Tag Archives: Encryption

RAW Data

PGP Whole Disk Encryption

PGP WDE is an encryption tool that uses a boot loader installed on an internal hard drive. This utility launches before Windows and prompts the user to input their password. Without the password you cannot gain access to the data.

This utility is widely used by IBM personnel and is now part of IBM’s  process that has to be adhered to by end users. Prior to this utility IBM hard drives were restricted access by a low level ATA hard drive password setup  by the internal IBM IT department.  As computer systems advanced and maybe as a result of a reduced IBM IT department,  IBM adopted the user friendly PGP encryption process.

We regulary receive these hard drives from IBM, and we find that the major problem is related to the PGP boot sequence. PGP does not like a hard drive that is suffering from bad sectors, especially within the partition table. It results in the user being unable to load their access code on startup, or in some cases the code is accepted but does not boot correctly due to bad sectors further along.

We have a lot of experience recovering data from PGP whole disk encrypted hard drives and as a result our data recovery process has a very high success rate.

What To Do When You Run Out Of Space

It’s a common problem that as we generate more data each year we start running out of space to put it. This is now even more of an issue in the smartphone market, where built-in cameras are generating increasingly large photos and videos, without providing much in the way of additional storage. The most common iPhones are still 16 & 32GB but the photos they now produce can be megabytes in size, with videos easily reaching 1GB.

What To Do When You Run Out Of Space

What To Do When You Run Out Of Space

It’s tempting to take that data and put it somewhere else, so either a laptop or external hard drive. Then once you’ve copied it all you delete it from the phone and gain back all that space. Problem solved.

Not So Fast…
If that copy on your laptop is now the only copy, then you could be one spilt coffee from disaster. If the laptop goes up in smoke, gets stolen, dropped or any of the myriad other ways of failing then it’s bye bye data.

The Fix

The key to making backups is redundancy. The key to making backups is redundancy. The key to making backups is redundancy.

You need to make extra copies of your data to different types of storage. This could be an external hard drive, NAS, USB Pen, SD card, anything. But don’t just pick one of those. Make a few backups. Put one in a locked safe somewhere. Send photos off to the cloud. Store a copy of your music at your nan’s house. If any of those copies gets lost or broken you can just replace it with another copy.

So let’s run through an example. All those photos on your iPhone have filled it up. Here’s what I would do:

  1. Copy the photos to my computer. Check them.
  2. Backup the computer as usual. (You’re already doing that, right?)
  3. Make another backup, or copy the photos to an online storage service like Dropbox.
  4. Now it is safe to delete the photos from the iPhone and revel in all that fresh space.

Note: Deleted photo recovery is virtually impossible for all modern iPhone versions due to encryption. 

Here’s another example for when your computer runs out of space instead:

  1. Is it possible to upgrade the internal storage? If it is then you should do that.
  2. If this is not possible, or too expensive then you will have to get creative. It will be more fiddly but copy all data to two external hard drives.
  3. You always want to avoid just leaving your data in one place. All electronic devices can (and will) fail, and they have a terrible habit of doing so at the worst possible moment.

So, just remember that no single copy of your files are safe. Making extra copies is cheaper and easier than waiting until something fails.

Thanks to Alexander Armstrong for inspiring this post.

SSD Data Recovery

SSD Data Recovery

SSD Data Recovery

SSDs (Solid State Drives) may one day become the standard form of storage in computers. Apple laptops are already heading that way. There are certainly many advantages when comparing SSDs to HDDs (Hard Disk Drives), however they do bring their own problems, which are often not well reported. We don’t care how good SSDs can be. We care about how they fail. It’s common to hear things like: “I’m replacing my hard drive with an SSD so I won’t have to worry about it crashing again.” While this is technically true – there are no moving parts to crash – there are plenty of other ways an SSD can fail. Whether it’s technically crashed or not doesn’t matter at all when you can’t access your files. It’s a shame but an SSD does not get you out of the boring task of running regular backups.

There are some pros and cons which specifically affect data recovery from SSDs. I haven’t listed things like battery life or read / write speed as they are not relevant when it comes to recovering data from them.

SSD Data Recovery Pros:

  • Shock resistance. No moving parts to crash.
  • Just as susceptible to filesystem issues, deletion, reformatting, bad sectors etc which can be recovered using existing equipment.

