This issue covers technique application case study conducted by SalvationDATA technicians —— data extraction through secondary opening of Toshiba 500 hard drive. The hard drive involved in this case study was seriously bumped, with vital part of the disk pitted and its edge deformed. This drive had been opened before using unknown procedures and techniques under unknown opening environment, and possible damages to the disk and other hardware remain unclear, which led to difficulties and typical characteristics of the secondary opening.
In Technique Application issue 3, situations with disk scratches were explained in detail that external force could lead to collision between disk and the head (or other hardware components), causing disk scratches. One small pit or scratch on the disk seems insignificant with inactivated motor, yet it would cause massive scratches and add data extraction difficulties when the disk is in high-speed operation.
- Data Extraction Target Drive: Toshiba 500G hard-drive with intact enclosure and no obvious damage, as shown in picture 1.
Picture 1: Toshiba 500G hard-drive (case study drive)
- Drive Preparation (3+N Physical Disks)
(1) Target Disk A: The damaged disk stored with massive video data that needs to be extracted
(2) Image Disk B: The disk to store image documents during data analysis
(3) Spare disk(s) C: Necessary in head replacement (from the same model and the same batch as A)
- Symptom: Hard drive cannot be identified and data extraction by technicians from other institutions failed
- Failure Detection
Target hard drive had already gone through data recovery procedure(including hard drive opening) in other institutions and all failed, which indicates complicated damages to the hard drive. Secondary damages caused by multiple data recovery operations are difficult to estimate; thus SalvationDATA arranged the most experienced technicians in this field to conduct data recovery of this drive.
(1) Observation: Through comprehensive view of the target disk A, it is concluded that there was no obvious damage, including the most vulnerable sides and corners. (Observation must be conducted carefully and thoroughly. Any deformation of the disk means possible serious damage of disk internals and more cautious recovery operation.)
(2) Drive Opening: Conduct drive opening in dust-free studio (level: double hundred) and an obvious pit on the disc can be observed. This pit happens to be at the key position for disc operation and adds to difficulties of data recovery.
Picture 2: Red arrow indicates pit on the disc (can be observed on the physical disk)
(3) Analysis: The pit indicates that the drive suffered severe impact, otherwise a deep circle shaped ‘runway’ would be created on the disk. Fortunately, the disk has not been powered on after the impact, which leads to the conclusion that data recovery could be successfully done but requires more time.
These three steps form fully failure detection of the Toshiba 500 G hard drive.
- Data Recovery
Data recovery follows failure detection steps and begins with ‘disk processing and head replacement’. If the disk can be identified with the replaced head, data recovery could be conducted successfully; otherwise more solutions are needed because unknown possible secondary damages caused by former data recovery operations.
- Disk processing and head replacement: Process the disk in dust-free studio (level: double hundred) and replace the head of the target disk A with the one from accessory disk C. (Attentions during the opening were already introduced in technique before.)
- Electricity current detection I: Connect target disk A with its replaced head to the DRS(Data Recovery System); click sound should be heard if the disk is powered.
Picture 3: DRS can pre-examine the health condition of hard drive
- Opening detection: Enter dust-free studio (level: double hundred) to conduct opening detection again. Through the comparison between the disk cavity of the target disk A and the one of accessory disk C, it’s noted that disc cavity sides of target disk A has irregular deformation. The deformation point on the disk probably the reason why data recovery was failed. Process disk cavity sides of target disc A appropriately.
- Electricity current detection II: Connect target disk to the DRS again; model identification and disk track seeking was conducted successfully and it could be noted that sector 0 only has one section. The attempt to access section information through DRS failed (picture 4).
Picture 4: Quick scanning of sections can be conducted in DRS
- Creating image documents: Connect target disk A and image disk B through DRS and create image documents of target disc A; the existence of both good and bad periods during the image document creation indicates possible faulty of the disk firmware.
- Repairing firmware: Cut off power, change USB interface into SATA interface, and connect to HD Doctor Toshiba hard drive firmware (picture 5). DRS currently supports firmware restoring for Western Digital, Seagate, and Hitachi hard drives; thus firmware repairing of Toshiba hard drives still need to be conducted through HD Doctor Toshiba hard drive firmware, which does not support USB interface. After dealing with the good and bad periods situation, connect the disk to DRS data recovery system again to access section information and identify different sections.
Picture 5: HD Doctor supports firmware repairing for 7 brands
- Data extraction: Extract data required by the client. Due to the fact that all required files were video files and of large amount, the extraction process will take days. Although eight heads of the disk were damaged during the extraction process, data extraction was conducted successfully with nearly 90% percent of the important data extracted.
The situation introduced in this issue, is the one that often encountered during digital forensics and data recovery. Difficulties during the process are, also reasons for extraction failure in other institutions, deformation of the disk cavity, its quality of being secondary opening, extracting video files, and high demands in extraction environment, equipment and professionalism of technicians. Main methods used during this case study are opening detection, changing of heads, repairing firmware and etc., all of which bears high requirements of the operation environment and professionalism of operators.
It should be noted that failure rate of secondary opening is fairly high with unknown previous procedures done to the drive and unknown possible damages. It is highly recommended by SalvationDATA technicians that hard drive recovery of important data (especially when major events or important evidences are involved) must be conducted by professional institutions to avoid further damage to the drive and loss of important evidences.
XLY Salvationdata Technology INC. is China’s leading integrated solutions provider of digital forensics, data recovery, data security and E-discovery. As a pioneer of the industry, SalvationDATA is always committed to providing innovation platform with proprietary technologies for Law Enforcement Agencies, Government, Military Intelligence Agencies, Digital Forensics Laboratories and Corporations, etc. SalvationDATA’s professional engineers and forensic experts are dedicated to providing outstanding service to more than 9,000 customers from over 130 countries around the world.
Click HERE to learn more about DRS.