Data recovery has been needed since man started to write things down. Why? Because whatever medium was used to store the data has always been susceptible to destruction: from earthquakes versus wall paintings, to fire versus the Library of Alexandria, to head crashes versus your corporate file server. There has always been a weakness in how we have stored our information. While the risk mitigation sounds easy (back it up), the reality is that data loss happens all the time. When it does, there are 2 methods of data recovery.

  1. Physical recovery — Make sure the physical medium is functional
  2. Logical recovery — Once the physical medium works, get the data

The data recovery process has 4 basic steps.

  1. Physical repair
  2. Image the device
  3. Recover the data
  4. Fix the data

To put this in perspective, the first method and the first step of data recovery go hand in hand. The second method is software-based recovery that covers steps 2-4. Most people can do logical recovery with relatively inexpensive tools such as GetDataBack, R-Studio, or even most of the forensic suites out there today. Physical recovery is an entirely different issue. It takes time, patience, a steady hand, practice, a clean room, the proper equipment, and an almost identical donor drive to use as a parts-replacement cadaver. It is just like surgery: if there needs to be an organ transplant, the donor has to be compatible with the recipient. Just like the organs of the human body, the internals of a hard drive are very fragile outside of an ideal environment. Platter-based hard drives have more moving parts than a Solid State Drive (SSD), but the difficulty is still there. As with a normal transplant, you need to understand that there is never a 100% guarantee that the recipient will come out of the surgery and recover. You can only hope and pray that the hard drive comes out and lives long enough to transfer the data to a secondary host so you can perform logical data recovery.

What causes the Click-o-Death? It happens because the service area (SA) cannot be read. There are 4 main reasons (or a possible combination of them) for this:

  1. Heads are dead
  2. Preamp is dead
  3. SA corrupted or scratched
  4. Firmware on the PCB

This is a video of a head stack replacement. There is a donor drive and a recipient drive. As luck would have it, there is only half a head, so the replacement was very fast with minimal risk to the donor head stack. Enjoy the video!

If you have any questions or comments, please feel free to fire away.
