At DefCon, a forensic expert offers a closer look at how to recover a crashed hard drive

Dark Reading Staff, Dark Reading

August 14, 2007


11:20 AM -- Have you ever had to deal with an employee who tried to damage a company computer to prevent you from obtaining evidence of his or her alleged wrong-doing? Did that person simply try to erase files by deleting them or formatting the hard drive? Or did the employee actually cause physical damage?

I've conducted a couple of forensic examinations where the files were deleted maliciously but only one that involved physical damage. In fact, the poor laptop looked like it had been thrown into a ditch from a moving car. Thankfully, the laptop was an aluminum 17" Apple Powerbook G4 that could handle the abuse, keeping the hard drive safe for future analysis in my lab.

But even if the drive hadn't been so lucky, I might have been able to recover the data using the drive recovery techniques documented in Scott Moulton's DefCon presentation titled Re-Animating Drives & Advanced Data Recovery, which was presented at DefCon last week.

Here's a synopsis of Moulton's presentation, condensed into a quick "triage" you can do when your disgruntled employee tosses that company laptop down the stairs.

First, to recover data from a damaged drive -- most commonly diagnosed by a hideous clicking sound -- you have to repair the drive so it runs. Now, stop right there! I hear you saying, "Thanks, Captain Obvious!" But do you know why a damaged hard drive makes that clicking sound?

Have you ever heard of the System Area of the hard drive? Neither had I, prior to Mr. Moulton's presentation, but apparently it is responsible for keeping track of bad sectors, the translation of logical to physical locations on the drive, the serial number, SMART data, and more. If a drive's System Area becomes unreadable, the drive will begin clicking as it tries to read it, making the rest of the data on the drive inaccessible. This is exactly what your secret-stealing, laptop-tossing former employee wants.

So, now that we know what causes the clicking, how do we fix it? You could start by hiring fewer deranged employees, but that's a subject for another column.

There are four recovery techniques, starting with simple software tools. The simplest method involves reading data off the drive backwards. According to Moulton, some read errors are caused by a hard drive's caching feature. When a drive is read backwards, the cache is not used, which gets around those read errors. A free software utility called dd_rescue can do this on Linux, but Windows users must pay $400 for a tool called Media Tools Pro to get the same functionality.
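To make the read order concrete, here is an added sketch (not from Moulton's talk and not dd_rescue's code) that images a source from the last block to the first, zero-fills any block that fails to read, and returns the list of unreadable blocks. The `FlakySource` class, the 512-byte block size and the sample data are constructed for the demonstration; an in-memory stand-in cannot reproduce the drive-cache effect itself, only the reverse copy and the bad-block map.

```python
import io

BLOCK = 512  # bytes per read; assumed sector size for this sketch


class FlakySource(io.BytesIO):
    """Constructed stand-in for a failing drive: reads that start in a
    'bad' block raise OSError, as a read() on a damaged device would."""

    def __init__(self, data, bad_blocks):
        super().__init__(data)
        self.bad = set(bad_blocks)

    def read(self, n=-1):
        if self.tell() // BLOCK in self.bad:
            raise OSError(5, "Input/output error")
        return super().read(n)


def image_backwards(src, size, dst, block=BLOCK):
    """Copy src to dst from the last block to the first.
    Returns the sorted block numbers that could not be read."""
    bad = []
    last = (size + block - 1) // block - 1
    for blk in range(last, -1, -1):
        offset = blk * block
        length = min(block, size - offset)
        src.seek(offset)
        try:
            chunk = src.read(length)
        except OSError:
            chunk = b""
        if len(chunk) != length:
            bad.append(blk)
            chunk = b"\x00" * length  # zero-fill so image offsets stay aligned
        dst.seek(offset)
        dst.write(chunk)
    return sorted(bad)


def demo():
    data = bytes(range(256)) * 10  # constructed sample: 2560 bytes, 5 blocks
    src = FlakySource(data, bad_blocks={2})
    dst = io.BytesIO()
    bad = image_backwards(src, len(data), dst)
    return data, dst.getvalue(), bad


if __name__ == "__main__":
    data, image, bad = demo()
    print("unreadable blocks:", bad)
```

The returned block list tells the examiner which regions of the image are zero-filled rather than recovered, so later analysis of the copy can account for them.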

The next techniques require a steady hand, clean work area, the proper TORX screwdrivers, a nearly identical drive and, according to Moulton, some Post-It notes. The first involves swapping the PCB (circuit board on the drive) from a working hard drive to the bad drive -- while the good drive is powered on. The key is to make the operating system put the good drive to sleep before swapping the drives. Once they're swapped, wake up the drive and copy your data off quickly.

If the first two methods don't work, then it's time to delve into the innards of the drives themselves, either replacing the actuator arm or swapping the platters from the bad drive to a working drive. Open up the drive using the TORX drivers and use the Post-It notes to separate the heads, preventing them from touching and damaging each other.

Then, either remove the actuator arm and replace it with one from the working drive, or remove the platters and place them into the working drive. Hard drives that have a single platter are easy. Multi-platter hard drives must be moved together without any rotation, or they will be misaligned and the data will be lost.

Hard drive recovery is one of those things where practice certainly makes perfect. If you foresee yourself trying out these recovery techniques, practice them on some old drives. You'll be thankful you did -- when the time comes to do it for real.

— John H. Sawyer is a security geek on the IT Security Team at the University of Florida. He enjoys taking long war walks on the beach and riding pwnies. When he's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading
