve into a managerial candidate or team lead if that is something that you are looking for. You also don’t want to come across as somebody that hardly does any physical work yourself, so make sure that you balance your answer out to match your own experience.

Conclusion

No matter how many interviews you have, there is probably always going to be an element of excitement and nervousness that inevitably results in you having butterflies in the stomach. It is completely normal and is usually a good sign because it means that you are taking it seriously enough to possibly nail the interview and walk away with a great new job.

Remember that the more questions you practice with, the more chance you have of carrying yourself confidently in the interview. There are many more questions that you can practice with than these thirty examples! We recommend that you take a look at Skillset.com, which has more than a hundred thousand practice questions related to various certifications. The list of cert-related questions is vast, with PMP, CISSP, CEH, CHFI, Network+ and Security+ being just a few examples of what you can expect to find before your next big interview.

Stay focused, relax, and good luck!



Graeme Messina

Graeme is an IT professional with a special interest in computer forensics and computer security. When not building networks and researching the latest developments in network security, he can be found writing technical articles and blog posts at InfoSec Resources and elsewhere.