Thursday, October 21, 2010

Hard Drive Data Recovery Splained by Scott Moulton

Scott Moulton of teaches hard drive data recovery and forensics. Here is a series of his talks about hard drives. The first talk covers ten useful pieces of hard drive trivia. The DIY talk is very informative: it tells you which software is most useful for data recovery, and what you can and can't fix if you lose a drive.

Ten Cool Things You Did Not Know About Your Hard Drive.

DIY Hard Drive Diagnostics Presentation. (7/7)

Other presentations are here. His YouTube channel is here. The Defcon 14 talk isn't as informative as the DIY Hard Drive Diagnostics presentation, but it is still valuable.

Some tips:

MHDD, Victoria, ddrescue, NTFS Explorer, Secure Erase
Overwriting the data on the drive one time will ensure that any sensitive data is gone forever. There is no need to overwrite the disk multiple times, but Secure Erase is a much faster and safer way to destroy sensitive data.

After 2006, chances are you will have a firmware or board problem. WD drives with triangular integrated electronics boards cannot be fixed simply by replacing the boards. A ROM chip (U12) has to be moved from the old board onto the replacement board. Also, never open a WD drive without some research. Because of the way the hard drives are manufactured, if the case is opened, chances are that you will misalign the platters, and then you are screwed because there's no way to realign the platters to recover the data. The drive may be repaired, but the data is lost. Here's a video presentation by another data recovery firm, ACSData.

The outer edge of the drive is the fastest part of the hard drive. Your first partition goes there. Many operating systems partition the drive such that the places where you want the greatest performance are at the worst location, closer to the spindle. Basically, you want the swap partition to be the last partition and the database partition to be the first partition. Ubuntu's default install partitions the drive very suboptimally. My Debian (aptosid) laptop is partitioned properly, but my Ubuntu KVM server/workstation isn't. :-\ I'm glad that I at least had clue enough to use ddrescue for data recovery issues in the past.

Backup, backup, backup! SCSI drives are superior to ATA drives. Today's ATA drives are so cheaply made that their failure rate has gone through the roof. That said, 70% of drive failures are recoverable via software such as a Knoppix live CD with ddrescue and testdisk. 10% of the remaining failures are the IDE PCB, which in some cases can be replaced easily (see So, 80% of the time, hard drives' data can be recovered without opening the hard drive. USB flash memory and other forms of flash memory are the discards from Cisco and other NAND flash memory manufacturers/users. Also, flash memory will fail after 10 years without periodic recharging. SSD drives cannot be easily recovered since you would have to desolder and move the chips from one board to another. Yikes!
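
A simplified illustration of the copy-first, retry-later strategy behind imaging tools such as ddrescue, added here as an example (it is not from the talks and not ddrescue's own code). The `FlakyDisk` class, the sector numbers and the block size are constructed for the demonstration.

```python
SECTOR = 512

class FlakyDisk:
    """Constructed stand-in for a failing drive (not a real device API)."""
    def __init__(self, data, failures):
        self.data = data
        self.failures = dict(failures)  # sector -> failed reads left (inf = dead)

    def read(self, offset, length):
        for s in range(offset // SECTOR, (offset + length - 1) // SECTOR + 1):
            if self.failures.get(s, 0) > 0:
                self.failures[s] -= 1
                raise OSError(f"read error at sector {s}")
        return self.data[offset:offset + length]

def rescue(disk, size, block=8 * SECTOR, retries=3):
    """Image `size` bytes (a multiple of SECTOR); return (image, unrecovered sectors)."""
    image = bytearray(size)            # unread areas stay zero-filled
    pending = []                       # plays the role of the rescue map
    # Pass 1: large reads; on error skip the whole block and move on,
    # so the healthy areas are copied before the drive degrades further.
    for off in range(0, size, block):
        n = min(block, size - off)
        try:
            image[off:off + n] = disk.read(off, n)
        except OSError:
            pending.extend(range(off // SECTOR, (off + n) // SECTOR))
    # Later passes: revisit only the skipped areas, one sector at a time.
    for _ in range(retries):
        failed = []
        for s in pending:
            try:
                image[s * SECTOR:(s + 1) * SECTOR] = disk.read(s * SECTOR, SECTOR)
            except OSError:
                failed.append(s)
        pending = failed
        if not pending:
            break
    return bytes(image), pending

def demo():
    # Constructed sample: 64 sectors, sector 10 marginal, sector 40 dead.
    data = bytes((i // SECTOR) % 251 + 1 for i in range(64 * SECTOR))
    disk = FlakyDisk(data, {10: 2, 40: float("inf")})
    image, bad = rescue(disk, len(data))
    return data, image, bad

if __name__ == "__main__":
    data, image, bad = demo()
    print("unrecovered sectors:", bad, "| bytes differing:",
          sum(a != b for a, b in zip(data, image)))
```

The marginal sector is recovered on a retry pass, while the dead sector stays zero-filled in the image and is reported, so later file system repair works on the image rather than on the failing drive.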

