SSD Data Recovery

SSD Data Recovery
SSD Data Recovery

SSDs (Solid State Drives) may one day become the standard form of storage in computers. Apple laptops are already heading that way. There are certainly many advantages when comparing SSDs to HDDs (Hard Disk Drives), however they do bring their own problems, which are often not well reported. We don’t care how good SSDs can be. We care about how they fail. It’s common to hear things like: “I’m replacing my hard drive with an SSD so I won’t have to worry about it crashing again.” While this is technically true – there are no moving parts to crash – there are plenty of other ways an SSD can fail. Whether it’s technically crashed or not doesn’t matter at all when you can’t access your files. It’s a shame but an SSD does not get you out of the boring task of running regular backups.

There are some pros and cons which specifically affect data recovery from SSDs. I haven’t listed things like battery life or read / write speed as they are not relevant when it comes to recovering data from them.

SSD Data Recovery Pros:

  • Shock resistance. No moving parts to crash.
  • Just as susceptible to filesystem issues, deletion, reformatting, bad sectors etc which can be recovered using existing equipment.

SSD Cons:

  • False sense of security. The word reliable comes up a lot in SSD marketing with phrases like “More reliable, faster, and more durable than traditional magnetic hard drives.” Maybe research exists that shows SSDs are less prone to failure but it doesn’t seem to be the case at the moment. Anything that holds your valuable data runs the risk of getting drenched, getting stolen, getting lost, and that’s before we even take general failures into account.
  • Susceptible to electronic failure, Maybe more so than a hard drive as the storage and electronics are combined in SSDs. Some of the most common hard drive failures are caused by errors in the firmware which controls the performance of the drive. SSDs have very complex firmware, which opens the possibility of firmware corruption. In most cases firmware corruption will block access to your data.
  • Encryption. Most modern SSDs encrypt the data at a hardware level, which makes it impossible to remove data chips and extract data from them externally (you can do it, but the data is encrypted). The keys to the encryption are often stored within the controller chip, so if that fails, you could be locked out of your data for good. Modern encryption works well. You can’t get round it.
  • Wear-levelling algorithms. Which move the data around the SSDs to improve performance, can make recovery difficult as these algorithms would need to be taken into account when accessing a failed SSD. They don’t store data in logical order like hard drives do.

How Hard Drives Store Data Across Multiple Heads

In most computers, when you save files they get stored on a hard drive. Although you wouldn’t know it, the drive does not store your files in a straightforward way. The data is written magnetically by a fixed comb of heads stacked above one another. These heads pass between several magnetic discs, writing data as they go. In most cases, instead of storing files on one whole disk they are split up and spread across the disks. This means that when we carry out data recovery we usually need all of the disc surfaces in good condition to get the data back.

How Hard Drives Store Data Across Multiple Heads
How Hard Drives Store Data Across Multiple Heads

When required we can use a process to take the data from the drive by one disc surface at a time. This can allow us to avoid a failing head until we have the rest of the data extracted. When we have extracted all of the data the parts are combined to allow access the files. In some cases this is the only way to get the data back.

Hard drives do not allow access to individual disks during normal operations so we need to use specialist hardware and software.

We commonly need to access individual heads on Hitachi drives, due to degraded magnetic discs. Also if a drive is dropped when in-use, it will often damage at least one head.

Data Recovery Success Rates October 2012

October was a pretty busy month for us, so I thought it would be a good chance to check on our success rate. As you can see from the graphic below, we have a great success rate of at least 69%. We always keep an eye on our success rate, to make sure we are still recovering as many drives as possible. Our success rate is often higher than 69% but we did get a few non-recoverable drives which had suffered physical media damage. For an example of why those are unrecoverable, have a look at a photo of a head crash. (Tip: Those dark circular lines are not meant to be there!)

Data Recovery Success Rate October 2012
Data Recovery Success Rate October 2012

Of those successful jobs, a whopping 90% of them were recovered without even needing to repair them in our cleanroom. This is interesting as cleanroom facilities are often advertised as one of the most important factors when choosing a data recovery company. Not to undermine the need for cleanroom facilities, but they are not required for most hard drives.

Data Recovery Success Rate October 2012 Split
Data Recovery Success Rate October 2012 Split

In the graphic above we have classified non-cleanroom jobs as external, and cleanroom jobs as internal.

 

How a Data Recovery Engineer Sees RAID

As somebody recovering data from RAID arrays, my view on them is a little different to the norm. In most cases I would say avoid RAID wherever possible. Simplicity is key.

Below are my answers to some real questions I have received from clients about RAIDs.

Why did this RAID disk fail?

Hard drive failure is not unusual and is often not avoidable. The truth is that all hard drives fail eventually, whether they are used in a RAID or not. Even though a RAID system can provide some fault tolerance from physical drive failure, they do have limits. A RAID5 on three disks for example can only handle a single drive failure at any one time. It is common for a second disk to fail whilst the other disk is being replaced. This is when RAID recovery is required; to first access the failed drives, and then rebuild the RAID. The best protection against RAID failure is to make backups. Backups in as many formats, in as many different physical locations as possible.

Why did the server fail so badly? Isn’t RAID meant to prevent this?

A 3-disk RAID5 can only cope with one bad disk. This doesn’t help when two drives fail at the same time. Although a RAID array can provide some leeway when it comes to disk failures, it doesn’t always help when you have multiple failures in quick succession. Adding more disks to the RAID can provide more redundancy, however this costs more money, and also adds complexity when things go wrong. Also you could be in a similar position if three disks happen to fail next time. A live system could fail at any time so prepare for the worst. Backups are cheap, and take a relatively short amount of time. RAID recovery can be expensive and cause unnecessary downtime.

Why couldn’t our IT support recover this?

We are a specialist data recovery company, with access to tools and resources which are not available to IT Support staff. We have spent the last fifteen years perfecting the process of extracting data from failed & failing hard drives and RAID arrays. For the best chance of recovery, we like to get the drives as soon after failure as possible. If more work gets carried out on the drives, things can be made much worse.

How can we avoid this happening again in the future?

To avoid similar problems in the future, the best way forward is some form of regular backup. The backups should be verified and then tested / restored as often as possible. This is where disaster recovery comes in, which can involve simulating certain types of failure and making sure you can get up and running again from your backups. At the very least, it wouldn’t hurt to put the really crucial business files onto an external hard drive every few weeks and store it in your company safe. It’s low-tech but at least you could plug it in to any PC and access the important business data if required as a last resort.

I’m not against RAIDs. They do have their place, but cannot be relied upon as a replacement for regular backups.

We have more articles about RAID here.

Common Data Recovery Myths Exposed

Myth 1: When files are deleted they are gone forever.

Fact: When files are deleted they are actually only removed from an index. Unless you then overwrite those sectors with new data, the files will still be there. If you delete a file it is important to stop using the computer. Even browsing the internet causes cache files and images to be downloaded to the hard drive, potentially overwriting the deleted files.

Myth 2: Putting a hard drive in the freezer will bring it back to life.

Fact: This is an old one, which will not die. We have never had to put a hard drive in a freezer. There is only anecdotal evidence that freezing a hard drive helps in any way. One of the most common types of hard drive failure is firmware corruption, which cannot be fixed in a freezer. I would be worried about introducing condensation into the drive, which could be devastating. If anyone knows where this idea came from, or how the freezer is supposed to help, then I would love to hear about it.

Myth 3: The FBI can recover anything.

Fact: The FBI are bound by the same laws of physics as we are. If a hard drive has had a head crash, and scraped the magnetic coating off the platter, there is no data left to recover. You cannot read magnetic data from particles of dust! Even the FBI can’t recover that.

Myth 4: The best way to recover a hard drive is by swapping the platters out.

Fact: In almost all cases, you should not disturb the alignment of the platters. They are manufactured within strict tolerances which cannot be recreated outside of a manufacturing environment. If the problem lies with the on-disk firmware, electronic components, or read / write heads, then swapping the platters would not solve anything.

Note – If the spindle motor gets stuck then it can be necessary to swap the platters, but only as a last resort.

What Is Hard Drive Firmware?

What is Hard Drive Encrytion

Hard drive firmware is the embedded software which controls the running of your hard drive. Most of it is stored within hidden sectors on the hard drive, and in normal operation you wouldn’t know it was there. Whenever you power up a drive, the firmware makes the motor spin, starts the read / write heads, and checks against a list of bad sectors. Only then will the computer be able to access the data area and allow you to see your files. If there is a problem with the firmware, the drive will get stuck and you won’t be able to access your data at all.

Symptoms.

Failed firmware is almost impossible to diagnose without specialist equipment. In fact, it is hard to confirm that the firmware is faulty at all. Many hard drive problems manifest themselves in the same way; by clicking, or spinning down, or just generally not being identified by the PC. You shouldn’t start changing components until you know where the problem lies.

Repair.

