Hard Drive Encryption Data Recovery

What is Hard Drive Encryption

Encrypted hard drives come in many forms. The encryption can be built in by the hard drive manufacturer as part of the hard drive's firmware, or added by third-party software such as Symantec PGP or Microsoft's BitLocker.

Hard drive encryption is becoming much more common, especially in large enterprises. Some hard drive encryption is more sophisticated than others, but in many of the data recovery cases we receive, a common flaw is the inability of the encryption software to overcome bad sectors on a hard drive. In most cases this results in partial or no access to the decrypted data on the hard drive for the user, or even their IT department.

We have created an imaging and decryption process that allows us to recover the user's data with the original file and folder structure intact. The time it takes to carry out this process depends on the level of hard drive encryption used.
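An added illustration of the image-then-decrypt idea (example code, not the proprietary process described above): the imager copies every readable sector, isolates unreadable ones into a bad-sector map and zero-fills them, so a later decryption pass can work on the image instead of the failing drive. FlakyDisk and its sample contents are constructed stand-ins, and the sketch assumes the encryption works sector by sector.

```python
SECTOR = 512

class FlakyDisk:
    """Constructed stand-in for a failing drive (not a real device API)."""
    def __init__(self, data, bad):
        self.data, self.bad = data, set(bad)
        self.sectors = len(data) // SECTOR

    def read(self, lba, count):
        # In this model a bad sector anywhere in the request fails the whole read.
        if any(s in self.bad for s in range(lba, lba + count)):
            raise OSError(5, "Input/output error")
        return self.data[lba * SECTOR:(lba + count) * SECTOR]

def image_disk(disk, chunk=8, retries=2):
    """Return (image, bad_map); unreadable sectors stay zero-filled."""
    image, bad_map = bytearray(disk.sectors * SECTOR), []
    for lba in range(0, disk.sectors, chunk):
        count = min(chunk, disk.sectors - lba)
        try:  # fast path: one large read
            image[lba * SECTOR:(lba + count) * SECTOR] = disk.read(lba, count)
            continue
        except OSError:
            pass
        for s in range(lba, lba + count):  # slow path: isolate bad sectors
            for _ in range(retries):
                try:
                    image[s * SECTOR:(s + 1) * SECTOR] = disk.read(s, 1)
                    break
                except OSError:
                    continue
            else:
                bad_map.append(s)  # every retry failed: record the LBA
    return bytes(image), bad_map

def readable_ranges(total, bad_map):
    """Contiguous LBA ranges (inclusive) safe to hand to a decryption step."""
    ranges, start = [], 0
    for b in bad_map + [total]:
        if b > start:
            ranges.append((start, b - 1))
        start = b + 1
    return ranges

def demo():
    # Constructed sample: 64 sectors, sector n filled with byte n; 10, 11, 40 bad.
    data = b"".join(bytes([n]) * SECTOR for n in range(64))
    disk = FlakyDisk(data, bad={10, 11, 40})
    image, bad_map = image_disk(disk)
    return image, bad_map, readable_ranges(disk.sectors, bad_map)
```

Because the bad-sector map travels with the image, files that touch a zero-filled sector can be flagged as damaged instead of being silently returned with corrupt content.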

How To Ruin Your Chances Of Data Recovery

No Chance Data Recovery

Maybe the title is a bit harsh, but in the past week I have seen an unusually high number of hard drives ruined by avoidable problems. There is nothing more frustrating than knowing the data would have been recoverable if the hard drive hadn’t been tampered with first.

Manufacturing

Hard drives are manufactured in a controlled environment. Staff wearing white overalls, gloves, and masks control machines which are carefully organised to prevent contamination getting inside the hard drive.

Clean Room

To prevent contamination when repairing the inside of a hard drive, it is necessary to use a cleanroom. This is a specially designed system that filters the air and keeps airborne particles to a minimum. A cleanroom is the only safe way to open a hard drive. We have one of these, which allows us to carry out the most intricate repairs without any risk of particle damage.

Damage

Before opening a hard drive for internal rework, it is crucial to confirm that there is an internal mechanical problem in the first place. For instance, our data recovery process has numerous tests we can carry out before we confirm that the problem is under the hood. Only then will we open the top cover and check for damage inside. Unlike CDs or DVDs, the internal disks of a hard drive are not designed to come into contact with normal air. Even a fingerprint could mean the difference between a successful or unsuccessful recovery. If you slip with a screwdriver then forget it.

The numbers

On a percentage basis of all the failed drives we receive (hundreds per year), we only need to go to the cleanroom with around 10%. There are likely to be far less intrusive ways into the data without ever taking off the top cover.

Even if…

I’ve lost count of the number of times I’ve been told, “It’s an internal fault. The heads are clicking.” Although some drives will click as a symptom of failed heads, there are so many other reasons to cause a drive to click that it is not a reliable way to diagnose problems.

Reasons a hard drive will click

  • Electronic fault
  • Firmware fault
  • Bad sectors
  • Weak (but not completely failed) heads
  • Problems reading partition info

All of the problems above can be overcome without ever unscrewing the top cover. In fact, removing the top cover will only introduce more doubt to the diagnosis. If the top cover is removed outside of a cleanroom, then not only do the above problems need to be solved, but also new problems of contamination and possibly damage by tools.

(Don’t) Get the discs out

Another common wrong diagnosis is to take the disc pack from one drive and place it into a donor drive. Although this is a correct course of action for some drives, there are some serious implications. First, when the disc pack is built it is clamped together onto the spindle motor. This alignment is so crucial that if you remove one disc at a time, you will never be able to regain this alignment. This was true 20 years ago when the magnetic data was nowhere near as densely packed. Rotate the discs a fraction of a millimetre and you can wave goodbye to all the files.

It is also the case that most of the hard drive firmware is now stored on the discs, so moving them to a new donor will not help if the fault is firmware based.

Advice

If you are even considering a destructive course of action, at least get some professional advice first. You don’t need to follow the advice, but at least it gives somebody (maybe me) the option to give a warning. You don’t want to find out later that the data would have been simple to recover, if only…

2TB Western Digital 2nd Opinion

Hard Drive Data Recovery

Case Study

Drive: WD20EARS-00MVWB0
Problem: Clicking. Previously diagnosed by a third party as unrecoverable due to media damage.

We are always keen to test our services against our competitors, just to make sure we’re still up there with the best of them. When we heard from one of our service partners (ABC Rawpaw) that one of the top ranking data recovery companies on Google had given up on a customer’s drive, we were curious to take a look. It’s also worth mentioning that the client had paid £234 to the other company, despite them recovering no data.

Third party report

We received a copy of the original diagnosis report with the hard drive. The report mentioned incorrect head alignment and also damage to the head assembly preventing the drive from functioning correctly. It also stated that they had subsequently replaced the old heads with new ones but due to suspected disc damage, recovery was unsuccessful. A plausible enough report, but was it accurate?

Booking in

The drive was booked into our process. We noted that the warranty seals had been removed and the top cover showed signs of being previously opened. Whenever we receive a drive in this state, we always want to make sure the drive has been rebuilt correctly. We need to do this in our cleanroom to prevent any contamination getting in from the air. Our office is clean, but it’s no place to open a hard drive.

Findings

The inside of the drive was examined in our cleanroom and found to be spotlessly clean. There were no signs of disc damage or particles, but we did notice that the screws were not factory-tight, suggesting previous work had taken place. Happy that there was nothing untoward inside the disk, it was rebuilt for further diagnosis. The drive was powered on and initially failed to reach a ready state. This is common for Western Digital drives as they often have firmware corruption. We used our proprietary firmware tools (and John’s keen knowledge) to repair some of the firmware area of the drive which then allowed the drive to reach a ready state and allow access by our imaging tools.

Imaging

We did find that one of the heads was not performing within spec, but we were able to work around this, again using specialist tools. After imaging the majority of the drive we replaced the heads to allow better access to the missing areas. This helped improve the amount of successfully recovered data.

Result

We ended up with over 800GB of data recovered from the drive in good condition, even though one of the biggest companies (according to Google) was unable to get anything! This is not the first time we’ve recovered data where others have failed, but we always wonder how many people give up on ever seeing their data again, even though it may be recoverable with the right knowledge.

In the end we had an extremely happy customer (and service partner), and were able to test ourselves against one of the biggest data recovery firms in the UK. A great result for us that shows the importance of getting a second opinion.

SSD Data Recovery

SSDs (Solid State Drives) may one day become the standard form of storage in computers. Apple laptops are already heading that way. There are certainly many advantages when comparing SSDs to HDDs (Hard Disk Drives), however they do bring their own problems, which are often not well reported. We don’t care how good SSDs can be. We care about how they fail. It’s common to hear things like: “I’m replacing my hard drive with an SSD so I won’t have to worry about it crashing again.” While this is technically true – there are no moving parts to crash – there are plenty of other ways an SSD can fail. Whether it’s technically crashed or not doesn’t matter at all when you can’t access your files. It’s a shame but an SSD does not get you out of the boring task of running regular backups.

There are some pros and cons which specifically affect data recovery from SSDs. I haven’t listed things like battery life or read / write speed as they are not relevant when it comes to recovering data from them.

SSD Data Recovery Pros:

  • Shock resistance. No moving parts to crash.
  • Just as susceptible to filesystem issues, deletion, reformatting, bad sectors, etc., which can be recovered using existing equipment.

SSD Cons:

  • False sense of security. The word reliable comes up a lot in SSD marketing with phrases like “More reliable, faster, and more durable than traditional magnetic hard drives.” Maybe research exists that shows SSDs are less prone to failure but it doesn’t seem to be the case at the moment. Anything that holds your valuable data runs the risk of getting drenched, getting stolen, getting lost, and that’s before we even take general failures into account.
  • Susceptible to electronic failure, maybe more so than a hard drive, as the storage and electronics are combined in SSDs. Some of the most common hard drive failures are caused by errors in the firmware which controls the performance of the drive. SSDs have very complex firmware, which opens the possibility of firmware corruption. In most cases firmware corruption will block access to your data.
  • Encryption. Most modern SSDs encrypt the data at a hardware level, which makes it impossible to remove data chips and extract data from them externally (you can do it, but the data is encrypted). The keys to the encryption are often stored within the controller chip, so if that fails, you could be locked out of your data for good. Modern encryption works well. You can’t get round it.
  • Wear-levelling algorithms. These move the data around the SSD to improve performance, which can make recovery difficult, as the algorithms would need to be taken into account when accessing a failed SSD. They don’t store data in logical order like hard drives do.
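To make the wear-levelling point concrete, here is an added sketch (not code from this page or from any SSD vendor) that rebuilds logical order from pages read in physical order. It assumes a simplified, hypothetical layout in which each page carries its logical page number (LPN) and a write sequence number, and that the page contents are readable rather than hardware-encrypted; real controllers each use their own layout.

```python
PAGE = 16  # constructed page size in bytes, tiny for readability

def rebuild_logical_image(raw_pages, logical_pages):
    """raw_pages: (lpn, seq, data) tuples in physical order; lpn None = erased.
    Returns (image, missing LPNs). The metadata layout is hypothetical."""
    newest = {}
    for lpn, seq, data in raw_pages:
        if lpn is None:
            continue  # erased page, nothing to map
        if lpn not in newest or seq > newest[lpn][0]:
            newest[lpn] = (seq, data)  # keep only the latest write of each LPN
    image, missing = bytearray(), []
    for lpn in range(logical_pages):
        if lpn in newest:
            image += newest[lpn][1]
        else:
            image += bytes(PAGE)  # no surviving copy: zero-fill and report
            missing.append(lpn)
    return bytes(image), missing

def physical_order_image(raw_pages):
    """What reading the chip front to back yields: stale and shuffled pages."""
    return b"".join(data for _, _, data in raw_pages)

def demo():
    # Constructed dump: LPN 0 was rewritten, so a stale copy is still on the chip.
    raw = [
        (2, 1, b"C" * PAGE),
        (0, 1, b"A" * PAGE),        # stale version of LPN 0
        (None, 0, b"\xff" * PAGE),  # erased page
        (1, 1, b"B" * PAGE),
        (0, 2, b"a" * PAGE),        # current version of LPN 0
    ]
    return rebuild_logical_image(raw, 4), physical_order_image(raw)

if __name__ == "__main__":
    (image, missing), physical = demo()
    print(image, missing, physical != image)
```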

What Is Hard Drive Firmware?

Hard drive firmware is the embedded software which controls the running of your hard drive. Most of it is stored within hidden sectors on the hard drive, and in normal operation you wouldn’t know it was there. Whenever you power up a drive, the firmware makes the motor spin, starts the read / write heads, and checks against a list of bad sectors. Only then will the computer be able to access the data area and allow you to see your files. If there is a problem with the firmware, the drive will get stuck and you won’t be able to access your data at all.

Symptoms.

Failed firmware is almost impossible to diagnose without specialist equipment. In fact, it is hard to confirm that the firmware is faulty at all. Many hard drive problems manifest themselves in the same way: by clicking, or spinning down, or just generally not being identified by the PC. You shouldn’t start changing components until you know where the problem lies.

Repair.

In the early days, most firmware could fit onto the electronic circuit board; simply swapping a damaged PCB with a good one was a common fix. Firmware is now too large to fit on the PCB, so the PCB contains just a very simple boot loader which starts off the drive and then loads the firmware from the disk surface. This means that swapping the PCB is no longer a common fix, and won’t work on most modern hard drives.

We have specialist hardware and software that allows us to check and repair the firmware on most hard drives. We have also dealt with many of these problems before and have a huge database of previous experience to draw on.