How, and How NOT, to Recover Data From a Failing or Crashed Hard Drive
By Dr. Eamon P. Doherty
Introduction: This article describes an attempted recovery from a failing hard disc drive that held only benign data, but the situation is one that could well be encountered in a criminal or terrorism investigation, and the mistakes we made are the ones an examiner must avoid.
Recently, one of my associates, Don Purdy, had a laptop hard drive that he suspected was failing, although it was still bootable. Don contacted the computer manufacturer, who provided a script to run chkdsk on bootup. Chkdsk ran and hung. Thereafter chkdsk ran and hung on every bootup, which made the drive functionally unbootable. Note that chkdsk is a repair tool rather than a diagnostic: it writes to the volume, and on a drive that is mechanically failing the scan itself adds wear to a drive that has very little life left.
What We Did: Don and I took advantage of the situation to set up the hard disc drive to simulate a forensic examination of a terrorist's hard drive. The first step was to mount the drive in a USB drive enclosure behind a write blocker, so that nothing we did could alter it.
We found that the drive was still accessible and took the easy route (big mistake) by dragging and dropping entire folders onto a 1 TB external drive. Many files could not be copied; each one raised a prompt that delayed the copy and eventually caused the process to stop. A file-level copy of this kind only retrieves what the file system can still read, halts at the first unreadable file, and spends the drive's remaining life on operating-system retries of each bad sector. Within one hour, the drive was no longer accessible and no more data could be recovered. By then it was making a clicking sound every two to four seconds.

Our next strategy was to implement the "freezer trick." I put the hard drive in a plastic bag and placed it in the freezer for two hours. (Condensation on a cold drive brought back into warm air is a real risk; a sealed bag and a short working window are the best one can do.) After I removed the drive, we put it in the drive enclosure and connected the write blocker. Don and I connected this to the USB port and were pleased to note that the clicking sounds were gone and the drive appeared to work again.

Next we used AccessData's Forensic Toolkit (FTK) Imager to copy every used and unused byte of information on the entire drive. This process took about 90 minutes. We should then have been able to use the data carving utility to recover all the pictures, documents, and spreadsheets on the drive. However, every cluster in the image contained only zeroes: the drive enumerated and answered reads, but it was too damaged to return real data, and the toolkit had nothing to carve.
What We Should Have Done: The big lesson we learned was that we should have imaged the entire hard drive first with FTK Imager while the drive was still functioning, before any file-level copying, and verified the image with a hash. An imager that tolerates read errors (FTK Imager, or GNU ddrescue, which zero-fills unreadable sectors and keeps a map of them so the bad areas can be retried later) gets the readable sectors off the drive in one pass instead of stopping at the first bad file. From there we could have used the data carving function on the image, not the drive, to recover the files. Alternately, we might have used a Logicube hardware duplicator to copy the failing drive's image to a good drive, and continued with the good drive.
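To make the "image first, then carve" lesson concrete, here is an added example that is not the author's code and not part of FTK Imager, Logicube or ddrescue. It shows the three steps in miniature: a sector-by-sector imager that zero-fills and logs unreadable sectors instead of aborting, a sanity check that would have flagged the all-zero image we obtained, and a simple header/footer carver run against the image. FakeDisk is a constructed stand-in for a failing drive, and the JPEG and PNG payloads are synthetic; the sector size, retry count and signature table are assumptions, not values from the article.

```python
import hashlib

SECTOR = 512  # assumed sector size


class FakeDisk:
    """Constructed stand-in for a dying drive: a byte image in which a
    chosen set of sectors fails every read with EIO, as the kernel would
    report it for a drive that has started clicking."""

    def __init__(self, data: bytes, bad_sectors=()):
        assert len(data) % SECTOR == 0
        self.data, self.bad = data, set(bad_sectors)
        self.sectors = len(data) // SECTOR

    def read_sector(self, n: int) -> bytes:
        if n in self.bad:
            raise OSError(5, "Input/output error")
        return self.data[n * SECTOR:(n + 1) * SECTOR]


def image_device(disk, retries: int = 2):
    """Step 1: image the whole device, tolerating read errors.
    Unreadable sectors are zero-filled and recorded in bad_map (the idea
    behind a ddrescue map file) rather than stopping the copy, which is
    what a drag-and-drop file copy does at the first unreadable file."""
    out, bad_map = bytearray(), []
    for n in range(disk.sectors):
        for attempt in range(retries + 1):
            try:
                out += disk.read_sector(n)
                break
            except OSError:
                if attempt == retries:
                    out += b"\x00" * SECTOR
                    bad_map.append(n)
    return bytes(out), bad_map


def zero_fraction(image: bytes) -> float:
    """Step 2: fraction of sectors that are entirely zero. An image of a
    once-live disk that comes back close to 1.0, as ours did, means the
    drive never returned real data and carving it is pointless."""
    zero = b"\x00" * SECTOR
    total = len(image) // SECTOR
    return sum(image[i * SECTOR:(i + 1) * SECTOR] == zero for i in range(total)) / total


# Assumed signature table: (header, footer, bytes that follow the footer).
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9", 0),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND", 4),  # IEND chunk ends with a 4-byte CRC
}


def carve(image: bytes, max_len: int = 16 * 1024 * 1024):
    """Step 3: header/footer carving. Returns [(type, offset, data)] for
    every header whose footer appears within max_len bytes. It ignores the
    file system entirely, so it also finds files in unallocated space."""
    found = []
    for kind, (head, tail, extra) in SIGNATURES.items():
        pos = image.find(head)
        while pos != -1:
            end = image.find(tail, pos + len(head), pos + max_len)
            if end != -1:
                end += len(tail) + extra
                found.append((kind, pos, image[pos:end]))
                pos = image.find(head, end)
            else:
                pos = image.find(head, pos + 1)
    return sorted(found, key=lambda f: f[1])


def build_sample_image(bad_sectors=(11,)):
    """Constructed 64-sector image: filler, a synthetic JPEG spanning
    sectors 10-12, and a synthetic PNG (IHDR + IEND only) at sector 30.
    Sector 11, in the middle of the JPEG, is unreadable by default."""
    filler = b"\xaa" * SECTOR
    jpeg = b"\xff\xd8\xff\xe0" + bytes(range(256)) * 5 + b"\xff\xd9"
    png = (b"\x89PNG\r\n\x1a\n"
           + b"\x00\x00\x00\x0dIHDR" + b"\x00\x00\x00\x01\x00\x00\x00\x01\x08\x02\x00\x00\x00" + b"\x90wS\xde"
           + b"\x00\x00\x00\x00IEND" + b"\xaeB`\x82")

    def pad(b):  # pad a file out to a whole sector with filler
        return b + filler[:(-len(b)) % SECTOR]

    data = filler * 10 + pad(jpeg) + filler * 17 + pad(png)
    data += filler * (64 - len(data) // SECTOR)
    return FakeDisk(data, bad_sectors), {"jpg": jpeg, "png": png}


if __name__ == "__main__":
    disk, originals = build_sample_image()
    image, bad = image_device(disk)
    print(f"imaged {len(image)} bytes, bad sectors {bad}, zero fraction {zero_fraction(image):.4f}")
    print(f"image sha256 {hashlib.sha256(image).hexdigest()}")
    for kind, off, data in carve(image):
        state = "intact" if data == originals[kind] else "damaged (zero-filled hole)"
        print(f"{kind} at offset {off}: {len(data)} bytes, {state}")
```

Two points of practice the code makes visible: the JPEG with the bad sector in its middle is still carved to its full length, but with a zero-filled hole, so the bad-sector map matters as much as the image when deciding which recovered files to trust; and carving by footer alone can be fooled by embedded thumbnails or fragmented files, which is why the output is a starting point for validation rather than evidence in itself.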
Further Steps We Might Have Taken: We might have, for a price, taken the failed drive to an organization with clean-room disc-drive repair capability.
Had this been a real case, the drive would most likely have gone to the FBI computer forensics labs, where the platters would probably have been removed in a clean room and placed in a donor drive of exactly the same model. Then recovery would have been routine.
Don Purdy, Dr. Doherty, and a class of Visiting Cybercrime Students from South Korea Examining a Computer