In the early days, most firmware could fit onto the electronic circuit board; simply swapping a damaged PCB with a good one was a common fix. Firmware is now too large to fit on the PCB, so the PCB contains just a very simple boot loader which starts off the drive and then loads the firmware from the disk surface. This means that swapping the PCB is no longer a common fix, and won’t work on most modern hard drives.

We have specialist hardware and software that allows us to check and repair the firmware on most hard drives. We have also dealt with many of these problems before and have a huge database of previous experience to draw on.

Recovering Deleted Data

In the vast majority of cases, deleted data is actually still lurking around on your hard drive. If you put data in the Recycle Bin or Trash, and them empty it, all you are actually doing is telling the system that it can reuse those parts of the disk when it wants. Until you replace those areas with new data, the old data will still be there.

Recovering Deleted Data

The Filing Cabinet

The tried and trusted analogy is of a filing cabinet. When you delete a file, you are removing the index card from the front of the drawer, but the actual file is still in there.

This is why it is really important to switch off your computer as soon as possible if you have accidentally deleted some files. You may not realise but even small actions like checking e-mail or browsing the internet can write cache files to the disk. That is when data could be lost.

Overwritten / Deleted Data

We often hear about the FBI being able to recover overwritten files. While this may have been possible on very old – low capacity hard drives (~100MB), it is unlikely to be possible on modern hard drives. The magnetic material is far too densely packed. Even then, it would only be tiny fragments of data recovered, and not whole files.

The Problem With SSDs

Solid state drives bring a whole new problem of their own. Due to the way the data is distributed around the device, known as wear levelling, you can never be sure of which sector you are writing or overwriting. Wear levelling is necessary to prolong the life of an SSD, but it means the drive could be moving data around behind the scenes, making deleted files much more difficult to track down.

Specifics

In most cases, we can recover deleted files with the original file names and folders. With deleted Mac data, this is often not possible. In that case we have to use a special type of scan, which finds all files of a given type and saves them to numbered files. This means camera photos may be recovered into a JPG folder, with files named like photo0001.jpg, photo0002.jpg and so on.

If required we can process certain types of these files into more meaningful order. For photos we can arrange into folders by date taken, and for music files we can arrange into Artist / Album order.

The Important Bit

If you accidentally delete some files, they are likely to be recoverable. It’s the actions you take next which can make the recovery difficult – if not impossible.

Why RAID Can Be Bad For Business

RAID is often touted as the silver bullet in data storage. Increased storage capacity, resistance from hardware failures and improved performance. While these are all valid upsides to a RAID setup, there are also a few downsides which need to be addressed.

1. Extra Storage.

RAID can allow for a huge pool of storage, but with that storage comes great responsibility. You should factor in at least enough capacity to backup the RAID data somewhere else. If you can only afford 8TB of storage then you should only use 4TB for data and the other 4TB to back it up; Preferably on another machine / standalone system.

2. Redundancy.

The first letter in RAID stands for redundancy. This means you can afford to lose a certain number of disks without losing access to your data.  This also means that if you have a disk failure you need to get it replaced immediately, otherwise you’re running without redundancy.

3. Downtime.

Nobody likes downtime. If your 16TB RAID array goes offline without a backup then you have a couple of options. One option is to attempt to get the RAID back online by replacing disks, rebuilding the array etc, but this is risky. If this is your only copy of the data then rebuilding / reformatting the RAID could corrupt the data beyond recovery. Don’t do this if you don’t have a backup to fall back on.

The second and preferable option is to get the RAID professionally recovered. When we receive a RAID, the first thing we do is make images of all disks. This allows us to work on the RAID without risk. Then we use a read-only process to extract the data onto another form of storage. This is where downtime comes in. Unless you go for an emergency process, you could have to make do without the data for a number of days.

So What’s The Way Forward?

It’s one word. Redundancy.

Whatever you do, make sure your data is replicated across as many types of storage as possible. In an ideal world you would have a duplicate system running alongside the live system, which can take over if anything goes wrong. Then have the data on another type of storage, which you can access from somewhere else. Imagine if the RAID controller failed, and you could only access the data from that one machine.

It doesn’t matter how many backups you have if they all require the same system to access them.

I’ve only just scratched the surface here, but you should always look to make extra copies of your data. It may seem redundant now, but when your server fails containing all your data, all your accounts, all your client details and your website, you’ll be glad you kept that extra copy.

Burning Linux ISO to USB Using a Mac

My main computer is an old MacBook Pro. I often download Linux ISOs to install on other computers. In recent Debian-esque releases this is actually really simple.

