
Hard Drive Head Stack Replacement Demo – Data Recovery

June 9, 2014 by Jeremy Martin

Data recovery has been needed since man started to write things down. Why? Because whatever medium people have tried to store data on has always been susceptible to destruction: from earthquakes versus wall paintings, to fire versus the Library of Alexandria, to head crashes versus your corporate file server. There has always been a weakness in how we store our information. While the risk mitigation sounds easy (back it up), the reality is that data loss happens all the time. When it does, there are 2 methods of data recovery.

  1. Physical recovery — Make sure the physical medium is functional
  2. Logical recovery — Once the physical medium works, get the data

The data recovery process has 4 basic steps.

  1. Physical repair
  2. Image the device
  3. Recover the data
  4. Fix the data

To put this in perspective, the first method and the first step of data recovery go hand in hand. The second method is software-based data recovery that covers steps 2-4. Most people can do logical recovery with relatively inexpensive tools such as GetDataBack, R-Studio, or even most of the forensic suites out there today. Physical recovery is an entirely different issue. It takes time, patience, a steady hand, practice, a clean room, the proper equipment, and an almost identical donor drive to use as a parts replacement cadaver. It is just like surgery: if there needs to be an organ transplant, the donor needs to be compatible with the recipient. Just like the human body, the internals or organs of a hard drive are very fragile when not in the most ideal of environments. Platter-based hard drives have more moving parts than a Solid State Drive (SSD), but the difficulty is still there. As with a normal transplant, you need to understand that there is never a 100% guarantee that the recipient will come out of the surgery and recover. You can only hope and pray that the hard drive comes out and lives long enough to transfer the data to a secondary host so you can perform logical data recovery.

What causes the Click-o-Death? It happens because the service area (SA) cannot be read. There are 4 main reasons (and possible combinations of them) for this to happen:

  1. Heads are dead
  2. Preamp is dead
  3. SA corrupted or scratched
  4. Firmware on the PCB

This is a video of a head stack replacement. There is a donor drive and a recipient drive. As luck would have it, there is only half a head, so the replacement was very fast with minimal risk to the donor head stack. Enjoy the video!

If you have any questions or comments, please feel free to fire away.



Jeremy Martin is a Senior Security Researcher who has focused his work on Red Team penetration testing, Computer Forensics, and Cyber Warfare. Starting his career in 1995, Mr. Martin has worked with Fortune 200 companies and Federal Government agencies. He has received numerous awards for service. He has been teaching Advanced Ethical Hacking, Computer Forensics, Data Recovery, SCADA/ICS security, Security Management (CISSP/CISM), and more since 2003. As a published author he has spoken at security conferences around the world. Current research projects include SCADA security, vulnerability analysis, threat profiling, exploitation automation, anti-forensics, and reverse engineering malware. You can find more of Jeremy's writings & services at