First published March 2005
by Charles H. Sobey, Chief Scientist of ChannelScience
[Note from Jamie Morris, Forensic Focus – In February 2005 Nick Majors of ActionFront Data Recovery Labs Inc. happened to post a link in the Forensic Focus forums to a whitepaper commissioned by his company in April last year. With his kind permission I have reproduced a number of sections of this whitepaper below which I think will be of particular interest to our membership. I would encourage anyone interested in data recovery issues to read the entire paper at http://www.actionfront.com/ts_whitepaper.asp, it’s very well written and covers a lot of ground, including details of ActionFront’s SignalTrace technology.]
When a hard disk drive containing valuable data no longer responds, the user’s last hope is to send the drive to a data recovery company that specializes in drive hardware failures. There is a general perception that data recovery companies have “magic machines” for retrieving data in almost any situation. The reality is less glamorous. The most sophisticated, commercially successful recovery techniques involve careful part-replacement, in a cleanroom environment, of the heads, the spindle motor and base casting, the electronics board, and/or the drive’s firmware and parameter tables. Part-replacement has historically been successful for data recovery about 40 to 60% of the time. Claimed data recovery success rates are much higher. While they may, in fact, approach 100% for some drive models, for other models and failure modes the success rate is near zero. Drive-independent data recovery methods are needed now to read these drives. Furthermore, as the data density of hard disk drives continues to increase the number of unrecoverable drives is expected to grow.
The reason for this lack of successful recovery can be traced to the methods drive manufacturers must employ to achieve both high data density and high production yields. Specifically, current drives are hyper-tuned in the factory to optimize the performance of each section of each hard disk drive. The data format, head, disk, electronics, and firmware parameters are all optimized together. This means that it is less likely that a head stack or electronics board or parameter tables from one drive even of the same model will work well when used as a replacement in a failed drive. When drives cost thousands of dollars, drive repair was a lower priced alternative to purchasing a new HDD. Today, the most economical option for dealing with a malfunctioning drive is to replace it with a new one. For criminal investigations requiring data forensic analysis, there is no substitute for the drive in question. It must yield its information even if it has been intentionally destroyed.
In the field, a drive may acquire defects due to corrosion, handling, or other causes. These are typically identified in a table of exceptions (sometimes called the P-list and the G-list, for primary defects and grown defects, respectively). This table, the table of parameters, and the firmware are typically stored on the disk itself in the outermost tracks. These tracks are referred to as the system area, maintenance tracks, diskware, negative cylinders, etc. However, some drive models store the table in non-volatile memory on the printed circuit board. Clearly this table of exceptions is uniquely linked to the media in a particular drive. The table for one drive will not, in general, be the same for the media from another drive.
Inside a modern HDD, a user’s data is encoded about 5 times before being written to the disk. This is done to 1) Ensure no incorrect data is provided to the user, 2) Correct as many errors that may occur in detection as possible, and 3) Improve the quality of detection by improving timing recovery and by mitigating the effects of certain error-prone patterns. Because of these levels of encoding, the user’s data itself is not written to the disk. Instead it is the encoded user data that is stored. Even if a tool such as PRMLproTM is used to recover the data, it is actually detecting the encoded data. To yield useful information that can be reassembled into files, the various encoding steps must be decoded.
In a failed hard disk drive, the disk surface may or may not be damaged. If the disk is not physically damaged, the user’s data is still there, unless it has been overwritten. If the disk is physically damaged, there is no data left wherever the magnetic material of the disk is removed. The magnetic layer that contains the data is only about a microinch thick. So any scratch is likely to have completely removed the magnetic material in that area. The heads do not scratch the disk in normal operation because they are actually flying over the surface although the flight is at a spacing of less than 1 microinch! If the disk is bent so that the heads can no longer fly, there is no documented method for commercially viable recovery.
The most advanced, commercially viable technique for recovering data from a hardware-failed disk drive is careful replacement of the failed parts. If the part to be replaced in inside the head/disk assembly (HDA), the replacement should be performed in a clean environment. Remember that the head must fly about a microinch above the surface of the disk, so a greasy fingerprint or a stuck particle can cause the repaired drive to crash. This is likely to result in even more damage to the data on the disk. For part-replacement to be successful, spare parts must be available for the specific drive. Drive companies and their component suppliers do not supply spare parts. The parts must come from new donor drives of the same type. However, the tight matching of the head with the disk and the hyper-tuning of the system parameters means that it is less likely that a similar drive’s parts will work. The parts must come from the same drive model.
