by Charles H. Sobey, Chief Scientist of ChannelScience

[Note from Jamie Morris, Forensic Focus - In February 2005 Nick Majors of ActionFront Data Recovery Labs Inc. happened to post a link in the Forensic Focus forums to a whitepaper commissioned by his company in April last year. With his kind permission I have reproduced a number of sections of this whitepaper below which I think will be of particular interest to our membership. I would encourage anyone interested in data recovery issues to read the entire paper at http://www.actionfront.com/ts_whitepaper.asp, it's very well written and covers a lot of ground, including details of ActionFront's SignalTraceâ„¢ technology.]

When a hard disk drive containing valuable data no longer responds, the user's last hope is to send the drive to a data recovery company that specializes in drive hardware failures. There is a general perception that data recovery companies have "magic machines" for retrieving data in almost any situation. The reality is less glamorous. The most sophisticated, commercially successful recovery techniques involve careful part-replacement, in a cleanroom environment, of the heads, the spindle motor and base casting, the electronics board, and/or the drive's firmware and parameter tables. Part-replacement has historically been successful for data recovery about 40 to 60% of the time. Claimed data recovery success rates are much higher. While they may, in fact, approach 100% for some drive models, for other models and failure modes the success rate is near zero. Drive-independent data recovery methods are needed now to read these drives. Furthermore, as the data density of hard disk drives continues to increase the number of unrecoverable drives is expected to grow.

The reason for this lack of successful recovery can be traced to the methods drive manufacturers must employ to achieve both high data density and high production yields. Specifically, current drives are hyper-tuned in the factory to optimize the performance of each section of each hard disk drive. The data format, head, disk, electronics, and firmware parameters are all optimized together. This means that it is less likely that a head stack or electronics board or parameter tables from one drive even of the same model will work well when used as a replacement in a failed drive. When drives cost thousands of dollars, drive repair was a lower priced alternative to purchasing a new HDD. Today, the most economical option for dealing with a malfunctioning drive is to replace it with a new one. For criminal investigations requiring data forensic analysis, there is no substitute for the drive in question. It must yield its information even if it has been intentionally destroyed.

In the field, a drive may acquire defects due to corrosion, handling, or other causes. These are typically identified in a table of exceptions (sometimes called the P-list and the G-list, for primary defects and grown defects, respectively). This table, the table of parameters, and the firmware are typically stored on the disk itself in the outermost tracks. These tracks are referred to as the system area, maintenance tracks, diskware, negative cylinders, etc. However, some drive models store the table in non-volatile memory on the printed circuit board. Clearly this table of exceptions is uniquely linked to the media in a particular drive. The table for one drive will not, in general, be the same for the media from another drive.

Inside a modern HDD, a user's data is encoded about 5 times before being written to the disk. This is done to 1) Ensure no incorrect data is provided to the user, 2) Correct as many errors that may occur in detection as possible, and 3) Improve the quality of detection by improving timing recovery and by mitigating the effects of certain error-prone patterns. Because of these levels of encoding, the user's data itself is not written to the disk. Instead it is the encoded user data that is stored. Even if a tool such as PRMLproTM is used to recover the data, it is actually detecting the encoded data. To yield useful information that can be reassembled into files, the various encoding steps must be decoded.

In a failed hard disk drive, the disk surface may or may not be damaged. If the disk is not physically damaged, the user's data is still there, unless it has been overwritten. If the disk is physically damaged, there is no data left wherever the magnetic material of the disk is removed. The magnetic layer that contains the data is only about a microinch thick. So any scratch is likely to have completely removed the magnetic material in that area. The heads do not scratch the disk in normal operation because they are actually flying over the surface although the flight is at a spacing of less than 1 microinch! If the disk is bent so that the heads can no longer fly, there is no documented method for commercially viable recovery.

The most advanced, commercially viable technique for recovering data from a hardware-failed disk drive is careful replacement of the failed parts. If the part to be replaced in inside the head/disk assembly (HDA), the replacement should be performed in a clean environment. Remember that the head must fly about a microinch above the surface of the disk, so a greasy fingerprint or a stuck particle can cause the repaired drive to crash. This is likely to result in even more damage to the data on the disk. For part-replacement to be successful, spare parts must be available for the specific drive. Drive companies and their component suppliers do not supply spare parts. The parts must come from new donor drives of the same type. However, the tight matching of the head with the disk and the hyper-tuning of the system parameters means that it is less likely that a similar drive's parts will work. The parts must come from the same drive model.