SSD Cons:

  • False sense of security. The word reliable comes up a lot in SSD marketing with phrases like “More reliable, faster, and more durable than traditional magnetic hard drives.” Maybe research exists that shows SSDs are less prone to failure but it doesn’t seem to be the case at the moment. Anything that holds your valuable data runs the risk of getting drenched, getting stolen, getting lost, and that’s before we even take general failures into account.
  • Susceptible to electronic failure, Maybe more so than a hard drive as the storage and electronics are combined in SSDs. Some of the most common hard drive failures are caused by errors in the firmware which controls the performance of the drive. SSDs have very complex firmware, which opens the possibility of firmware corruption. In most cases firmware corruption will block access to your data.
  • Encryption. Most modern SSDs encrypt the data at a hardware level, which makes it impossible to remove data chips and extract data from them externally (you can do it, but the data is encrypted). The keys to the encryption are often stored within the controller chip, so if that fails, you could be locked out of your data for good. Modern encryption works well. You can’t get round it.
  • Wear-levelling algorithms. Which move the data around the SSDs to improve performance, can make recovery difficult as these algorithms would need to be taken into account when accessing a failed SSD. They don’t store data in logical order like hard drives do.

iPhone Data Recovery – Obstacles

Hardware

iPhone Data Recovery

iPhone Data Recovery

When developing our iPhone data recovery process we had to make a few decisions about the devices we can support. The newer iPhones (4s +) are not accessible in the same way as older models.

With the iPhone 4 and below we can extract the data using a forensically clean process. What this means is that we can take the data off without writing anything to the NAND chips (storage) inside the iPhone. This fits in perfectly with our regular data recovery process as we never write data to a device we receive.

With the iPhone 4s, Apple changed the part of the system we use to access the iPhone’s memory. There is a chance that a new method of extraction for iPhone 4s will become available, but until it does we will not be recovering files from these devices.

Physical damage

iPhones store their data on NAND chips which are soldered to the main circuit board of the phone. The data can only be correctly decoded if we also have access to other parts of the circuit board, so it is crucial that the iPhone is electronically functional. If water damage has shorted the iPhone then we have no way to access the data externally. It’s not that it’s impossible, just that the work would be unreasonably expensive and time consuming.

Deleted Files

Another potential barrier for iPhone recovery is down to the way files are stored. Since iOS4 most files including iPhone camera photos and videos are encrypted before being written to storage, using unique encryption keys. This means every file ends up with a different header. When files are deleted there is nothing to distinguish a photograph from any other random collection of bytes.

Another problem with the file based encryption is that if you restore the iPhone using iTunes, those encryption keys get erased and new ones are generated. This prevents recovery of the old data, which is good for security but bad for data recovery.

 

Bang Goes The Theory Data Recovery

Bang Goes The Theory – Series 6 Episode 3 – March 26th

Bang Goes The Theory Data Recovery

I love Bang Goes The Theory. I loved the alcohol powered motorbikes last week and find it a good doorway into ideas, which are presented in a fun and interesting way. I was extra excited when I started watching episode 3, and relised they would be featuring data recovery. A perfect opportunity to dispel some common myths, and dish out a bit of advice in the process.

Deletion

The data recovery guy Rob, made a good analogy when he described deleting data as ripping out a page from the table of contents. That is pretty much how it works, and really simple to understand.

Data Recovery Experts

Yes they are the world leaders. I’m not going to dispute that, but I’m also not going to name them. They don’t exactly need the extra publicity. It’s worth noting that any decent recovery firm would have reached the same results from the batch of damaged drives.

Getting Physical

I do have a couple of problems with the way some of the drives were “destroyed.”

  1. Sledgehammer. This would have been a good way to destroy a drive, but only if it had been removed from the PC first. Effectively the metal PC case acted like armour, thus protecting the drive from the brunt of the impact.
  2. Tractor. Same as above. If the drive was bare, and on solid ground, then maybe the tractor would have done more damage. Instead, the PC case protected it sufficiently and all the data was recoverable.
  3. Golf Swing. This was great in the example shown, but is a bit unreliable. If you only hit the edge, or if the disk didn’t have glass platters then it may have been recoverable. Maybe take it apart first, then you can see if it’s damaged.
  4. Tea Damaged USB Pen. This was a good one. Solid state storage should survive liquid damage, as long as it is powered off at the time. When dried out, there is a good chance of getting the data back. The worst thing you could do is plug in a wet drive, as this would cause an electrical short, and potentially damage the electronics of the device, and even the computer you plugged it into.
  5. Big Magnet. This was a good one, and surprisingly effective. Only problems are the fact that most people don’t have a giant magnet, and unless you test it afterwards, you wouldn’t know if it had worked.
  6. Toaster. This is an interesting one for me. Of course the toaster damaged the PCB (circuit board) of this hard drive. These drives were quite old, so that was no major problem. If however these were more modern drives the story could have been quite different. A lot of newer drives encrypt the data using keys stored on the PCB. If you melt that PCB, then you have a very difficult job on your hands.
  7. Torched. 100% successful. If you can see the drive destroyed, then that’s perfect.

