First to introduce myself…
I have a love for computers in general. I went to possibly the worst school ever (ITT - Tech) but i gained my associates in Computer Network Systems there. As of right now i work desktop support for a company, im going through the MCSE and CCNA tracks to gain my certifications in those. My main passion how ever is in information security. Any aspect of InfoSec just keeps me curious and wanting to learn more. Computer Forensics has always been a intrest to me how ever i know little about it atm. Thus why im here… to learn! =)
onto the questions shall we?
This may or may not be able to be answered but we'll see. So i've always wondered how you can get a dead, or broken hd and still get data off of it? I can understand if its been formatted, or erased. But how do data recovery firms do it? How can they take a hard drive thats been physically damaged and still pull data off of it? This is what i would like to dive head first into.
I see alot of you use vmware as to not disturb your desktop, is there a reason vmware and not any other virtual machine such as say microsofts virtual pc?
Thanks in advance for any responses.
Personally, I find that VMWare is just a lot more responsive and easier/nicer to use than Microsoft's offering - that and I run Mac, Windows and Linux hosts - so transitioning a VM is much easier if you can use all the same -)
I've used MS, VMWare and Parallels quite a lot, and I honestly think that the VMWare solution is the best …
There are people here who are better qualified than me to answer the first part, but I think that you'll find that some go the the lengths of disassembling the damaged drive, and rebuilding it with functional components in a clean room environment.
Well done on your studies - keep at it -)
Wow thanks for such a quick response!!! And thank you. As i always tell people if it wasnt for computers i'd be about as dumb and useless as a rock hehe =p
As to the dead HD question, it depends on why it died. In some cases, the PCB is bad and can be replaced. The hardest cases is when the platters have to be moved to a new drive/head assembly. Requires a clean room and $$$. Many cases, the drive spins up OK and software is able to recover data with minimal trouble.
What if the platters themselfs are damaged? Would the hard drive then just be considered FUBAR or are there still ways to salvage something from damaged platters?
By damaged platters i mean cracked, chipped, slightly burnt, pretty much anything other than a shattered platter.
Again i appriciate such fast responses!!
I think, that so long as they can be made to spin, then data will be recoverable from the areas that are readable.
In a highly scientific lab, you could go as far a looking under an electron microscope, even at a shattered platter - however the more complex the recovery the more expensive it will be, and you had better _really_ need the data if you are willing to spend _that_ much 😉
It isn't the world's most reliable source of information, but this http//
Alright it seems at this point i have enough information to start playing with some new stuff =)
I have so many old hard drives, wiped hard drives, bad hard drives. Im sure i can get plenty of practice.
Now as far as software goes. From what i've gathered it seems its mostly preference and skill level? For somebody just beginning and learning. What would be the most user friendly of the software sets? Encase seemed a bit intimidating after reading up on it. Norton Ghost im familar with but im sure thats really low end. What would you guys suggest for something moderatly good but some what user friend?
Ah … You are running into a few issues here …
EnCase and FTK are flipping expensive - these aren't really good "starter" tools - although if you hang around long enough - you'll get there …
Ghost is useless, throw it away now. It only looks at files that it can see, it won't bother with unallocated things at all.
For analysis WinHex is pretty good, and also has a freely downloadable version.
You can get the FTK Imager from the FTK website to make disk images with, or you can have a go with dd.
Google should help you find them all -)
Have a look at the SleuthKit and Autopsy as well …
😉
… And take a look at the TestDisk - PhotoRec combo of apps.