Reading some data recovery websites can lead one to believe that they have “Magic Machines” that routinely recover data from failed drives. I saw no evidence or independent verification that such devices exist for commercially viable data recovery. If they do have a magic machine it may have been created for a high-value job in the past, and probably only worked marginally. However, there are very special machines used by drive manufacturers for the design and analysis of drive components. It is often suggested that these precision instruments, spin-stand testers and magnetic force microscopes (MFMs), can be used for data recovery.
Although such exotic methods of data recovery are theoretically possible, and have even been discussed in the peer-reviewed literature, I have found no evidence of commercially viable recoveries being performed with them. Furthermore, I have seen no public demonstrations of any of these methods that show the recovery of files or even user data only images or raw encoded data.
Recovering currently unrecoverable data requires the development of drive-independent data recovery techniques. These techniques must return user data, cost-effectively, from most drive models. In a public demonstration on the exhibit floor of the 2004 IEEE NASA Mass Storage Systems and Technologies Conference (Adelphi, Maryland), ActionFront Data Recovery Labs, Inc. demonstrated the successful drive-independent recovery of user data with their prototype system employing SignalTrace technology. ChannelScience assisted with some portions of the development of SignalTraceâ„¢ technology.
ActionFront and ChannelScience worked together to overcome many long-standing challenges in order to achieve this milestone in data recovery history. An especially important advancement is the cryptographic procedures employed by the research staff at ActionFront to descramble, RLL decode, and ECC correct the raw detected data. This was reverse engineered, based on first-principles analysis of a good drive of the same model. These highly specialized techniques as well as the determination of many channel parameters, servo layout and data layout must be applied to each new drive model before recovery can be attempted. This is because the needed information for drive-independent data recovery is not readily available from the drive and channel companies.
Drives continue to evolve, getting more sophisticated, adaptive, and hyper-tuned. For data recovery of hardware-failed drives to continue to be successful, drive-independent data recovery techniques, such as SignalTraceâ„¢ technology, must be made commercially viable. Furthermore, they must work for most popular drive models and they must continue to accommodate the relevant new innovations in HDDs. An important additional benefit of drive-independent data recovery is that it can be compatible with exotic data acquisition techniques for retrieving readback signals from intentionally damaged disks. This can be a significant tool for law enforcement and counter-terrorism professionals.
The majority of drives that are sent to data recovery companies for hardware failure are a few years old. While some of them still respond well to traditional part-replacement, there are some that are almost never recoverable. These may have been hyper-tuned in the factory so that high data density can be achieved together with high manufacturing yields, and/or they may have corrupted system-areas on the disk where drive parameters tables are stored. Such drives require a very precise matching of the characteristics of the head, disk surface, and the system parameters that is not possible with traditional part-replacement. As data density continues its rapid increase, it is expected that fewer hardware-failed drives will be recoverable with traditional part-replacement.
Drive-independent data recovery methods need to be developed that re-optimize the replaced head, disk location, electronics, and/or firmware and parameters table for the media from the failed drive. This requires recreating much of the drive’s optimization routines as well as mimicking the drive’s own methods of seeking to a disk location and track-following. This can vary from drive-to-drive even within the same model of drive. Creating a cost-effective, reliable data recovery method that works across many drives now and in the future requires constant R&D at the edge of the state-of-the-art in disk drives.
Therefore, it is likely that the capability to recover data from almost all of the latest drives will only be available from the best of the best — the data recovery companies that other data recovery companies turn to for their most challenging tasks. Drive manufacturers could help data recovery efforts by providing features such as special commands to load and run optimization routines that allow part replacement to work better. However this is unlikely given the effort that drive companies must devote to increasing areal density, manufacturing yields, and reliability.
ActionFront Data Recovery Labs Inc. is a privately held corporation founded in 1989 by Nicholas Majors and incorporated in December 1990.
ActionFront operates full service recovery labs with professional clean-room facilities in five US and one Canadian location. Since 1996 they have also maintained a receiving depot in Buffalo New York to facilitate the trans-shipment of jobs between our various labs. ADC – Advanced Design Corporation of Tokyo Japan represents their Asian market and they service European clients through an association with IBAS Data Recovery of Norway.