1. I find it quicker and easier to install from USB so first insert a USB pen / stick of some sort.

Note: This USB stick will be erased, so don’t use one with data that you need to keep!

2. Next we need to find out which number has been assigned to the USB stick. If you only have one disk in your Mac then the USB will usually be disk1, but always check first. (Note: Disks are numbered from zero, so your internal drive should be disk0) On your Mac open Disk Utility, which is located within Applications / Utilities. (See Image)

Disk Utility
Disk Utility

Select the USB stick from the lefthand window and then click the Info button which is on the toolbar. (See Image)

USB Info
USB Info

You will get a pop up window with loads of information about the device. We only need the Disk Identifier. Make a note of this for later.

Disk Identifier
Disk Identifier

3. To allow us to write data to the USB stick we need to unmount any volumes currently on there. (see image)

Unmount USB
Unmount USB

4. Now comes the actual writing. First locate the Terminal application, again within Applications / Utilities. (see image)

Mac Terminal
Mac Terminal

5. Remember to change the code to match your Disk Identifier from earlier. There are a few things to note about the following command.

  • sudo – allows you to run dangerous commands, so will require an administrator password
  • Instead of typing the location of the ISO file you can just drag the ISO onto the terminal when required.
  • “if” means input file (in this case the ISO file), “of” means output file (the USB stick)
  • When we found out the Disk Identifier, it was disk1. That will work in the command, but we use rdisk1 instead, which gives us raw access to the disk. This may not be necessary, but it works for me.

There is a lot of discussion about block sizes, but I find 4MB is reasonable for writing ISOs to USB. In Linux we often type bs=4M, however the Mac prefers it like bs=4096 instead. It’s the same thing, just expressed differently.

The command:

sudo dd if=[drag iso here] of=/dev/r[disk number] bs=4096; sync

Example:

sudo dd if=/Users/dan/Desktop/linux.iso of=/dev/rdisk1 bs=4096; sync

If you’ve got it right, you shouldn’t get any feedback until it finishes. Your USB stick may have a blinking LED whilst the data is being written. For reference the 200MB debian-netinst ISO took just over a minute to write.

Once complete you should get something like:

48896+0 records in
48896+0 records out
200278016 bytes transferred in 95.151719 secs (2104828 bytes/sec)

This means you’re finished. Now eject the USB and try to boot your PC with it. The Mac may complain that the disk is not readable but just ignore that and try it on a PC.

Debian Boot
Debian Boot

What is a Digital Negative

We see various types of camera media come into us for data recovery, with surprisingly varied file formats. Many camera manufacturers use their own raw format, alongside various JPG options.

This raw format is sometimes known as a digital negative, containing (mostly) untouched data straight from the camera. These raw format images can be ten times the size of JPG images.

The benefits of raw files are to allow post-processing without the loss of quality from JPG files. Settings like sharpness, saturation and white balance can be changed at a later date using photographic software. Below are a few of the different raw file types in use.

The following is a description about some RAW formats:

  • CRW – Canon Digital Camera Raw Image Format. Raw image format for some Canon digital cameras. Raw images are basically the data as it comes directly from the CCD detector in the camera. Raw files can also contain text information about the picture and conditions in the camera when the picture was taken.
  • CR2 – Canon Digital Camera Raw Image Format version 2.0. Raw files can also contain text information about the picture and conditions in the camera when the picture was taken. These images are based on the TIFF image standard.
  • NEF – Nikon Digital SLR Camera Raw Image File. Raw image format for some Nikon digital cameras.
  • RAF – Fuji CCD-RAW Graphic File. Exif (Exchangeable Image File) information is within the file along with the image.
  • X3F – Sigma Camera RAW Picture File. Use the SIGMA Photo Pro software provided with the camera to download and manipulate the photos. The Foveon X3 direct image sensor captures all three colors at every pixel location and requires special software to manipulate the RAW files.
  • BAY – Kodak/Roper Bayer Picture Sequence. A specific Kodak picture format used by some high speed video cameras such as Kodak HRC-1000.
  • ORF – Descent 3 Outrage Room Format.
  • MRW – Minolta Diamage Raw Image File. Raw image format for some Minolta digital cameras.
  • RAW – Image Alchemy HSI Temporary Raw Bitmap
  • SRF – Sony DSC-F828 Raw Image File. CCD-Sensor RAW Data File from Sony DSC-F828 8 megapixel digital camera.