±Forensic Focus Partners

Become an advertising partner

±Your Account


Username
Password

Forgotten password/username?

Site Members:

New Today: 0 Overall: 35144
New Yesterday: 1 Visitors: 150

±Follow Forensic Focus

Forensic Focus Facebook PageForensic Focus on TwitterForensic Focus LinkedIn GroupForensic Focus YouTube Channel

RSS feeds: News Forums Articles

±Latest Articles

±Latest Webinars

Reading disk areas backwards - does it help?

Computer forensics discussion. Please ensure that your post is not better suited to one of the forums below (if it is, please post it there instead!)
Reply to topicReply to topic Printer Friendly Page
Forum FAQSearchView unanswered posts
 
  

Reading disk areas backwards - does it help?

Post Posted: Sun Jul 28, 2013 6:33 pm

I often read that reading a disk backwards gives good results - eg a quote from jaclaz "Such data recovery imaging tools have the capability of attempting reading areas "backwards" which often gives good results".

I want to understand this as I think the reason is different.

In my experience of imaging 'failing disks' it is very common for the main working area to be failing more than other areas. On a Mac disk, it is common for sector 0x6402a to have failed, along with a lot of the Cat area after this sector. However, the end of the disk can be in good shape. Similar results with NTFS, problems around 0x60003F or 0x60800, start of $MFT, while the end of the disk is OK.

I therefore sometimes image the end first, and work back to the problem areas. (I incrementally build up a DD image file).

If I imaged the disk backwards, this would have the same effect, but simply because I would hit the good areas first, and then the problem areas.

OR

Does imaging backwards actually help with reading problem sectors?

With my software, when I hit a problem sector, I set the software to read a single sector at a time, rather than maybe 64K at a time. I also allow skipping of sectors after a number of errors.


Am I missing a trick by only reading forwards, or does reading backwards actually recover sectors that reading forwards will not read?
_________________
Michael Cotgrove
www.cnwrecovery.com
www.goprorecovery.co.uk 

mscotgrove
Senior Member
 
 
  

Re: Reading disk areas backwards - does it help?

Post Posted: Mon Jul 29, 2013 1:59 am

You dont mention what software you are using. i am familiar with how X-Ways does reverse imaging, so ill speak to that a bit.

i believe reading backwards, at least with X-Ways, disables CRC checks and whatnot when reading sectors

from the X-Ways manual:

In conjunction with simultaneous I/O you may also have WinHex copy the sectors of a disk in reverse direction, backwards from the end of the source disk. Useful if the source disk has severe physical defects that for example cause a disk imaging program or your entire computer to freeze or crash when reaching a certain sector. In such a case you can additionally create an image in reverse order, by reading sectors from the disk backwards one by one, or better, you can even automatically complete an existing incomplete unsegmented conventional ("forward") raw image from the rear end to get an image that is as complete as possible, filled from both ends, with ideally only a small zeroed gap in the middle that represents the unreadable damaged spot on the source hard disk. For that you simply select an incomplete raw image file that you already have as a destination file, and you will be asked whether you wish to complete it instead of overwrite. WinHex will do the rest, e.g. allocate the missing sectors in the image file (zeroed out) so that it has the complete size of the source disk and then fill the file backwards as much as possible. Be sure to create reverse images on NTFS volumes, not FAT32. The source start sector to specify for reverse imaging is the same as for conventional forward images, i.e. usually 0 when imaging a complete hard disk.


so in general thats the idea with reverse imaging.

i know X-ways does some different things when it comes to imaging disks in general and it is one of, if not the only, tool out there that does reverse imaging automatically  

EricZimmerman
Senior Member
 
 
  

Re: Reading disk areas backwards - does it help?

Post Posted: Mon Jul 29, 2013 7:15 am

We were reading disks backwards 20 years ago for DR purposes. The main benefits were

* skipping damage at the beginning of a failing disk - i.e. getting all the good sectors before going for the bad ones and potentially causing damage to the read write heads. Our tools allowed us to take images of multiple portions of the disk and then patch them together.

* reading a disk with faulty logic backwards also had the advantage of effectively flushing the read ahead cache. i.e. if you do a single sector read of sector 100 then the disk logic would cache subsequent sectors, potentially with dodgy data (on a drive with failing cache logic), if you followed this read with a read of a lower numbered sector the cache would be cleared. This did mean reading disks a sector at a time which could take many days. Not sure how useful/sucessful this would be on a modern drive.
_________________
Paul Sanderson
SQLite Forensics Book
www.amazon.com/SQLite-...entries*=0

Forensic Toolkit for SQLite
sandersonforensics.com...for-SQLite 

PaulSanderson
Senior Member
 
 
  

Re: Reading disk areas backwards - does it help?

