
Resources for Data Recovery?

(@mrpeabody)
Active Member
Joined: 14 years ago
Posts: 10
Topic starter  

Hello,

I'm considering taking the leap into CF, but one of the things that interests me more than, say, going up in front of a jury, is the actual data recovery process itself. So I'm on the fence about whether to do data recovery work as a way into CF (or perhaps instead of CF).

Trouble is, I CANNOT find any resources online for straight data recovery at all, whether it's webboards like this one, textbooks on Amazon (they have nothing of substance that I could find), training classes, etc. All I found was a cert class from Infosec. Not sure I'd qualify to take it just yet.

Would one of you know of any resources like these online purely for data recovery work?

Thanks in advance,
MrP


   
sideshow018
(@sideshow018)
Trusted Member
Joined: 19 years ago
Posts: 84
 

e-evidence.info is a good place to start. From there you will find white papers from some of the best CF experts around the world, links for other sites, listing of books, etc. From there, dig deeper for books at syngress.com and Amazon; there are books out there from the same authors found on e-evidence. Best of luck with your endeavors. Bob


   
(@dficsi)
Reputable Member
Joined: 19 years ago
Posts: 283
 

Sadly the data recovery field is a lot more closed than forensics. We are quite open about what we find and how to achieve certain goals. If you look on forums such as HDDGuru.com you'll find that people will share limited information but hardly ever give you the answers.

I think your best bet is to buy PC-3000 and find somewhere that does a training course on that.

Alternatively you could find out when/where Scott Moulton is doing his next training over at myharddrivedied.com. Scott also has a few presentations and videos that might be worth your time.


   
(@mrpeabody)
Active Member
Joined: 14 years ago
Posts: 10
Topic starter  

Thanks very much guys. The Scott Moulton stuff was exactly what I was looking for, but had not heard about him before. I'll be checking out the other links as well.


   
(@mscotgrove)
Prominent Member
Joined: 17 years ago
Posts: 940
 

Data recovery is largely in two sections:

1) Physically reading data from damaged or dead drives

2) Recovering files from corrupted, deleted, or, as in case 1 above, partial images of disks.

PC-3000 is really a tool to help extract data from disk drives that have damaged firmware. It is probably one of the best tools for this, but my 'wild' guess is that this is only 10% of data recovery jobs. Head failure and motor failure/seizing is probably more significant. I have never evaluated PC-3000 data extractor, so cannot comment on this.

For 2 above, there is a large crossover between this and forensic examination. Detailed knowledge of both file structures and file systems is essential, as well as the ability to work in Hex.

Have fun!


   
(@mrpeabody)
Active Member
Joined: 14 years ago
Posts: 10
Topic starter  

> Sadly the data recovery field is a lot more closed than forensics. We are quite open about what we find and how to achieve certain goals. If you look on forums such as HDDGuru.com you'll find that people will share limited information but hardly ever give you the answers.

So I had a look over there. Wow were you right! I was amazed at the outright hostility some of the "gurus" had towards the "newbies". Unbelievably insecure. I don't have time for that. Really disappointing.

My previous field (audio) is ultra-competitive, but people are usually willing to share information, tips, tricks, etc. And I've personally trained so many people, it's unreal. If you're good at what you do, and people like working with you, they'll come back to you – which I'd guess is also true in CF.

Unfortunately, I don't have a spare $10,000 for a PC3K right now. But we'll see what happens.


   
jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

> Unfortunately, I don't have a spare $10,000 for a PC3K right now. But we'll see what happens.

Did you ask for a quote from ACE Lab?
Should be around US$4.000/5.000 AFAIK.
I mean still an awful lot of money, but 1/2 of what you stated! 😯

It seems to me that the different types of "data recovery" have to be cleared.

There are two main *kinds* of DATA recovery business, one on working hardware and one on failed hardware.

The first part (and yes AFAIK it is the large majority of cases) is usually due to some software crash and/or mistake made by the user, and is solvable by the same tools commonly used in computer forensics (software).

