MediaCache On Seagate drives – A Potential Problem For Digital Forensics

Imagine a situation where a police unit is preparing for the arrest of a
person who committed a fraud with credit cards over the internet. He is
using his laptop at the moment and filling the Excel file with the CC
numbers.

Police officers break the door and when they are about to put on the hand
cuffs, the felon smashes his laptop with something or drop it on the
floor. It is especially dangerous if he is having the Seagate Yarra or
Seagate Rosewood hard drive families in the laptop. These drives have a
construction that can make a problem for forensics.

A special problem is the improvement implemented by Seagate in order to
speed up the drives – MediaCache.What is the MediaCache?

In order to speed up access to the most commonly used data stored on the HDD like MFT table* (NTFS file system), parts of the operating system or some other user data, there is a need for fast drives that still have enough capacity to meet the current user requirements.

MediaCache is a technology that is used to speed up access to the most commonly used data on a drive. The principle is similar to SSHD drives, only it does not use fast NAND memory, but space on the hard drive platter itself.


Get The Latest DFIR News

Join the Forensic Focus newsletter for the best DFIR articles in your inbox every month.

Unsubscribe any time. We respect your privacy - read our privacy policy.



Seagate Rosewood drive

There is a difference in the speed of reading or writing data stored on the outer edge and close to the center of the platters.

The speed is higher on the outer edge of the platters and this place is reserved for caching the data.

As such, MediaCache technology is highly exposed to environmental influences. From small quakes to strong strikes (crashes), the first to strike is MediaCache.


A notification during the initialization of MediaCache

[image]
System file (hexadecimal)

Now let’s go back to our story from the beginning – the drive inside the laptop was working and the file critical for investigation was opened when the user smashed the device.

The heads that read/write the data can be located just above the outer edge surface of the platters (cache area) at the moment of a strike. This will cause damage to the platters in the form of bad sectors or even scratches.

Firmware of the hard drive is programmed to try to hide these damage, i.e. to reallocate data from damaged parts to some other location and allow normal use of the hard drive.

In most cases, these damage is too high so FW attempts to disguise the damage and totally ‘’forget’’ about the priorities (access to user data). For the regular user this will look like the drive is not functional anymore.

Even when the heads are completely defective (cannot read or even physically deformed) due to a severe crash and require a head replacement, the data about the damage remains in the drive firmware.

After replacing the head, there is a new problem. Donor heads can have bad reading and write inaccurate information. In that case, the contents of the MediaCache may be corrupted.

The firmware tries to solve the problem by running the MediaCache recovery mechanism (reinitialization), but if the heads are writing incorrect information, data loss is inevitable.

These losses can range from several MB to several tens of GB, depending on how long the hard drive, or firmware, has been trying to “repair” itself.

The lost files may be crucial digital evidence for the court and our felon from the beginning of the story can avoid being prosecuted.

If such or similar scenario happens, the best advice for forensic unit is to contact data recovery experts who will recognize the problem and prevent additional data loss.

Follow HddSurgery on Facebook.

Leave a Comment