Post Posted: Mon Jul 29, 2013 9:53 am

As far as I understand the theory, BOTH the effects talked about happen.

I would add that for some forms of hardware issues with the heads arm (stickyness or however issues in the actual bearing of the arm or with the coil actuator) may possibly being mitigated by moving it "the other way".

Once set apart theory, in practice and in several occasions, I have managed to recover data from areas that I was not able to read "in the normal direction" by imaging/copying them "backwards".

If you prefer a same area of the disk was not readable "forward" but it was readable "backwards".

One of the tools I mentioned on the originally quoted (but unreferenced) post:
www.forensicfocus.com/...3/#6568343
the dd_rescue:
www.garloff.de/kurt/linux/ddrescue/
includes a script called dd_rhelp:
www.kalysto.org/utilit...ex.en.html
which explains in detail the "theory of operation" in the hope to gather the most Data.

"Plain" disk imagers tend to be written in the hypothesis that the "source" drive is "fully operational" and tend (not all of course) to "bang" over and over on bad sectors, attempting to read them, which is NOT a good thing for two reasons (IMHO):
  1. attempt after attempt the disk heats up noticeably
  2. if the bad sector area is originated by a head crash there is - at last in theory - the risk that "insisting" on it the heads get damaged (or more damaged than what they already are)

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

jaclaz
Senior Member
 
 
  

Re: Reading disk areas backwards - does it help?

Post Posted: Mon Jul 29, 2013 10:11 am

The issue re coil actuators moving a different way is probably not relevant as a modern drive has embedded servo so the heads 'know' where they are.

Re the heating up issue - this is probably due to hysteresis as the drive logic causes the heads to recalibrate (by seeking to track 0 - you can usually hear this on a failing drive) after x failed reads.
_________________
Paul Sanderson
SQLite Forensics Book
www.amazon.com/SQLite-...entries*=0

Forensic Toolkit for SQLite
sandersonforensics.com...for-SQLite 

PaulSanderson
Senior Member
 
 
  

Re: Reading disk areas backwards - does it help?

Post Posted: Mon Jul 29, 2013 11:29 am

- PaulSanderson
The issue re coil actuators moving a different way is probably not relevant as a modern drive has embedded servo so the heads 'know' where they are.

Yes, but at least in theory it is possible that the head will *somehow* get "there" more "exactly".
Only seemingly OT, but until a few years ago the usage of high precision measuring instruments (such as theodolites):
en.wikipedia.org/wiki/Theodolite
implied (when higher precision of measurement was required) to do what in Italian is called "giri di strumento", cannot say the exact English translation, it would be equivalent to "instrument turns", you (besides doing the "normal" 180° "reverse" reading) turned the instrument 360° two times, approaching the needed angle (or targeting the actual reference) once "from the left" and "from the right" in order to correct the (possible) "collimation error", due to (very minimal) possible differences in the way you "approach" the desired position.

The same mechanical principle may apply to a pivoting heads arm.

- PaulSanderson

Re the heating up issue - this is probably due to hysteresis as the drive logic causes the heads to recalibrate (by seeking to track 0 - you can usually hear this on a failing drive) after x failed reads.

Not only Shocked , as I see it, if we take as "general reference" some 3 hours to image a 500 Gb hard disk (perfectly functional) we are essentially "stress testing" it for continuously reads for 3 hours.
This cannot be considered "normal" activity for a hard disk, that in the same three hours of use may sleep a bit, read some data, write some other, run idle a bit (before going to sleep), etc., I would define it "intensive" activity.

What happens with a "dumb" imaging program that will insist on the same area over and over (and still read not properly the data)?
The same "stress test" will be prolonged for several hours or days, which is not a good thing as it makes more probable that *something* may fail (of course it greatly depends on the nature of the "initial" reason for the bad area(s), but still) it makes more sense to stress the least the poor little thing and though there is not a definite correlation between (over) heating and disk failures the available data suggest that to be on a "safer" side it is better if the disk is kept within a not-to-hot and not-too-cold temperature range.

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

jaclaz
Senior Member
 
 

Page 1 of 1