Ahmed Hashad, Security Researcher @ 701 Labs

Data recovery with a view of digital forensics


Data loss is either logical or physical. Common causes:

Mechanical failure of the device. Physical damage to the device. Human error. Power surges. Viruses and other malware.

Data recovery is the process of retrieving corrupt or inaccessible data from damaged or otherwise corrupted digital media when that data cannot be accessed normally.

Here, you recover evidence, not just any data. As Todd G. Shipley defines it: "The forensic acquisition in full or in part of data stored on non-functioning storage media through the use of sophisticated equipment and techniques for the purpose of presenting the data in a legal forum."

Todd G. Shipley

Data may need to be recovered from devices such as DVDs, CDs, floppy disks, hard disk drives, Xbox consoles, mobile phones, tapes, memory cards, personal digital assistants and many other items.

1. Repair the hard drive so that it runs in some form; this usually requires hardware work or special equipment.

2. Image, copy or recover the physical drive and its sectors, primarily by bitstream imaging. If the drive is functioning this can be done with software, but there are also hardware imagers that work very well.

3. Perform logical recovery of files, partition structures or whatever else is needed; this is usually done with software and is the most common type of product sold.

4. Repair files that existed in damaged space or sectors to recover whatever is possible. In forensics this is usually required so that the data can be reassembled and shown as it was, whether whole or not.
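Step 2 is where a forensic imager differs from a plain copy: it never writes to the source, it zero-fills sectors it cannot read so that offsets in the image match the drive, it keeps a log of those sectors, and it hashes the result. The following is an added example, not code from the slides or from any tool named on them. It implements that loop in the two-pass style a ddrescue-type imager uses (copy everything readable first, retry failures afterwards). `FlakyDevice` is a constructed in-memory stand-in for a failing drive (an assumption for the example); a real run would wrap a raw block device opened read-only behind a write blocker.

```python
"""Bitstream imaging with read-error handling, a retry pass and integrity hashing."""
import hashlib
from dataclasses import dataclass

SECTOR = 512


class FlakyDevice:
    """Constructed drive: sectors in `bad` always fail, sectors in `transient` fail once."""

    def __init__(self, data, bad=(), transient=()):
        assert len(data) % SECTOR == 0, "sample data is a whole number of sectors"
        self._data = bytes(data)
        self._bad = set(bad)
        self._fail_left = {lba: 1 for lba in transient}
        self.sectors = len(data) // SECTOR

    def read_sector(self, lba):
        if lba in self._bad:
            raise OSError(f"I/O error at LBA {lba}")
        if self._fail_left.get(lba, 0):
            self._fail_left[lba] -= 1
            raise OSError(f"transient I/O error at LBA {lba}")
        return self._data[lba * SECTOR:(lba + 1) * SECTOR]


@dataclass
class ImageResult:
    image: bytes
    bad_sectors: list   # LBAs that stayed unreadable; part of the evidence record
    sha256: str


def image_device(dev, retries=2):
    """Pass 1 copies every readable sector and skips failures immediately, which
    puts the least stress on a dying drive. Pass 2 retries only the failures.
    Unreadable sectors are left zero-filled so image offsets equal source LBAs."""
    image = bytearray(dev.sectors * SECTOR)  # pre-zeroed: unread sectors stay 0x00
    failed = []
    for lba in range(dev.sectors):
        try:
            image[lba * SECTOR:(lba + 1) * SECTOR] = dev.read_sector(lba)
        except OSError:
            failed.append(lba)

    still_bad = []
    for lba in failed:
        for _ in range(retries):
            try:
                image[lba * SECTOR:(lba + 1) * SECTOR] = dev.read_sector(lba)
                break
            except OSError:
                continue
        else:  # every retry failed
            still_bad.append(lba)

    return ImageResult(bytes(image), still_bad, hashlib.sha256(image).hexdigest())


def verify_image(result):
    """Re-hash the image and compare with the acquisition hash before using it."""
    return hashlib.sha256(result.image).hexdigest() == result.sha256


if __name__ == "__main__":
    sample = bytes(range(256)) * 16            # constructed 4096-byte drive = 8 sectors
    dev = FlakyDevice(sample, bad={3}, transient={5})
    res = image_device(dev)
    print("unreadable sectors:", res.bad_sectors)   # [3]; sector 5 recovered on retry
    print("sha256:", res.sha256)
    print("verified:", verify_image(res))
```

The hash is computed over the image as acquired, including the zero-filled sectors, and the list of unreadable LBAs is reported alongside it; without that list a zeroed region is indistinguishable from genuinely empty space on the original drive.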

Sections of the drive:

Actuator arm assembly. Platter assembly. PCB and IC circuit assembly. Drive casing and filter assembly.

Spindle: the spindle holds one or more platters and is connected to a motor that spins them at a constant rate, measured in revolutions per minute (RPM).

Platter: a platter is the disk that stores the magnetic patterns. It is made from a non-magnetic material, usually glass or aluminium, with a thin coating of magnetic material on both sides.

Head: the read/write head reads data from and writes data to the platters. It detects (when reading) and modifies (when writing) the magnetisation of the material immediately beneath it. Information is written to the platter as it rotates at high speed past the selected head.

Actuator: the actuator arm moves the heads in an arc across the spinning platters, allowing each head to reach the entire data area, much like the pick-up arm of a record deck.

MCU: the microcontroller unit usually consists of a central processing unit (CPU), which performs all calculations, and a read/write channel, a special unit that converts the analog signals from the heads into digital data during reads and encodes digital data into analog signals when the drive needs to write.

Motor driver (VCM controller): the chip with the highest power consumption on the PCB. It controls spindle motor rotation and head movement (the voice coil motor). The core of the VCM controller can withstand working temperatures of 100 °C (212 °F).

ROM chip: holds the drive's firmware. When power is applied, the MCU reads the contents of the flash chip into memory and starts executing that code; without it the drive would not even spin up. Sometimes there is no separate flash chip on the PCB, which means the firmware is stored inside the MCU itself.

Buffer RAM: the size of this memory defines the size of the HDD's cache; the figure is given in the drive's data sheet.

Capacity: the number of bytes an HDD can store. At the time of this presentation the maximum capacity of a single HDD was 4 TB.

Data transfer rate: the amount of data that can be moved to or from the disk in a given time. It depends on the performance of the HDD assembly and the bandwidth of the data path.

Seek time: the time the HDD takes to locate a particular piece of data. Average seek times range from about 3 to 9 milliseconds.

On a typical PC, a single physical hard drive is divided into one or more logical units called partitions (or volumes). Each formatted partition is represented by a separate drive letter such as C, D or E, and each can be formatted with one of several file systems.

A drive may contain two types of partition: primary and extended. Two configurations are possible, depending on whether an extended partition is wanted.

An extended partition can be divided into many logical partitions (the MBR scheme itself places no fixed upper limit on them), and each logical partition appears as a separate drive letter. Primary partitions can be made bootable, whereas logical partitions cannot. Each primary or logical partition can be formatted with a different file system. Within a file system, files are stored in clusters; a cluster is the smallest unit of space a file can occupy and consists of one or more adjacent disk sectors. A file system stores each file as a linked sequence of clusters. The cluster size depends on both the type of file system in use and the size of the partition.
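The partition layout described above is recorded in the first sector of the drive, so a damaged first sector is the first thing to check during partition recovery. The following is an added example, not code from the slides: it validates a classic MBR, decodes its four 16-byte partition entries, and runs the consistency checks (missing 0x55AA signature, overlapping entries, entries past the end of the disk, more than one active entry) that separate a healthy table from a corrupted or tampered one. The layout constants are the public MBR format; the MBRs built by `build_mbr` are constructed sample input for the example.

```python
"""Validate and parse the first sector (MBR) and sanity-check its partition table."""
import struct

MBR_SIZE = 512
TABLE_OFFSET = 446              # four 16-byte entries precede the signature at 510
ENTRY_FMT = "<B3sB3sII"         # status, CHS start, type, CHS end, LBA start, sector count
SIGNATURE = b"\x55\xaa"
TYPE_NAMES = {0x05: "extended", 0x07: "NTFS/exFAT", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)",
              0x0F: "extended (LBA)", 0x83: "Linux", 0xEE: "GPT protective"}


def parse_mbr(sector: bytes):
    """Return the non-empty partition entries, or raise if this is not a plausible MBR."""
    if len(sector) < MBR_SIZE:
        raise ValueError("short read: the MBR needs the full first sector")
    if sector[510:512] != SIGNATURE:
        raise ValueError("0x55AA boot signature missing: first sector damaged, wiped or overwritten")
    entries = []
    for slot in range(4):
        status, _chs_s, ptype, _chs_e, lba, count = struct.unpack_from(
            ENTRY_FMT, sector, TABLE_OFFSET + 16 * slot)
        if ptype == 0 and count == 0:
            continue                                   # unused slot
        entries.append({"slot": slot, "active": status == 0x80, "type": ptype,
                        "name": TYPE_NAMES.get(ptype, "unknown"),
                        "lba": lba, "count": count})
    return entries


def check_table(entries, disk_sectors):
    """Flag inconsistencies that point at a corrupted or tampered partition table."""
    problems = []
    if sum(e["active"] for e in entries) > 1:
        problems.append("more than one active partition")
    for e in entries:
        if e["lba"] == 0 or e["count"] == 0:
            problems.append(f"slot {e['slot']}: zero start or length")
        elif e["lba"] + e["count"] > disk_sectors:
            problems.append(f"slot {e['slot']}: extends past the end of the disk")
    spans = sorted((e["lba"], e["lba"] + e["count"], e["slot"]) for e in entries)
    for (_, end_a, a), (start_b, _, b) in zip(spans, spans[1:]):
        if start_b < end_a:
            problems.append(f"slots {a} and {b} overlap")
    return problems


def build_mbr(entries, signature=True):
    """Constructed sample MBR; `entries` are (status, type, lba_start, count) tuples."""
    mbr = bytearray(MBR_SIZE)
    for slot, (status, ptype, lba, count) in enumerate(entries):
        struct.pack_into(ENTRY_FMT, mbr, TABLE_OFFSET + 16 * slot,
                         status, b"\xff\xff\xff", ptype, b"\xff\xff\xff", lba, count)
    if signature:
        mbr[510:512] = SIGNATURE
    return bytes(mbr)


if __name__ == "__main__":
    healthy = build_mbr([(0x80, 0x07, 2048, 204800), (0x00, 0x83, 206848, 409600)])
    table = parse_mbr(healthy)
    for e in table:
        print(e)
    print("problems:", check_table(table, disk_sectors=1_000_000))   # []
    try:
        parse_mbr(build_mbr([(0x80, 0x07, 2048, 204800)], signature=False))
    except ValueError as err:
        print("damaged MBR:", err)
```

A 0xEE entry means the drive uses GPT, where the real table lives in the sectors that follow and a backup copy sits at the end of the disk, which is what GPT recovery falls back on when the primary header is gone. The checks here only tell you the table is implausible; locating the lost partitions themselves is a matter of scanning the disk for file-system boot sectors, which is the partition-recovery step covered later.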

When the hard disk is powered on, the first step is checking for a return status from the chip to confirm that the electronics are functioning. Then, much like a BIOS, the drive runs a self-check (its own kind of POST) on its components and waits for another return status. Both statuses must come back before the drive proceeds to spin up the spindle.

Once the spindle has spun up and the platters are revolving, the heads are moved off their parking position so they can reach the system area and read the firmware stored there. The heads cannot locate the system area until they have read the servo information, which contains the location and geometry data for each sector. Reading happens without any contact between head and platter; contact would physically damage the platter and the drive would be finished. With the sector location and geometry information in hand, the heads can reach the system area and read its sectors.

A file system is a means of organizing data that is expected to persist after a program terminates: it provides procedures to store, retrieve and update data, manages the available space on the device(s) that hold it, and controls access to the data and its metadata. Metadata is data that provides information about one or more aspects of other data.

FAT16, FAT32. NTFS. HFS+. ext3, ext4.

Head crash. Bad sectors. Circuit failure. Bearing and motor failure. Miscellaneous mechanical failures. Firmware corruption.

These require special equipment and clean rooms.

MBR / GPT recovery: first sector damaged, unreadable, infected or removed.

Partition recovery: loss, corruption, formatted.

File-system recovery: deleted, shift-deleted, MFT/FAT fixing, file and folder structure recovery.

File carving: header-footer or header-only, file-structure based, content-based.
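File carving ignores the file system entirely and works on raw bytes, which is why it still finds files after a format or MFT/FAT loss. The following is an added example, not code from the slides or from Scalpel, Foremost or PhotoRec: `carve_jpeg` is header-footer carving (find FFD8FF, stop at the next FFD9), and `carve_png` is file-structure based carving (walk the PNG chunk list and verify each CRC until IEND), so you can compare the two approaches on the same input. The signatures are the public JPEG/PNG format constants; the "raw image" built by `build_image` is constructed sample input for the example and includes one PNG with a corrupted CRC.

```python
"""Header-footer carving (JPEG) and structure-based carving (PNG) over a raw image."""
import struct
import zlib

JPEG_HEAD, JPEG_FOOT = b"\xff\xd8\xff", b"\xff\xd9"
PNG_SIG = b"\x89PNG\r\n\x1a\n"


def carve_jpeg(image: bytes, max_size: int = 8 * 1024 * 1024):
    """Header-footer carving. Returns [(offset, data)]. Naive by design: a JPEG whose
    EXIF thumbnail carries its own FFD9 is cut short, and fragmented files are not
    reassembled; max_size bounds the search for a footer that never comes."""
    found, pos = [], 0
    while (start := image.find(JPEG_HEAD, pos)) != -1:
        end = image.find(JPEG_FOOT, start + len(JPEG_HEAD), start + max_size)
        if end == -1:
            pos = start + 1                 # header without footer: move on
            continue
        end += len(JPEG_FOOT)
        found.append((start, image[start:end]))
        pos = end                           # do not re-carve inside this file
    return found


def carve_png(image: bytes):
    """Structure-based carving: from each signature walk chunks laid out as
    (length, type, data, crc) until IEND, checking every CRC. Finds the true end
    of the file and rejects candidates whose chunks are corrupt."""
    found, pos = [], 0
    while (start := image.find(PNG_SIG, pos)) != -1:
        cur, complete = start + len(PNG_SIG), False
        while cur + 12 <= len(image):       # length + type + crc is the minimum chunk
            (length,) = struct.unpack_from(">I", image, cur)
            ctype = image[cur + 4:cur + 8]
            data_end = cur + 8 + length
            if not ctype.isalpha() or data_end + 4 > len(image):
                break                       # not a chunk header: structure is broken
            (crc,) = struct.unpack_from(">I", image, data_end)
            if zlib.crc32(image[cur + 4:data_end]) & 0xFFFFFFFF != crc:
                break                       # corrupt chunk: reject the candidate
            cur = data_end + 4
            if ctype == b"IEND":
                complete = True
                break
        if complete:
            found.append((start, image[start:cur]))
            pos = cur
        else:
            pos = start + 1
    return found


def _png_chunk(ctype: bytes, data: bytes) -> bytes:
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_png() -> bytes:
    """Constructed 1x1 RGB PNG used as sample input."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\xff\x00\x00")          # filter byte + one red pixel
    return PNG_SIG + _png_chunk(b"IHDR", ihdr) + _png_chunk(b"IDAT", idat) + _png_chunk(b"IEND", b"")


def build_jpeg() -> bytes:
    """Constructed minimal JPEG-shaped blob: SOI/APP0 marker, filler, EOI."""
    return JPEG_HEAD + b"\xe0\x00\x10JFIF\x00" + b"\x7f" * 40 + JPEG_FOOT


def build_image() -> bytes:
    """Constructed raw image: slack, a JPEG, a PNG, then a PNG with a flipped IEND CRC."""
    jpg, png = build_jpeg(), build_png()
    corrupt = bytearray(png)
    corrupt[-1] ^= 0xFF
    return b"\x00" * 512 + jpg + b"\x11" * 300 + png + b"\x00" * 100 + bytes(corrupt) + b"\x00" * 64


if __name__ == "__main__":
    img = build_image()
    for off, data in carve_jpeg(img):
        print(f"JPEG at {off}, {len(data)} bytes")
    for off, data in carve_png(img):
        print(f"PNG  at {off}, {len(data)} bytes")   # the corrupt copy is not reported
```

Header-footer carving is fast and format-agnostic but produces truncated or oversized files whenever the footer sequence occurs early or the file is fragmented; structure-based carving costs a format parser per type but recovers exact file boundaries and can refuse corrupt candidates, which matters when the carved file will be presented as evidence.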

Imaging: FTK Imager, Oxygen, R-Studio and Media Tools Pro. Logical recovery: Recover My Files, Acronis True Image, dd_rescue, GetDataBack, EaseUS, Scalpel, Foremost, Recuva, File Finder and PhotoRec.

Write blockers: Tableau T35es-R2 Forensic eSATA/IDE Bridge. Duplicators: Atola Insight Forensic, Atola Disk Recycler, Data Compass and DeepSpar Disk Imager 4.

Questions?

Sources: Data Recovery Class (Color Version) by Scott Moulton; HDDGuru; Wikipedia.

Thank you