Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Security

Video Recovering Data From Broken Hard Drives and SSDs (Video) 173

Video no longer available.
Russell Chozick owns a small company in Austin. TX, called Flashback Data that recovers data from messed-up hard drives. And SSDs and Flash memory, too. How badly damaged does a drive have to be to defeat Russell and his crew? Apparently, smashed to bits. Not long aqo we did a video about a company that destroys data on hard drives, and we've had at least one Ask Slashdot where the question was, "What's the Best Way To Destroy Hard Drives?" In today's video, Russell is talking about the opposite of destruction -- except that he destroys data upon request, too. Obviously, checking the wrong box on a customer order form could cause big problems at Flashback Data, couldn't it? Let's hope they never do that -- and let's hope we all back up all of our data so we never need to use a data recovery service. You do back up all your data, don't you?

Russell Chozick: I am Russell Chozick, from Flashback Data, data recovery and computer forensics firm in Austin, Texas.

Robin Miller: So, if I accidentally were to remove the hard drive from this computer and throw it out in the thrash and waste management corporation took it to their landfill, you would go through that landfill and find it for me.

Russell Chozick: I don’t know if I want to go through a landfill, but if that drive is bent in half or completely smashed into millions of pieces, then if we find that thing, I’ll get data from it.

Robin Miller: Okay. Because actually there’s another video interview we did not that long ago with a company that destroys data.

Russell Chozick: Yeah.

Robin Miller: They destroy hard drives.

Russell Chozick: Yeah, we do it sometimes here ourselves.

Robin Miller: So, how destroyed a hard drive can you save?

Russell Chozick: No, there’s varying levels of unrecoverableness that we come across, if the physical platters are destroyed, i.e. the data is actually completely scraped off of them because of a full-on head crash where there’s little filters inside of a hard drive that filter in until no dirty air can get into them and that thing looks black, that means your data just got scraped off of that hard drive platter right into that filter and no one is going to get that back.

As far as lot of laptop drives have blast platters, if you throw that thing on the ground hard enough, that glass shatters, no one is going to get that data, but the stuff we have recovered from that is pretty severe, for example, drives that have been submerged in salt water for a long time after Hurricane Sandy, Katrina, any of the big natural disasters, we’ve recovered from fire damage where that drive looks like it’s completely melted. But we’re still able to save it.

So there’s definite ways to destroy it and obviously the destruction company is ____2:19. I think I looked at their video. They talk about degaussing and when you degauss a hard drive, you also erase the servo track, so not only is it unrecoverable and it’s never even usable again. So then you just got to send it to the recyclers. But what we do here to destroy data is either overwrite it by writing data over the entire portion of the hard drive, but completely overwriting it or we crush them or we send them to a destruction company as well if we’ve done whole lot that we need to get rid off.

Robin Miller: Obviously destroying as a number of people, Slashdot readers, yes, you know, how you are, you guys pointed out, you could have a lot of fun with a sledge hammer instead of spending money to destroy hard drives.

Russell Chozick: Yeah, you got to make sure that thing is good and smashed, because especially with the larger desktop drives and SCSI drives, those things are pretty durable, and you got to really beat that thing up to make a dent in those platters because they’re pretty strong.

Robin Miller: What do you do with SSDs, what do you do with the digital drives?

Russell Chozick: Well, it’s kind of evolved through our business; when we first started we didn’t have the technology to read directly from NAND Flash memory, so what we do and it was fairly common was pretty simple part replacement type stuff where Flash drives controller fails, we would take the actual memory chip itself, find an identical circuit board, take the Flash memory, put it on the new circuit board or make electronic repairs on the actual board itself and then recover the data that way. But it’s evolved quite a bit. So we’ve done a lot of research and development over years and we are pretty much on the forefront of Flash technology where what we started to do is, you know what let’s get a device programmer and start reading the data into the computer raw and see what it looks like.

Now when you look at Flash media read in raw straight from a USB drive, it’s completely mixed up. The way that Flash controllers work is they are constantly reorganizing the data for wear-leveling and encryption and all kinds of different algorithms to make to; one, speed up the Flash memory and two, make sure that you’re not going to wear out certain cells before other cells to make it last long time.

So what you get when you read just the Flash memory is take the controller out of the situation you get, just the whole bunch of scramble data that is not only the data area, but there’s also portions of each sector that contain information about error correction and kind of clues on how the data is reassembled. So what we started to look at was how we can kind of reverse engineer the controllers once we have the raw data read in, and that’s how it’s evolved.

Now what we can do is as long as the data is not encrypted we can pull the Flash memory itself off. The actual data chips, for example, here is an SSD drive and these are the data chips, pull those off and look for markers that – common markers on a file system. For example, we know what FAT32 file system looks likes typically in a linear format. So we may find part of the FAT file system on one chip and part of the FAT file system in another chip, and what we have to do is rearrange the data to where it kind of lines up and gets an order and then the computer can – and then kind of reimage that and then we can use that image to rebuild the file system on the Flash. And it sounds very complicated and

Robin Miller: It sounds expensive actually.

