Preventing hard disk firmware manipulation attack and disaster recovery by Dai Shimogaito


DESCRIPTION

In this talk I will explain strategies, prior to and after a hard disk has lost its ability to be used as a storage device due to human manipulation or natural disaster, that allow a high possibility of data recovery. The clicking sound of the hard disk's head is synonymous with hard disk failure; however, it is not widely known that this clicking sound can happen even when there is nothing wrong with the head. Changing the hard disk's head merely because it is acting up is a very risky action, because it can increase the danger of damaging the clean insides of a hard disk. So what is causing the hard disk's head clicking sound? The answer is damaged firmware. In this talk I will explain how to utilize the firmware to control the device and use it in a disaster recovery situation.

Dai Shimogaito: CEO of Osaka Data Recovery, founded in 1998. Director of Data Recovery Association Japan. Wanting to perfect data recovery methods, he conducts research and information exchange with engineers domestically and internationally. Trainings: data recovery trainings for NPA and IDF, seminars, etc. Lectures: digital forensic study groups, NTT Secure Platform Laboratories, and privately for companies and governments.


Disaster Data Recovery method for HDD

by Dai Shimogaito

January 17th, 2014

at CODEBLUE in Tokyo

What is Disaster Recovery ?

1. To recover a computer system which has suffered from a natural disaster, like tsunami, river flood, storm, or earthquake.

   AFTER Disaster: the most difficult problem for data recovery is Platter Surface Damage.

2. To protect a computer system and get ready for a large-scale crash.

   BEFORE Disaster: Physical Damage caused by Software; HDD Customization for Platter Damage.

Three Failures Lead to Data Loss

• Logical Failure
  • System failure
  • Data corruption
  • Deletion of data

• Electronic Failure
  • Printed Circuit Board (PCB)
  • One or more of the PCB components
  • ROM or the System Area data is damaged

• Physical Failure
  • Stiction
  • Spindle bearing is frozen
  • Head crash (dropped hard drive)

Features of HDD which suffered from natural disaster

1. Chips on PCB are gone

2. HDD falls down and gets a strong shock

3. Dirt comes inside HDD

4. Water comes inside HDD

Severe Damage ! The normal data recovery process is useless, because the damage level is extremely high.

After a Natural Disaster, HDD can look like this

What is Data Recovery ?

Trying to image data from a non-accessible HDD sector by sector, to obtain a clone copy of as much data as possible.

[Figure: Broken HDD (no access to data: inaccessible due to failure) → Copy → Good HDD (full access to data: a normally working HDD)]

What is Data Recovery ?

Basically, parts replacement is the way for temporary repair: the failed parts are replaced to bring the HDD back to life temporarily.

Fire Accident

What is Data Recovery ?

A 100% clone is always preferable, but the result depends on the type of damage to the HDD and the data recovery process. Depending on the type of failure, the severity of the damage, and differences in the recovery process, the recovery rate can be low.

[Scale: ← Low ... High →]

Replaceability with Donor Part (replaceability with donor parts)

Part | Replaceable | Full name             | Notes
HSA  | YES         | Head Stack Assembly   | Head Map, Capacity, Architecture Family, Microjog
SPM  | YES         | Spindle Motor         | Seizure Problem, Lubricating oil
PCB  | YES         | Printed Circuit Board | Serial ROM, NV-RAM, Fuse, Resistor, Diode, Capacitor, Coil, Microchip / Repair is also useful
FW   | YES & NO    | Firmware              | Unique module, Non-unique module, Regeneratable module, Essential Module
Disk | NO          | Platter               | Bad Sector, Scratch, particles on surface

[Figure: SPM (Spindle Motor) bearing cross-section: thrust bearing, journal bearing, rotation direction, lubricating oil, disk]


[Figure: platter with the Service Area (SA) tracks and the User Area (UA)]

Firmware = Service Modules

SA Modules are located on platters

Disk (Platter): NO. Data is recorded into platters. Replacement means nothing.


If unique parts are corrupt, there is no way to recover data

The Most Difficult problem is Platter Damage

[Photos: damaged platters, 3.5inch PATA and 2.5inch SAS]


For a long time, DR from scratched disk has been impossible

If the surface is only partially damaged, there should be recoverable data in the areas which were not damaged......

Why is it so difficult to read a damaged surface ? Let's take an extremely close look at Disk & Head !

Disk Surface & Slider

[Figure: slider with R/W head flying over the disk surface. Flying Height 1-3 nm. Layers from the top: Lubricant Layer, Diamond Like Carbon (DLC) Coating Layer, Magnetic Layer; the coating layers are labelled 3 nm and 1 nm. Disk Rotation Direction →]

The gap between Head and Disk is very small: Flying Height 1-3 nm, versus a Particle Size of Cigarette Smoke of 100-1000 nm.

How head crash damages the surface

[Animation, three frames: the Slider / R/W Head over the Lubricant Layer, DLC Layer and Magnetic Layer]

Cause of malfunction of HSA when reading damaged surface

1. Scratch is not the main cause of the bad operation of Head Stack Assembly

2. Particles on the surface stick to sliders.

3. Slider’s flying becomes unstable because of the particles on the surface of the disk and the sliders.

So, let's clean the surface !

Disk Burnishing Process

NO DUST, NO PROBLEM

The 1st step of the research completed with a good result: 0.02% → 94%, UP !

Newspaper : Nikkei Business Daily, 26th September 2013

Precise surface analysis is required for better recovery

Optical Surface Analyzer

In July 2012, research was started by Prof. Hiroshi Tani (Kansai Univ.).

What we can do BEFORE a disaster occurs

Physical Damage caused by Software ??? (Can software break hardware???)

What is the HDD's Boot Sequence ?

[Cartoon: Start → Finish, "Let's go to the finish line together with everyone !"]

HDD's Boot Sequence: Power ON → ... → Ready

The drive needs to complete each step of the sequence before it can reach "Ready" mode.

User Area & Service Area

[Figure: platter with the Service Area (SA) tracks and the User Area (UA)]

SA Modules

• P-List : Primary Defect List

• G-List : Growth Defect List

• Translator : LBA access ⇔ PBA access

• S.M.A.R.T. : Self-Monitoring, Analysis and Reporting Technology

Defects

[Figure: bad sectors (marked ×) scattered across the platter]

Defects info = Position of Bad Sectors in PBA

Defects info is Unique to each disk

P-List : Primary Defect List

G-List : Growth Defect List

[Chart: Number of Defects]

PBA (physical address) and LBA (logical address)

LBA exists logically upon PBA. The following shows good sectors from address 0. Normally, what an "address" or "sector" refers to is the logical address. The figure below shows a region of contiguous good sectors with no defective sectors.

Physical Block Address (PBA) →  0 1 2 3 4 5
Logical Block Address (LBA)  →  0 1 2 3 4 5

Defect control (management of bad physical sectors)

Physical address →  0 1 2 3 4 5
Logical address  →  0 1 - 2 3 4

P-List Table: 2, ...

Translator

Converter function between LBA and PBA. If the translator is broken, no data is accessible. One of the most important modules.

It is the conversion table between logical and physical addresses. If this data cannot be read, then even if all the magnetic data on the platters could be read out, not a single file or folder can be recovered. It is of the highest importance among the SA modules.

[Figure: translator table. PBA (physical address) column: 0001, 0687, 1968, 3786, 9821. LBA (logical address) column: 0001, 0508, 3544, 9871, 0051. Access request from host → access to the physically assigned position (the designated area on the platter).]
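The P-List skip shown in the figure above and the translator's role as the only route to user data can be modelled in a few dozen lines. The block below is an added example, not code from the talk or from any drive vendor: it builds a toy translator from a P-List, maps the host's LBAs onto PBAs, and shows that the moment the translator module is unreadable every LBA lookup fails even though the platter data is intact. Modelling grown (G-List) defects as remaps to reserved spare sectors is an assumption about real firmware, not something the slides state; all addresses and sector contents are constructed.

```python
"""Toy model of the HDD 'Translator' SA module (added example, not code from the talk).

The host addresses sectors by LBA; the firmware's translator converts each LBA to a
PBA, skipping the defective sectors recorded in the P-List (factory defects).  Grown
defects (G-List) are modelled here as remaps to reserved spare sectors, which is an
assumption about how real firmware handles them.  Everything below is constructed.
"""
from bisect import bisect_right


class TranslatorError(Exception):
    """The translator SA module cannot be read: no LBA access is possible."""


class Translator:
    def __init__(self, total_pba, spare_pba, p_list=()):
        # Factory defect list: sorted PBAs that the LBA space simply skips over.
        self.p_list = sorted(set(p_list))
        # Reserved sectors beyond the user area, handed out for grown defects.
        self.spares = list(range(total_pba, total_pba + spare_pba))
        # G-List: PBA that went bad in the field -> spare PBA it was remapped to.
        self.g_list = {}
        # Capacity visible to the host shrinks by the number of factory defects.
        self.capacity = total_pba - len(self.p_list)
        # Simulates an unreadable/corrupted translator module in the SA.
        self.corrupt = False

    def _check_readable(self):
        if self.corrupt:
            raise TranslatorError("translator module unreadable: no LBA access")

    def lba_to_pba(self, lba):
        """Map a host LBA to the platter position that actually holds it."""
        self._check_readable()
        if not 0 <= lba < self.capacity:
            raise ValueError(f"LBA {lba} out of range (capacity {self.capacity})")
        pba = lba
        # Every P-List entry at or before the candidate position pushes it one sector on.
        for bad in self.p_list:
            if bad <= pba:
                pba += 1
            else:
                break
        # Grown defects are not skipped but redirected to a spare sector.
        return self.g_list.get(pba, pba)

    def pba_to_lba(self, pba):
        """Inverse lookup; returns None for a sector that holds no LBA."""
        self._check_readable()
        if pba in self.p_list or pba in self.g_list:
            return None
        if pba in self.g_list.values():
            # A spare sector carries the LBA of the PBA it replaced.
            pba = next(orig for orig, spare in self.g_list.items() if spare == pba)
        return pba - bisect_right(self.p_list, pba)

    def add_grown_defect(self, pba):
        """Record a sector that failed in service and reassign it to a spare (G-List)."""
        if pba in self.g_list:
            return self.g_list[pba]
        if not self.spares:
            raise RuntimeError("no spare sectors left")
        spare = self.spares.pop(0)
        self.g_list[pba] = spare
        return spare


def read_lba(translator, platter, lba):
    """What the host sees: user data is only reachable through the translator."""
    return platter[translator.lba_to_pba(lba)]


def demo():
    # Constructed platter: PBA -> content; PBA 2 is a factory defect (P-List).
    platter = {p: f"sector{p}".encode() for p in range(8)}
    t = Translator(total_pba=6, spare_pba=2, p_list=[2])
    before = [read_lba(t, platter, i) for i in range(t.capacity)]
    t.add_grown_defect(4)        # PBA 4 fails in the field -> remapped to spare PBA 6
    platter[6] = b"sector4'"     # firmware rewrites the sector's data into the spare
    after = [read_lba(t, platter, i) for i in range(t.capacity)]
    t.corrupt = True             # an unreadable translator hides all user data
    try:
        read_lba(t, platter, 0)
        lost = False
    except TranslatorError:
        lost = True
    return before, after, lost


if __name__ == "__main__":
    print(demo())
```

The `demo()` run reproduces the slide's case (LBA 0..4 land on PBA 0, 1, 3, 4, 5 because PBA 2 is in the P-List) and then shows why the talk calls the translator one of the most important modules: with `corrupt` set, the platter dictionary still holds every byte, but nothing can be addressed.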

SA Modules are loaded into PCB

[Figure: ten SA Modules read from the platter into the PCB, one after another ... Complete (^o^)]

When SA Modules loading completes fine

Power ON → Ready → LBA Zone

"Wow, I did it ! I have access to all data !"

Damage of SA Module

[Figure: the SA Modules are loaded one by one; one of them returns "Error ! Can't Read" or "Module is corrupted" → ABORT]

Damage of SA Module : No LBA Access

[Figure: Power ON → Ready → LBA Zone, with the path blocked at the SA module error]

"I can't access the LBA zone, because there was an SA module error. The data should be in the LBA Zone, but I cannot access LBA 0." (Because there was an abnormality in an SA module, the LBA region cannot be accessed, even though the data should be on the HDD.)

NO SA, NO DATA

If the SA module error was caused intentionally by ,,,,,

(What if someone deliberately caused an abnormality in an SA module......)

Intentional Damage to SA module

[Animation: the ten SA Modules again; one module is deliberately corrupted, and on the next boot it returns "Error ! Can't Read" or "Module is corrupted" → ABORT]

Damage of SA Module : No LBA Access

BARUSER

Let's see what happens to the HDD (now, let's actually try it).

BARUSER = BARUSU + ER

Main Concept of HiDR ( High Integrity Data Recovery )

There are more than a hundred kinds of SA module!

In this sample case, a WD10EADS-22M2B0 is used.

The total number of SA modules is 397.

Of these, the essential and unique ones number 7.

7 ÷ 397 ≒ 1.76%

Only 1.76%

Hot Swap Method

With the power kept on, the PCB is swapped onto the Patient drive. (Keep it powered.)

Main Concept of HiDR ( High Integrity Data Recovery )

• Non-Destructive Method even for HDD which doesn't give its device ID: data can be read without opening the drive and without replacing heads.

• The least access to the magnetic disk for its booting is enough for data recovery: only the minimum necessary module access is required.

• It is good to know the details of SA modules because the integrity of the data recovery process becomes very high: by identifying the failed part reliably and in detail, and by researching the device's characteristics in advance, more data can be recovered more safely.

• Do not rely too much upon clean rooms, because the inside of a clean room is not always clean: even in a clean-air environment, contamination by foreign matter when the drive is opened cannot be avoided.

Security or Utility ?

Hacked / Cracked: Good for preventing data leakage VS Bad for future data use

HDD customization against Future SA Damage

[Figure: Head Map, heads listed in pairs per platter: Head 0 / Head 1, Head 2 / Head 3, Head 4 / Head 5. Head 0 and Head 1 are the System Heads on the System Disk.]

SA exists only on the system disk, h0 and h1.

SA Region for h2, h3, h4, h5 are empty.

Utilize the empty zone for SA backup !
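The idea of the last slides, keeping a second copy of the essential SA modules in the empty SA region and falling back to it at boot, can be sketched as a small integrity model. The block below is an added example and a constructed model, not code or a procedure from the talk or from any vendor: each SA region stores modules with a digest, the boot routine loads every essential module from the primary copy, uses the backup copy when the primary fails its digest check, and aborts with "no LBA access" only when both copies are unusable. The module names (`translator`, `p_list`, `g_list`, `smart`, `adaptives`), the head numbers and the module contents are constructed; real drives have hundreds of vendor-specific modules.

```python
"""SA module integrity check with a backup copy in the empty SA region.

Added example (constructed model, not code or a procedure from the talk or any vendor).
The slides say the Service Area (SA) lives only on the system heads h0/h1 and that the
SA region under h2..h5 is empty, and propose using that empty zone for an SA backup.
Module names, heads and contents below are constructed.
"""
import hashlib


class ModuleCorrupt(Exception):
    """A module copy is missing or its stored digest no longer matches its bytes."""


class NoLBAAccess(Exception):
    """Boot aborted: an essential SA module could not be loaded from any copy."""


def _digest(payload):
    return hashlib.sha256(payload).hexdigest()


class ServiceArea:
    """The SA region under one head: module name -> (payload, stored digest)."""

    def __init__(self, head):
        self.head = head
        self.modules = {}

    def write(self, name, payload):
        self.modules[name] = (bytes(payload), _digest(payload))

    def read(self, name):
        """Return the module payload, refusing a copy whose digest does not match."""
        if name not in self.modules:
            raise ModuleCorrupt(f"{name}: not present on head {self.head}")
        payload, stored = self.modules[name]
        if _digest(payload) != stored:
            raise ModuleCorrupt(f"{name}: digest mismatch on head {self.head}")
        return payload

    def damage(self, name, offset=0):
        """Simulate a corrupted module: flip one byte without updating the digest."""
        payload, stored = self.modules[name]
        mutated = bytearray(payload)
        mutated[offset] ^= 0xFF
        self.modules[name] = (bytes(mutated), stored)


def backup_essential(primary, backup, essential):
    """Copy the essential, drive-unique modules into the otherwise empty SA region."""
    for name in essential:
        backup.write(name, primary.read(name))
    return sorted(backup.modules)


def boot(primary, backup, essential):
    """Load every essential module, falling back to the backup copy per module.

    Returns ("Ready", {module: head it was loaded from}); raises NoLBAAccess when
    a module is unreadable on every copy (backup may be None: no backup present).
    """
    loaded = {}
    for name in essential:
        for sa in (primary, backup):
            if sa is None:
                continue
            try:
                sa.read(name)
                loaded[name] = sa.head
                break
            except ModuleCorrupt:
                continue
        else:
            raise NoLBAAccess(f"essential module {name} unreadable on all copies")
    return "Ready", loaded


def demo():
    # Constructed: five module names standing in for the drive's essential set.
    essential = ["translator", "p_list", "g_list", "smart", "adaptives"]
    primary = ServiceArea(head=0)            # system head h0
    for name in essential:
        primary.write(name, f"{name}-module-data".encode())
    backup = ServiceArea(head=2)             # empty SA region under h2, now used for backup
    backup_essential(primary, backup, essential)
    primary.damage("translator")             # the primary translator copy becomes unreadable
    with_backup = boot(primary, backup, essential)
    try:
        boot(primary, None, essential)       # same damage, but no backup copy exists
        without_backup = "Ready"
    except NoLBAAccess:
        without_backup = "ABORT"
    return with_backup, without_backup


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows both outcomes side by side: with the backup region populated the drive reaches "Ready" and reports that `translator` was loaded from head 2 while the other modules came from head 0; without it, the same single-module corruption ends in ABORT, which is the "NO SA, NO DATA" situation the earlier slides describe.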

http://www.disaster-data-recovery.com/

Initial Response Guideline for Disaster-Affected HDD

1. Do NOT Power ON !

2. Do NOT Dry before cleaning !

3. Sea Water should be removed ASAP ! (Corrosion by sea water waits for no one!)

The guideline is available in multiple languages (English, Japanese, Russian, Chinese).

Recommended