Damaged hard drives are a special case in computer forensics, mainly because they usually fail suddenly. A hard drive can be damaged physically or, for example, during an unwanted reboot of a desktop or laptop, making digital evidence inaccessible. That same suddenness can keep bad guys from covering their traces, which is very important for us. Up to 40% of the drives our lab receives every month are damaged, either logically or physically. Here we will talk about extracting data from such drives.
FTK Imager and EnCase Forensic
If a hard drive has fatal logical damage or only a few bad sectors, you can image it using FTK Imager or EnCase Forensic. These tools skip the bad sectors and write zeros in their place in the image.
Physical Evidentiary Item (Source) Information:
[Device Info]
Source Type: Physical
[Drive Geometry]
Cylinders: 4,864
Tracks per Cylinder: 255
Sectors per Track: 63
Bytes per Sector: 512
Sector Count: 78,140,160
[Physical Drive Information]
Drive Model: HITACHI_ DK13FA-4 USB Device
Drive Serial Number: D0W784
Drive Interface Type: USB
Removable drive: False
Source data size: 38154 MB
Sector count: 78140160

ATTENTION: The following sector(s) on the source drive could not be read:
77855232 through 78140159
The contents of these sectors were replaced with zeros in the image.

[Computed Hashes]
MD5 checksum: ab0775b04c0e81c314172280d1490372
SHA1 checksum: 64b7cea951b97637429fd6fc21a7d2fc03acf1d6
Figure 1. FTK Imager log fragment
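As an added example (not part of the original article and not FTK Imager's own tooling), this Python script parses an FTK Imager log like the one in Figure 1, lists the sector ranges that were replaced with zeros, works out how much of the image they cover, and checks that the corresponding region of an image really is zero padding rather than data. The FTK_LOG text and demo_image() are constructed inputs; the log values are the ones shown in Figure 1.

```python
import re

# Constructed input: the FTK Imager log fragment reproduced in Figure 1 (values are the page's).
FTK_LOG = """[Drive Geometry]
Bytes per Sector: 512
Sector Count: 78,140,160
ATTENTION: The following sector(s) on the source drive could not be read:
77855232 through 78140159
The contents of these sectors were replaced with zeros in the image.
[Computed Hashes]
MD5 checksum: ab0775b04c0e81c314172280d1490372
"""


def parse_ftk_log(text):
    """Extract sector size, sector count and unreadable sector ranges from an FTK Imager log."""
    def number(label):
        return int(re.search(label + r":\s*([\d,]+)", text).group(1).replace(",", ""))
    ranges = []
    bad = re.search(r"could not be read:\s*(.*?)\s*The contents", text, re.S)
    if bad:
        # The log lists single sectors ("12345") or ranges ("12345 through 12399").
        for start, end in re.findall(r"(\d+)(?:\s+through\s+(\d+))?", bad.group(1)):
            ranges.append((int(start), int(end) if end else int(start)))
    return {"sector_size": number("Bytes per Sector"),
            "sector_count": number("Sector Count"), "bad_ranges": ranges}


def unreadable_stats(info):
    """Sectors, bytes and percentage of the drive that the image filled with zeros."""
    sectors = sum(end - start + 1 for start, end in info["bad_ranges"])
    return sectors, sectors * info["sector_size"], 100.0 * sectors / info["sector_count"]


def zero_filled(image, sector_size, start, end):
    """True if sectors start..end of the image contain only zeros, i.e. padding, not data."""
    chunk = image[start * sector_size:(end + 1) * sector_size]
    return len(chunk) == (end - start + 1) * sector_size and not any(chunk)


def demo_image(sectors=16, sector_size=512, bad_from=12):
    """Constructed toy image: 16 sectors, the last four zero-filled as FTK does for bad sectors."""
    good = bytes(range(256)) * (sector_size // 256)
    return good * bad_from + bytes(sector_size) * (sectors - bad_from)
```

Note that the MD5/SHA1 in the log are hashes of the image including the zero padding, not of the original drive, so the unreadable ranges should be recorded alongside the hashes in the case notes.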
But if the drive is damaged badly, these pieces of software won’t help you.
Victoria [1]
Victoria is a free utility that works with all kinds of drives, including HDD, SSD and flash. Starting with version 4.0, the tool runs under Windows (up to Windows 10, both 32- and 64-bit). Victoria analyses a drive's state in detail and can fix almost any problem. While other utilities can only read SMART, Victoria can also start the drive's self-diagnostic tests.
By default, all its destructive functions are disabled, so it's impossible to destroy data on the drive. Victoria can work in two modes: PIO and API.
PIO mode
In this mode, the utility talks to the drive's controller through a special driver, porttalk.sys, which lets it send any ATA command directly to the controller, bypassing the OS and its standard drivers. Working in this mode takes a lot of time, but it has a better chance of helping. It doesn't work on 64-bit systems, though.
API mode
In this mode Victoria interacts with the drive's controller via the standard drivers. Scanning and remapping of bad sectors is faster in this mode, but you can't set or remove ATA passwords, and you don't have access to the Host Protected Area.
Figure 2. Victoria 4.47, API mode
Victoria uses four methods and three types of drive testing (twelve modes in total). In each mode it counts the number of bad sectors and writes it to a log file. In PIO mode, Victoria shows information about the logical structure even if the drive isn't detected in the BIOS. Victoria can also test and fix SMART errors, and you can use it to remove or set ATA passwords (we'll cover this in our following articles).
Figure 3. Victoria 4.47. Drive reading graph
Write-blockers capable of extracting data from damaged drives [2]
EPOS Bad Drive Adapter [2]
EPOS Bad Drive Adapter was developed by the Ukrainian company EPOS. It is a write-blocker that can hide a drive's defects from the OS, so typical imaging tools can be used for acquisition. It's really easy to work with: just connect the damaged hard drive.
Figure 4. EPOS Bad Drive Adapter
Atola Insight Forensic [3]
Atola Insight Forensic is developed by a Canadian company. It has the same features as the EPOS Bad Drive Adapter: it's a write-blocker that can hide a drive's defects from the OS.
PC 3000 Portable [4]
This unique piece of hardware, developed by ACE Lab, is capable of extracting data from almost any damaged drive. With the help of Data Extractor an examiner can create a raw image of the drive, which can then be examined with any forensic software.
Figure 5. PC 3000 Portable
PC 3000 Portable includes adapters for different hard drive interfaces: microSATA, SATA, PATA, etc.
Figure 6. Adapters
Although this hardware is very expensive, it is very helpful. Here is a very good example: a SWAT team stormed a suspect's apartment while he was damaging his hard drive with a hammer. He had 30 minutes to destroy the drive completely. After the incident, we got the drive, replaced the damaged system board and used Data Extractor to image it. As a result, we recovered 98% of the data. Later, we used EnCase Forensic for the examination.
Discussion
When your lab receives damaged hard drives for forensic examination, you shouldn't send them to a data recovery service immediately. Very often you can extract the data yourself using free software or relatively cheap write-blockers that can work with damaged drives. If your lab has expensive data recovery hardware, like PC 3000 Portable, you can recover data from most hard drives, whether damaged logically or physically.
References:
1. Victoria 4.47 (Freeware) http://www.myac.pro/ftp/victoria_447.zip
2. EPOS Bad Drive Adapter http://www.epos.ua/view.php/en/products_epos_baddrive_adapter
3. Atola Insight Forensic http://atola.com/products/insight/
4. PC 3000 Portable http://www.acelaboratory.com/PortableSystem
About the author:
Interests: Computer, Cell Phone & Chip-Off Forensics