EDMONDS COMMUNITY COLLEGE INFORMATION SECURITY AND DIGITAL FORENSICS APPLIED TECHNOLOGY LAB CIS 294 - ADVANCED DATA RECOVERY - MODULE 1 2011
THESE MATERIALS ARE PROVIDED FOR STUDENT USE ONLY, AND ARE NOT TO BE DISTRIBUTED OUTSIDE OF THE CLASSROOM.
CIS 294 ADVANCED DATA RECOVERY MODULE 1 PART ONE 2011
USE OF THESE MATERIALS FOR EDUCATION PURPOSES HAS BEEN LICENSED FROM SCOTT MOULTON - MHDD.
CIS 294 ADVANCED DATA RECOVERY - MATERIALS LICENSED FROM MHDD 2009 MHDD
ADVANCED DATA RECOVERY MODULE ONE
Course Content Overview
1. History, Terms, Re-learn Imaging Errors and Status Flags
2. Physical Functions of Drives, Labs
3. Logical Corrupted Data Recovery
4. Theory, System Area, Fundamentals
5. 2.5 Drive Lab, Solid State, Extras
What is Data Recovery?
Data recovery is necessary when source material fails and where no good backup exists, either Physical or Logical. What this means is that time is not on your side. If there was a backup that had been done 24 hours ago, you should consider restoring that backup. Doing a data recovery is going to require quite a bit of time, so you don't want to delay getting the asset back up and running. However, you do want to protect the content that is on that drive or array and keep it from getting overwritten.
In addition, what you will get back may not always be in as pristine shape as the backup. So you should always advise a client to do what needs to be done to get back in business and treat recovery as secondary. There may still be valuable files that need to be recovered that were changed or written within that 24 hours; however, it may take you a week to get these files, especially if the server or drive is substantial in size, or depending on the condition of the media.
If there is no backup, the data you have will be very valuable. However, it does have a lifespan. For example, doing a recovery may take several weeks, and during that time frame, the client might have to start re-creating their content. If they get done before you do, it is likely they will no longer need what you have. In the business model the data recovery companies run under, in most cases this means the client does not need the data, and generally the client will not pay you for your work if they no longer need the data.
Forensic data recovery is generally completely different. Your data will generally be valuable whenever you complete the job. There are still some time considerations, but in most cases it can take several months, and there will still be some value.
What is Forensics?
Wikipedia: Forensics is the application of sciences for the use of or to answer questions for a legal system.
Reference for Photo (Wikimedia Commons): Skulls on a Beach: "Currents carry many dead things to Punuk Island making it the graveyard of the Bering Sea." Date: July 1977. Source: http://www.photolib.noaa.gov/htmls/line0179.htm. Author: Captain Budd Christman, NOAA Corps. Permission: public domain. This image is in the public domain because it contains materials that originally came from the U.S. National Oceanic and Atmospheric Administration, taken or made during the course of an employee's official duties.
Forensics Data Recovery
What this class is about, or rather not about
Differences: I am covering only unique items
File Systems and Complements
Opposite Terms: Clone vs. Image
Goals and Automation
Changes to the hard drives
Forensics vs. Data Recovery
Mac / Linux / Windows / Solid State Drive users, and all would find something useful
These are the details you need to know about what is different from the Data Recovery world to the Forensic world. This class is meant to be a complement to the classes you have already taken, and we do not delve into walking through the file system structure itself. We will cover the items that are unusual or that make the data recovery world different.
There are times when you are making modifications to the drive in order to copy the data. HPA, etc. Bad sectors, pad with zeros. In forensics = Image: An image in data recovery is typically a DD image. A clone is a copy of the drive. In data recovery it's backwards. Our goal in Data Recovery is automation. In Data Recovery they just want their pictures back. In Forensics, you are delving into OS/Timeline reconstruction. If you get 25 drives a week for Data Recovery, it's all about automation.
Two Types of Recovery (1)
1. Physical: i.e. Drive Failure, Controller Failure, or Corruption, or Passwords, etc.
This is the type of data recovery when there is damage to the media and the pre-existing data needs to be retrieved
This will usually require the media to be repaired. In most cases this is where the majority of the work is
It will generally require one or more donor drives or other hardware to repair it back to working condition
There are two types of data recovery. The first type is related to drive failure and is physical, such as the controller failure or some kind of corruption. It generally means that you will be fixing some sort of media or performing some manual work in order to repair the content. In many cases you're going to have to acquire what's called a donor drive. It's very similar to an organ transplant, and not unlike an operation. The donor drive in many cases has to almost exactly match the original drive. There are a number of tools involved, and you will be dealing with very small parts and exchanging them. Not every drive can be rebuilt and it is a difficult task; however, it is possible. You will be taking apart and rebuilding several drives this quarter. This class is about process, and teaching you what you can do, with practice, after you leave this class.
There are a couple of items that might also fit into this category, one being passwords on hard drives. When a hard drive is password-protected, using the computer's BIOS to enter the password, and someone takes the drive and plugs it into a USB connector, the drive will exhibit an error that looks like an abort error. It will not allow you to copy even one sector of data. The client doesn't know this, and in many cases they will not even remember there was a password on the drive.
Two Types of Recovery (2)
2. Logical: i.e. Deletion, Purposeful or Accidental
The second type of data recovery is when files were purposely or accidentally deleted, or locked by passwords. With this type of data recovery there is usually no damage to the media and standard software can be used to recover the data.
This is the process that most data recovery software performs
Because most software relies on calls and functions from the operating system for input, and it has no control over error correction or any hard drive functions that the operating system , very few software programs understand damaged media
The second type of data recovery is Logical. Whether deletion is on purpose or accidental, it is still considered data recovery. From time to time, you might get someone who was writing a book and accidentally saved over it, not realizing what they had done. You will be called on to recover the content. Another instance where this might happen is when HFS+ on a Mac hard drive can't see its own data when it's plugged in. This might be a type of partition corruption or maybe catalog corruption, but whatever the reason, the person just wants their data back.
Now, this is where things get more complicated. Let's assume that you have the drive in for recovery, and you hook it up and see that the drive is password protected. In many cases you might think that's what the recovery actually is, getting the data back by bypassing the password. So you bypass the password, see the files, copy them, and give it back to the client. Next thing you know, they call and complain that the files that they are looking for are not there. Then you find out the files were deleted, and they did not even remember they had a password on the drive. You won't hear the story until after you have already done the job. So I would say if you see a situation like this, you have two choices. Clear the password and do the data recovery of deleted files, or call the client and ask them the situation.
Five Phases of Data Recovery
1. Diagnostics of the drive is the first step. If the drive can be imaged go to step 3, otherwise continue with step 2
2. Repair the hard drive so it is running in some form, usually requiring hardware or special equipment
3. Image, Copy, or Recover the physical drive and sectors primarily by bit stream imaging. If the drive is functioning, it is possible to do this with software; however, there are some hardware solutions that work very well with damaged drives
4. Perform Logical Recovery of files, partition structures, or necessary items; usually this is by software and is the most common type of application sold
5. Repair files that might be corrupt or have existed in damaged space or sectors to recover what is possible. This is usually the requirement in Forensics, to be able to re-assemble data to display what was there, whether full or partial data is present
Depending on the type of data recovery, you will have five phases. You can diagnose the problem many ways, but one of the easiest is to attempt to image the drive using hardware or software. There are some pieces of software that can talk to the drive and help you diagnose the type of problem before continuing. About 15% of the time the second step is going to be repairing a damaged hard drive. The other 85% will be imaging the drive in step three in some capacity. Until you have done this you generally will not see any data and that prevents you from doing the other steps. In essence, if you cannot repair the hard drive, that is the end of your job.
The third phase of data recovery is imaging. Not all data recovery companies image their drives. I generally find it to be very valuable to image the drive and work from the working copy. This allows me to maintain the state of the original drive without making changes to it, because as most of you know, making changes to the original drive is a bad thing. Let's say I have a bad drive that came from a Mac, and I hook it up to the Macintosh, and run a tool like DiskWarrior against it. Now, if DiskWarrior tries to make changes to the catalog, you will have no resource to go back to, and in many cases you will not know what type of damage you have to the drive until it is too late. In some cases, if the drive is damaged you might just get the one shot, so you have to be very cautious not to waste your one shot.
I believe that you should make a physical image or clone of the drive before you proceed to the third step, logical recovery. There are several tools specifically for dealing with damaged media. You might consider using software-based tools on Linux such as dd_rescue (use with the dd_rhelp script) or ddrescue (dd_rescue and ddrescue are two different tools). These tools have a special feature that allows them to image backward (understanding why you need to image backwards is very important in data recovery). There is also some excellent hardware for imaging physically damaged hard drives, such as the DeepSpar Disk Imager.
And then the third step is the logical recovery portion, where you're repairing partition structures or corruption with software. This is what the most common types of data recovery software do. They work by talking to the operating system, making requests and expecting a response. In most cases, they have no idea how to talk to damaged media or corrupted files, which can cause them to fail. Most of the software in this category is defined by how good the headers are in the application. Most of them begin by scanning the hard drive from beginning to end, examining header information and trying to determine what applications or data files are on the drive. Some can parse the MFT or FAT table or whatever catalog the operating system of the damaged drive uses, but others only scan for file headers or partition structures. We will cover some of the most common applications and what your options are for repairing some of this corruption. Most of this focus will be on automation primarily, because in a data recovery lab you're handling dozens of drives a week and just would not have the time to do every one by hand. So this is about performance. And again keep in mind, they could still take weeks to run through just this portion of the recovery and validate the results.
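The imaging step described above, as an added example that is not part of the original course materials: a Python model of a two-pass acquisition that pads unreadable sectors with zeros, backs off when the forward pass runs into a damaged region, and then images backward from the end of the drive. The FlakyDisk class, the two-error back-off threshold and the status map characters are assumptions made for the illustration; they are not how dd_rescue, ddrescue or the DeepSpar imager work internally.

```python
"""Two-pass imaging of a failing drive: forward, then backward, zero-padding bad sectors.

Added illustration. FlakyDisk is a constructed stand-in for real hardware.
"""

SECTOR = 512


class FlakyDisk:
    """Constructed test device: reading a sector listed in bad_sectors raises OSError."""

    def __init__(self, data, bad_sectors):
        self.data = data
        self.bad = set(bad_sectors)
        self.reads = 0  # every attempt counts; each one is load on a dying drive

    @property
    def sectors(self):
        return len(self.data) // SECTOR

    def read_sector(self, lba):
        self.reads += 1
        if lba in self.bad:
            raise OSError(5, "Input/output error")
        return self.data[lba * SECTOR:(lba + 1) * SECTOR]


def image_pass(disk, image, status, order, max_consecutive_errors):
    """Read every untried sector in `order`; give up after a run of failures."""
    run = 0
    for lba in order:
        if status[lba] != "?":
            continue  # already read or already known bad: never touch it twice
        try:
            image[lba * SECTOR:(lba + 1) * SECTOR] = disk.read_sector(lba)
            status[lba] = "+"
            run = 0
        except OSError:
            status[lba] = "-"  # the image keeps its zero fill for this sector
            run += 1
            if run >= max_consecutive_errors:
                break  # damaged region: stop hammering it from this side


def acquire(disk, max_consecutive_errors=2):
    """Return (image bytes, status map). '+' read, '-' failed, '?' never tried."""
    n = disk.sectors
    image = bytearray(n * SECTOR)  # zero-filled, so unread sectors stay padded
    status = ["?"] * n
    # Pass 1: forward from LBA 0 until the damaged region is hit.
    image_pass(disk, image, status, range(n), max_consecutive_errors)
    # Pass 2: backward from the last LBA, approaching the damage from the far end.
    image_pass(disk, image, status, range(n - 1, -1, -1), max_consecutive_errors)
    return bytes(image), "".join(status)


def demo():
    # Constructed 16-sector source; sector k is filled with the byte k + 1.
    data = bytes((i // SECTOR) + 1 for i in range(16 * SECTOR))
    disk = FlakyDisk(data, bad_sectors=range(5, 10))  # constructed damage
    image, status = acquire(disk)
    return data, image, status, disk.reads


if __name__ == "__main__":
    data, image, status, reads = demo()
    print("status map:", status)
    print("read attempts:", reads)
```

The status map plays the role of an imaging log: sectors marked `-` or `?` are the zero-padded ranges to retry later or to check recovered files against.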
So the fourth phase to data recovery is after you have recovered the files. In many cases, especially if you had to repair the media, or there were bad sectors and damage to the drive, there may be corrupt files after you have recovered them. This is typically where I look for tools which I call one-offs. Generally that means that for whatever type of file it is, as time goes on particular tools get better at recovery or new tools appear on the scene. In most cases this means that the same tool that I used six months ago may not currently be the best tool to use to recover that file. In some cases it may even be possible to just use a hex editor and cut out the information that you want. But generally speaking, this is just whatever the tool of the day is. We will cover much of what that is in this class because our focus is on the media, imaging, and doing logical recovery. Repairing individual files is something that you have to take on one at a time.
This is also applied in data recovery for corrupt Word and Excel documents.
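The header scanning that logical recovery tools perform, and the check for files that sat in damaged sectors, shown as an added example (not code from the course or from any tool named here): a Python carver that locates JPEG and PNG files by header and footer in a raw image and flags carved files containing a zero-padded sector. The signature table, the sample image and all function names are constructed for the illustration.

```python
"""Header/footer carving over a raw image, flagging files hit by zero-padded sectors.

Added illustration; the sample image below is constructed, not real evidence.
"""

SECTOR = 512

# (header, footer) byte signatures for two common picture formats.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}


def zero_padded_sectors(image, start, end):
    """Sectors lying wholly inside [start, end) that contain only zeros."""
    first = -(-start // SECTOR)  # round up to the next sector boundary
    last = end // SECTOR
    zero = bytes(SECTOR)
    return [s for s in range(first, last)
            if image[s * SECTOR:(s + 1) * SECTOR] == zero]


def carve(image, max_size=10 * 1024 * 1024):
    """Scan the image from beginning to end for known headers.

    A hit with a footer is reported with its size; a header with no footer
    within max_size is reported with size None (truncated or fragmented file).
    Simple header/footer carving assumes contiguous files and can cut a JPEG
    short at an embedded thumbnail's end marker.
    """
    found = []
    for kind, (header, footer) in SIGNATURES.items():
        pos = image.find(header)
        while pos != -1:
            end = image.find(footer, pos + len(header), pos + max_size)
            if end == -1:
                found.append({"type": kind, "offset": pos, "size": None,
                              "zero_sectors": []})
                pos = image.find(header, pos + 1)
                continue
            end += len(footer)
            found.append({"type": kind, "offset": pos, "size": end - pos,
                          "zero_sectors": zero_padded_sectors(image, pos, end)})
            pos = image.find(header, end)
    return sorted(found, key=lambda hit: hit["offset"])


def build_sample_image():
    """Constructed 8-sector image: two JPEG-like blobs and a PNG header stub."""
    img = bytearray(b"\x11" * (8 * SECTOR))
    jpg1 = b"\xff\xd8\xff\xe0" + b"A" * 694 + b"\xff\xd9"    # 700 bytes, intact
    jpg2 = b"\xff\xd8\xff\xe0" + b"B" * 1494 + b"\xff\xd9"   # 1500 bytes
    img[1 * SECTOR:1 * SECTOR + len(jpg1)] = jpg1
    img[3 * SECTOR:3 * SECTOR + len(jpg2)] = jpg2
    img[4 * SECTOR:5 * SECTOR] = bytes(SECTOR)  # bad sector padded with zeros
    img[6 * SECTOR:6 * SECTOR + 8] = SIGNATURES["png"][0]     # header, no footer
    return bytes(img)


if __name__ == "__main__":
    for hit in carve(build_sample_image()):
        print(hit)
```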
Your Goal
In data recovery, your goal is to recover content that the client deems valuable from their own hard drive/equipment, and then provide them their data back
In Forensics your goal is usually to find the smoking gun. In data recovery your goal is to have some valuable data to sell back to the client. Everything you do from this point on in data recovery should reflect this statement.
The reason is because you might be able to recover data from the drive, but if you get the Windows System folder, that will not be valuable to them. However, if you recover a picture of their kid being born, or a picture of someone's grandmother that passed away you will be seen as a data hero. Even just one photo recovered could be the difference between getting paid for the job or spending days working on a drive you never see a dollar for.
Because of this process, many of you might consider different pricing/charging models with regards to data recovery. The obvious question is "How do you prevent working for nothing?" One way is to focus directly on getting back at least one piece of important data that the client wants or needs.
What to Get First in a Recovery
When starting to do a logical recovery, it is important to go after user data first and ignore certain things like system files and programs
Certain programs, like Intuit Tax, Quicken & QuickBooks applications, may keep their data in unexpected folders, such as Program Files. It is important to identify and locate these files
Most often, the important data will be in the Documents and Settings folders, but some data is hidden in folders like Local Settings, Application Data, or All Users
If for some reason you cannot image the drive first, or you are working under constraints, then you might have to do a logical recovery directly on the original drive. That is not a great choice, but sometimes it is the only choice. So if you are going to do that, you need to be quick about what content you are going to target and recover. It is important to have a good idea of the layout of the files in advance. For instance, you might need to recover QuickBooks files from the All Users data folders.
When you finally see data, you need to go directly after the important data right away; do not assume you will be able to image the drive or that it is easier to click to copy the root of the drive. Many times the drive will die in the process. If you are able to see data at all, do not unplug or move the drive thinking you will be able to start it over on a different machine. There will be many times you will not be able to get back to where you were again.
History and Terminology Directly as it Relates to Data Recovery
Striving for greater areal density has been the driving force behind all developments for the hard drive
All of the advancements that have been made in hard drives have been because of our need to increase the areal density. We all want larger amounts of space on which to store our data. Generally speaking, I would also state that the second most important factor in the design of hard drives has been the physical dimensions of the drive. There has been a great movement toward everyone having portability, and that's what allows you to use those laptops.
If you really think of all the leaps that we've had in hard drive technology in the last 50 years, it has been phenomenal. Our areal density has increased by a factor of over 6 million. That says a lot about the state of our technology. Let's think back a couple of years, say the middle of 2006, using the laptop hard drives as an example. The largest capacity drive we had for laptops was about 100 gigs. Now less than two years later, I have a laptop that has a 500 gig hard drive in it. The same is true of desktop hard drives. In June 2006, the largest hard drive we had was 500 gigs. Due to some changes in technology in 2006, switching hard drives to perpendicular technology, we have now exceeded 500 gigs, and at this time a single drive of 2 TB has been announced.
Mechatronics
The scientific name for the type of engineering that makes up direct access storage devices (DASD)
The integration of mechanical engineering combined with electronic engineering
This term was coined in the 70s in Japanese manufacturing
Mechatronics is a term that was coined in the 1970s and is now an established science. It is a science of integration. As you are probably well aware, a hard drive is not only a mechanical device but also has an enormous amount of electronics. Mechatronics is not just connecting the mechanical and electronics together; it is a complete integration of mechanical components with electronics. So this is the type of science that makes up hard drives.
History of the Hard Drive (1)
1956: IBM produced the first hard drive. The slider touched the platter. The 1st drive contained 50 disks, each 24 inches in diameter and could store a total of 5 MB of data at 1200 RPMs.
1961: IBM produced the first disk that had floating heads using a technology called air bearing surface.
1963: IBM designed the first removable disk packs.
1973: IBM introduced a head with a slider based on ferrite. Storage capacity was about 35 megs for a drive with two platters and they were 14 inches in diameter. This is one of the first drives called a Winchester drive.
1982: in the early 80s the 1st drive that was introduced by a commercial entity was called the ST 506 series made by Shugart Technology now known as Seagate. It was the first non-IBM hard drive made and was the first commercial desktop hard drive.
In 1956 IBM produced what we know of as the first hard drive. At that time, the slider mechanism the heads are mounted on touched the platters. Because of this, the platters had constant wear and would eventually cause so much damage they would wear out. IBM had to build redundancy into many of their systems and many had to contain a pair of disk packs running in them maintaining the same data. When one would fail the other could continue until the IBM technician could get there with his oscilloscope and replace the damaged part and realign the heads. At that time we had something called a linear stepping motor, which made the heads move back and forth instead of any radial arc like we have today.
In 1961 IBM came out with their first disks where the heads floated over the platters. The technology they used was called air bearing surface. This is the same technology that we use today on current hard drives with the obvious exception of solid-state drives. This was probably one of the most crucial developments because it minimized wear and tear on the drive, giving it a much longer lifespan.
Then in 1963 IBM made those disks removable. It had a handle and would allow you to unscrew the disk pack and remove it and replace it with another. My first job out of high school in 1986 was working at a four-color cataloging company, and it was my responsibility to back up the disk packs. I have a lot of experience with packs very similar to these.
In 1973, IBM introduced a drive called the Winchester drive. The important addition that this drive had was that it was based on ferrite for its slider. This is important because we still use ferrite in hard drives today. Ferrite shields data from being interfered with via the superparamagnetic effect (when content changes due to environmental issues).
1982 was a big year, primarily because the first commercial drive was made by someone other than IBM. Originally Alan Shugart and Finis Conner started a company called Shugart Associates. After the company was sold in 1977 to Xerox, the two created a new company now known as Seagate Technologies. Finis Conner went on to create Conner Peripherals in 1986, and he gave us one of our most important advancements yet, the voice coil. Eventually Seagate came back and bought Conner Peripherals 10 years later.
History of the Hard Drive (2)
1983: the first 3.5 inch hard drive was introduced by Rodime
1985: the first IDE hard drive was introduced by Quantum Corp
1986: the first Voice Coil Introduced by Conner Peripherals
1988: First 2.5 inch hard drive is introduced by PrairieTek and had one of the first parking mechanisms to park the heads in a ramp
1991: The first drives with MR (AMR) heads released by IBM
1997: IBM introduces the First GMR head
2006: Perpendicular changed some of this, because the Aluminum interferes with the magnetic qualities, so they switched to Ceramic Platters to avoid this
Now just to back up a little bit, no pun intended, in 1983 the first 3.5 inch hard drive was introduced by Rodime PLC. There is a very interesting story about what happened to each of these companies. After 1985 Rodime was in the red, and its only possible source of income was to pursue patent infringements against Quantum and Seagate. After a number of years, Rodime was unsuccessful in its litigation. In 2000 Rodime PLC took over a gaming company called Littlewoods (named after a football pool founded in 1923). This company was a gaming and betting company that has since changed Rodime's business dramatically. They eventually changed the name to Sportech PLC, which still exists today.
In 1985, Quantum Corporation released the first IDE hard drive. Quantum was started by a bunch of guys who left Shugart Associates and IBM after coming up with an idea for the new hard drive.
Over time, many of the developers for hard drives came from the same place, had the same ideas, or purchased each other. So there was a major merging of technologies. This is why today most of the hard drives are so similar, allowing us to do some of the same functions with the drive. There are a lot of smaller details that are not the same, but after 30 or 40 years the functionality of the hard drive is almost identical for each manufacturer.
In 1988 PrairieTek invented one of the first commercially available 2.5 inch hard drives with a unique parking mechanism that is very similar to what IBM has today.
Then in 1991, IBM introduced the first MR head. This is the head that was prevalent throughout the 90s. Following that, in 1997 IBM introduced the first GMR heads. However, many manufacturers did not start adding GMR heads until the end of 1999. The GMR head is the primary current head used in most drives, with the exceptions that were made for perpendicular drives in 2006. Any drive larger than 500 gigs is most likely perpendicular. We will cover all of those things in this class when you understand the differences.
Rodime: The First 3.5
This is the first 3.5 Drive and was produced by Rodime. This is the drive that set the standard for the rest of all 3.5 drives.
PrairieTek: The First 2.5
This is the first 2.5 Drive and was produced by PrairieTek. This is the drive that set the standard for the rest of all 2.5 drives.
History of Stiction
Stiction is something that affected most of the older drives and, from time to time, affects newer drives. The head originally did not move to a park location. The head would rest against the platter wherever it landed when the disk stopped spinning. Sometimes the lubrication would dry and the head would stick to the platter. When the power was applied again, the friction caused by the head sticking to the platter would keep the platter and the motor from turning. The way this problem was fixed many times was either to bang on the side of the computer or to take the disk out of the system, put it on a table, and spin it in the opposite direction the disk spins, thereby breaking the stiction. Today it can still occur. I have seen this issue on many 80 gig laptop hard drives, as well as 1.8 ZIF drives.
Reference: From Wikipedia: Stiction is an informal portmanteau of the term "static friction" (s), perhaps also influenced by the verb "stick." Two solid objects pressing against each other (but not sliding) will require some threshold of force parallel to the surface of contact in order to overcome static cohesion. Stiction is a threshold, not a continuous force.
http://en.wikipedia.org/wiki/Stiction
50 Years Ago
The amazing thing about a hard drive is that up until 2006, mainly just the size and storage capacity has changed. A lot of small changes have occurred but mainly the process has evolved based on the same basic principle. Functionally they are all very similar to this massive hard drive.
Drive Differences in 50+ Years
In 50+ years a disk went from 50x 24 inch disks to hold 5 megs and had a deep orange color due to the iron oxide particles vs. single platters that are now glass mixed with ceramic, or aluminum coated.
Stepping Motors vs. Voice Coils
North and South Poles stored longitudinal vs. Perpendicular
Lateral Movement Heads vs. current Radial Arc
However, there have been a few changes. One of the primary changes is the types of materials that are used. For instance, platters were once coated with magnetic iron oxide particles, which gave them that orange color. Today, the primary materials used to make platters are glass mixed with ceramic or aluminum.
There have also been a few other changes. For instance, we no longer use a stepping motor; we now use voice coils for the movement of the actuator arm. This has forced us to make a number of changes to the content stored on the platters. Where we once used north and south magnetic poles written to the platter in what's called longitudinal format, in the last two years we've switched to perpendicular format. We also switched the focus to read and write and to being separate components.
Original Drive Size Comparison
The Orange drive that you see in the picture here is a 24 inch disk, similar to what IBM used in 1956. Next to it you can see what are currently the conventional discs. The one on the left is a 3 inch disk made by Micropolis. Just to the right of the Orange drive, is one of the last drives ever made with a stepping motor by Seagate. And to the right of that is the 5 inch Quantum Bigfoot drive.
Original 24 inch Drive Sliders
This is a photo of the original heads of the hard drive in the previous slide. This is a view of what the sliders looked like on the original 24 inch disk assembly from the top and then from the sides. This orange drive was manufactured around the disk pack technology, and although this drive/pack could not be unscrewed, the entire assembly was made to come apart so that an engineer could recalibrate the entire drive. This drive has what is called a linear stepping motor, which would cause the heads to move up and down laterally (towards and away from the center; the heads always pointed towards the center hub), instead of in a radial arc like they do today.
Radial Arc Technology
This is an example of what a current hard drive looks like when it moves the heads back and forth in what's called the radial arc. The radial arc is very important because of another technology that is designed around the movement of the actuator arm, called the Servo Information. Servo information is like GPS information for the drive and tells the head the location of the track and data that is at that location.
Stepping Motors (1)
This is what a stepping motor looks like. This is one of the last models made in 1989. Following this we went to the voice coil. This is a 3 inch disk and you can see the motor on the right-hand side. What is important about a stepping motor is that when it moves, the stepping motor moves in tracks. The drive knows how to move in increments to get to a specific track. This way when you step the motor 18 times, it moves to track 18. Because we no longer use a stepping motor and have switched to a voice coil, a new design had to be derived to know where the head is over the platter. That is what the Servo information is for. Understanding the stepping motor and the process used prior to the voice coil helps in understanding the newer technology.
Also notice that even though this is a stepping motor, by the time this drive was manufactured the heads no longer moved laterally but now moved in a radial arc, more like modern hard drives.
Stepping Motors (2)
On this drive, when you look at it closely, it's still possible to see with the naked eye the marks that the slider makes as the heads settle on the platter. There are grooves on each side of the slider that dig small ditches to direct where they come to rest. This was before we had a unique parking position for drives.
Tracks from the Sliders
This is a more defined view of this head and platter. You can easily see the ferrite and the wire connecting to the head. The ferrite is the black box square that is touching the platters. The heads and the wire are mounted on this slider. Along the edge of the platter you should also be able to see the grooves made by the slider touching the platters.
Today's Voice Coil
This is a view of the voice coil. This replaced the stepping motor. This is the view you will see in class after removing the voice coil magnets and completely removing the head stack from the drive chassis. This is something you will deal with often in rebuilding hard drives from donor parts.
Quantum Plus Hardcard
Between the 80s and early 90s there was much conflict between hard drives and controller cards. Quantum came out with this to try to solve that. The ATA spec evolved after that. This is an example of one of the early hard drives called a hard card. This particular one was made by Quantum in the late 80s or early 90s. One of the primary reasons for its creation was to eliminate problems and incompatibilities between controllers and hard drives by including the controller card with the drive. The integration of the controller with the drive eliminated some of the problems with compatibility; the controller was eventually merged into the drive and then unified with the ATA specs.
Myths about Hard Drives: Directly as it relates to Data Recovery
Myths about Hard Drives (1)
Freezing a Drive can help you recover the data. True & False
True because there are occasions that it does work, false because it can further damage the drive making it unrecoverable.
While it is not the best method and it is likely to further damage a hard drive, there are occasions where it does work. While no one has made a complete and clear statement as to why it works, it is obvious that heat affects hard drives in a very negative manner.
Most drives have adaptives (custom algorithms that change the drive according to environmental or other characteristics) and this could cause some of the changes that bring a drive to a working condition when exposed to cold or hot air. Some drives can actually be fixed by heating up the processor.
It is possible that the cold temperature causes the metal and electronic parts to contract, creating better contacts or reversing some of the deformations caused by heat. On occasion, freezing the drive does work; however, I do not recommend this. The condensation caused by changes in temperature can cause a lot more damage to the platters. Therefore, I do recommend trying to control the temperature of the drive by using other methods of cooling, such as Peltier ceramic coolers, fans, and heat sinks during the process of recovery.
Frozen Drives
A frozen drive is the last-ditch effort. It will harm the drive to do this, and as you can see from this picture, there is quite a lot of condensation caused by freezing it.
Myths about Hard Drives (2)
A drive is hermetically sealed. False
The drive is not hermetically sealed. Hermetically sealed would mean that there was no exchange with air from the outside world to the inside. That obviously is not true. If the drive were sealed in such a manner, there would be no way for water or other liquids to enter your drive. We all have heard stories about laptops falling into pools or lakes. Water does get inside the drive.
Additionally, it is important for the balance of air pressure that it not be hermetically sealed. As we briefly discussed, there is a mechanism in the drive called an air bearing, which causes the heads to float over the platter at what is called the flying height. This requires air flow to create a balance between the outside air pressure and the inside air pressure. This is why high altitudes can cause problems with your hard drive, and drives seemingly crash for no reason. In addition, if the platters cannot create air bearing surfaces, then in many cases the locking mechanism for the actuator arm will not unlock to allow the heads to move over the platters.
Breather Holes in Drives
This is an example of breather holes that exist in hard drives. This appears on the bottom of some drives. Since there are holes on the lid that allow air to filter in, there have to be holes somewhere else to allow the air to escape and balance air pressure.
Myths about Hard Drives (3)
The manufacturer will help you with the problem. False
Manufacturers will not help you with your hard drive problem. They will not go look in a back room for a matching hard drive or go find a ROM file that matches the version you have. Sometimes the best you can get from the manufacturer is the date code for the drive and whether it is under warranty. I have had several people e-mail me in disgust because the manufacturer would not provide them with the part they needed. When having difficulty getting a donor drive, several people asked me if I had contacted Seagate to ask them. In some cases, as with Seagate, they own their own data recovery company and of course would like you to send your drive to them.
The manufacturer will NOT help you find firmware, Printed Circuit Boards or any other type of equipment or replacement parts. They do not respond to threats with regards to action against them for a major problem with a drive or firmware issue. Some manufacturers own data recovery companies and want you to fail and give up so they get the business.
Myths about Hard Drives (4)
A drive knows when it has a problem and can go into safe mode. True
Some drives have something called safe mode; not every drive, but some, do know when they have a physical problem and go into safe mode. In safe mode the drive bypasses its own firmware and waits for firmware to be uploaded to RAM. The RAM code is called the loader and will start the drive operations. It is possible for the hard drive to go into safe mode all by itself if it detects a problem or if jumpers are set. You will never know this is happening unless you have some special diagnostic hardware or software.
On some drives, like Seagate, you can use a serial cable specially made for Seagate drives and a terminal application to talk to the drive itself and get this information. There are some hardware tools like a PC3000 that can tell you if a drive is in safe mode. You will never be able to recover data until this problem is solved and it is not running in safe mode. When it is running in safe mode it will sound like the Click of Death. It will generally click three times, power down, reset and start all over again. However, in 2 drives it might just power down and shut off after resetting due to power saving features, depending on the manufacturer.
A drive has a Safe Mode. The drive can detect a problem and go into safe mode similar to Windows safe mode. When in safe mode the drive does not load the ROM code and does not allow the drive to function or operate until the problem is solved. The drive has diagnostic software for the vendor to troubleshoot, but we may not have access to it at all.
SMART BAD STATUS
When you have a drive that is going bad and SMART is intelligent enough to catch it, it will report it to you on the boot screen. This is a sample display as to how it will look when you have a warning status coming from the BIOS during a reboot.
SMART: SMART can affect a number of things that happen to the drive. When a SMART table is updated on a drive, in some cases there are many logs that are updated in other locations that can cause the drive to fail on startup. The drive is running a piece of code, just like any other program, and when it reads in data and gets corrupt information, many times the program crashes, just like any other application. The SMART logs are not necessary to the function of the drive and contain worthless data unnecessary to keep the drive working; however, they can stop the drive from working or functioning at all. Knowing that they can be the root of the problem, if possible you can just clear the SMART logs without consequence. This is one of the reasons to use a function to turn off the reallocation and the SMART Table Updates, which will also stop updating the other logs.
Adaptives: Each drive has different physics applied. Some drives have different adaptives. In many cases the drive itself can modify how it operates, depending on environmental characteristics. To protect the drive, your goal is to minimize the Read Timeouts on the drive. When a sector fails to read, it causes the drive to try a number of different processes to recover that data. Sometimes these processes are detrimental to the drives.
Myths about Hard Drives (5)
You need a special program to wipe your drive. False
You do not need a special program to wipe your hard drive. Since 2001 there has been a special command built into the motherboard (ATA command set or controller) and your hard drive. Basically, software is used to initiate a call to the ATA controller to start the process; however, after the call it no longer relies on the software and will execute in the processor of the drive itself. All the functions happen internally between the motherboard (ATA controller) and the hard drive. This function is called secure erase. There are two versions of the firmware code that exist between the motherboard and the hard drives: one from 2001 to the end of 2004, and another from 2005 to the present.
The Secure ATA delete command that wipes drives is in the controller on your motherboard and has been built into your hard drive since 2001! You do not need special software like DBAN (Darik's Boot and Nuke, www.dban.org) to wipe your hard drive. The government built it into the drive and your controller for you! Once the command is initiated it does not need software to run; it runs internally on the drive itself.
Secure Erase (1)
This is an example of what the software looks like that executes the command.
This is an agreement between the drive manufacturer and the motherboard; the software sends the command. Once the command is sent, it's done with the software. The processor on the printed circuit board on the hard drive will wipe it all, including the bad block list.
A link to the tool: http://cmrr.ucsd.edu/people/Hughes/SecureErase.shtml
Secure Erase (2)
The Center for Magnetic Recording Research (CMRR) is headed by Gordon Hughes, Associate Director of CMRR, UCSD on the Secure Erase Initiative.
Secure Erase is an ANSI disk drive standard.
Erase using the DoD 5220 (Standard for Sanitization).
The current ATA specification for Normal Erase mode states that the SECURITY ERASE UNIT command shall write binary zeroes to all user data areas.
http://cmrr.ucsd.edu/people/Hughes/SecureErase.shtml
This process was introduced by the Center for Magnetic Recording Research, which was headed by Gordon Hughes, on a project called the Secure Erase Initiative. It is an ANSI disk standard and it complies with the DoD 5220 standard for sanitization.
Reallocated Bad Blocks
Q: What is secure erase?
A: Gordon Hughes, Associate Director of CMRR, UCSD on the Secure Erase Initiative: Secure erase is a means of erasing all data on a disk drive so the original user can be certain that it cannot be recovered, including data on reallocated blocks on the drive. It's electronic data shredding, and allows a user to safely sell or donate an old drive.
From an interview with Gordon Hughes, one of the things that I found most important was the statement about including data on reallocated blocks. This is very important because that means that it overwrites the data, including what is in the G-list (Bad Block List) records that could contain important data before the block was reallocated. A block size is 512 bytes. This is very important and serious in a program such as DBAN. DBAN is a block erase program, and it respects reallocated blocks. When you wipe your drive, and a bad block has been relocated, then the content that was originally located in the block before has been relocated as well and still exists unless you use a tool like secure delete enhanced mode.
SE Wipe Widely Adopted Standard in 2004
At the ANSI T-13 Committee meeting in 2004, Gordon described the differences between block erase as described in government document DoD 5220 and Secure Erase. Unlike block level erase, Secure Erase also overwrites reassigned blocks and can be up to eight times faster (per CMRR tests). In addition, the enhanced SE command qualifies for Federal Government secret data classification erasure. This has been added to newer drives since 2005.
So what this means is that unlike block level erase, secure erase begins at each track and erases each sector, regardless of reallocation. After 2004 there was an enhanced secure erase command that qualifies to sanitize drives, and the federal government uses this for secret data classification.
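The difference between a host-side block erase and the drive-side Secure Erase described above can be seen in a small model. This is an added example, not code from the course or from any drive firmware; the `ToyDrive` class, its spare pool and the assumption that a retired sector keeps its last contents are all hypothetical simplifications.

```python
"""Toy model of sector reallocation and two ways of wiping (added example)."""

SECTOR_BYTES = 512            # block size given on the page
ZEROS = bytes(SECTOR_BYTES)


class ToyDrive:
    """Hypothetical drive: a user area addressed by LBA plus a spare pool."""

    def __init__(self, user_sectors, spare_sectors):
        self.user_sectors = user_sectors
        # Physical sectors: user area first, spare pool after it.
        self.physical = [ZEROS] * (user_sectors + spare_sectors)
        self.g_list = {}                  # LBA -> spare physical sector
        self._next_spare = user_sectors

    def _locate(self, lba):
        """Translate an LBA to a physical sector, following the G-list."""
        if not 0 <= lba < self.user_sectors:
            raise IndexError("LBA outside the user area")
        return self.g_list.get(lba, lba)

    def write(self, lba, data):
        if len(data) > SECTOR_BYTES:
            raise ValueError("data larger than one sector")
        self.physical[self._locate(lba)] = data.ljust(SECTOR_BYTES, b"\x00")

    def read(self, lba):
        return self.physical[self._locate(lba)]

    def reallocate(self, lba):
        """Retire the sector behind an LBA and point the LBA at a spare.

        Assumption of this model: the data is copied to the spare and the
        retired sector keeps whatever it last held, unreachable by LBA.
        """
        if self._next_spare >= len(self.physical):
            raise RuntimeError("spare pool exhausted")
        old = self._locate(lba)
        spare = self._next_spare
        self._next_spare += 1
        self.physical[spare] = self.physical[old]
        self.g_list[lba] = spare

    def block_erase(self):
        """Host-side wipe: overwrite every LBA through the normal write path."""
        for lba in range(self.user_sectors):
            self.write(lba, b"")

    def secure_erase(self):
        """Drive-side wipe: overwrite every physical sector, retired or not."""
        self.physical = [ZEROS] * len(self.physical)

    def residual_sectors(self):
        """Physical sectors that still hold non-zero data."""
        return [i for i, s in enumerate(self.physical) if s != ZEROS]


def compare_wipes():
    """Run both wipes on a drive with one reallocated sector."""
    drive = ToyDrive(user_sectors=8, spare_sectors=2)
    drive.write(3, b"customer record (constructed sample)")
    drive.reallocate(3)                       # LBA 3 now lives in the spare pool

    drive.block_erase()
    after_block = drive.residual_sectors()    # retired sector 3 still has data
    host_sees_zeros = drive.read(3) == ZEROS  # yet the host reads only zeros

    drive.secure_erase()
    after_secure = drive.residual_sectors()
    return after_block, host_sees_zeros, after_secure


if __name__ == "__main__":
    print(compare_wipes())
```

After the block erase the host reads zeros from every LBA, yet the retired physical sector still holds the record; only the drive-side erase clears it.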
Faster Process for Erase
Gordon stated that drives verify the block writes via their internal write fault detection hardware, avoiding a separate read verify pass. This speeds execution time, increasing user willingness to secure erase drives.
SE sets a password before erase that is released after completion. The password is a known password.
I have secure erased a 500 gig in 2 hours in our lab.
One of the other reasons that Gordon states he designed this process was that it took so long to wipe a drive, and because it took so long people were not as willing or able to do it. So now he believes that it is faster and it is more likely that people will correctly erase a hard drive.
A few things to note about the erasure process: at the beginning of the process a password is set on the drive that it is erasing so that if there is an interruption in power or some other issue, the drive is not usable again. This was because there was a fear that the erase cycle might not have completed, and you weren't there to restart the process.
So in order to try to protect the drive's information, it was password protected, which would block any reads to any bytes of data on the drive until the password was reapplied. Part of the problem is that this is a known password, and even displayed on the screen. So the moral of the story is: don't let the drive out of your sight until it has completed its wipe cycle. Testing in my lab has resulted in a 500 Gig drive being securely erased in 2 hours. That's pretty fast for a 500 Gig drive.
Some manufacturers have blocked this command because of a fear of a virus that could send this command. Gordon put out another version that will bypass the freeze on the Intel BIOS motherboards. This method is very quick and efficient, and is the easiest way to erase the G-list without special equipment.
Myths about Hard Drives (6)
There is a secret magic tool that can recover your data after it has been wiped or over written. FALSE
I get asked quite a lot about a magnetic force microscope and whether or not the government or some other party could magically recover the data after it has been wiped. There is a slight chance that it is possible, yet it is not practical, although I have heard that one such agency recovered a 36K JPEG in three months.
Writing over the disk one time is all that is needed to make files unrecoverable, not 35 times. The space between the tracks is so small that it is virtually impossible to read, and in addition to that, data is stored in a cylinder, and you would have to get snapshots with a magnetic force microscope of all the sides of all the platters before you could reassemble much of the data. In a few days you'll have a clearer understanding of what the problems with this would be, especially with the recent changes in hard drive technology.
While there is a small amount of residue surrounding the tracks, there is such a high amount of error that it is unlikely to be recovered. Not even with a Magnetic Force Microscope.
Magnetic Force Microscopy (1)
It is a type of atomic force microscope that uses a cantilever with a magnetic head to read the magnetic grains of the storage device. This allows examination of the magnetic domains independent of logical structures.
This is what a magnetic force microscope looks like. It is a variation of an atomic force microscope. There are many different models, and they all vary in size and performance. The simple way to describe these is that there is a laser that measures the movement of a cantilever. The cantilever has a smooth magnetic surface and is able to read the content and resistance on the platter, and the small movement of the cantilever is reflected in the content that can be seen by the microscope.
Ref: http://chemistry.uconn.edu/SuibGroup/AFM2.JPG -The Department of Chemistry at the University of Connecticut
Magnetic Force Microscopy (2)
This is an example of content that was shot from the tracks on a CD viewed under a MFM. Notice the granularity.
REF: These were sent to me by a friend at the University of Michigan that shot them just for me to use in class.
Magnetic Force Microscopy (3)
This is an example of a CD that has been broken in half. In the top layer you can see the tracks.
REF: These were sent to me by a friend at the University of Michigan that shot them just for me to use in class.
Overwriting Hard Drive Data: The Great Wiping Controversy
By Craig Wright (BDO Kendalls, Sydney, Australia), Dave Kleiman (ComputerForensicExaminer.com, Florida, US) and Shyaam Sundhar R.S. (Symantec, USA)
Book: Information Systems Security. Book Series: Lecture Notes in Computer Science, Volume 5352/2008, Pages 243-257. Publisher: Springer Berlin / Heidelberg. Copyright 2008. ISSN 0302-9743 (Print), 1611-3349 (Online). ISBN 978-3-540-89861-0. DOI 10.1007/978-3-540-89862-7_21. Collection: Computer Science. SpringerLink, Thursday, December 04, 2008.
Used with Permission. http://www.springerlink.com/content/408263ql11460147/?p=650ee5e3e45d4e1e845e2bfe8a959f1a&pi=20
Myths about Hard Drives (8)
The hard drive knows all about your files and where they are. FALSE
Your drive does not have a clue about where your files are. Keep in mind that your drive does not know anything about your files, and there is no layout of the sectors that tells you which sectors belong to which files. That is a function of the operating system.
The only thing the hard drive knows is the request that was made of it. The operating system will request a block from the drive and will translate to the location. Technically an LBA block still stores the content of CHS. CHS stands for cylinders, heads and sectors, which is the predecessor to how the content was stored on the drive prior to LBA boxes. However, that content is still maintained for legacy support. Actual true CHS translation is only necessary for drives between 528 megs and 8 gigs. If your drive is smaller than 528 megs, no translation is necessary and everything is maintained in CHS. There is no support in the ATA command set for CHS commands for drives larger than 8 gigs.
Remember: Windows NT had a limit for a boot partition of 8 gigs (4 gigs could be converted). The reason for the 8 gig delimiter is that this is the maximum capacity supported by the physical ability to count in CHS. This limiting factor is 1024 cylinders with 256 heads and 63 sectors. A sector in all current hard drives, with the exception of solid state, is 512 bytes. Multiplied out, that equals 8 gigs.
In addition, when a sector goes bad there is a reallocation block. This content is a pointer that points to a new location where the actual data exists. And again, the operating system will know nothing about this process that exists at drive level.
Your drive is not aware in any way of the content. That is the job of the Operating System (OS from here on). When the OS asks for a file, the OS will request a logical block from the drive; if both the OS and the BIOS support Logical Block Addressing (LBA) translation, then a formula similar to this one from the Advanced Technology Attachment (ATA) 2 Command Spec is used.
Cylinder-Head-Sector (CHS) translation formula: The following is always true for LBA numbers less than or equal to 16,514,064 for devices supporting the current CHS translation:
LBA = ( (cylinder * heads_per_cylinder + heads) * sectors_per_track ) + sector - 1
where heads_per_cylinder and sectors_per_track are the current translation values.
NOTE: Look at $BadClus on an NTFS file system for what the OS thinks is bad.
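The CHS translation formula from the slide, worked in both directions, as an added example that is not part of the course material. It goes one step beyond the page by decoding the 3-byte CHS field of an MBR partition entry and checking it against the entry's LBA start; the function names and sample entries are constructed for illustration.

```python
"""CHS <-> LBA translation with the ATA formula quoted above (added example)."""

SECTOR_BYTES = 512  # sector size given on the page


def chs_to_lba(cylinder, head, sector, heads_per_cylinder, sectors_per_track):
    """LBA = ((cylinder * heads_per_cylinder + head) * sectors_per_track) + sector - 1"""
    if cylinder < 0 or not 0 <= head < heads_per_cylinder:
        raise ValueError("cylinder/head outside the translation geometry")
    if not 1 <= sector <= sectors_per_track:
        raise ValueError("CHS sectors are numbered from 1")
    return (cylinder * heads_per_cylinder + head) * sectors_per_track + sector - 1


def lba_to_chs(lba, heads_per_cylinder, sectors_per_track):
    """Inverse of chs_to_lba for the same translation values."""
    if lba < 0:
        raise ValueError("LBA cannot be negative")
    cylinder, rest = divmod(lba, heads_per_cylinder * sectors_per_track)
    head, sector_index = divmod(rest, sectors_per_track)
    return cylinder, head, sector_index + 1


def chs_capacity_bytes(cylinders, heads, sectors_per_track):
    """Largest capacity a given geometry can count, in bytes."""
    return cylinders * heads * sectors_per_track * SECTOR_BYTES


def decode_mbr_chs(field):
    """Unpack the 3-byte CHS field of an MBR partition entry.

    byte 0 = head; byte 1 bits 0-5 = sector, bits 6-7 = cylinder bits 8-9;
    byte 2 = cylinder bits 0-7.
    """
    if len(field) != 3:
        raise ValueError("an MBR CHS field is exactly 3 bytes")
    head = field[0]
    sector = field[1] & 0x3F
    cylinder = ((field[1] & 0xC0) << 2) | field[2]
    return cylinder, head, sector


def check_partition_start(chs_field, lba_start, heads_per_cylinder,
                          sectors_per_track):
    """Compare a partition entry's CHS start with its LBA start.

    Returns 'beyond-chs' when the LBA is past what 1024 cylinders can
    address (the CHS field cannot be meaningful there), otherwise
    'consistent' or 'mismatch'.
    """
    if lba_start >= 1024 * heads_per_cylinder * sectors_per_track:
        return "beyond-chs"
    cylinder, head, sector = decode_mbr_chs(chs_field)
    try:
        translated = chs_to_lba(cylinder, head, sector,
                                heads_per_cylinder, sectors_per_track)
    except ValueError:
        return "mismatch"
    return "consistent" if translated == lba_start else "mismatch"


if __name__ == "__main__":
    # The page's limit: 1024 cylinders x 256 heads x 63 sectors x 512 bytes.
    print(chs_capacity_bytes(1024, 256, 63))          # 8455716864
    # 16 heads instead of 256 gives the 528 MB figure (1024 x 16 x 63).
    print(chs_capacity_bytes(1024, 16, 63))           # 528482304
    # Constructed partition entry: CHS bytes 01 01 00, LBA start 63,
    # with an assumed 255-head, 63-sector translation.
    print(check_partition_start(bytes([0x01, 0x01, 0x00]), 63, 255, 63))
```

A 'mismatch' on a real partition table usually means the entry was written under a different translation geometry or has been damaged, which is worth knowing before trusting either field.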
Myths about Hard Drives (9)
When you get a new drive, it is perfect and does not have any errors. FALSE
Every hard drive running has errors. The manufacturers are not even trying to create a hard drive that does not have errors. What they do is try to create a formula that can compensate for the errors with as little failure as possible. This is where ECC (Error Correction Code) comes into play.
Basically, when a sector is read it is compared to the ECC for that sector, and if there is a problem, it is reread until it reaches a maximum threshold defined by the manufacturer. If it reaches its maximum number and never returns correctly, then you have a bad block, which requires data recovery for the data in that block. Generally programs will crash, or the machine won't boot, or you get a failure because the content cannot be read correctly. However, if the sector is correctly read, even if it was incorrect before, the drive will happily go about its business, ignoring the fact that there was ever an error.
All drives always have errors! ECC (error correction code) corrects errors for every block on normal reads. ECC will ignore a problem if it can correct it under its threshold values, and it will never report it or move data to the bad block area. There is no such thing as a good drive.
Data Recovery Tools: Hardware
Tools Introduction
- Clean Room Technology
- Cleaning Solutions
- Head Comb Tools
- HPE Platter Tools
- Voice Coil Magnet
- DeepSpar Disk Imager / Forensic Disk Imager
- Salvation Data's Data Compass
- PSI Cyclone / IDE Hammer / SCSI Hammer
- Ace Recovery Labs PC3000
We'll now start with introductions to tools that data recovery companies and professionals use. This will cover the things that you mostly would not know anything about and leave out the most common things that are generally well known.
Clean Room Technology
The first item is clean rooms and clean room technology. They are all classified by the number of particulates that remain in the air after the air is cleaned. Generally when they are classified it is not with working material or people inside the airflow. It is classified by how it performs empty. In many cases, introducing material or people into the room would cause the certification to degrade. So this is an instance where you would cover your entire body so that you are not introducing any other particulates into the clean room.
REF: Intel Apple Commercial on TV
Most of what sticks to your drive isn't dust but human cast off (hair, finger grease, dead skin cells)!
Federal Standard 209: "Airborne Particulate Cleanliness Classes in Clean Rooms and Clean Zones"
According to the air cleanliness classes from Federal Standard 209E, "Airborne Particulate Cleanliness Classes in Clean Rooms and Clean Zones":
Class 10 clean rooms have been designed to allow no more than 350 particles of 0.1 microns in size.
A class 100 clean room would have a particle count that does not exceed a total of 100 particles per cubic foot, eliminating particles of .5 microns and larger.
A class 10,000 clean room would have a particle count that is not to exceed a total of 10,000 particles per cubic foot, eliminating particles of .5 microns and larger.
A class 100,000 clean room would have a particle count not to exceed a total of 100,000 particles per cubic foot, eliminating particles of .5 microns and larger.
Classes and their Typical Uses
Class 1 & 10 - production laboratories for electronic integrated circuits
Class 100 - production areas for photo labs, medical implants
Class 10,000 - production locales for TV tubes, hospital operating theaters
Class 100,000 - production of ball bearings
Clean Rooms ISO Standard 14644
The size of contaminants and particles are usually described in microns, a metric unit of measure where one micron is one-millionth of a meter. There are 25,400 microns in one inch. The eye can see particles to about 40 microns. Optimum levels for temperature should normally be 70 to 72 degrees Fahrenheit, with humidity levels at 50%.
An example of something that could be filtered out by using a class 2 clean room: anthrax at 1 micron, bacteria, usually .3 microns or larger, or yeast, generally 1 micron.
Items not likely to be filtered out: radioactive fallout at .1 microns, tobacco smoke at .01 microns, or viruses, which are generally smaller than .3 microns.
HEPA Filter Technology
HEPA filters normally eliminate 99.99% of particles 0.3 microns or larger.
Most of the technologies surrounding clean rooms are based on HEPA filters. HEPA (high efficiency particulate air) will generally remove particulates, also referred to as aerosols. This includes microorganisms in the air. HEPA filters are generally made from silicate microfibers formed into flat sheets. They are then pleated to increase the surface area, and then separated by aluminum baffles, which direct the airflow in a particular direction. HEPA filters are comprised of tightly compressed fiberglass fibers that are arbitrarily laid out to trap pollutants and particles. Most other filters function as sieves.
Generally, for every 10,000 particulates that are in the air, the filter can filter out 99.97 - 99.99%. HEPA filters are commonly used in most workbenches that are used for hard drive repair. Generally these workbenches are called horizontal laminar benches, otherwise also known as a hood.
Laminar Work Bench
The bench generally has fiberglass pre-filters covered by an aluminum grill for intake air. The bench itself is usually made of Formica and acrylic. They often come with options for laser scanning to remove 99.9995% of particles 0.12 or larger. There is a motor that has an intake percent, but which also provides a filter, and it sucks the air at a constant speed and forces it out towards where the user would be working at the workbench.
By doing this at a constant rate and filtering the air using a blower motor and a HEPA filter, the air can reach a class 100 clean room. There are generally some problems with regards to a workbench, the problem primarily being there can be a backwash. What that means is when you introduce items into the area where you're going to work, they block the consistent airflow, allowing outside unfiltered air to be introduced, contaminating the workspace. Generally speaking, a laminar workflow is probably one of the better things if you are going to work on hard drives professionally. It is possible to have alternatives that are more affordable. Lately it has been possible to get a decent laminar workflow bench for less than $2,000 on eBay. Search for a "Class-10 Laminar Flow Cabinet" to locate one for purchase.
REF: My Laminar Sales Information Sheet Company Out of Business, No Info except it was made by Clean Room Engineering.
Clean Bench Technology
This is how clean bench technology works. Air is sucked in through a filtered vent in the top, or sometimes the bottom, and is then pushed in behind the HEPA filter and forced out the front towards the user. This creates positive airflow at the user, keeping dust, particles and other contaminants from getting inside.
eBay Air Flow Bench
You can get clean rooms fairly cheaply by searching eBay. This company had a large professional enclosure for $700. I have seen the same as low as $350.
Gloveboxes (1)
There are less expensive ways to build a clean room, called gloveboxes. They work well for small jobs, like hard drives, and will get the job done. They are also very portable. http://www.thenook.org/archives/3487.html
There are sites dedicated to how to create the best glovebox and do it in an affordable manner. This is an example of one. I have built several and used them in the beginning, before acquiring a laminar horizontal work flow bench.
REF: http://www.thenook.org/archives/3487.html
One item about using a glovebox is that sometimes it is hard to see into depending on plastics and covers. Also it is difficult if you need a tool that is not inside the box. However, this is a great tool to use in the field if you need a portable clean room. Your basic goal is to keep contaminants off the platters.
Gloveboxes (2)
You can use items available at your local hardware store to create your own glovebox. There are sites dedicated to building your own. I have built some for around $200.00. If you are going to do this a lot or professionally I suggest getting a Laminar Flow or Positive Flow Bench.
These are some of the materials I used to make a glovebox. All of this was less than $200. You can use Tupperware, PVC piping, and HEPA filters from a vacuum cleaner. I bought several small vacuum cleaners and used one on one side of the HEPA filter to create suction so the positive airflow could clean out the box while working.
Clean Room Basics
Even when using a Clean Bench, most common tech procedures apply. You should be wearing anti-static bands and gloves if possible. Scrubbing your hands before a process helps quite a bit also. When the platters spin, the air bearing created will usually spin off small debris. The drive was actually designed this way. However, if your flakes of skin stick to the platters, they do not come off easily. Touching it is a mistake!
Here you can see an example of particle size compared to the location head flying over the platter. You can see the effect it would have on the platters if hair or dust got between the head and the platter. The way the drive is designed, there are always chances of fragments internal to the drive flinging off.
There is even a design incorporated to take care of flakes of metal that might be loose in the drive. However, there is no easy way to compensate for fingerprints or other matter that might get stuck to the platter, primarily if the matter is a flake of skin. Dead skin from your body has oil in it and can stick to the platter, which can be detrimental to the drive because dead skin is larger than dust and smaller than hair.
It is very wise to be cautious about material and trying to keep the area clean. You will see later today in the lab that after you open the drive and work on it a while you will start to see flakes, spit, and dust on the platter. Some will fling off when the drive is started, some will not.
Air Tracks Used by Air Bearing
The track is meant to guide any excess material that might come off while the drive is in use into the Air Filter Pillow for containment so that it does not continue to move around in the drive.
This is the design built into the drive to compensate for loose matter in the drive. There is a track around the outside of the platter in most hard drives. This track leads to a filter in the edge of the drive. The filter allows material spun off the platter to go around the track and get trapped by the filter around the back of the track. This will keep loose material from getting caught in the working components of the drive and getting stuck in the heads.
Keep this in mind each time you are moving a drive, especially one that has been running in a system for a long time. When you remove the drive and change the angle, some of the material might come loose again and can get stuck in the drive. This includes moving the whole machine. From time to time you hear a story about how it all worked well before the move, but after the move the drive won't start or the platter appears scratched and damaged.
Air Tracks Capture Particles
This is a photo of the track, and in this case you can see fragments and dust that got dislodged from behind the filter inside the track. When you are moving an older system or older hard drive that has not been turned off in a while, be careful not to change the angle, which can cause this material to lodge under the head or in another location where it could do harm.
Cleaning Tools for Hard Drives
There are several materials that can be used to clean, if necessary. Obviously you want to be as careful as possible, and there are still issues with separating the two platters to clean between them, so most of these methods are used only on the exposed area, usually where someone put a fingerprint on the drive, or where there is something stuck to the platter. It is very important to use lint free materials and even special medical Q-tips that will not leave residue or material behind. Materials for cleaning a disk are: For platters you can use ISOPROPYL ALCOHOL, for PCB boards you can use contact cleaner and chemicals made for the boards to clean and protect them, like DeoxIT.
There are some special cleaners that are very expensive just for professional hard drive and head cleaning made by 3M. A few ounces are hundreds of dollars. Most cleaning can be done with less expensive materials but if necessary you have 3M as an option.
Cleaning of Hard Drive Components and Assemblies: 3M Novec Engineered Fluids are excellent in meeting the demanding cleaning requirements of the hard disk drive industry. These fluids are used for cleaning light oils and particulate from many parts of the drive, including MR heads, HGAs, suspensions and media.
Salvation Data talks in their news about a new device they are developing to clean and polish platters that are dirty or damaged. Since this device is not released yet, it is difficult for me to give much insight except what they tell me. I saw an estimate that it would be about $7,000 US.
Head Comb Tools
This is a set of head combs. A good set of head combs can cost around $200. At the ends you can see where the V shape would fit on the edge of the platter, and the flat sides would brace between the suspension triangle before the end where the head is located holding the heads apart and allowing them to slide off the platters without damage. This way you can remove the head stack assembly safely, keeping the heads apart, and be able to reassemble with the brace in the middle.
I will teach you to build something I think is superior to this. However, there are at least 5 different ways to disassemble the head stack and everyone has different preferences. We will attempt at least three ways to do it in this class using paper, plastic, and foil.
Homemade Head Tool
We will be building custom sets of head combs using wrappers and foil materials. These work amazingly well, and because you can make as many as you want you will find it useful that you don't have to spend hundreds of dollars on combs. You can find this documented on YouTube: "Hard Drive Head Replacement Tools for 50 Cents".
Drive Platter Exchange Tool
This is a tool called an HPE. HPE stands for Hard Drive Platter Exchange Tool. This fits around one to several platters and will allow you to remove an assembly of platters on a drive that has a bad motor.
The reason this tool exists is that you cannot just remove each platter and restore them to a new drive. Since the data residing on the platters is laid out in cylinders or, more importantly, designed around something called the servo information, you must move the platters together in sequence all at once. If the platters get out of sequence or turn even the smallest amount, you might not be able to recover your data. These tools work on about 90% of drives. There are other tools for the remaining 10%.
Display Platter Tools
HDRC Platter Exchange with Spacers
This is a set of tools made by HDRC Online that are for part of the 10%. They have special cutouts for something called spacers. There is still a lot of work being done to get around different problems with spacers. Spacers are pieces of plastic or metal that are used as braces in between the platters and screwed to the case. They are inserted at assembly time, generally before initialization of the platters and the servo information. You will see why this is important very soon.
The important thing to understand now is that there are other tools and other methods being developed, and you should never stop looking or trying to be creative in solving these problems. Data Recovery is more of a reverse engineering science and evolves every day. Many of the tools we use we will have to make out of available materials such as toothpicks, rubber bands, clamps and so on.
Exchange with Spacers
New Salvation Data Tool for removing platters with spacers that are plastic and metal.
Spacers on Drives (1)
This is an example of spacers on hard drives. They are sometimes referred to as brackets. They are screwed on to both sides of the drive and you cannot remove them without removing the platters. But you cannot remove the platters because the spacers prevent you from getting your tools around them. This is where these special tools come in with special cutouts. Keep in mind that the distance between each of these is different for each drive, or model, or even manufacturer, so there may be a dozen different sizes needed over time.
Spacers on Drives (2)
After removing the top platter, this is what the spacer looks like in between the two platters. You'll notice that there are screws around three of the edges. The entire assembly, platters and spacers, must be removed at the same time. This is a very difficult task and requires special tools.
Drive Brackets (1)
Note the screws on the outside edges that hold the spacers down in-between the platters.
Drive Brackets (2)
If you were able to remove the motor from the other side, this is what you would see. This centerpiece snapped off of the chassis and you can now see what it is like inside the motor. This is what it looks like removed with the jammed motor.
After the Motor is Removed
This is the underside section that the motor snapped off of. You can see the wires that were connected to the motor itself, as well as a small piece of ceramic that was attached to the spindle.
Drive Brackets (3)
These are metal spacers that are distributed between platters, making it impossible to use the standard platter tools we have had for years. New tools are just coming out to solve this issue.
Drive Brackets (4)
Metal spacers from a different angle. These are metal spacers that are distributed between platters, making it impossible to use the standard platter tools we have had for years. New tools are just coming out to solve this issue.
HPE SP: Spacer Tool
This is an example of the new HPE SP tool from Salvation Data in use. This is used on drives that have spacers so that you can remove the platters and exchange them with another drive if you have a bad motor.
HDRC Platter Exchange with Spacers
This is the bottom of HDRC Online's HPE. As you can see, there is a special cutout for different spacers to allow the tool to reach around the platters with the spacers and remove them all at once.
Spacer Platter Tools
This is an example of what the platter tool does. As it reaches around the outside edges of the platter, on one side there will be a thumbscrew with the pressure guide that will snap below the platters, holding them in place while you remove them. Again, this is specialized for certain platters that have spacers and need connectors in different locations and pressure from other directions.
HDRC New Platter Tools (1)
This is a similar tool from HDRC Online. They have interchangeable components for different size drives. Some of the space sizes vary in location and depth, and these new variations may give you the size you need.
HDRC New Platter Tools (2)
HDRC Online also makes different sizes that I have not seen in other tools. They make a 2.5-inch and a 1.8-inch ZIF drive version.
HDRC New Voice Coil Tool
This is HDRC Online's voice coil removal tool. The magnet is built in and when you push down it touches the voice coil magnet.
Magnetic Voice Coil Remover
This is a magnetic voice coil remover tool. It is a very strong rare earth magnet. Be careful where you put this. You can also get your fingers crushed or snapped under them while removing or reinstalling a voice coil magnet.
This tool goes over the top of the magnet and then will allow you to apply pressure in an upward motion to remove an existing magnet. Be careful: if there is a stop pin in between the two magnets, do not bend this backwards and snap the pin while removing it.
Platter Swap Bench
This is primarily used to swap platters by putting your donor drive on the left bracket and your bad drive, the destination, on the right. However, this tool is also very useful in the process of swapping head assemblies. The hole in the front allows you to have access to the screw that might pass through the actuator arm joint, allowing you to remove the head stack. It also gives you full access to the bottom section of the metal casing of the drive where you might have the IC board coming through to be removed.
Other Tools
There are other tools you will need that include Torx, Phillips, and flat head screwdrivers, as well as tweezers. Most of the other tools are standard tools you can get locally or at an electronics store. Keep in mind that static pads and wrist guards are typically needed as well.
Finger Prophylactic
This is a finger glove. This will keep your fingers covered tightly so that you can work on head assemblies without touching the platters themselves. These come from HDRC Online.
Motor Bearing Tool
This tool is used for turning a motor that is stuck or has damaged bearings.
REF: Used by permission from Data Savers, LLC and John Yaeger.
Head Alignment Tool
This tool is used to align heads in hard drives after a head replacement or when the alignment is damaged.
REF: Used by permission from Data Savers, LLC and John Yaeger.
Head Alignment Tool with Drive
This tool is used to align heads in hard drives after a head replacement or when the alignment is damaged.
REF: Used by permission from Data Savers, LLC and John Yaeger.
Peltier Cooling
This is a device out of a USB cup cooler. Between the heat sink and the metal plate is a ceramic cooling chip powered by USB. It will turn ice cold in a few seconds on one side, and burning hot on the other side as it transfers the heat from the cold side. This is useful for keeping a drive that is heat sensitive cool while you are doing a recovery.
This is the CoolIT Systems USB cup cooler that you can raid for parts to use for Peltier cooling for your drive.
SATA to IDE Bridge Boards
This is a SATA to IDE bridge board. These boards are necessary because some of the data recovery equipment does not have SATA directly on the device. Since SATA and IDE are essentially the same, you can just use a converter to get to the connector you need.
Magnification Tools
This is one of many tools you can use for magnification. You will find that it will be necessary to get up close and look at several items on the boards and heads, and it helps to have something that lets you see while keeping your hands free.
Other Magnification Tools
These two sets of tools are amazing at how cheap and helpful they are. The pen on the left is a 25x magnification and can zoom way in on small parts and examine chips for damage. The jeweler's eyepiece loupe set ranges in magnification, the largest being 10x. These will give you great variety to have around to examine small items.
Microscopes
A microscope can be very useful if you have to resolder chips or work on USB adapters. This particular model also has a 3MP camera attached to take pictures or work off the computer screen as you are soldering or reviewing a case. This microscope is called an AM Scope with a 95x rating.
Complex Soldering
As you can see, if you have to do up close soldering, this photo that was taken using the microscope in the previous slide shows the detail with which you can work.
Soldering Tool
In order to repair some drives you will need a decent soldering tool. This one has temperature controls and a very fine tip.
Oscilloscopes
An oscilloscope can come in very handy when trying to determine a problem with a board or comparing damaged boards and electronics to other good boards.
Air Soldering and Desoldering
This is an air soldering and desoldering station. If you have damaged boards, this device makes it easier to repair. It is possible to also use ChipQuik to keep things on the cheap side, however Air Soldering and Desoldering offers quicker, cleaner work.
For Example: Damaged Chip
With a damaged chip like this, you might be able to get another board that works with your drive, but what if you have to replace this chip? This is where air soldering and desoldering can make your adventure more successful.
WD: Resolder U12/U5 Serial Chip
This is a common chip to have to resolder from one board to another. It is a serial chip from Western Digital drives and labeled U12 or U5. It will need to be soldered when swapping boards. There are other drives this will be necessary for as well, such as IBM/Hitachi or even Seagate.
DeepSpar Forensic Disk Imager
This is called the DeepSpar Forensic Disk Imager. The Disk Imager can image badly damaged hard drives and sectors on damaged hard drives. It is different from standard imagers in that it does not have to do each block sequentially. You can think of this as imaging a hard drive similar to the way BitTorrent works. It maps out the original drive to a destination, and then for every sector it correctly copies, it never needs to do those sectors again.
You can control the direction and timing of the box, forcing imaging to go backwards or forwards and controlling how many milliseconds each read takes. You can then make multiple passes, increasing and fixing more of the sectors that did not get covered in the previous passes.
The black box in the rear contains all the electronics and the computer itself. It controls the two drives, the original bad drive, and the destination drive. This tool comes in two models, one much cheaper than the other. This is the forensic model made for portability; the second model is a standard small black box that contains flash and will boot off the device. It connects to an existing computer system over an IDE cable and can then control the power and function to repair the drive.
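The multi-pass scheme described above, as an added Python sketch (not DeepSpar's code and not part of the course materials): a sector map records what has been copied, and each pass sets its own direction and read timeout. The simulated drive, the skip-on-error step and all names are assumptions made for this illustration.

```python
from dataclasses import dataclass, field

SECTOR_SIZE = 512


class ReadError(Exception):
    """Raised when the simulated drive cannot return a sector in time."""


@dataclass
class SimulatedDrive:
    """Constructed stand-in for a failing source drive (no real disk I/O)."""
    sectors: list                                 # sector contents, index = LBA
    slow: dict = field(default_factory=dict)      # LBA -> ms the read needs
    dead: set = field(default_factory=set)        # LBAs that never read
    attempts: dict = field(default_factory=dict)  # LBA -> reads issued so far

    def read(self, lba, timeout_ms):
        self.attempts[lba] = self.attempts.get(lba, 0) + 1
        if lba in self.dead or self.slow.get(lba, 1) > timeout_ms:
            raise ReadError(lba)
        return self.sectors[lba]


def imaging_pass(src, dest, done, timeout_ms, reverse=False, skip=0):
    """Copy every sector not yet marked done; return how many were recovered.

    After a failed read the pass jumps `skip` sectors further in its
    direction of travel, leaving them unmarked for a later pass.
    """
    total = len(done)
    step = -1 if reverse else 1
    lba = total - 1 if reverse else 0
    recovered = 0
    while 0 <= lba < total:
        if done[lba]:
            lba += step            # already copied: never read the source again
            continue
        try:
            dest[lba] = src.read(lba, timeout_ms)
        except ReadError:
            lba += step * (skip + 1)
            continue
        done[lba] = True
        recovered += 1
        lba += step
    return recovered


def image_drive(src, plan):
    """Run the passes in `plan`; each entry is (timeout_ms, reverse, skip)."""
    total = len(src.sectors)
    dest = [bytes(SECTOR_SIZE)] * total   # unread sectors stay zero-filled
    done = [False] * total                # the sector map
    per_pass = [imaging_pass(src, dest, done, t, r, s) for t, r, s in plan]
    return dest, done, per_pass


def demo():
    # Constructed 16-sector source: LBA 5 is dead, LBAs 6 and 10 are slow.
    sectors = [bytes([n]) * SECTOR_SIZE for n in range(16)]
    src = SimulatedDrive(sectors, slow={6: 400, 10: 900}, dead={5})
    plan = [
        (100, False, 3),    # quick forward pass, jump away from trouble
        (500, True, 0),     # backwards, longer timeout, no skipping
        (1000, False, 0),   # final slow forward pass
    ]
    dest, done, per_pass = image_drive(src, plan)
    return src, dest, done, per_pass


if __name__ == "__main__":
    src, dest, done, per_pass = demo()
    print("recovered per pass:", per_pass)
    print("unreadable LBAs:", [i for i, ok in enumerate(done) if not ok])
    print("read attempts per LBA:", dict(sorted(src.attempts.items())))
```

Only the two sectors that failed at least once are ever read more than once; every sector that copied cleanly was read from the source exactly one time.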
DeepSpar Disk Imager
This is the more affordable version of the Disk Imager. It does everything involving repairing sectors that the forensic disk imager does. It just does not have the packaging and portability of the forensic version. The forensic version does a few other things with USB ports and standard DD imaging; however, for the purpose of Data Recovery they are not useful here. None of those functions include the ability to fix bad sectors on the fly during the other standard modes of operation, so there are many ways you can create a DD file without needing the forensic version and its USB ports, using many other forensic tools that are either free or fast hardware imagers.
Ace Recovery Labs PC3000
The PC3000 was created to deal with Firmware on drives and has many functions that no other device has. It has additional software that you can acquire with the device to extract bad data from drives and can examine the System Area on drives and repair them. This is the device necessary to understand the internals of the drive. It will not replace the process of dealing with damaged heads or physical damage to the disk.
PC3000 Screenshot
This is an example of the PC3000. The PC3000 has several modes and operations, but I will refer to just this sample. This screenshot is looking at a Western Digital 500 Gig hard drive. The last two lines of the terminal show the Master and User Passwords, which in this case have not been set. You can also see that there are two copies of the System Area, and in this drive the head map says there are 6 heads.
DeepSpar Drive Tester (1)
This is a diagnostics tester for hard drives, also produced by DeepSpar. It can read the stats of the drive and electronics and give you info and feedback. This device is not publicly released; however, it shows the future of what is possible in doing hard drive diagnostics.
REF: Given by DeepSpar, used with Permission.
DeepSpar Drive Tester (2)
This is a screen that the Disk Tester displays. There is a lot of feedback and information on this screen about the drive, electronics and the status, which can help diagnose problems. DeepSpar is currently working on a modification for the Disk Imager to show these voltages so you can get a reading if it is a good processor, or do some basic analysis.
REF: Given by DeepSpar, used with Permission.
Salvation Data's Data Compass
Salvation Data's Data Compass is a tool designed to work on the original drive live and avoid the time delay of imaging at the same time. It does this by doing what they call Shadow Copy.
You will have an additional good drive hooked to the system, and every time you touch a sector on the bad drive it images that content to the good drive. The purpose of this is so that the second time you touch the sector it will come from the good drive and not from the bad drive. This eliminates the excessive reading from the drive that sometimes causes future damage to the drive. This allows you to mount the bad drive and start copying files, and while you are doing that it is basically cloning the drive for the items you care about. It also has an additional unique function called System Area Emulation, which allows it to emulate a working hard drive with a specific type of damage.
Some marketing stuff is not true, such as the statement that this box can "Amplify signal". They cannot do this; this is wrong. It is a great multi-purpose box whose point in life is file-based imaging and imaging Hitachi drives. This is all new and perhaps the only hats vendor to do this. One down side is that it hooks up over USB, and that makes the box slower. Think of it as an error-recovery box. When you hook up a hard drive to a computer and there is an error, you are usually left hanging, and the software becomes unresponsive. That's what this box will handle. It will even handle restarting the drive and suspend a software process so that software imaging doesn't bomb if you have to reboot the drive. There is a function called Shadow-Copy. Any sector that is read from the original drive is immediately cloned to the destination drive; that way, if something happens and the original dies, it never has to request it from the original drive a second time.
Data Compass can read the MFT and knows what your file structure is, allowing you to pinpoint your recovery of certain files. Where you would want this product is if you have a guy who calls and says they need specific files off a drive in 24 hours or quicker, and you do not have the time to make an image. Hitachi has a special way of dealing with the System Area structure, and this device has built-in ROM code from a wide variety of IBM/Hitachi drives. It is a Live, file-based cloning device.
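The Shadow Copy behavior described above, as an added Python sketch (not Salvation Data's implementation): every sector read from the original is stored on the clone, so a second read never touches the failing drive, and only the sectors of the requested files are read at all. The file table of (start, count) runs is a constructed stand-in for what would be parsed from the MFT, and all class and function names are hypothetical.

```python
SECTOR_SIZE = 512


class SourceDied(Exception):
    """The failing original drive stopped answering."""


class DyingDrive:
    """Constructed failing original: answers `budget` reads, then dies."""

    def __init__(self, sectors, budget):
        self.sectors, self.budget, self.reads = sectors, budget, 0

    def read(self, lba):
        if self.reads >= self.budget:
            raise SourceDied(lba)
        self.reads += 1
        return self.sectors[lba]


class ShadowCopy:
    """Serve a read from the clone when the sector is already there;
    otherwise read the original once and store the sector on the clone."""

    def __init__(self, original):
        self.original = original
        self.clone = {}            # LBA -> data already on the good drive

    def read(self, lba):
        if lba not in self.clone:
            # If the original fails here, nothing is recorded for this LBA.
            self.clone[lba] = self.original.read(lba)
        return self.clone[lba]


def copy_file(device, runs):
    """Read one file given its runs, a list of (start_lba, sector_count)."""
    return b"".join(device.read(lba)
                    for start, count in runs
                    for lba in range(start, start + count))


def recover(device, file_table, wanted):
    """Copy the wanted files in priority order; return (recovered, failed)."""
    recovered, failed = {}, []
    for name in wanted:
        try:
            recovered[name] = copy_file(device, file_table[name])
        except SourceDied:
            failed.append(name)
    return recovered, failed


def demo():
    # Constructed 32-sector original that dies after 8 successful reads.
    sectors = [bytes([n]) * SECTOR_SIZE for n in range(32)]
    original = DyingDrive(sectors, budget=8)
    device = ShadowCopy(original)
    # Constructed file table: name -> runs, as would come from the MFT.
    file_table = {"ledger.xls": [(4, 3), (20, 2)], "mail.pst": [(10, 6)]}
    first = recover(device, file_table, ["ledger.xls", "mail.pst"])
    # The original is dead by now; the ledger is requested a second time.
    second = recover(device, file_table, ["ledger.xls"])
    return original, device, first, second


if __name__ == "__main__":
    original, device, first, second = demo()
    print("first request: recovered", sorted(first[0]), "failed", first[1])
    print("reads issued to the original:", original.reads)
    print("sectors on the clone:", sorted(device.clone))
    print("second request served from clone:", sorted(second[0]))
```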
Salvation Data: HD Doctor Suite
This is the HD Doctor Suite from Salvation Data. Each one is unique for the individual vendor and designed to deal with firmware problems. This set of devices works on Western Digital, Seagate, Maxtor, and IBM drives. There is a module for each one that can deal with specific issues with firmware, G-List, P-List, and Tables. These are not as mature as the PC3000, however, for specific drives it is much cheaper and easier to use. These tools cannot do everything, but many of the functions they do are easy to address with the software.
Atola Insight
The Atola Insight connects to your computer via a USB adapter. This tool has software and hardware that intercepts the signal going to the hard drive and controls it with special commands. It is meant to be an all-in-one, single-button type of device.
It can back up and restore firmware and do imaging, as well as testing of the PCB and head stack. This device is meant to be a lot simpler to use than a PC3000 and tries to cover all phases of the data recovery cycle: diagnostics, firmware, imaging, and logical recovery. Again, this is a USB-based device, so your speed is limited by the USB interface.
REF: Screenshots used with direct permission from Dmitry Postrigan, creator of the Atola Insight.
Atola Insight PCB Analysis
The Atola Insight attempts to determine the problem with the drive by examining voltages and currents and by testing the PCB, Heads, Media, Firmware, and file system. It has many features that make it very simple and straightforward to use for many complex tasks. This is an example of the testing of the PCB (Printed Circuit Board) and the oscilloscope for the current and power consumption.
REF: Screenshots used with direct permission from Dmitry Postrigan, creator of the Atola Insight.
Atola Insight Current Monitor
Current to the hard drive is very important. It is possible in some cases to determine what is wrong with the drive by what your current readings are. For example, in some drives if the 5v current drops off it can indicate a processor failure on the Printed Circuit Board.
REF: Screenshots used with direct permission from Dmitry Postrigan, creator of the Atola Insight.
Atola Media Scan
This is a screenshot from the Atola Insight performing a media scan. You can see that this scan is telling you that you have a bad head. Every place you see RED indicates a section that the head cannot read.
REF: Screenshots used with direct permission from Dmitry Postrigan, creator of the Atola Insight.
Zone Tables
This is an example of the layout of a zone table. The point is that the drive does not write data broken up on each platter; it writes a segment of data and then moves to the next platter. It takes time to turn a head on and off, so zone tables are divided up for speed. You might have two megs written to the same location on a platter, so if there is a bad head, you have a chance of reading some files back, even if one platter and head are completely damaged.
Atola Firmware Recovery
The Atola Insight also has the ability to back up firmware and restore it. In many cases you can repair damaged firmware or copy the data from a different drive to produce a working drive.
REF: Screenshots used with direct permission from Dmitry Postrigan, creator of the Atola Insight.
WD NEWER BOARDS
Some newer boards, like this Western Digital, have fuse problems, and in order to swap this board you will have to copy the ROM from this board to a working board. That will require a tool like the Atola Insight or a PC3000.
Hard Drive Passwords
Hard drives have two passwords: Master, User
Hard drives have two security modes: High Security, Maximum Security
A hard drive has two passwords: User and Master. A hard drive also has two security modes: High and Maximum. If you are in High mode, you can unlock the disk with either the User or the Master password, using the "SECURITY UNLOCK DEVICE" ATA command from the ATA Specification. In many drives there is a maximum number of attempts before the drive has to be repowered. Usually the attempt number is set to 5 attempts. If you are in Maximum mode, you cannot unlock the drive without erasing the data if you do not have the User password. This is done using the SECURITY ERASE PREPARE and the SECURITY ERASE UNIT commands, unlocking the drive and erasing the data, thus making the drive usable.
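A drive reports its security mode, lock state and expired attempt counter in IDENTIFY DEVICE word 128, so the rules above can be checked at intake before any unlock is attempted. The following is an added example, not part of the course material: the bit layout is the one defined by the ATA Security feature set, while the function names and sample words are constructed for illustration.

```python
# Bit masks for IDENTIFY DEVICE word 128 (ATA Security feature set status).
SUPPORTED, ENABLED, LOCKED, FROZEN, COUNT_EXPIRED = 0x01, 0x02, 0x04, 0x08, 0x10
LEVEL_MAXIMUM = 0x100          # bit 8: 0 = High, 1 = Maximum


def decode_word128(word):
    """Return the security state a drive reports in IDENTIFY DEVICE word 128."""
    return {
        "supported": bool(word & SUPPORTED),
        "enabled": bool(word & ENABLED),
        "locked": bool(word & LOCKED),
        "frozen": bool(word & FROZEN),
        "count_expired": bool(word & COUNT_EXPIRED),
        "level": "Maximum" if word & LEVEL_MAXIMUM else "High",
    }


def intake_plan(word):
    """Map the reported state to the next step, following the rules in the text."""
    s = decode_word128(word)
    if not (s["supported"] and s["enabled"]):
        return "no ATA password set: image normally"
    if not s["locked"]:
        return "password set but drive unlocked this power cycle: image now"
    if s["count_expired"]:
        return "attempt counter expired: power-cycle before any further unlock attempt"
    if s["level"] == "High":
        return "SECURITY UNLOCK accepts the User or the Master password"
    return ("SECURITY UNLOCK accepts the User password only; the Master password "
            "allows only SECURITY ERASE PREPARE + SECURITY ERASE UNIT, which destroys the data")


# Constructed sample words, not taken from a real drive.
SAMPLES = {
    "fresh drive": 0x0001,
    "unlocked, High": 0x0003,
    "locked, High": 0x0007,
    "locked, Maximum": 0x0107,
    "locked, Maximum, counter expired": 0x0117,
}

if __name__ == "__main__":
    for name, word in SAMPLES.items():
        print(f"{name:34} 0x{word:04x} -> {intake_plan(word)}")
```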
Atola Insight Passwords
As you can see in this example, in some cases displaying a password from a locked drive or clearing it can be just a click of a button. There are many drives where it is very simple to clear the password or just display it.
Default passwords for many drives:
Maxtor default password: Maxtor
Seagate default password: Seagate
Western Digital default password: WDC repeated to fill 32 characters, i.e.: WDCWDCWDCWDCWDCWDCWDCWDCWDCWDCWD
For most Fujitsu disks, to use the "disable with user password" function, the password is empty, so just press Enter.
In some cases the default password for Toshiba and Hitachi Master Passwords is all spaces.
In addition, if you want to attempt to do other drives with no expensive equipment, look for AFF Repair Station at http://www.hdd-tools.com/products/rrs/, the just unlock version at www.hddunlock.com, or see this site http://www.rockbox.org/lock.html
REF: Screenshots used with direct permission from Dmitry Postrigan, creator of the Atola Insight.
Atola Insight Unlocking Passwords
This is an example of the screens on the Atola Insight. This happens to be the one for unlocking passwords on a hard drive. As you can see, they try to be very plain, simple, and straightforward. At the bottom you will see status lights indicating error flags from data recovery software. That bar across the bottom shows errors and things that are going on. You'll come to recognize that information better as we go through it in class. The bar on the bottom will be similar in almost every high-end package, and even some free tools.
REF: Screenshots used with direct permission from Dmitry Postrigan, creator of the Atola Insight.
*** Password can be viewed and could be important as it could be the same password for other items.
Shinobi Password Remover
Shinobi Password Remover: a portable hardware device that will lock and unlock hard drive passwords. Perfect for forensics experts who need to remove unknown passwords before they can clone the suspect drive. IT staff can also remove or add passwords to hard drives for security control.
Functions
Unlock
Password unlock for unknown passwords
Easy interface for unlocking with known passwords
Unlock frozen hard drives (frozen by manufacturer's master password)
Brute Force and Dictionary Attack through host software* (12,000 Passwords/hr)
* based on custom Master Password Dictionaries for: IBM, HITACHI, WD, Fujitsu, Maxtor and Seagate
Create Custom Dictionaries and Import Dictionaries (FTK Golden Dictionary, Manufacturer Master PW...etc.)
Built-in Write Block Feature: Protect HDD from data change/corruption. Great for Forensic Investigation and Data Recovery.
Security Level - How to Lock and Unlock
High = Set a User Password and Master Password. Unlock with User Password stored in the HDD. Unlock with the Master Password if User Password is unknown.
Maximum = Set User Password and Master Password. Unlock with User Password and Master Password. Unlock with Master Password if User Password is unknown. ***However, data will all be erased. (Erase UNIT Command)
PSIClone and Hammers
PSIClone and the SCSI Hammer and IDE Hammer
Designed BY Recovery Engineers FOR Recovery Engineers
Developed by CPR Tool engineers in answer to our own data recovery lab technician's requests, PSIClone is packed with useful features for the forensic investigator. Designed with forensic data integrity in mind, a key feature of PSIClone is that the user is unable to write to the 'source' side of the device. With the included data recovery software, PSIClone has everything you need to perform data recoveries - right out of the box.
While PSIClone is a drive-to-drive cloning and imaging device, it stands out from other such devices because PSIClone has the ability to perform a robust compression while imaging a drive, thereby allowing you to place images of multiple drives on a single dump drive. This saves time and money.
Version 4.0 of PSIClone is the most robust ever, featuring:
Built in Forensic Write-Block
Built in PATA and SATA interfaces
Sector to Sector Cloning
Drive Imaging
On-The-Fly Image Compression
G-Clone (Clone the G-List)
E-mail Alerts (allows the user to input an e-mail address which gets notified when the process starts, stops, errors or at specific time intervals)
MD5 Hash generation
Drive erasing with user selectable methods
Image Resume - allows the user to stop and resume image files
USB 2.0 Write Block feature (Mass Storage Switch)
FastClone - File System Copy
Partition Copy
DriveKey - Unlocks ATA Password protected drives
Recovery Software included with every PSIClone
Used with permission: http://www.cprtools.net/store/index.php?main_page=product_info&cPath=3&products_id=5
PSIClone Imaging DR
This is a screen from the PSIClone and its imaging functions in beta at the time of this writing. The PSIClone is in the process of adding more advanced features for imaging drives that are damaged and dealing with ECC errors.