Cleanroom Techniques  

jeffcaplan
(@jeffcaplan)
Member

Hello All,

Love the forum so far, can't wait for more user participation than there is now. Though I do have one bit of advice…make the area on top a tad smaller, as it is, it's taking 3/4 of my screen at 1024x768 res.

Onto my question…I'm very familiar with computer forensic techniques and data recovery techniques (manual, not just automated)…however…

I really have no idea how someone recovers data from a physically damaged (i.e. fire, flood, smashed, etc.) hard drive, though I do have some ideas.

I know that there are a couple of techniques such as removing the platters and putting them in a hard drive of exact make/model, but when that option is not available, exactly what kind of equipment and techniques are used to recover data? I'm looking for a whitepaper or book reference, not some marketing-type overview.

If anyone knows of where I can find this specific info, I'd love to know. I've done a search on the net already with no success…I'm guessing the next stop will be a bookstore.

Thanks everyone.

Jeff Caplan

Posted : 20/01/2005 5:50 am
Andy
(@andy)
Active Member

Hi Jeff, clean room techniques are beyond me, but I will try to answer or contribute as best I can. Perhaps we have a clean room technician/specialist on the forum?

Anyhow - I have previously recovered data from a laptop drive where the machine itself had been smashed several times on the floor, then kicked into a nearby river by the suspect. The machine was a write off, but the drive, other than a couple of scratches and dents – when dried off – worked perfectly. Enough to convict him of possession of indecent and obscene images of children (I hate the term C/P or child porn).

I have also had some small success in changing the controller card on an identical drive (where the controller card had been damaged in similar circumstances).

I have heard many different ideas about recovering data from drives that are on their last legs, such as placing them in a fridge and cooling them right down before one last recovery attempt. I suspect this is an ‘urban myth’ type thingy…..

I have never removed platters and placed them into another drive. This is rather a specialist area, and fraught with danger (if you don’t know what you're doing), as one particle of dust entering the hermetically sealed unit could cause a head crash – something which you would be hard pressed to recover from. This is the realm of the clean room technicians who do this type of work day in day out.

I did a Google and found this discussion on drive failure: http://www.tek-tips.com/viewthread.cfm?qid=398225&page=1

Andy

Posted : 21/01/2005 6:32 pm
ccutpd
(@ccutpd)
New Member

Hello,

The hard drive in the fridge trick sounds like an urban myth, but I have used it successfully quite a few times. I'd say it has about a 50% success rate (for me). Generally hard drives fail because they have been banged around, and for some reason the read-write heads can no longer function because they are too far or too close to the platters. If you stick the hard drive in the freezer (not the fridge) and leave it in there long enough for it to become pretty cold (a few hours), the molecules in the metal will contract and thus the metal will contract and may allow the read-write heads to read data again for a short period of time (until the drive returns to room temperature and begins to expand again to a non-operating state).

I think "the freezing method" is a common practice among most computer forensic experts. However, something that I have not seen any literature on, is the opposite of this. My lieutenant had his work computer hard drive fail on him, and had the city's computer people look at it, and they turned it over to me. The hard drive wasn't being recognized and you could hear that the drive had something physically wrong with it. I tried the freezing method, but did not have any luck. Trying to think of what else I might do, it occurred to me that heating the drive might work for the same reasons the freezing method does. The metal in the drive would expand and bring the read-write heads closer to the platters enabling it to be read. So I stuck some evidence tape on the drive, and stuck it in the front window of my locked truck in the Florida summer sunshine. Needless to say, it was hot to the touch in less than 10 minutes. I took it back into the office, it read fine, and I got back the data that he wanted to save. Retrieving the data on the hard drive of someone who approves your purchase requests can be a very good thing!!

Anyway that was mostly off this topic, but I thought it was interesting enough to share.

As far as cleanroom techniques are concerned, I am no expert, but I believe that yes - they can take out the platters and stick them into a drive of the same make/model. However, if the platters are damaged or if they are looking for "shadow data", they have an electron microscope that they can use that will read the magnetic charges off of the platters (that can be read) and store them onto another media for review.

Jason Wallace
Tallahassee Police Department

Posted : 21/01/2005 9:14 pm
Jamie
(@jamie)
Community Legend

I'm just going to pop in here and say hi to Jeff and Jason (welcome to Forensic Focus) and congratulate Jason on the most unusual data recovery method I've come across this year 🙂

Spending most of my time in the UK and the Netherlands it's probably not one I'm going to be getting the chance to use any time soon 🙁

Kind regards,

Jamie

Posted : 21/01/2005 11:03 pm
jeffcaplan
(@jeffcaplan)
Member

Thanks for the welcome Jamie.

As far as cleanroom techniques are concerned, I am no expert, but I believe that yes - they can take out the platters and stick them into a drive of the same make/model. However, if the platters are damaged or if they are looking for "shadow data", they have an electron microscope that they can use that will read the magnetic charges off of the platters (that can be read) and store them onto another media for review.

