
Vulnerabilities / Threats

8/14/2007
03:20 AM

A Visit to the Drive Doctor

At DefCon, a forensic expert offers a closer look at how to recover a crashed hard drive

11:20 AM -- Have you ever had to deal with an employee who tried to damage a company computer to prevent you from obtaining evidence of his or her alleged wrong-doing? Did that person simply try to erase files by deleting them or formatting the hard drive? Or did the employee actually cause physical damage?

I've conducted a couple of forensic examinations where the files were deleted maliciously but only one that involved physical damage. In fact, the poor laptop looked like it had been thrown into a ditch from a moving car. Thankfully, the laptop was an aluminum 17" Apple Powerbook G4 that could handle the abuse, keeping the hard drive safe for future analysis in my lab.

But even if the drive hadn't been so lucky, I might have been able to recover the data using the drive recovery techniques documented in Scott Moulton's DefCon presentation titled Re-Animating Drives & Advanced Data Recovery, which was presented at DefCon last week.

Here's a synopsis of Moulton's presentation, condensed into a quick "triage" you can do when your disgruntled employee tosses that company laptop down the stairs.

First, to recover data from a damaged drive -- most commonly diagnosed by a hideous clicking sound -- you have to repair the drive so it runs. Now, stop right there! I hear you saying, "Thanks, Captain Obvious!" But do you know why a damaged hard drive makes that clicking sound?

Have you ever heard of the System Area of the hard drive? Neither had I, prior to Mr. Moulton's presentation, but apparently it is responsible for keeping track of bad sectors, the translation of logical to physical locations on the drive, the serial number, SMART data, and more. If a drive's System Area becomes unreadable, the drive will begin clicking as it tries to read it, making the rest of the data on the drive inaccessible. This is exactly what your secret-stealing, laptop-tossing former employee wants.

So, now that we know what causes the clicking, how do we fix it? You could start by hiring fewer deranged employees, but that's a subject for another column.

There are four recovery techniques, starting with simple software tools. The simplest involves reading data off the drive backwards. According to Moulton, some read errors are caused by a hard drive's caching feature; when a drive is read backwards, the cache is not used, which gets around those read errors. A free software utility called dd_rescue can do this for Linux, but Windows users must pay $400 for a tool called Media Tools Pro to get the same functionality.
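The backwards-read idea above, as a small added example that is not from the article or from Moulton's talk: a two-pass imager in Python that takes what reads cleanly going forward, retries only the failures in reverse, zero-fills whatever is still unreadable, and records a sector map and a hash for the evidence log. The DamagedDrive class, its forward-only failures and the map format are constructed assumptions, not a model of real disk behaviour.

```python
import hashlib

SECTOR = 512  # bytes per logical sector

class DamagedDrive:
    """Constructed stand-in for a failing drive (assumption, not a real disk model):
    `dead` sectors never read; `forward_only` sectors fail in ascending order but
    succeed in descending order, a crude model of the cache errors the article describes."""
    def __init__(self, data, dead, forward_only):
        self.data, self.dead, self.forward_only = data, set(dead), set(forward_only)
        self.sectors = len(data) // SECTOR

    def read(self, n, direction):
        if n in self.dead or (direction > 0 and n in self.forward_only):
            raise IOError(f"read error at sector {n}")
        return self.data[n * SECTOR:(n + 1) * SECTOR]

def image_drive(drive):
    """Forward pass takes whatever reads cleanly without stalling on errors;
    reverse pass retries only the failures. Still-bad sectors stay zero-filled."""
    image = bytearray(drive.sectors * SECTOR)
    status = ["?"] * drive.sectors  # ? untried, * retry later, + good, - bad
    for direction in (+1, -1):
        order = range(drive.sectors) if direction > 0 else reversed(range(drive.sectors))
        for n in order:
            if status[n] == "+":
                continue
            try:
                image[n * SECTOR:(n + 1) * SECTOR] = drive.read(n, direction)
                status[n] = "+"
            except IOError:
                status[n] = "*" if direction > 0 else "-"
    return bytes(image), status

def run_map(status):
    """(first_sector, count, status) runs: a simplified ddrescue-style map (assumption)."""
    runs = []
    for n, st in enumerate(status):
        if runs and runs[-1][2] == st:
            runs[-1][1] += 1
        else:
            runs.append([n, 1, st])
    return [tuple(r) for r in runs]

def image_digest(image):
    return hashlib.sha256(image).hexdigest()  # recorded with the map as the evidence log

# Constructed sample: 8 sectors, each filled with its own index byte.
SAMPLE = b"".join(bytes([i]) * SECTOR for i in range(8))
DRIVE = DamagedDrive(SAMPLE, dead={5}, forward_only={2, 3})
```

Sectors 2 and 3 fail on the forward pass and come back on the reverse pass; sector 5 is dead in both directions and stays zeroed, which the map records as a one-sector bad run.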

The next techniques require a steady hand, a clean work area, the proper TORX screwdrivers, a nearly identical drive and, according to Moulton, some Post-It notes. The first involves swapping the PCB (the circuit board on the drive) from a working hard drive onto the bad drive -- while the good drive is powered on. The key is to have the operating system put the good drive to sleep before swapping the boards. Once they're swapped, wake the drive up and copy your data off quickly.

If the first two methods don't work, then it's time to delve into the innards of the drives themselves: either replacing the actuator arm or moving the platters from the bad drive into a working drive. Open the drive with the TORX drivers and use the Post-It notes to separate the heads, preventing them from touching and damaging each other.

Then either remove the actuator arm and replace it with the one from the working drive, or remove the platters and place them into the working drive. Single-platter drives are easy. The platters of a multi-platter drive must be moved together, without any rotation, or they will be misaligned and the data will be lost.

Hard drive recovery is one of those things where practice certainly makes perfect. If you foresee yourself trying out these recovery techniques, practice them on some old drives. You'll be thankful you did -- when the time comes to do it for real.

— John H. Sawyer is a security geek on the IT Security Team at the University of Florida. He enjoys taking long war walks on the beach and riding pwnies. When he's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading
