I suggest you send it to someone who specializes in recovering data from damaged hard drives…such as Ontrack. I am sure they deal with HDDs that were in water and fires all the time.
FYI Dehumidifiers work awesome at drying out wet electronic components. Remove the HDD cover and place next to a dehumifier and let it dry out. Works well for wet cell phones.
well, cellphones are pretty different since they don't contain any mecanic component.
the HDDs are mecanics and if the inside components get dirty they become unusable.
As far as preserving the drive as evidence, I saw a presentation at Defcon 2007 from a data recovery specialist who said that your primary objective when doing a physical drive recovery should be to get an image. After that, you can always explain to the court that the hard drive has been in serious contact with water and the physical evidence is not working anymore.
What are your opinions on that?
The problem is that you need to establish that the procedure that you followed was either an industry standard or industry accepted practice.
The fact is that there are firms that do this very thing (many less expensive than Kroll/Ontrack). They can point to tens if not hundreds of cases where they have partially or totally recovered water damaged drives.
Do you really want to have to explain why you attempted a recovery, yourself, when there are outfits out there who have demonstrated expertise in this very thing.
I fully understand what is possible. I certainly understand, being part of a small business forensics outfit, a reluctance to outsource work that could be done in house.
The question you have to ask yourself is "Do you feel lucky?" or, more importantly, do you want to take responsibility for potential destruction of evidence if you make the wrong move? Sending the drive to a firm which specializes in these kinds of recovery will not only absolve you of responsibility for a bad outcome (as long as it is a reputable company), it will also establish you as an investigator who recognizes when the need arises to call in a specialist.
You can still do the forensics on whatever was the recovered image, without taking the risk of destroying the evidence in the process.
There is always a first time for everything. You don't not do something just because you have never done it before.
There is always a first time for everything. You don't not do something just because you have never done it before.
Absolutely. However, the 2006 revisions to the Federal Rules of Evidence reduce the "safe harbor" provisions for both parties and experts. If it can be shown in court that
1. You were apprehensive or unsure about the process for restoring a damaged drive ("produce all correspondance, including blogs, bulletin boards and newsgroups where you have discussed restoration of wet drives").
2. You had no prior experience in the methodology that you followed or the methodology that you followed was not accepted by your peers.
3. You had been advised by some of your peers to use the services of an experienced data recovery firm (i.e., the forum to which you posted your inquiry).
4. As a result of your actions, the drive was damaged to the point where forensic recovery was questionable.
You could be guilty of spoliation of evidence. The court could order adverse inference against your client and/or you could be sued for malpratice.
I'm a neurologist and I've done neurosurgical procedures but I'd never do a procedure that I had never done, before, and without supervision or training. It would be malpractice, independent of the outcome. I certainly would't go to the Internet and ask a panel of colleagues how to repair a basilar artery aneurysm and, having gotten conflicting opinions, proceeded to try one of the recommended strategies on a real patient.
Working with real data is not the time to learn a new skill, especially if the result of that process is destruction of evidence. If you want to acquire such skills, then by all means, take some inconsequential drives, hit 'em with a fire hose and then attempt recovery. But don't make your first attempt on evidence.
Presumably the OP has accepted a fee to perform a service, namely, recovery of the data on the drive. As professionals we owe our clients not only our best efforts when we are performing a task, but also the obligation to refer the clients to a specialist when the task exceeds our capabilities or experience.
The old cynical salt was "See one, do one, teach one." As cynical as this is, there is at least one action before "do one".
We experiment on dummy data or copies of real data but never on the evidence, itself, unless it cannot be avoided. And we always have to weigh the potential impact of our experimentation on the evidence, itself.
@jaclaz What is the point of using an aquarium as a cleanroom, if it contains air that's not clean? )
I gave for implied that you need to sanitize the air inside the aquarium.
Nothing more than a vacuum cleaner and some tissues are needed.
Mind you I never said that the above is advised, nor that having fully qualified technicians working in a certified clean room is a bad thing or is it not better.
Only that there are poorman's way "good enough".
Same goes for BGA, x-rays and infrared heaters.
They are good, but if the problem is just a small BGA, there are poorman's ways to reflow it
http//
http//
http//
jaclaz
So is it safe to say that the main issue with water damaged drives is not the PCB or any other electrical component, but whether or not there is debris or other contaminates on the platters? I know removing the cover off of a hard drive is not advisable for novices, but it seems like pulling the cover off and soaking it in clean water is the only way to be able to tell if the platters are in good enough shape to test.
So is it safe to say that the main issue with water damaged drives is not the PCB or any other electrical component, but whether or not there is debris or other contaminates on the platters? I know removing the cover off of a hard drive is not advisable for novices, but it seems like pulling the cover off and soaking it in clean water is the only way to be able to tell if the platters are in good enough shape to test.
Partially.
The *water* that has come into contact with an electronic device is very rarely "water", in the sense of H2O, it will be containing any kind of chemical substances, salts, acids, whatever, which could actually, if left drying on the electronics, create shorts both at signal or actually "power" parts.
Thus the general idea is to WASH with distilled water all the electronics and let them dry COMPLETELY, anyway.
About the actuall innards of the HD, it's not the same thing in all cases
- if a drive has been completely submersed, the liquid entered it, no doubt.
- if a drive has only been "sprayed" or "poured over" it is very likely that no *water* has entered it.
Some drives are more "airtight" than other models, it's not easy to use a "general rule", the actual holes in them are protected by a sort of "filter" that may have been enough to stop the liquid if this was somewhat viscous, etc. etc.
As said, while actually disassembling the inner parts of a HD is a NO-NO unless special conditions are met and a previous experience has been gathered, simply opening the cover and inspecting the innards, and if needed washing them with distilled water is feasible also with a DIY job - obviously with a number of precautions, there has been some kind of "terrorism" about "clean rooms" and the absolute need for them.
The following is a test anyone can perform, with at the most the loss of any GOOD oldish hard disk (and quite a lot of time).
Test the disk with it's manufacturer utility.
Open it in a "poor man's" clean room, visually inspect it, then reassemble it.
Test the disk again with it's manufacturer utility.
See if there is any problem found that wasn't there before.
Open it again in the "poor man's" clean room, visually inspect it, wash it's innards with distilled water, let it dry thoroughfully, then reassemble it.
Test the disk again with it's manufacturer utility.
See if there is any problem found that wasn't there before.
After all, and mind you I am talking of Data Recovery, NOT forensics, and specifically Data Recovery of something that is NOT worth the few K$ a "Professional Data Recovery Firm", you don't have to re-assemble a drive and certify it to work under warranty for the next three years, you are going to reassemble it in order to have it working for 1 or 2 hours at the most, the strict time needed to image it.
jaclaz