Laminar Flow Cabinets And Data Recovery

In the previous article we wrote about Laminar Flow Cabinets and their basic definition.

We also introduced our product – HDDS Horizontal Laminar Flow Cabinet M.

The laminar cabinet's engine draws air from the environment and directs it to the space where the filter is, which can be HEPA or ULPA. These filters are effective at stopping particles with a diameter greater than 3 microns.

Laminarity, i.e. rectilinear parallel air flow at all points, is provided by the perforated sheet that lies in front of the filter. Parallel air movement ensures that any particle that may end up in the work space is ejected outside the chamber.

The working space, i.e. the area in which the analysis or the work on the object is performed, is in a state of elevated pressure (overpressure) and the air is in constant laminar motion, so particles cannot be retained.

The optimal air velocity for hard drives, which also provides laminarity, is from 0.3 to 0.5 meters per second.

How is a laminar cabinet used in data recovery?

The platters on which the data is written are very sensitive to dust and to contact in general.

Magnetic writing / reading requires a small distance between the head (for writing and reading) and the surface that holds the magnetic particles. This “small distance” is 60-100 nanometers while the hard drive is working.

It should not be forgotten that the platters rotate at a speed of 5400, 7200, or more than 10,000 rpm.

A particle with a diameter of a micron is still very big for a head that floats at a distance of nanometers.

It is true that many particles will be removed from the surface when the disc is rotated, but there are also those which are sticky and magnetic, so there is a danger that they could land on the platter surface.

Therefore, for any intervention where a hard disk drive needs to be opened, it is necessary to minimize the risk of contamination of the platters by using clean rooms and laminar flow cabinets.

In order to prove this, we examined a hard drive while working in both a clean environment and a regular one.

At first, we counted the bad sectors on the closed hard drive:

[image]

Then, we opened the same hard drive inside the Cabinet:

[image]

In the end, we opened that hard drive in our office, in regular air:

[image]

As expected, the analysis showed a rapid increase of bad sectors in the case when the hard drive was opened outside the clean area.

The full report can be read here.

Special offer from HddSurgery

Since the release (and even before), our HDDS Horizontal Laminar Flow Cabinet M has been a great success and a lot of DR companies wanted to have it in their offices.

As we understand the importance of having a clean cabinet in every lab, we decided to give a special discount for August 2017.

Each customer who contacts us from Forensic Focus will receive a 20% discount on our Laminar Cabinet.
