[aklug] Recovering a dying hard drive, revisited

From: Jenkinson, John P (SAIC) <John.Jenkinson@bp.com>
Date: Wed Feb 04 2009 - 03:29:06 AKST

There was a recent thread about a local data recovery service. A followup
on a business opportunity.
This class might be the training needed if someone is still interested
in that business opportunity
-or-
if you want to take a training class that teaches the techniques
mentioned below.
I have signed up for this class and can provide feedback.

 

That is a great question. That is exactly what I do, take the two
disciplines and cover them as one, joining them where they logically meet.
I cover everything done in a real data recovery environment (as I own
and run a data recovery company) and complement it with forensics. I
cover the unusual issues that are not covered by other classes. I
complement the file system section from 508 and do not try to rehash the
stuff that Rob Lee does such a great job covering.

 

There are several people that have taken my class that will give their
own opinion and I will list some of them at the bottom of this email.
There are several that have taken my class in three letter agencies that
cannot discuss it publicly or write a testimonial so those are excluded.
But I am sure any of these people below will be happy to discuss with
you their benefits in my class. Look for them at the bottom.

 

The clean room issue is not what it used to be. Amazingly enough there
are several ways to deal with drives before opening them that include
both hardware and software. However you can build a clean glove box for
less than $200 that can do drives without introduction of foreign
particles but with the recent "going out of business" sales you can
easily find a great Laminar Flow Clean Bench (generally a Class 10) for
several hundred dollars. I saw some great ones a few weeks ago that
were probably originally 10k going for $300 at the end of the bid. I am
only including this as an example but this looks like a great buy. You
need to do your own research but it is a start and for an opening bid of
$199 that is quite a steal.

 

http://cgi.ebay.com/NuAire-NU-425-600-Laminar-Flow-Safety-Fume-Hood_W0QQitemZ220353066776QQcmdZViewItemQQptZLH_DefaultDomain_0?hash=item220353066776&_trksid=p3286.c0.m14&_trkparms=72%3A1205|66%3A2|65%3A12|39%3A1|240%3A1318|301%3A0|293%3A1|294%3A50#ebayphotohosting

 

In addition there are several places that talk about and build their own
boxes for different purposes. I have built several in the past using HEPA
filters and vacuum cleaners with positive air flow. See:
http://www.thenook.org/archives/3487.html

 

I cover the basics of all the hardware and equipment in the class and
bring with me a PC3000, Salvation Data's Data Compass, Salvation Data's
Hard Drive Doctor Suite as well as a dozen other items. We then do
physical rebuilds of the drives for two days. Keep in mind that in the
real world the necessity to rebuild drives is usually less than 15% of
the drives. There are many that can be fixed other ways without opening
them, but sometimes it is necessary.

 

Here are the details for the class itself and everything I cover. I am
actually in the process of reorganizing the info for a more even flow in
the class but the content will remain the same, plus I have a stack of
new hardware I am including.

 

Details of all Five Days

Data Recovery Forensics
Dead hard drives; damaged hard drives; corrupt file systems; If you have
dealt with any of these scenarios, or have ever sent a hard drive out to
a data recovery company, then this is the class for you. Scott Moulton
is a data recovery expert and has been teaching recovery for years.
Scott Moulton is known all over the world for the dozens of excellent
videos published on YouTube, and from conferences like Defcon or
Shmoocon where he has presented. After viewing those, you will see that
this is THE class and information you need to know! Often data recovery
techniques are enshrouded in a cloud of mystery called trade secrets. We
will teach content from the professional data recovery world merging it
with information in the forensics world. This will allow you to maintain
best evidence and recover the content you need. We perform labs
repairing damaged drives, recovering corrupted information from
operating systems, and using affordable Windows software tools so you
can perform jobs successfully yourself when you leave this class. You
will recover information in the lab from RAID 0/5 arrays, NTFS, Mac OSX,
and Linux file systems EXT 2/3 and Reiser. Everything will be provided
for you in this class including laptops. Every forensics or data
recovery specialist needs to know the information that is taught in this
class!

Day One
On day one we will introduce you to the basic hardware equipment used by
data recovery professionals. We will discuss each tool, its purpose, as
well as the pros and cons of each tool. This will begin to give you the
vocabulary and basic knowledge, the groundwork needed to be able to
continue discussions of what is possible in the lecture over the next
few days. Some of the tools we will be looking at will be head combs,
the PC3000, the Deepspar Forensic Disk Imager, the Salvation Data's Data
Compass, the Atola and Platter Extractor tools.
 
We will break down the four main phases of data recovery. We will then
discuss the Myths surrounding hard drives and dispel some of the
existing beliefs so that we can start to understand the truth versus
marketing or false information.
 
We will then start with the anatomy of the drive and begin to break down
what each item is, what it is called, and what its function is. A hard
drive has an extremely large amount of planning involved with each part
and function in it. There is nothing in a hard drive that is extra and
that does not have a purpose. We will review each of the physical
attributes and how they affect your ability to recover the data from the
drive. Items discussed will include the Actuator Assembly, the Voice
Coil, the locking pins, the Pre-Amp, The circuit boards, the motor and
spindle, as well as the platters themselves that contain your data. We
will even discuss the landing zone and the purpose and locations of the
parking locations and why they were chosen.
 
Newer methods of recording to the hard drive including perpendicular,
instead of longitudinal recording, will be discussed and we will address
what effect it has on your data and your ability to recover data. This
will be followed by recordings of sounds that hard drives make with
pictures and examples of the types of damage that have occurred. Our goal
is to begin to get a feel and to be able to tell what some of the types
of problems are with the drives just by listening to them, feeling them
or examining them.
 
We will review the goals of the labs and display examples of what you
will be performing during the lab and what order it will be executed in.
There will also be a process for building your own head replacement
tools from foil and foam that is better than almost any head combs that
exist.
 
During the labs you will mount hard drives using USB connectors, format
the drive and put data on the drive that you will attempt to recover
after you completely break the hard drive down to bare metal. You are
going to very carefully disassemble two hard drives during the lab and
extract all the parts including the head stack assembly, the printed
circuit board, the IC circuit board, and finally the platters
themselves. You will then reassemble each piece and attempt to get the
drive working again. You will most likely not be successful on the first
attempt so over the next two days we will do a total of five drives. At
this point you will start to get a better grasp on the puzzle pieces
like the locking pin assembly and the spacer for the heads.
 
While this lab is progressing, I will be walking around helping and
mentoring people doing this function. Many times I will give advice to
all students and may call people over to look at a particular hard
drive, as each drive is different. You will get an assortment of drives
so you will get the advantage of seeing variety and the different way
each drive is manufactured. This will increase your skills at
recognizing processes and parts as you learn this process.
 
After you have experience with the internals of the drive and now have a
better grasp of the basics, I will show you a few videos and pictures of
drives I have disassembled and repaired and recovered data from.
 
We will close the day with a display of how to match hard drives for
donor drives. This is where you will learn what you need to acquire your
parts to rebuild your damaged hard drives.
 

Day Two
Now that you have a basic understanding of the physical attributes of
the drive, we will move to the more logical functions controlled by the
drive and the internals of initialization processes done by the drive at
the power on cycle. As we cover the power on sequence, we will cover the
self-check functions, the spindle spin up and its creation of the air
bearing. Following that we will cover the locking pin and accelerometer
functions that shut down a hard drive to protect it. Once that function
is complete we can cover the processes the heads perform as the actuator
arm can now be released. This includes the Servo timing being read, the
System Area, and Firmware extensions.
 
As we move into the heads and cover those functions, we can discuss the
content in each of those items read by the heads. Primarily this is
addressed by the contents of the System Area then referred to as the SA
area. This will lead us into the UBA blocks, P-Lists, G-Lists, ECC, Zone
Tables, and Password tables. As we cross over into the platters we will
start with a breakdown of the cylinder structure vs. zone tables. The
servo arcs and geographical information surrounding the platters will be
affected since we have switched to voice coils over stepping motors.
 
Finally having reached the heads themselves, we can cover the basic
types of heads that include MR and GMR heads. We will discuss the basic
function of the GMR head and the properties that are affected by physics
along with the super-paramagnetic effect. There will be a display of
some drives or pictures showing the advancements in these categories
over the years to arrive at where we are now.
 
Now that we know how the data arrives at the heads as it passes through
the preamp, we will look at the content that is encoded and built around
randomization patterns to be written to the platters as a sector. We
cover the content encoded in that sector and each location and what it
looks like. This is the introduction to error codes that you will get
tied back to the data recovery hardware and software covered in lecture
on the first day. We will have in depth information about the servo
data, the addresses on the drive and locations in respect to the head,
sector, and cylinder boundaries.
 
As we discuss this content and introduce each type of error, I will
break the errors down logically so they can be understood based on the
data recovery equipment and software used. This will include the error
codes for: IDNF; Index Location Not Found, the AMNF; Address Marker Not
Found, ECC; Error Correction Code, ABRT and UNC; Aborts Errors and TONF;
Track 0 Not Found.
 
This will help us understand the types of problems that can cause the "Click
of Death" often heard in hard drives and what exactly the parts are that
failed. We will then discuss the possible steps through which one might
repair the drives. These will include methods such as live board swaps,
SA repairs. We will also cover the ability to repair sectors using
reverse imaging and as part of the education about the proper way to
disassemble drives we will pursue a discussion of clean room technology
and possible ways to be cost effective using a glove box or positive
airflow containers for small jobs.
 
Now that you have an even better understanding of the sensitivity of the
hard drive and how everything affects the heads, platters and alignment
and how even a small amount of change can affect the drive, you will be
given three more drives today. We will do the same functions we did on
day one being much more careful. We will format the drives, copy files
to the drive for us to recover, then break the drives down to bare
metal. Following that we will reassemble and attempt to recover the
data we wrote earlier.
 
 
Day Three
Beginning on Day three we will put away all the physical rebuild
components and begin to focus on the imaging and logical corruption and
repair. We now have the skills to physically repair drives and get them
working again, now we need to deal with the content and acquire the data
and repair any corruption that might have occurred. We begin the day
looking at standard ways of imaging content.
 
We will also have carefully crafted USB Memory Sticks that contain NTFS
file systems (usually only FAT is used on small drives) and are corrupted
exactly like you will see on drives in your lab. We then begin by using
tools like FTK Imager, DriveImage XML and Media Tools Pro all of which
have special advantages and disadvantages. After you have a clear
understanding of the way software imaging looks, I will demonstrate a
high-end data recovery tool like the Deepspar Forensics Disk Imager and
show you the capabilities and what all the functions do. I will educate
you on how to do a repair on sectors and copy a damaged drive using this
tool on a sample damaged hard drive. This will be followed by an
example of Salvation Data's Data Compass and the functions it supplies
on the fly and the protection it offers for damaged hard drives.
 
We will close out the second phase of data recovery, drive imaging, and
move into the third phase, which involves file systems and corruption
after the image is made. Again we will use a carefully crafted USB
memory stick, which will not properly mount NTFS and we will step through
how you can recover or repair and see the content in the MFT using tools
and find the location of the files you wish to recover. The major part
of this will include discussions of file systems and labs in which I will
explain the advantages and disadvantages of each tool and show you all
the items that are special about the tools.
 
We will have several labs that you will do that demonstrate how you can
see and recover data from corrupt drives. That includes reviewing
partition structures including the GUID Partition Structure, recovering
from NTFS when it won't mount. The labs will include the use of Disk
Explorer for NTFS and its special qualities that make it a superb data
recovery tool when used in parallel with GetDataBack for NTFS. We will
also review a NTFS drive using Testdisk.
 
 
Day Four
On day four we will spend the first half of the day finishing up logical
structures of the top three operating systems followed by lecture and
lab on assembling RAID 0 and RAID 5 arrays. We start the day finishing
up Windows and NTFS with the unusual differences between Vista and XP
with regards to data recovery. This includes options like Shadow Copy
file recovery, changes to the structure of files in the recycle bin as
well as info2 files.
 
Mac OSX HFS+ partitions when Mac OS X can't repair or recover from them.
During these sections we will use reference material and discuss the
nature of each operating system touching on its basic format and file
structure. Labs during this day will include HFSExplorer where we can
see the B* Tree structure stored in the Mac OSX Catalog. We will then
move on to examining the basic functions and software available to
recover Linux EXT 2/3 and Reiser partitions. There are additional tools
used to recover and rebuild Linux that will include tools like
R-Studios, Disk Explorer for Linux.
 
In the afternoon we will begin with an examination of the HPA's (host
protected area) effect on JBOD, how to review custom arrays created by
different manufacturers and then crossover into RAID 0/5 arrays. We are
only addressing the functions necessary to recreate the RAID arrays to
be able to retrieve data from them, not to rebuild them to be able to
put the array back in place. We are only interested in the ability to
acquire data from the drives and be able to deliver that content back to
whomever needs it.
 
The labs for RAID 0 and RAID 5 will include several premade images,
which we will process. Rebuilding these arrays can be done several ways
and will require a lot of time. I will show you what happens when you
have the settings for RAID wrong, quick and easy ways to identify the
problems and how to find the correct settings by doing entropy by sight
or sound and correcting the issues so you can do a successful recovery.
I will also demonstrate how you can do some of these functions faster
using other tools like X-Ways Forensics and R-Studios and Raid
Reconstructor.
 
Day Five

We will begin with a lab rebuilding 2.5" hard drives. It will take time
to go through the process and rebuild but will show the differences in
rebuilding a 2.5" over doing a 3.5".

On day five we view information about Solid State Drives. We focus on
what happens over time to data on solid state drives, and how
solid state drives function. We will cover the lower level functions
that are different than a physical hard drive and why that is important
to data recovery and forensics. I will display some screen shots of some
research I have done capturing dd images of solid state drives at
different times and what has happened to the data. You will be amazed to
find out the effect on unallocated and file slack space and
defragmentation. This will lead us to discussions about the impact solid
state will have on the future of forensics and data recovery and
possible issues we may have getting recovered content admitted into
court. This will also include a discussion about a newer FAT file
system, FAT64 and the purpose that it was developed to solve.
 
I will have some new information about the future of storage and changes
to hard drives, as well as flash media and introductory information
about new technology called Domain Walls or RaceTrack Memory under
development by the same designer of the current head technology on the
hard drive. The lifespan of current media and shelf life of flash media
as a long term storage will be reviewed and we will discuss alternative
methods of keeping data safe or how to refresh the content so that it
will remain intact if you have to store forensic data for years to come.
 
In addition, during a recovery, there are some issues with security on
drives that do not involve encryption such as GUID/SID folder
protection. These items will keep you from knowing the data is on the
drive and since it is "invisible" during the data recovery phase it is
possible you might miss extracting important content. We will discuss
ways to get around this "file protection" in the different operating
systems.
 
As we wind down to close the fifth day we will cover a few of the unique
items that are functions of the drive that might affect your ability to
get an image such as TPM, hard drive passwords, flash updates to the
drive, translator tables, and secure erase wiping tools built into the
motherboard and drive for high speed wiping. How the HPA can be used for
many other functions such as Lo-Jack for laptops, or resizing a drive to
limit software recovery. We will also have a demo of other tools such as
MHDD and Victoria, and look at how you can recondition a drive and purge
or kill bad or slow sectors making the drive faster and more useful.
Additionally we will also cover some software items such as zone tables
and tools for testing the speed of drives or RAID arrays.

Testimonials & a Review:

 

Scott's data recovery class was well suited for me. My previous skills
in software data recovery were intermediate level and hardware recovery
were nil. The course expanded my knowledge 100 fold. I hope to be
successful in hardware recovery soon. Scott freely imparts of his
knowledge and skills and I found his course to be extremely helpful to
my education.

 

Thanks,

 

Steven Wright / Symantec

Systems Administrator for Symantec.com

IT-Alexandria

office 703-373-5335

cell 703-919-8610

 

Most of my forensic training has focused on the evidence resident in
logical disk structures. Scott's instruction on the inner workings of
traditional hard drives, solid state drives, and RAID arrays at such a
granular level has made me a better forensic examiner. Not only do I
now have the hands-on training to potentially save "dead" hard drives
seized from a crime scene, but I can also now confidently explain to a
jury how the state of the physical disk impacts on the evidence that I
have recovered. This course is invaluable for any forensic examiner
wanting to expand her knowledge beyond how to use software to recover
evidence, and I highly recommend it.

 

Beth Whitney, CFCE, SCERS

Forensic Computer Examiner

City-County Bureau of Identification

PO Box 550, Raleigh, NC 27601

 

You put on a fantastic class!

William F Paulin / Infrastructure Generalist
Boeing SVS,Inc.
4411 The 25 Way Suite 350
Albuquerque, NM 87109

Scott is an extremely knowledgeable instructor and has no problem at all
sharing information...even some of those industry secrets that no one
else wants to divulge. As a person who has spent a lot of money (like
most of you I am sure) on past training, I will go as far as saying it
was the best training for the dollar that I have ever had. If anyone of
you are looking into data recovery training, you can't go wrong with
Scott Moulton.

Best regards,
 
Vadon Willis
Forensic Investigator
Ispirian Computer Forensics
16401 Swingley Ridge Road, Suite 250
Chesterfield, MO 63017-0762
USA

Dear Scott,

Thank you very much for the excellent course. Though initially I took
the course because of the certification, I realize that the knowledge
you gave me was very valuable. The curriculum was very well thought out
and the delivery of it was awesome! I would absolutely recommend your
course to anybody who wants to get into data recovery and also to
anybody who has been doing it for less than a year. Your skill in
supervising labs of 17 people -- while they were simultaneously changing
head assemblies -- was amazing. Also, the certification in Data
Recovery you've arranged for us could be helpful one day.

 

Gratefully,

Sam Roitman, President

784 Columbus Ave. Suite 11L

New York, NY 10025

212.222.1440

 

Scott's data recovery class was a great investment. We got to learn from
somebody who is not just a trainer, but somebody who does data recovery
on a daily basis and knows the tricks, and which tools work best in
which scenario. There were also lots of hands-on labs where we got to
take drives apart and practice removing heads and platters, in addition
to labs covering numerous logical and physical data recovery scenarios.

 

Thanks

Gary Huestis / Houston Computing Services

9000 Emmott Rd, Suite C

Houston, TX 77040

Phone: 713-896-1777

Fax: 713-896-1155

info@houstoncomputing.com

 

Scott -

I wanted to send you an email quick to say thanks for such a great week
of class! At this point I have spent plenty of time in trainings and
found this to be hands down one of the best trainings I have been to!
It isn't an easy task to keep people's attention for 8+ hrs a day, but
you certainly managed to do it. The hands-on portion as well as the
RAID reconstruction was alone worth the price of admission!

Also, one of your questions on the survey was about doing a forensic
class... Is this something you are thinking seriously about? I think I
would be very interested in that.

Thanks again -

 

Brandon Fannon

Mainstay Data Services

office: 616.855.2559

cell: 616.893.3533

fax: 616.532.4552

email: bfannon@mainstaydata.com

 

Scott Moulton is a fabulous speaker and a true expert in the data
recovery industry. Scott can explain some of the most difficult data
recovery scenarios in the simplest terms. Scott's classes are hands on
and very interactive with multiple types of hard drives for every
student. Scott truly sees the link between data recovery and IT
forensics. I was so impressed with his course and material that I
purchased several of his training manuals for the Atlanta-IISFA forensic
group and have asked him to be a regular speaker. I highly recommend
Scott's class to anyone working in the data recovery or forensics field.

Lou Lombardy Forensics Specialist
President, Atlanta IISFA Chapter

After having seen Scott's presentations and videos, I attended his
class. What an eye-opener! His class gives a no-nonsense view of data
recovery, and blows away all of the myth and mystery behind the 'black
art'. His class is well designed, very interactive, and Scott always was
open to the 'what if' questions. For anyone that is serious about
wanting to do data recovery, I highly recommend his class. Cheers Scott,
for sharing your knowledge.

 

Trevor Hearn / Information Security Officer
Peabody College at Vanderbilt

 

Thank you,

 

----------------------------------------------------------

Scott A. Moulton / CCFS CCFT CDRP DREC

Certified Computer Forensic Specialist

Certified Computer Forensic Technician

Certified Data Recovery Professional

Data Recovery Expert Certification

SANS Instructor for SEC606

Forensic Data Recovery

http://www.sans.org/info/37599

----------------------------------------------------------

Forensic Strategy Services, LLC &

My Hard Drive Died, DBA

----------------------------------------------------------

601b Industrial Court, Woodstock, Ga 30189

Phone: 770-926-5588 Fax: 770-926-7089

Web: www.ForensicStrategy.com <http://www.ForensicStrategy.com>

Web: www.MyHardDriveDied.com <http://www.MyHardDriveDied.com>

----------------------------------------------------------

 

From: whipsmack [mailto:whipsmack0@yahoo.com]
Sent: Friday, January 30, 2009 12:56 PM
To: Scott Moulton
Subject: Re: [GCFA] Recovering a dying hard drive, revisited

 

Scott.. great posts and your training class seems very interesting.
However, will it be beneficial for the majority of forensic
professionals to help enhance and couple their existing knowledge of
forensics (i.e. or is most of this training and accompanying exercises
solely based on implementing or having access to a clean room?). I feel
that one of the primary road blocks in forensic analysis is indeed
dealing with damaged media, and therefore software techniques used to
gather forensically sound images seem to fail in these cases.. it would
be fantastic if the two disciplines could be coupled, as I know your
training is geared towards... but most of the forensic examiners do not
have a suitable place to assess and fix damaged media. Suggestions??
Thanks

 

John

 

________________________________

From: Scott Moulton <SMoulton@nicservices.com>
To: giac-alumni@nathanielhall.com; tilley.rb@gmail.com
Cc: gcfa@lists.sans.org
Sent: Friday, January 30, 2009 11:12:25 AM
Subject: Re: [GCFA] Recovering a dying hard drive, revisited

The correct way to do what Spinrite is doing, and going to a separate
destination disk. The DeepSpar Disk Imager and the Forensic Disk Imager:

A response I wrote about the risk of using a Forensic Disk Imager vs
something else:

The Forensic DeepSpar Disk Imager:
When a drive is being read and there are errors, there is code inside
the drive that is compensating for the errors and can do a number of
things including moving content around. The Disk Imager has a
pre-allocation mode where you can turn this feature off. This is
generally where software (like Spinrite) fails in many cases and can
cause unintentional changes to the drive.

Somehow it has become acceptable for forensics to use an image that has
bad sectors padded with zeros (or padded with something else). How is
it that it is a risk to use a tool that can ACTUALLY copy the correct
data from the sector instead of just returning nothing. The process used
by the DeepSpar disk imager has to be much better than the other
FORENSIC IMAGERS that just pad the un-copyable sector with nothing. If
you have a damaged drive, and I can make a good image of the drive with
the content from the bad sectors, as long as the process is documented
it would generally be accepted as "Best Evidence" however that is
entirely up to the judge. The DeepSpar Forensic Imager ACTUALLY copies
these sectors and I would say pretty close to 95% of damaged drives that
other imagers or other recovery software cannot. In many cases even with
drives that cannot be seen by the ATA controller itself on your
motherboard (Keep in mind, we do want to be careful about the settings
when we copy sectors with Ignore ECC on as those are questionable.)

The Forensic Disk Imager makes an image of the client's data, and makes a
map of the LBA blocks to store the success or failure of the sectors it
copies and their state as well as some logging information about the
process. If an HPA is set the content for the client's data will be
exactly the same depending on the state of the sectors that were copied.
While the LBA map is on the drive, it is not necessary to include it in
your client data any more than when you make an image file and store the
text file of the MD5 on the drive with it. The HPA is how you control
the location of the map. The larger disk option is only an issue while
imaging the disk, then you set the HPA for the drive and imaging it just
like any other drive once you have the good copy, that is if you want
to.

In addition, if you have a damaged drive with bad sectors, in almost
every case you will not get a matching MD5 anyway regardless of the
tool. The newly "cloned" repaired drive might actually have all good
sectors recovered but the MD5 from the original drive cannot be produced
correctly from the damaged media (even though the Forensic Disk Imager
actually did the job correctly). Again we are talking about Best
Evidence.

I can tell you that I have corrected damaged drives in cases the FBI
(and others) is using and is well aware of the process required to get
that evidence from drives where heads have actually flung off the
actuator arm. The first step is to get the best copy of the evidence
possible and the second step is to explain how you got it and let the
judge decide what to do with it. That is his job.

I cannot imagine that anyone who can afford this powerful tool that
works with damaged drives as well as good drives, would pass just to use
some plain jane imager that fills bad sectors with zeros. Because, I
would much rather be sitting in a lawyer's office telling him "I am
sorry but it has bad sectors and my device fails" instead of whipping
out my Forensic Disk Imager and just getting the job done at 3.5 gigs.
Cause I have been there, so many times.........

In addition there is an update being added to the current models of Disk
Imagers that allow you to turn off a head that is bad and image the rest
of the drive. Then you can replace the bad head (the whole assembly) and
read the data just from the heads you need to. This is something that
was available only on a high-end piece of hardware called the PC3000 but
will now be available after March in the $3200 version of the DeepSpar
Disk Imager.

Since the drive is broken up into Zone Tables, LBA blocks are scattered
in the order the manufacturer wants to locate them, when you read with
the good heads it fills in the locations on the destination drive
similar to what happens with a bittorrent. When you repair the bad heads
and read again it only fills in the sectors that were not covered and
imaged in the first pass.

PS: The forensic imager can also make a standard DD image from a good
drive just like those OTHER tools, just not while in sector recovery
mode, but really, what would be the point.

Thank you,

----------------------------------------------------------
Scott A. Moulton / CCFS CCFT CDRP DREC
Certified Computer Forensic Specialist
Certified Computer Forensic Technician
Certified Data Recovery Professional
Data Recovery Expert Certification
----------------------------------------------------------
Forensic Strategy Services, LLC
----------------------------------------------------------
601b Industrial Court, Woodstock, Ga 30189
Phone: 770-926-5588 Fax: 770-926-7089
Web: www.ForensicStrategy.com <http://www.forensicstrategy.com/>
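
The two-pass fill described in the message above (image with the good heads, then fill only the gaps after the head repair), as an added toy simulation that is not part of the original email and not the DeepSpar implementation. The LBA-to-head layout, the sector size and the `ToyDrive` class are constructed assumptions.

```python
import hashlib

SECTOR = 16    # constructed toy sector size; real drives use 512 or 4096 bytes
HEADS = 4      # assumed head count
ZONE_LEN = 8   # assumed run of consecutive LBAs served by one head

def head_for_lba(lba):
    # Assumed toy layout; real drives use manufacturer-specific zone tables.
    return (lba // ZONE_LEN) % HEADS

def sector_data(lba):
    # Constructed, deterministic sector contents so the result can be checked.
    return hashlib.sha256(lba.to_bytes(8, "big")).digest()[:SECTOR]

class ToyDrive:
    """Constructed stand-in for a source drive with failed heads."""
    def __init__(self, n_sectors, bad_heads):
        self.n, self.bad_heads, self.reads = n_sectors, set(bad_heads), 0

    def read(self, lba):
        self.reads += 1
        if head_for_lba(lba) in self.bad_heads:
            raise IOError(f"unreadable sector {lba}")
        return sector_data(lba)

def image_pass(drive, dest, done, skip_heads=()):
    """Copy sectors not yet imaged; never send a read to a skipped head."""
    for lba in range(drive.n):
        if done[lba] or head_for_lba(lba) in skip_heads:
            continue
        try:
            data = drive.read(lba)
        except IOError:
            continue  # stays unmarked in the map instead of becoming zeros
        dest[lba * SECTOR:(lba + 1) * SECTOR] = data
        done[lba] = True
    return sum(done)

def two_pass_demo(n=64, bad_head=2):
    drive = ToyDrive(n, bad_heads={bad_head})
    dest, done = bytearray(n * SECTOR), [False] * n
    first = image_pass(drive, dest, done, skip_heads={bad_head})
    reads_first = drive.reads
    drive.bad_heads.clear()                 # head assembly replaced
    total = image_pass(drive, dest, done)   # fills only the gaps
    expected = b"".join(sector_data(i) for i in range(n))
    return first, drive.reads - reads_first, total, bytes(dest) == expected

if __name__ == "__main__":
    print(two_pass_demo())
```

The `done` map is what separates a sector that was never read from one that really contains zeros, which a zero-filling imager cannot tell apart afterwards.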

-----Original Message-----
From: Nathaniel Hall [mailto:giac-alumni@nathanielhall.com]
Sent: Friday, January 30, 2009 10:43 AM
To: tilley.rb@gmail.com
Cc: Scott Moulton; Derek Edwards; gcfa@lists.sans.org
Subject: Re: [GCFA] Recovering a dying hard drive, revisited

Brad, I'm with you. I have used SpinRite on several hard drives and
have recovered the data without any problems. In my experiences, only
one bad sector is causing the drive to not work and SpinRite fixes it.

The problem is that if the system can't even boot past POST, then
SpinRite isn't going to help. The system has to be able to read and
write to the disk in order to be able to use SpinRite. If the drive
causes freezing at POST then it isn't a simple problem with unreadable
sectors.

--
Nathaniel Hall

Brad Tilley wrote:
> I used to use Spinrite in a large IT shop (600 supported users) as a 
> last ditch effort for in-house data recovery (not forensics). On 
> average, it worked about 2 out of 3 times. We probably used it about 
> 50 times. We were very pleased with the product. I'm no longer in IT 
> Management, but if I were, I would buy and use Spinrite again.
>
> On Fri, Jan 30, 2009 at 10:32 AM, Scott Moulton 
> <SMoulton@nicservices.com <mailto:SMoulton@nicservices.com>> wrote:
>
>    WOW. NO please do not do Spinrite.  STOP NOW!  I have a more
>    detailed email coming in a few minutes about how to look at this
>    actual problem, however I had to answer this one right now.
>
>    Spinrite is not data recovery software regardless of their
>    marketing it as such.
>
>    I get many questions about why I left off Spinrite on my
>    recommendations of data recovery software. I specifically leave
>    off Spinrite because under the strictest terms it is not data
>    recovery software. Almost every single data recovery package
>    knows, and will warn you not to write the data back to the
>    original source drive. Data Recovery/Forensics software almost
>    always recover from a source to a DESTINATION. Spinrite does NOT
>    do that, it refreshes the surface and controls reads to get the
>    maximum amount of data from the sectors and then puts it back down
>    on the same drive. It is possible to do more damage to the drive
>    by doing excessive read and writes. There are times that you only
>    get one good chance at data and if you use a tool that just goes
>    in and surgically removes the data you want BEFORE doing the scan
>    you will be a lot safer.
>
>    I think Spinrite does quite a few things very well and it does an
>    excellent job at reporting and reading the SMART info and
>    refreshing the surface of the hard drive. However, I would like to
>    first try to get the data from the drive before scanning it and
>    trying to rebuild sectors. There are many reasons for this, but
>    the most important one being that the drive can die in the process
>    of running Spinrite.  
>
>    If I was going to use Spinrite, I would get everything I could off
>    the drive to another destination first and then use Spinrite to
>    try to get anything I could not repair (although I never have to
>    with the tools I use). Another horrific story I have seen with
>    drives sent to me, is that if Spinrite runs successfully,
>    people are under the impression that the drive is repaired and is
>    usable again and continue to use it. Big mistake and it usually
>    dies again shortly. On a Windows Hard Drive I would try
>    NTFSExplorer/FatExplorer first in the hopes of doing a surgical
>    recovery as opposed to spending days rewriting sectors in the hopes
>    that my drive can live through it as Spinrite does.
>
>    I am on a radio show every month and the hosts have been trying to
>    get Steve Gibson on to talk about why he does not choose to make an
>    option for a destination drive instead of the original. He has
>    ignored our requests as well as the ones I have sent personally. 
>    Hopefully someday he will do something about that.
>
>    Thank you,
>
>    ----------------------------------------------------------
>    Scott A. Moulton / CCFS CCFT CDRP DREC
>    Certified Computer Forensic Specialist
>    Certified Computer Forensic Technician
>    Certified Data Recovery Professional
>    Data Recovery Expert Certification
>    ----------------------------------------------------------
>    Forensic Strategy Services, LLC
>    ----------------------------------------------------------
>    601b Industrial Court, Woodstock, Ga 30189
>    Phone: 770-926-5588 Fax: 770-926-7089
>    Web: www.ForensicStrategy.com <http://www.forensicstrategy.com/>
>
>    *From:* gcfa-bounces@lists.sans.org
>    <mailto:gcfa-bounces@lists.sans.org>
>    [mailto:gcfa-bounces@lists.sans.org
>    <mailto:gcfa-bounces@lists.sans.org>] *On Behalf Of *Derek Edwards
>    *Sent:* Friday, January 30, 2009 10:25 AM
>    *To:* giac-alumni@nathanielhall.com
>    <mailto:giac-alumni@nathanielhall.com>
>
>    *Cc:* gcfa@lists.sans.org <mailto:gcfa@lists.sans.org>
>    *Subject:* Re: [GCFA] Recovering a dying hard drive, revisited
>
>    You gotta try SpinRite.
>
>    http://www.grc.com/sr/spinrite.htm
>
>    Steve Gibson developed this hard drive recovery and maintenance
>    tool, and I've used it to recover data on a number of drives.
>    After a data recovery pass (level 2) on some "far gone" drives,
>    the drive usually retains just enough life left to get a good
>    backup.
>
>    I also recommend the SecurityNow podcast (also linked from the GRC
>    site) as a great source of information on security and other geek
>    topics.
>
>    -- 
>    Derek Edwards, CISSP / CEH / GCFA / GPEN derekedw@yahoo.com
>    <mailto:derekedw@yahoo.com>
>    Soli Deo Gloria
>
>
>    ------------------------------------------------------------------------
>
>    *From:* Nathaniel Hall <giac-alumni@nathanielhall.com
>    <mailto:giac-alumni@nathanielhall.com>>
>    *Cc:* gcfa@lists.sans.org <mailto:gcfa@lists.sans.org>
>    *Sent:* Friday, January 30, 2009 9:25:13 AM
>    *Subject:* Re: [GCFA] Recovering a dying hard drive, revisited
>
>    I've even had a couple of drives that quit working, but worked
>    after I let them sit for a while.  The longer they sit the more
>    data I could recover.  Could be anywhere from a week to three
>    months or more.
>
>    --
>    Nathaniel Hall
>
>    Keith Seymour wrote:
>    > This might sound primitive but I've had really good luck with the
>    > freezer method. When the HD spins and isn't making any grinding or
>    > clicking noises throw it in the freezer in a ziplock bag for a few
>    > hours. When it comes out hook it up and copy the data off of it. It
>    > isn't as sexy as pulling the drive apart and repairing it but the
>    > data you recover is the same. I've done this successfully five times
>    > now over a span of 10 years. The last time was just a month ago when
>    > my wife's desktop failed.
>    >
>    > Keith
>    >
>    > On Fri, Jan 30, 2009 at 12:43 AM, Info Assurance Pro
>    > <infoassurancepro@gmail.com <mailto:infoassurancepro@gmail.com>
>    <mailto:infoassurancepro@gmail.com
>    <mailto:infoassurancepro@gmail.com>>> wrote:
>    >
>    >    Hi all,
>    >
>    >    A buddy of mine has a Seagate Momentus 500GB SATA drive as his
>    >    Windows XP boot in his computer.  One day the computer starts
>    >    freezing at POST.  This is the second drive to fail in his box (I
>    >    suspect a bad controller) so I come over, various rescue disks and
>    >    external connectors in hand, to try and help him out.  We pop out
>    >    the drive and hook it up to another box (laptop.)
>    >
>    >    Short story is, it either freezes at POST (eSATA), freezes (in
>    >    Windows) if you try to plug it in once the computer is booted
>    >    (eSATA), or simply won't recognize the drive at all in Windows,
>    >    Helix or various Ubuntu flavors (USB/eSATA on Helix/Ubuntu.)  I
>    >    used an Icy Dock eSATA/USB enclosure and a CablesToGo USB to SATA
>    >    drive adapter with the same results.  The drive itself seems to
>    >    power on fine, spin up, and I hear the sound of head access at
>    >    startup (and not any of the "evil sounds" David Hoelzer described
>    >    in his recent blog post
>    >    <http://sansforensics.wordpress.com/2009/01/16/first-response-recovering-a-dying-hard-drive/>)
>    >    but after that, no access noises, and no drive recognition - not
>    >    in /dev on Linux, nor in New Hardware Wizard on Windows.
>    >
>    >    I'd love to recover the data for him (he's a professional
>    >    photographer / videographer and these are some of his projects)
>    >    with my GCFA-fu, but I can't even get the frakkin' thing to
>    >    mount.  Any ideas out there would be greatly appreciated.
>
Received on Wed Feb 4 03:29:24 2009

This archive was generated by hypermail 2.1.8 : Wed Feb 04 2009 - 03:29:24 AKST