Hi all.
I wanted to know what are the procedures when imaging a hard drive on a laptop which can no longer be turned on? Is it possible to do so?
Basically the laptop had a power problem and the power jack at the back has melted so badly that it no longer recognizes the charger therefore laptop does not turn on anymore as needs to be charged to work. Was just wondering whether the data can still be recovered or not? And if so how does the data recovery work? e.g how would one carry out this?
I know there are data recovery specialist companies out there but just wanted to know the actual steps one would take?
I have used ftk imager before and have encase and ftk aswell so just wondered if this is how data recovery companies carry out their solutions? or do they use other software/hardware?
Thanks in advance
If you're just looking to image the hard drive, extract it from the laptop (you can very often find instructions online) and connect the drive to a write blocker. If you hear/feel the drive spin up, you may be in luck.
As to whether data can be recovered or not, that depends. From what you said, the power supply had an issue…do you know if that affected anything beyond the power supply, such as the motherboard or the drive controller? If you extract the hard drive from the laptop, do you find any indication of damage to the drive or the drive controller?
HTH
Thanks for the prompt reply.
When it happened there was a slight burning smell occuring, but no smoke.
But the motherboard is my main concern.
Haven't had time to actually remove the hard drive yet from the laptop but will try it to see if further damage has been done. Hopefully this isn't the case.
Cheers again
Smoke??? hmmmm Stop… Drop… Roll my friend.
Quit putzing (techie term) with the d@mn laptop
Remove the drive from the laptop as Harlan suggested.
If it is evidence, write block it and connect it to an examination machine and get an image right away
If you are just trying to recover data, it is still a good idea to write block but not necessary. Also still a good idea to get an image before you start extracting files.
At times you get ONE SHOT - make the most of it.
Have all your equipment ready to go. Nothing worse than having a drive boot to find out you are not ready and when you are ready the drive craps out on you.
Good luck!
Art
Also…
Putting the hard drive somewhere cool (refrigirator or even a freezer) before you acquire it helps. Whilst you have power applied to the hard drive, have a fan blowing on to it too.
Image it using the fastest process you have (to reduce the heat). Basically, attach your HD to a SATA write blocker which is attached via SATA to the imaging machine, turn it on, image the drive, bug out ASAP. As 4n6art said, consider this to be a one-time shot.
Trust me, this works occasionally, though it should only be applied in desperate circumstances.
The likelihood of success is small but all of the techniques in the previous posts (and this one) give you the best chance with the kit you have. If it fails… give it to someone with better kit (and knowledge wink )
Good luck,
Paul
Also…
Putting the hard drive somewhere cool (refrigirator or even a freezer) before you acquire it helps.
This is poor advice, unless it is a last ditch effort and you are willing to accept the risk of causing further damage to a drive and possibly rendering the drive completely unrecoverable.
Start with removing the drive from the laptop. Then remove the PCB and visually inspect it to ensure that there are no obvious signs of blown chips. If everything looks okay, clone it as fast as possible. If you run into issues, drive does not detect or a lot of CRC errors, it might be wise to stop and get the drive assessed by a data recovery pro before further damage is caused.
This is poor advice
OK, I'm working from anecdotal evidence. Here's my background… Between 2005 and 2010 I imaged at least 1000+ hard drives. In this time I burnt 1 HD out. The 1 I burnt out, I never cooled. After that, whenever I had a problem (odd noises or excessive heating) I would always revert to the cooling method I expounded earlier. Most of the time the drive would image - no problem. I have lost count of the times I've done this. I have no evidence to show how many of those drives I cooled would have failed - perhaps none of them.
The number of drives in this period I was unable to image notwithstanding the measures I applied? About 6, if memory serves me right. All of them were referred to experts and in only 2 cases could they get any data back.
After 2010 we employed an individual to specifically create images so I only acted in an advisory capacity. My experience after this date tails off somewhat.
You say my advice was poor but provide very little by way of scientific reference for this. I admit I have none myself other than my anecdotal evidence.
You, yourself say that the drive should be cloned (poor terminology [unless you are using dd or similar]) as quickly as possible. Why on earth would you need to clone it quickly if heat were not the problem? Starting from as cold a base temperature as is possible and trying to keep it there is no problem surely? Are you worried the drive may feel the cold? wink
For all you budding analysts at university, a reasonable topic for a BSc or MSc dissertation?
Paul
At first glance it seems that the OP is not familiar with forensic imaging, also he didn't indicate that there was anything wrong with the drive, just the burnt up power supply. Assuming that the drive is still functional and simply stated
1)
2)
3) Export your files
Also…
Putting the hard drive somewhere cool (refrigirator or even a freezer) before you acquire it helps.
No it doesn't
This is just homeopathy for hard drives.
Laptop hard drives are typically quite cool anyway.
It is best for a drive to run at a constant temperature, maybe 30-35C. Changes of temperature cause problems .
Older 3.5" drives do require cooling by a fan