Damaged hard drives are a special case in computer forensics, mainly because they usually fail suddenly. A hard drive can be damaged physically or, for example, during an unexpected desktop (or laptop) reboot, making digital evidence inaccessible. This can keep bad guys from covering their traces, which is very important for us. Up to 40% of the drives our lab receives every month are damaged (logically or physically). Here we'll discuss extracting data from such drives.
If a hard drive has fatal logical damage or a few bad sectors, you can image it using FTK Imager or EnCase Forensic. These tools skip unreadable sectors and write zeros in their place.
Source Type: Physical
Cylinders: 4,864
Tracks per Cylinder: 255
Sectors per Track: 63
Bytes per Sector: 512
Sector Count: 78,140,160
Drive Model: HITACHI_ DK13FA-4 USB Device
Drive Serial Number: D0W784
Drive Interface Type: USB
Removable drive: False
Source data size: 38154 MB
Sector count: 78140160
ATTENTION:
The following sector(s) on the source drive could not be read:
77855232 through 78140159
The contents of these sectors were replaced with zeros in the image.
MD5 checksum: ab0775b04c0e81c314172280d1490372
SHA1 checksum: 64b7cea951b97637429fd6fc21a7d2fc03acf1d6
Figure 1. FTK Imager log fragment
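An added example, not part of the original article and not FTK Imager's own code: a Python script that parses a log like the one in Figure 1, quantifies how much of the image is zero-fill rather than acquired data, and checks that those ranges in the image really contain only zeros. The function names are hypothetical, and the handling of a single unreadable sector logged as a lone number is an assumption.

```python
import re

# Constructed sample: the relevant lines of the log fragment in Figure 1.
SAMPLE_LOG = """\
Bytes per Sector: 512
Sector Count: 78,140,160
The following sector(s) on the source drive could not be read:
77855232 through 78140159
The contents of these sectors were replaced with zeros in the image.
"""

def _num(label, text):
    return int(re.search(label + r":\s*([\d,]+)", text, re.I).group(1).replace(",", ""))

def parse_log(text):
    """Return (bytes_per_sector, sector_count, [(first, last), ...])."""
    ranges, in_list = [], False
    for line in text.splitlines():
        if "could not be read" in line:
            in_list = True
        elif in_list:
            # Assumption: a single bad sector is logged as a lone number.
            m = re.fullmatch(r"(\d+)(?:\s+through\s+(\d+))?", line.strip())
            if not m:
                break
            ranges.append((int(m.group(1)), int(m.group(2) or m.group(1))))
    return _num("Bytes per Sector", text), _num("Sector Count", text), ranges

def summarize(bps, total, ranges):
    """Zero-filled sectors, bytes, and their share of the whole drive."""
    lost = sum(last - first + 1 for first, last in ranges)
    return {"sectors": lost, "bytes": lost * bps, "percent": round(100 * lost / total, 4)}

def nonzero_ranges(image, bps, ranges, chunk=1 << 20):
    """Ranges that are not entirely zeros in the image, or that run past its end."""
    bad = []
    for first, last in ranges:
        image.seek(first * bps)
        remaining = (last - first + 1) * bps
        while remaining > 0:
            buf = image.read(min(chunk, remaining))
            if not buf or buf.count(0) != len(buf):
                bad.append((first, last))
                break
            remaining -= len(buf)
    return bad

if __name__ == "__main__":
    bps, total, ranges = parse_log(SAMPLE_LOG)
    print(ranges, summarize(bps, total, ranges))
```

For a real acquisition, pass the RAW image opened in binary mode to nonzero_ranges; a non-empty result means the log and the image disagree and the gap should be documented in the report.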
But if the drive is badly damaged, these tools won't help you.
Victoria is a free utility that can be used with all kinds of drives, including HDD, SSD and Flash. Starting with version 4.0, the tool runs under Windows (up to Windows 10, both 32- and 64-bit). Victoria analyses the drive's state in detail and can fix almost any problem. While other utilities can only read SMART, Victoria can start the drive's self-diagnostic tests.
By default, all its destructive functions are disabled, so it's impossible to destroy data on the drive. Victoria can work in two modes: PIO and API.
In PIO mode, the utility works with the drive's controller via a special driver, porttalk.sys. That is how it sends any ATA command to the controller, bypassing the OS and standard drivers. This mode takes a lot of time, but it has a better chance of helping. It doesn't work on 64-bit systems, though.
In API mode, Victoria interacts with the drive's controller via standard drivers. Scanning and bad sector remapping are faster in this mode, but you can't set or remove ATA passwords, and you don't have access to the Host Protected Area.
Figure 2. Victoria 4.47, API mode
Victoria uses four methods and three types of drive testing (twelve modes in total). In each mode, it counts the number of bad sectors and writes it to a log file. In PIO mode, Victoria shows information about the logical structure even if the drive isn't detected in the BIOS. Victoria can also test and fix SMART errors, and you can use it to remove or set ATA passwords (we'll write about that in our following articles).
Figure 3. Victoria 4.47. Drive reading graph
EPOS Bad Drive Adapter was developed by the Ukrainian company EPOS. It is a write-blocker that can hide a drive's defects from the OS, so typical imaging tools can be used for acquisition. It's really easy to work with: just connect the damaged hard drive.
Figure 4. EPOS Bad Drive Adapter
Atola Insight Forensic is developed by a Canadian company. It has the same features as EPOS Bad Drive Adapter: it's a write-blocker that can hide a drive's defects from the OS.
PC 3000 Portable, a unique piece of hardware developed by ACE Lab, is capable of extracting data from almost any damaged drive. With the help of Data Extractor, an examiner can create a RAW image of the drive, which can then be examined with any piece of forensic software.
Figure 5. PC 3000 Portable
PC 3000 Portable includes adapters for different hard drive interfaces: microSATA, SATA, PATA, etc.
Figure 6. Adapters
Although this hardware is very expensive, it is very helpful. Here is a very good example: a SWAT team stormed a suspect's apartment while he was damaging his hard drive with a hammer. He had 30 minutes to totally destroy the drive. After the incident, we got the drive, replaced the damaged system board and used Data Extractor to image the drive. As a result, we got 98% of the data. Later, we used EnCase Forensic for examination.
When your lab gets damaged hard drives for forensic examination, you shouldn't send them to a data recovery service immediately. Very often you can extract the data yourself using free software or relatively cheap write-blockers capable of working with damaged drives. If your lab has expensive data recovery hardware, like PC 3000 Portable, you can recover data from most hard drives, whether they are damaged logically or physically.
1. Victoria 4.47 (Freeware) http://www.myac.pro/ftp/victoria_447.zip
2. EPOS Bad Drive Adapter http://www.epos.ua/view.php/en/products_epos_baddrive_adapter
3. Atola Insight Forensic http://atola.com/products/insight/
4. PC 3000 Portable http://www.acelaboratory.com/PortableSystem
Igor Mikhaylov
Interests: Computer, Cell Phone & Chip-Off Forensics