Jason Wallace
Tallahassee Police Department

And nice to meet you too Detective Wallace. I've been volunteering with the Orlando Police Dept. for the past year doing forensics with them and working with Orange County's very own Sgt. Kevin Stenger. I bet you get jealous by the fact that we've got the National Center for Forensics Sciences here in Orlando? 😉

Anyways…what you're referring to about analyzing "shadow" data via an electron microscope…this is exactly the kind of thing I was referring to. They have an electron microscope at the NCFS, and this is one of the things I'm looking for literature on. Additionally, there are many shops out there which advertise that they can retrieve data from physically damaged hard drives; some of them advertise a fast enough turn-around time that it's not possible to execute the platter/drive swap technique every time because they can't possibly have every model hard drive available. And I know that they don't all own electron microscopes considering the cost of these is still very very expensive.

There has to be some other way that people can retrieve data directly from a hard drive platter…I just wish I knew where to look to start learning.

Thanks for the feedback so far guys, keep it coming.

Jeff Caplan

Posted : 22/01/2005 7:35 am
Jamie
(@jamie)
Community Legend

UniRecovery have offered to have a techie pop into the forums now and again to see if they can shed some light on technical matters. I've mailed them with a link to this thread so hopefully we should get some more info from a cleanroom pro next week…

Kind regards,

Jamie

Posted : 23/01/2005 5:05 pm
Jamie
(@jamie)
Community Legend

P.S.

They have an electron microscope at the NCFS, and this is one of the things I'm looking for literature on

This is a fairly old and well known paper but I'll mention it just in case you haven't come across it so far:

http://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html

Cheers,

Jamie

Posted : 23/01/2005 5:12 pm
 Anonymous

I am going to be sharp as ever.
This is how things go.
These methods of freezing and heating are VOODOO stories.
OK, I did it a few times, but only with MAXTOR 540-4k.
There are two ways to extract data from an HDD with a bad PCB:
1. repair the damaged one (I prefer)
2. find an exact model.
Every family of every manufacturer has specific marks that have to be the same in order for the HDD to work. In many cases only one flash on the HDD PCB can make the difference.
There are also two ways to extract data from an HDD with bad mechanics:
1. send it to a lab
2. do it yourself

For this you have to have the knowledge.
First you have to know that in most cases the HDD doesn't need to be opened at all. I'm using a technique that extracts data from bad HDDs only by rewriting its firmware (firmware is on the platter).
In 90% of Maxtors I can do it. So the HDA replacement is not so needed.
We do not have to do everything.
I have successfully changed heads on only 2 drives. But making progress.
Nikola
PS: every HDD has its own common malfunction, so if you are in the matter a long time you know by model what it is.
Bye

Posted : 24/01/2005 2:20 am
 Anonymous

Please be advised of the following:

- Our colleague Nikola has suggested that -quote- "HDD doesn't need to be opened at all. I'm using a technique that extracts data from bad HDDs only by rewriting its firmware (firmware is on platter). In 90% of Maxtor I can do it. So the HDA replacement is not so needed."????????

I cannot understand how the data could be read without the head; if that is true then IBM along with all HDD manufacturers have missed that technology!!

- Cooling off a head of a damaged HDD is only carried out under strictly controlled parameters, therefore putting a HDD in a freezer could easily cause damage on the platters and the head; subsequently a permanent loss of data could be achieved.

- A steady decline in the temperature of a damaged head can be achieved by simply leaving the drive to cool off for 2 hours.
- To attempt to recover a damaged HDD in a clean environment without any knowledge in the field of hardware engineering would be classified a recipe for disaster.

- If one requires to acquire such knowledge then text books are required in addition to intensive practice in the clean rooms. Therefore to pick up magic tips from the internet could be described as superficial as suggesting learning how to drive from gathering tips from the internet.
Learning is a slow curve and one has to cover many subjects to have an adequate understanding of hardware engineering.

Posted : 24/01/2005 3:06 pm
 Anonymous

OK, now it is personal.
Let's say Maxtor 540-4d.
In the BIOS it says maxtor romulus! Another PCB doesn't do the trick.
Explain how, not specific, just theoretical: how would you extract data?
I promise that I would explain my method then.
Nikola

Posted : 24/01/2005 5:13 pm
 Anonymous

Why should I change the heads? We are talking about common malfunctions, not Talibans and airplanes, because 99% of disks die in office conditions.
Nikola

Posted : 24/01/2005 5:17 pm
Jamie
(@jamie)
Community Legend

Welcome to our new members from London (UniRecovery) and Belgrade.

Nikola, let's be clear that these forums are not "personal" and we try to keep things professional, even when we disagree with each other. We're certainly interested to learn more about your techniques, feel free to outline your methods if you wish.

Kind regards,

Jamie

Posted : 25/01/2005 11:07 am
 Anonymous

I will, as soon as the gentleman explains to us!
When I get my answer.
Nikola

Posted : 25/01/2005 2:44 pm
jeffcaplan
(@jeffcaplan)
Member

I'm still curious to find some printed reference material which covers hard drive data recovery. Or maybe references to some kind of class, certificate or degree program which teaches this. Anything. There has to be something out there…

Jeff Caplan

Posted : 26/01/2005 7:52 am
armresl
(@armresl)
Senior Member

I can say that if you think Encase classes are expensive you will climb out of your skin when you see what the higher end labs use for software and hardware. Our system alone was 10k (that's 1 pc, 1 software license, etc)

Training is not included in that price, but there is great tech support.

Rani and I both use the same programs.

What I found interesting was that somewhere around 90% of the data labs i.e. ontrack, drivesavers, CBL, etc use the same equipment from the same company.

Posted : 31/01/2005 5:57 am