Recovering unrecoverable data - the need for drive-independent data recovery
When a hard disk drive containing valuable data no longer responds, the user's last hope is to send the drive to a data recovery company that specializes in drive hardware failures. There is a general perception that data recovery companies have "magic machines" for retrieving data in almost any situation. The reality is less glamorous. The most sophisticated, commercially successful recovery techniques involve careful part-replacement, in a cleanroom environment, of the heads, the spindle motor and base casting, the electronics board, and/or the drive's firmware and parameter tables. Part-replacement has historically been successful for data recovery about 40 to 60% of the time. Claimed data recovery success rates are much higher. While they may, in fact, approach 100% for some drive models, for other models and failure modes the success rate is near zero. Drive-independent data recovery methods are needed now to read these drives. Furthermore, as the data density of hard disk drives continues to increase, the number of unrecoverable drives is expected to grow.
In the field, a drive may acquire defects due to corrosion, handling, or other causes. These are typically identified in a table of exceptions (sometimes called the P-list and the G-list, for primary defects and grown defects, respectively). This table, the table of parameters, and the firmware are typically stored on the disk itself in the outermost tracks. These tracks are referred to as the system area, maintenance tracks, diskware, negative cylinders, etc. However, some drive models store the table in non-volatile memory on the printed circuit board. Clearly this table of exceptions is uniquely linked to the media in a particular drive. The table for one drive will not, in general, be the same for the media from another drive.
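Why a table of exceptions cannot be borrowed from another drive, shown as an added example (not from the original article). It assumes a simplified model that is not any vendor's firmware: P-list sectors are skipped ("slipped") when logical addresses are assigned, and G-list sectors are remapped to a spare area. All names and sample values are constructed.

```python
def build_translator(p_list, g_list, spare_start):
    """Return a function mapping a logical block address (LBA) to a
    physical sector for one drive, under the simplified model above."""
    p_sorted = sorted(set(p_list))
    # Each grown defect is redirected to the next free spare sector.
    remap = {bad: spare_start + i
             for i, bad in enumerate(sorted(set(g_list)))}

    def lba_to_physical(lba):
        phys = lba
        # Slip past every primary defect at or below the running position.
        for bad in p_sorted:
            if bad <= phys:
                phys += 1
            else:
                break
        # A grown defect at that position is served from the spare area.
        return remap.get(phys, phys)

    return lba_to_physical


def misread_lbas(patient, donor, n_lbas):
    """LBAs that the donor's table would fetch from the wrong sector
    when it is used to read the patient drive's media."""
    return [lba for lba in range(n_lbas) if patient(lba) != donor(lba)]


# Constructed sample tables for two drives of the same model.
patient = build_translator(p_list=[3, 4, 10], g_list=[7], spare_start=1000)
donor = build_translator(p_list=[6], g_list=[], spare_start=1000)

if __name__ == "__main__":
    for lba in range(12):
        print(lba, patient(lba), donor(lba))
    print("misread with donor table:", misread_lbas(patient, donor, 12))
```

In this model every LBA from the first differing defect onward resolves to a different physical sector, so the failure is not limited to the defective sectors themselves.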
Inside a modern HDD, a user's data is encoded about 5 times before being written to the disk. This is done to 1) ensure no incorrect data is provided to the user, 2) correct as many of the errors that may occur in detection as possible, and 3) improve the quality of detection by improving timing recovery and by mitigating the effects of certain error-prone patterns. Because of these levels of encoding, the user's data itself is not written to the disk. Instead, it is the encoded user data that is stored. Even if a tool such as PRMLpro™ is used to recover the data, it is actually detecting the encoded data. To yield useful information that can be reassembled into files, the various encoding steps must be decoded.
In a failed hard disk drive, the disk surface may or may not be damaged. If the disk is not physically damaged, the user's data is still there, unless it has been overwritten. If the disk is physically damaged, there is no data left wherever the magnetic material of the disk has been removed. The magnetic layer that contains the data is only about a microinch thick, so any scratch is likely to have completely removed the magnetic material in that area. The heads do not scratch the disk in normal operation because they are actually flying over the surface, although the flight is at a spacing of less than 1 microinch! If the disk is bent so that the heads can no longer fly, there is no documented method for commercially viable recovery.
The most advanced, commercially viable technique for recovering data from a hardware-failed disk drive is careful replacement of the failed parts. If the part to be replaced is inside the head/disk assembly (HDA), the replacement should be performed in a clean environment. Remember that the head must fly about a microinch above the surface of the disk, so a greasy fingerprint or a stuck particle can cause the repaired drive to crash. This is likely to result in even more damage to the data on the disk. For part-replacement to be successful, spare parts must be available for the specific drive. Drive companies and their component suppliers do not supply spare parts. The parts must come from new donor drives of the same type. However, the tight matching of the head with the disk and the hyper-tuning of the system parameters mean that it is less likely that a similar drive's parts will work. The parts must come from the same drive model.