The second part is to be IMHO sub-divided into several "branches"

  1. easy-peasy hardware <- A shot TVS diode, a burned chip on the HD board, and the like, basically something that any expert electronic repairman/engineer can solve with basic tools, solder iron, multimeter, oscilloscope and the like.
  2. easy-peasy firmware <- something that can be solved with still very basic tools like freely available software and very simple electronic devices, such as a RS232->TTL converter or Nokia C42 cable, etc. PROVIDED that you can find somewhere the needed info, an example is the known Seagate 7200.11 hiccup, see stickies here:
     http://www.msfn.org/board/forum/169-hard-drive-and-removable-media-issues/
  3. not-so-easy firmware <- something that can be solved ONLY by using some dedicated tool, like the PC-3000.
     A PC-3000 (by itself) will ONLY help in solving this latter "category", what you really buy (in the sense of the real value) from the good Russian guys is not the actual (professionally made) hardware but rather the actual knowledge as they have procedures for practically each and every HD around and are usually very fast in updating this info and/or modify the software as soon as a new HD model is made available or a new issue arises on known models.
     But there are also cheaper tools like (example) SEDIV, which should be able to help in fixing most Seagate drives.
     And also the AFAIK Chinese guys of Salvation Data that have tools similar to the PC-3000 at a more affordable price.
     IF the actual info somehow gets "leaked" or discovered independently and made public, this kind of problem automatically goes in the previous category.
  4. actual hardware problem <- besides the fact that most of the info around about "clean-rooms" is b*llsh*t, doing "internal work" on a hard disk requires besides some very specific (and often model specific hardware tools, like platter clamps, head immobilizers and the like) also some (please read as much) experience and manual abilities.
     Very few of the "so-called" data recovery companies do have the knowledge, tools and abilities to do this kind of work and, from what I can get, most companies sub-contract most of these jobs to "real" specialists.

Besides Scott Moulton's site, there is a Russian guy "Robin" aka Artem V. Makarov, see here
http://hardmaster.info/eng/index.html
which has a nice approach and actually (unlike most of his colleagues) often shares useful info.

So, of the above "categories", types #1 or #2 are the most amount of work, say 60% (of the lesser part, i.e. recovery on failed media) and the actual easy part, #3 is an intermediate, say 30%, and #4 is a fraction of the work, and the very difficult (and costly) one.
The skills for each of them are different:
#1 is mostly electric/electronic engineering
#2 is mostly "computer science" related
#3 is still mostly "computer science" related
#4 is the sum of the three above + mechanical engineering

BTW, there is now an entirely new "market" about Flash sticks and more generally "solid state media", example tool
http://www.soft-center.ru/reader/
http://www.soft-center.ru/fe/

jaclaz


   
(@mscotgrove)
Prominent Member
Joined: 17 years ago
Posts: 940
 

I would like to give my view on the apparent hostility of recovery world rather than forensic worlds.

A lot of the recovery world is commercially based, whereas a lot of the forensic world is LE based. I know if I go to an F3 event, the majority of people I talk to are, or have been in the police.

The commercial world want to make money, and keep their secrets secret to help make money. When I spent many years working on computer tapes the big secret was how to read past the end of tape mark. Despite buying one of the world experts dinner on a few occasions, I never got a hint of how it was done on DLTs, or LTOs etc. I think he can still charge several thousand dollars for the work.

If you are offering a service then a lot of what you are selling is your knowledge. A forensic investigation has a different objective, and so people may be happier to share their techniques.


   
(@mrpeabody)
Active Member
Joined: 14 years ago
Posts: 10
Topic starter  

@jaclaz
Thanks for the breakdown. That perfectly summed up what I had been thinking might be the differences and distinctions but wasn't quite sure. Does something like Scott Moulton's courses address all these types of issues or is he mainly focused on dead hardware, clean rooms, etc.?

@Michael
Totally agree that those "world expert" types are loath to give it up to a colleague. I tried it too, with the same results. And I agree with you that they need to protect that knowledge to make a living. I'm sure we're all guilty of that to an extent.

But what I read on that board were things like, "You're a Newbie - No one helped me when I started out, why should I help you? Spend the money, spend the years, starve like I did, and then once you've reinvented the wheel 10 different ways, maybe I shall grant you an audience." Just very insecure and needless. Or maybe I'm reading it wrong - I hope.


   