Hard Drive Diagnostics With Scott Moulton Hard Drive Data Recovery Forensics SANS 2010 1
Goals of this Speech!
1. Give you useful knowledge you can take away and use right now.
2. Make sure you know what is possible to do yourself in DR, but also when to STOP!
3. Honestly, to make you want to take my class to learn more.
Speech Details
» Lots of Ugly Text, but very important knowledge!
» Get a copy of slides @ www.myharddrivedied.com/sans.html
We are going to try to find out... Is the problem a:
» Firmware Problem?
» Head Damage?
» Board problem?
» Motor Problem?
» Platter Damage?
Not Everything is this Obvious!
10 Minute Pre-Education Title of Course - 2008 SANS 6
FIRST MISTAKE!
» Thinking about swapping parts?
» If you are able to read even one sector from the drive you need to exhaust every possibility before swapping out equipment, boards, heads, etc. Otherwise you probably will cause more damage!
Five Phases of Data Recovery
1. Diagnostics of the drive is the first step. If the drive can be imaged go to step 3, else continue with step 2.
2. Repair the hard drive so it is running in some form, usually requiring hardware or special equipment.
3. Image, Copy or Recover the physical drive and sectors, primarily by bit stream imaging. If the drive is functioning, it is possible to do this with software; however, there are some hardware solutions that work very well with damaged drives.
4. Perform Logical Recovery of files, partition structures, or necessary items; usually this is by software and is the most common type of application sold.
5. Repair files that might be corrupt or have existed in damaged space or sectors to recover what is possible. This is usually the requirement in Forensics, to be able to re-assemble data to display what was there, whether full or partial data is present.
Our Recovery Goal!
» Imaging/Cloning the drive is the most important process and can be used for diagnostics.
» Forget about files (well, for the most part)!
» Dude, the drive does not work or I would have done that!
Junk Science Topics to get out of the way first.
» Imaging Tools.
» Tools like Microscope, & Vendor Tools.
» What about software repair tools?
» Should I freeze the drive?
» USB vs. ATA Controller!
» Doesn't SMART tell me if the drive is bad?
Question: What's wrong with these?
http://disk-imaging-software-review.toptenreviews.com/
Things that don't usually work on damaged drives!
» On a damaged hard drive most standard imaging utilities usually FAIL!
» e.g.: dd, SelfImage, Ghost, Acronis, FTK Imager
Things that work better
» More robust on error-prone drives & bad sectors: MyRescue, DDRescue, Media Tools Pro, SpeedClone, HD Duplicator, CopyR DMA, ByteBack, etc.
» Hardware: DeepSpar Disk Imager, PSI Clone
» Ultimate Boot CD has lots of utilities including MHDD on it as well as others.
Reverse Imaging
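An added illustration, not taken from the slides: a simplified Python model of why a plain copy loop stalls on a damaged drive while a rescue-style imager that skips bad areas and revisits them in reverse gets everything readable. The simulated drive, its bad sectors and the names `SimDrive`, `naive_image` and `rescue_image` are constructed for this example and do not reproduce the exact algorithm of any tool listed above.

```python
SECTOR = 512

class SimDrive:
    """Constructed stand-in for a failing disk: `bad` holds unreadable LBAs."""
    def __init__(self, total, bad):
        self.total, self.bad = total, set(bad)

    def read(self, lba, count=1):
        # A multi-sector request fails as a whole if any sector in it is bad.
        if any(s in self.bad for s in range(lba, lba + count)):
            raise IOError(f"read error at LBA {lba}+{count}")
        return b"".join(bytes([s % 256]) * SECTOR for s in range(lba, lba + count))

def naive_image(drive, block=8):
    """Plain copy loop: aborts on the first read error. Returns sectors copied."""
    copied = 0
    try:
        for lba in range(0, drive.total, block):
            n = min(block, drive.total - lba)
            drive.read(lba, n)
            copied += n
    except IOError:
        pass
    return copied

def rescue_image(drive, block=8):
    """Pass 1 reads forward in big blocks and skips failures; pass 2 walks the
    skipped blocks in reverse, one sector at a time. Returns (image, bad_map)."""
    image = bytearray(drive.total * SECTOR)    # unread sectors stay zero-filled
    skipped, bad_map = [], []
    for lba in range(0, drive.total, block):
        n = min(block, drive.total - lba)
        try:
            image[lba * SECTOR:(lba + n) * SECTOR] = drive.read(lba, n)
        except IOError:
            skipped.append((lba, n))           # do not hammer the bad area yet
    for lba, n in reversed(skipped):
        for s in range(lba + n - 1, lba - 1, -1):
            try:
                image[s * SECTOR:(s + 1) * SECTOR] = drive.read(s)
            except IOError:
                bad_map.append(s)              # log the sector and move on
    return bytes(image), sorted(bad_map)

if __name__ == "__main__":
    d = SimDrive(64, bad=[20, 21, 45])         # constructed 64-sector drive
    print(naive_image(d), rescue_image(d)[1])
```

The list of bad sectors returned alongside the image is what lets a later logical recovery know which parts of the image are zero fill rather than data.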
Waste of Time for Diagnostics
» Microscope and QT, etc. other tools: They don't do much to tell you anything if the drive is not functioning.
» Vendor Tools: They are easy to use, straightforward tests, but usually even the tech support people from the drive manufacturer don't know what the error messages mean!
Absolutely Do Not Ever...
» ...run any utilities on your original drive, or until after you image it (it will only get worse):
» Chkdsk
» Fixmbr
» fixboot, or whatever other OS tools
» JUST SAY NO TO SPINRITE!
» You can run them on the imaged/cloned drive, but on damaged drives they cause more problems.
Frozen Drives Can Damage
Imaging with USB??
» USB is a failure for data recovery on damaged drives!
» You are relying on some cheap Chinese boards or chips made by the lowest bidder of the day that got installed in that device you have.
» You cannot talk directly to the hard drive unless you have control of the ATA Adapter, which does not happen in USB drives.
» Get a good ATA Controller, or at least connect directly to the motherboard, and it will solve some of your issues!
What helps better imaging?
» Better ATA Controllers, or even using one if you are trying to do things over USB!
» Use tools that talk to the ATA Controller instead of through the BIOS.
» See Status with MHDD / Victoria (and copy sectors) http://www.benchmarkhq.ru/english.html?/be_hdd.html
» eSATA works with Victoria for Windows w/ driver installed
» PIO Mode instead of UDMA: even setting it in Windows can help with recovery of some drives.
» Reverse Imaging, i.e. ddrescue & Media Tools Pro, or X-Ways Replica
» Hardware Imagers, i.e. DeepSpar, PSIClone, etc.
WHERE'S SMART DATA COME FROM?
Why S.M.A.R.T. SUCKS
» SMART is not reliable at all at predicting drive failure.
» SMART compares parameters to predict failure.
» SMART lacks standards and much is left up to the manufacturer.
» The BIOS does only basic SMART monitoring, capable only of an OK status.
» SMART is usually turned off in most hard drives/motherboards due to the fact that it can add seconds to boot time!
» SMART TABLE PROBLEMS can actually cause errors, making the drive fail!
RAW SMART DATA
But... when SMART works...
» If SMART can be read it means you probably made it through the System Area, which means the board, probably the firmware and the System Area Head are good! (There are a few exceptions.)
Special Diagnostic Exceptions
Special Exceptions To Know
3.5" Seagate F3 Firmware, 7200.11 and 7200.12
» Serial Port, and you can read status like Head Mask Error
» CPU Usage Problems with Pending Bug, reads every other sector, slowly
3.5" WD
» Head Alignment Issues if lid removed
» Serial chip such as the U12 or U5 needs to be soldered when swapping boards
» Royal Board Problems
» Need firmware copied
» Reads Half the drive
All Can Have
» Bad Heads
» Stuck Heads
» TVS Chip Problems
» Motor Problems
» Board Problems
» Scratched Platters
7200.11 / 7200.12 Firmware Bug http://bit.ly/tfrzc
$25 Seagate Serial Cable http://bit.ly/nzik5
Seagate Serial Cable: Orange Wire, Yellow Wire
Seagate Pending Bug
WD Head Alignment
WD Head Alignment Tool
WD: Resolder U12/U5 Serial Chip
WD NEWER BOARDS
Atola Firmware Recovery
Now on to Diagnostics
You have a damaged drive, now what?
» Does the Drive come Ready?
» Can I see Serial Number or SMART Information?
» Do you hear Phasers?
» Does the Drive Click? Or Clunk?
» Does the Motor Spin?
» Does the Motor Sound Correct? Or whine?
» Electronics or chip burnt?
» Does it smell burnt?
» Does it have TVS Chips?
» Does it make a sound? Is it scraping?
» Check the Silver Label?
[Flowchart: diagnostic decision tree. Decision nodes include: Does Drive Come Ready?; See Serial or SMART?; Can You Image Whole It? Even with Err.; Does the Motor Spin?; TVS Chips?; Scraping Noise?; System Area Seek?; Seagate F3 Series?; WD Royal or 50%?; Check Silver for Damage. Outcomes include: Done; Firmware Fix; Kill TVS; Repair Board; Motor Repair; Advanced Head Copy; Advanced Repair.]
Does the Drive come Ready?
Real Sector: An Actual Sector
Oscilloscope Current Monitor
See A Serial Number?
» So if you were able to see a serial number, or SMART information, that tells you that you made it through part of the head reading the system area.
» So while it is still possible there is a bad head, you might need to take into account that data was read.
Did you see a Size?
Is the PCB board working?
» Did the drive read Serial Numbers, SMART info?
» Did it read SMART?
» Did the Head Seek the System Area?
» If not, then probably a Firmware issue, and you cannot do anything yourself.
Heads Seeking System Area
Show SA Area Movie
Damaged System Area
Head Problems
You can tell a lot by the sounds...
» Clunking vs. Clicking Heads
» Might also take 3 to 4 minutes to come ready
» Clunking Sounds for a Bad Head
» Tools That Can Get Around Bad Heads
» Problems if you change the heads before someone else does an image
» Hardware to control the heads, i.e. DeepSpar Disk Imager
Do you have bad heads?
What bad head looks like!
Zone Tables
Foil Head Tool
Star Trek Phaser Sounds
Board Problems: Does it have TVS Chips?
Transient Voltage Suppressor (TVS)
Electronics or chips burnt?
And how does this happen?
Replacing the Damaged PCB
ChipQuik Desoldering
ChipQuik Demo
Complex Soldering
Air Desoldering Stations
Motor Problems
Mounted Motor Assembly
Inside the Motor
Drilled Hole for Lubrication
Lubing up for the Recovery
Special Tool for Stuck Platters
Motor Dead: Move the Platters
Platter Scratches
Scratches in Between Platters?
Two Layer Glass Platter
The Drive's Silver Label
Clean Silver Label
Silver Label with Platter Dust
Information: Helpful Links for Research on Data Recovery
» www.hddguru.com
» www.youtube.com
» www.myharddrivedied.com
» http://groups.google.com/group/datarecoverycertification or http://bit.ly/3a5qex
» ComputerAmerica.com - Two Hours Monthly
» PodNutz.com/myharddrivedied - Monthly
I have so much more, I made a 5 day class just like this!
» Scott Moulton
» Drive and Data Recovery Forensics, SANS SEC606 or Forensics 606
» www.sans.org
» www.myharddrivedied.com/sans.html