MediaCache On Seagate drives – A Potential Problem For Digital Forensics

Imagine a situation where a police unit is preparing for the arrest of a
person who committed a fraud with credit cards over the internet. He is
using his laptop at the moment and filling the Excel file with the CC
numbers.

Police officers break the door and when they are about to put on the hand
cuffs, the felon smashes his laptop with something or drop it on the
floor. It is especially dangerous if he is having the Seagate Yarra or
Seagate Rosewood hard drive families in the laptop. These drives have a
construction that can make a problem for forensics.

A special problem is the improvement implemented by Seagate in order to
speed up the drives – MediaCache.What is the MediaCache?

In order to speed up access to the most commonly used data stored on the HDD like MFT table* (NTFS file system), parts of the operating system or some other user data, there is a need for fast drives that still have enough capacity to meet the current user requirements.

MediaCache is a technology that is used to speed up access to the most commonly used data on a drive. The principle is similar to SSHD drives, only it does not use fast NAND memory, but space on the hard drive platter itself.


Get The Latest DFIR News

Join the Forensic Focus newsletter for the best DFIR articles in your inbox every month.


Unsubscribe any time. We respect your privacy - read our privacy policy.


Seagate Rosewood drive

There is a difference in the speed of reading or writing data stored on the outer edge and close to the center of the platters.

The speed is higher on the outer edge of the platters and this place is reserved for caching the data.

As such, MediaCache technology is highly exposed to environmental influences. From small quakes to strong strikes (crashes), the first to strike is MediaCache.


A notification during the initialization of MediaCache

[image]
System file (hexadecimal)

Now let’s go back to our story from the beginning – the drive inside the laptop was working and the file critical for investigation was opened when the user smashed the device.

The heads that read/write the data can be located just above the outer edge surface of the platters (cache area) at the moment of a strike. This will cause damage to the platters in the form of bad sectors or even scratches.

Firmware of the hard drive is programmed to try to hide these damage, i.e. to reallocate data from damaged parts to some other location and allow normal use of the hard drive.

In most cases, these damage is too high so FW attempts to disguise the damage and totally ‘’forget’’ about the priorities (access to user data). For the regular user this will look like the drive is not functional anymore.

Even when the heads are completely defective (cannot read or even physically deformed) due to a severe crash and require a head replacement, the data about the damage remains in the drive firmware.

After replacing the head, there is a new problem. Donor heads can have bad reading and write inaccurate information. In that case, the contents of the MediaCache may be corrupted.

The firmware tries to solve the problem by running the MediaCache recovery mechanism (reinitialization), but if the heads are writing incorrect information, data loss is inevitable.

These losses can range from several MB to several tens of GB, depending on how long the hard drive, or firmware, has been trying to “repair” itself.

The lost files may be crucial digital evidence for the court and our felon from the beginning of the story can avoid being prosecuted.

If such or similar scenario happens, the best advice for forensic unit is to contact data recovery experts who will recognize the problem and prevent additional data loss.

Follow HddSurgery on Facebook.

Leave a Comment

Latest Videos

Digital Forensics News Round-Up, February 21 2024 #digitalforensics #dfir

Forensic Focus 21st February 2024 6:19 pm

Alan Platt, Professional Services Consultant at MSAB, discusses his experience as a former UK police officer working in digital forensics. He talks about the different levels of digital forensics capabilities within police forces and how MSAB products like XAMN and XEC Director are used by frontline officers versus lab analysts. 

The discussion covers how MSAB partners with law enforcement to develop custom workflows for mobile device acquisitions that facilitate ISO compliance. Alan explains MSAB's managed service offering, where approved MSAB staff can remotely access a customer's XEC Director server to assist with software updates and troubleshooting. He emphasizes the strict data segregation policies enforced by customers to prevent MSAB from accessing any sensitive case data.

Looking ahead, Alan mentions MSAB's new CEO and hints at some exciting developments coming down the pipeline. He spotlights recent enhancements to XEC Director's speed and database functionality for managing large estates of networked Kiosks. Alan also plugs the new XEC Director training he created to help users fully leverage the platform's capabilities.

00:00 – Introduction to Alan Platt
07:00 – Training
12:00 – Workflows
17:20 – Ensuring a secure environment
19:45 – Customer training
20:35 – Helping customers comply with ISO accreditation
25:00 – Validation and verification
27:30 – ISO standards
30:00 – MSAB’s pipeline plans
32:40 – XEC Director 
43:45 – Privacy of user data

Alan Platt, Professional Services Consultant at MSAB, discusses his experience as a former UK police officer working in digital forensics. He talks about the different levels of digital forensics capabilities within police forces and how MSAB products like XAMN and XEC Director are used by frontline officers versus lab analysts.

The discussion covers how MSAB partners with law enforcement to develop custom workflows for mobile device acquisitions that facilitate ISO compliance. Alan explains MSAB's managed service offering, where approved MSAB staff can remotely access a customer's XEC Director server to assist with software updates and troubleshooting. He emphasizes the strict data segregation policies enforced by customers to prevent MSAB from accessing any sensitive case data.

Looking ahead, Alan mentions MSAB's new CEO and hints at some exciting developments coming down the pipeline. He spotlights recent enhancements to XEC Director's speed and database functionality for managing large estates of networked Kiosks. Alan also plugs the new XEC Director training he created to help users fully leverage the platform's capabilities.

00:00 – Introduction to Alan Platt
07:00 – Training
12:00 – Workflows
17:20 – Ensuring a secure environment
19:45 – Customer training
20:35 – Helping customers comply with ISO accreditation
25:00 – Validation and verification
27:30 – ISO standards
30:00 – MSAB’s pipeline plans
32:40 – XEC Director
43:45 – Privacy of user data

YouTube Video UCQajlJPesqmyWJDN52AZI4Q_ifoHVkjJtRc

How MSAB Is Managing The Digital Forensics Challenges Of Frontline Policing

Forensic Focus 21st February 2024 3:07 pm

Podcast Ep. 80 Recap: Empowering Law Enforcement With Nick Harvey From Cellebrite

Forensic Focus 20th February 2024 11:49 am

This error message is only visible to WordPress admins

Important: No API Key Entered.

Many features are not available without adding an API Key. Please go to the YouTube Feed settings page to add an API key after following these instructions.

Latest Articles