±Forensic Focus Partners
New Today: 0
New Yesterday: 0
±Follow Forensic Focus
· Extracting data from dump of mobile devices running Android operating system
· Development of Digital Forensic Tools on Mobile Device, a Potential Area to Consider?
· Can You Get That License Plate?
· How To Decrypt WeChat EnMicroMsg.db Database?
· A guide to RegRipper and the art of timeline building
· Recovering Evidence from SSD Drives in 2014: Understanding TRIM, Garbage Collection and Exclusions
· FT Cyber Security Summit 2014 – Recap
· Why Offender Profiling is Changing Thanks to Mobile Forensics and Increasingly ‘Social’ Criminal Activity
· Understanding Cyber Bullying – Notes for Digital Forensics Examiners
ReviewsBack to top Back to main Skip to menu
Scott Moulton’s “5-Day Data Recovery Expert Certification” Course
Just about every individual who is immersed in the Information Technology field has either personally experienced it, or knows someone who has: The hard drive “click of death”. For most, this sound is the start of a downward spiral of doom and depression and eventually a large bill from a data recovery company. For some, however, this is the beginning of a new field of interest in technology. There is only one problem: The field of hard drive data recovery is one that is still shrouded in secrecy and misinformation. How can someone break into an industry where advice is doled out in hushed tones and newcomers are shunned and told to seek professional (read:$$$) help?
Scott Moulton has been trying to change that, and is one of the few individuals teaching a vendor-neutral data recovery class to the public. I attended one of Scott’s 5 day training classes in 2009, and have kept up with him as the course has grown. In an effort to assist other individuals in deciding if this course is worth taking, I opted to write this review. Please note that while my personal attendance of the course was in 2009, I routinely volunteer to assist in these courses (for free) when they come to my geographic area of Washington DC, so this information is current as of May of 2011. Also, while the term “hard drive” has now become the catch-all term, the course material covers recovery of both traditional mechanical hard drives and touches on the latest recovery technologies for flash based devices like USB thumb drives and Solid-State Drives (SSD).
This class is appropriate for any individuals who have a solid understanding of computer forensics and filesystems and want to take their knowledge to the next level in terms of understanding exactly how data is stored on the drive, how the device works, and how it can be recovered when conventional imaging techniques fail. This was my primary reason for attending the course. The class is also appropriate for any individual who wants to approach data recovery as a means to expand their computer-support business and wants to add DR (data recovery) as an additional service.
In the world of DR, recoveries can be grouped into two different types, logical and physical. In a logical recovery, the fault lies somewhere within the filesystem and therefore can usually be solved with software tools, but which one? The course covers a myriad of software tools and under which instances each tool excels over the other. I felt that this research and advice into software data recovery software tools alone had likely saved me months of research and lab testing.
In a physical recovery, the fault lies somewhere within the physical structure of the drive (circuit board failures, broken read/write heads, etc). To that end, students in the class are taught the various parts of a drive, how they work, and an entire day is devoted to putting data on a hard drive, physically disassembling the drive (both desktop and laptop drives), re-assembly and attempting to read the data. Both 3.5 inch (desktop) and 2.5 inch (laptop) drives are used for this lab. Mr. Moulton also covers the various hardware-based DR tools from a variety of vendors and brings a large number of these tools to the class and demonstrates and lectures on their uses and features as well.
There have been several improvements to both the course material and the in-class labs over the years. For one, the size of the course manual has grown three-fold, an improvement that can only speak to the instructor’s dedication at updating the material, especially since the original manual was already almost 2 inches thick. What you receive now is nothing short of an encyclopedia volume in terms of size and information. The second improvement has been the addition of the “DeepSpar Disk Imager” or “DDI” to the physical recovery labs in the class. The DDI is a hardware device that is designed to copy data from a hard drive using a variety of reading methods. The abilities and features of the DDI warrant its own review, but suffice to say it is a specialized piece of data recovery hardware designed to read and image information from repaired and failing drives that costs roughly $5,000 USD. In 2009, the DDI was part of a lecture-lab where its features were demonstrated to the class. Today’s class includes a hands-on lab and a DDI for every 2 students, and depending on class size, sometimes every student.
Unlike other courses I have attended which contained a sizeable portion of marketing material and other “filler”, I found this course to be full of useful information and I found myself taking many notes on the variety of topics covered. In an effort to maximize the amount of time each student is in class, Mr. Moulton provides his students with drinks and snacks and feeds them lunch as part of the class. He also speaks very quickly and freely admits he does this both to make sure he can cover all the material and because it is his natural speaking style. I only found myself asking him to slow down and repeat himself twice during the entire week, and both times were due to the concepts being presented and needing just a few more seconds to process and understand the information. Class days also start early in the morning (8:30am) and can run to 6pm in the evening depending on the number of questions and how long students take to finish the labs. Mr. Moulton’s dedication to his students during the course can only be described as “above and beyond” as he historically invites anyone in the class to join him for dinner at least once or twice during the week. This gives anyone in the class the opportunity to get some additional one-on-one time with the instructor and ask any questions that s/he may not have felt comfortable asking in the classroom.
At the end of the course, students are provided with login instructions for taking an online exam through an independent testing agency. If passed, the exam grants the student the qualification of “Certified Data Recovery Expert” or “CDRE”.
Post-course support is available through a variety of means. During the course, Mr. Moulton provides his students with a URL where he routinely posts updated class material. These updates are provided free of charge. Also, in order to foster discussion and create a community of DR professionals, there is a mailing list powered by Google Groups where people post their challenges and success stories. Almost all questions asked are answered by someone in the group and Mr. Moulton routinely participates. Mr. Moulton also has over 100 hours of videos online via YouTube wherein he posts all his talks and presentations at the various security conferences in which he participates. Lastly if you are really stuck, you can email the instructor directly and he will do his best to reply to you.
While there are other courses out there, it was interesting to learn that Mr. Moulton also wrote the DR course taught by the SANS institute as well as the DR course offered through the “InfoSec Instititute”, but only the SANS and courses offered through his own company have been kept regularly updated.
Overall I found the course to be very well organized and Mr. Moulton is clearly a dedicated professional in his field. For those individuals looking to get more information on these classes, updated information can be found at http://www.myharddrivedied.com/data-recovery-training
For those looking to see some of the videos provided by Mr. Moulton on DR and hard drive repair: http://www.youtube.com/user/SuperFlyFlippingA
For more information on the DeepSpar Disk Imager (DDI): http://www.deepspar.com/products-ds-disk-imager.html
This review can be discussed here.
Karlo Arozqueta, CISSP, EnCE, CDRE is a Senior Incident Responder by day, in charge of overseeing a 24/7 team of Incident Responders and Network Traffic Analysts. By night he runs Vicious Data Recovery Services LLC and sometimes he even gets to see the other people who live in his house (pretty sure he's married to one and related by blood to the other). In his free time he tries to sleep. You can follow him on Twitter @ViciousData, or drop him a note through the contact form at www.viciousdata.com