Optical Discs

Liz later made some good points about the reliability of CD / DVD storage. I agree that although the quoted life spans of DVDs are enormous, in reality DVDs often only last for a couple of years. We have had discs in for recovery that have been stored in temperature-controlled server rooms that have still failed well short of their estimated lifespans.

Hard Disks

Hard disks can last for ages. We have some here that are well over 15 years old and still going strong. The problem is that they can fail without any warning. It is sound advice to backup one drive with another, and then another. This is the only surefire way to avoid being stung by a failed drive. Dallas made a good point of moving one of the backups off site, which is also a good idea.

Scrambling Software

I didn’t like the scrambling advice given near the end. There are problems with the way hard drives are designed, which can prevent the software from accessing bad sectors, and hidden parts of the disk. Although only small parts of the disk, you could leave enough data there to be targeted by fraudsters or whoever.

I advise a two pronged approach. First erase / scramble the data, then physically destroy the drive. This makes it far less likely that your data could end up in the wrong hands.

Summary

It is good to see this sort of thing on mainstream TV, and the advice given was a good starting point for most people. Despite my points above, it was basically a good show: Interesting and informative, with a decent amount of good info.

Many people have little or no knowledge of the way their data is stored, so any way to bring this to their attention is good in my books.

Warning to customers with new WD hard drives

Western Digital Hard Drive Encryption.

New WD drives come with password protection and 256-Bit encryption as standard. Even if a password is not set the encryption is still applied to the data written to the drive. The 256-Bit encryption is controlled by ROM on the USB controller. On portable USB powered hard drives the encrypted ROM is on the actual hard drive. On external desktop drives the ROM is on the interface controller within the external case.
As we have seen come into us for data recovery it means that we need the original encrypted ROM to enable us to overcome the 256_Bit encryption.

Any customers who needs to seek help in gaining access to their data. Make sure you keep hold of the external case the hard drive was in.

What is Hard Drive Encrytion

Encryption is a process to protect data by using sophisticated mathematical functions. Data is converted into a form called Ciphertext when written to the drive. This data is then not readable by an unauthorised person. When Ciphertext data is read back from the drive by an authorised person it is then converted back into Plaintext with full access.

PGP vs 10.6.5 Don’t Update

PGP 10.6.5 Don't Update

PGP 10.6.5 Don't Update

Users of PGP Whole Disk Encryption for Mac are advised agains the recent system update to Snow Leopard 10.6.5. Reports of users getting stuck in a reboot loop after the update have been appearing on PGP forums. The official advice is to first decrypt, then install the update, then encrypt again. More details of this can be found on Threatpost, with links for people that have already performed the update and are now locked out of their systems.

FBI Decryption Failed

It was interesting to read this article recently which shows how strong current encryption technology is. The FBI and other organisations were apparently unable guess or crack the pre-boot passwords of criminal’s hard drives using a technique known as a dictionary attack. As it’s name suggests, a dictionary attack uses a combination of known words to attempt to guess the password. This is opposed to a brute force approach which would start from one series of characters and continue in a sequence to guess possible combinations.

It is worth remembering that if you are going to encrypt your hard drive that even the FBI can’t access your data if you forget the password. Also if the bootable part of your hard drive becomes unstable, it can be almost impossible to gain access to your data, even with the password. Make sure you test out your disaster recovery process on an encrypted drive, before you trust your crucial data to it. And also make backups somewhere that can be accessed quickly if required. Some large drives can take a day to decrypt even if they are fully functional.

Fujitsu Encrypted Hard Disks

Fujitsu’s new 80-320GB “MHZ2 CJ” drives come with a nice added feature. Not only do they spin at a reasonable 7200rpm, they also have the ability to totally lock you out of your data (And throw away the key). With AES-256 encryption you you can be sure that a forgotten password would wave bye-bye to your data. Currently, AES has yet to be broken in a feasible way, leaving a lengthy brute-force attack as the only option. I question the implementation, as we have seen a number of problems with hard drive passwords which are stored on the drive in the service area. Quite often the passwords become corrupt leaving the user locked out of their drive.  The only way to overcome hard drive passwords is by low-level firmware repair, effectively removing the password. This is likely not an option with disk encryption as you would expect a much more robust system. 
Whichever way you look at an encrypted drive, it could  cause major problems to people needing data recovery. Is it just a clever marketing scheme in a paranoid market or is there some really secure basis for the new technology. I can’t wait to get my hands on one and find out.

Read More On Engadget