Russell Chozick: It sounds very complicated than it is, but basically what we’ve done is we’ve built kind of an internal wiki of cases, so once we crack one, we see it again, it’s much easier for us to do it again, and we have thousands of it. I mean, so we see it a lot and so it’s starting to get to the point where the costs are coming down, but new challenges keep arising as new chip form factors start coming out and they keep making these devices smaller, I know you probably seen micro SD cards.

They’re extremely small and there’s actually no independent Flash memory on those. It’s basically a monolithic chip that contains the controller and the Flash in one chip. So in order to recover something like that it requires a lot of patience. We basically have to take sand paper and find all the traces on the device, sand it down until it’s just to its bare traces, and then use a logic analyzer and find out where all the data points are to actually connect straight to the Flash, which now in that example those are the types of recoveries that are extremely expensive right now because it’s a lot of manual work, whereas, if it’s a typical type of NAND Flash memory, those are starting to get where we’ve got nerves where we can get them in and get them out pretty quickly.

Robin Miller: I’m assuming that people who come to you that the data is valuable. I had one ever hard drive failure where I didn’t have stuff backed up, that’s critical, just one and I spent $600 to get my data.

Russell Chozick: And you know that to backup and then back up your back ups. We will FTP people critical information, but we’re not going to let them download 40 gigs of information what they’ve recovered. So what we found now is we started using – any time speed increases happen we started using the newest technology, so anyone that comes in with a MacDrive will it out of whatever enclosure that they have and we’ll put it right in our thunderbolt dock and use thunderbolt to a thunderbolt source and a thunderbolt destination to make sure that we can move data as fast as possible and then all of our systems are – the PCs are all the USB 3 in any status, so we can move data as fast as possible. It’s just going to take very less time for us to move data and get it in the mail overnight than it is to use the Internet . Austin is getting Google fiber here soon, so...

Robin Miller: Isn’t that special. Are you all happy? Why doesn't Manatee County, where we have more cows than people, Manatee County, Florida, we need that more than you guys....

Russell Chozick: Well, I mean I know the cows use a lot of bandwidth, so maybe that’s why they won’t let you guys. This industry is a bit strange and you really have to be careful on who you use, because your first chance of data recovery is always usually the best. There’s a lot of people out there that claim to do it all and maybe they can and that’s great, and I know there’s lot of great companies out there. But there’s a lot that see dollar signs in this and they maybe can only do low level or logical stuff, logical recoveries recovered from corrupt files systems and things like that, and they can’t work on the stuff that I’m talking about here where I have to wire up memory chip from an Android phone to pull data off of it.

You can’t tell me that a one man shop somewhere is going to be able to have the resources to do that, this is an expensive business to run, we have expensive equipment, we have large lab space, lot of computers, lot of overhead, we have laminate flow benches to open hard drives underneath, we have a huge parts inventory, so there’s just – you just got to be careful on who you use, and there are several reputable companies out there.

Robin Miller: Well, look we can see right behind you, those are some very uncheap looking racks with monitors on top of them.

Russell Chozick: Yeah, I mean, and to be honest, those computers are typical every day computers, but there’s hardware in there for imaging computers that is very expensive, what’s running right back here are we got three different computers all imaging hard drive sector-by-sector and what it does is when it runs into bad sectors, it can dig deeper, it can skip that, it can come back to that later, we could even say it, oh we really want to image everything that’s on one certain surface of the platter of the hard drive and things like that.

So we can get real granular and we could also go forwards and we can go backwards and then we could say, set the time out for a little bit longer. So we can kind of create our own algorithm for how a driver is behaving. And this stage is even after we’ve done the physical work to the drive. So pretend the read/write heads failed on a particular drive, we bring it into our clean room, we do any kind of part replacement that may need to be done to repair, temporarily repair the drive and then it goes to back here where we image the drive.

It’s a non-tech savvy that really just think that the devices are invincible and that or it’s not going to happen to them, but it does, and we do recoveries for a wide range of people anywhere and like you said, the data is got to be valuable, but the most irreplaceable data is sometimes what lot of people would consider not that valuable in a sense of this is going to take my whole business down. It’s more like pictures of your kids since they were a baby and if someone has that only in the digital format that’s the kind of data that it’s not only irreplaceable, you can’t create that again.

This discussion has been archived. No new comments can be posted.

Recovering Data From Broken Hard Drives and SSDs (Video)

Comments Filter:
  • BS Summary (Score:5, Insightful)

    by gweihir ( 88907 ) on Thursday April 25, 2013 @01:20PM (#43548231)

    Do one overwrite with zeros for magnetic media. They cannot recover that. Open the drive, take out the platters, bend or break them, they cannot recover that. SSDs are more tricky, but one overwrite with random data assures that no more than the spare capacity can be recovered.

    • by TWX ( 665546 )
      Just remove the casing and put the SSD board/chips into a microwave... If anything, physical destruction of an SSD should be even easier... Just pop the chips off the board with a flat knife and cut them into pieces with aviation snips...
    • by guttentag ( 313541 ) on Thursday April 25, 2013 @01:41PM (#43548457) Journal

      Do one overwrite with zeros for magnetic media.

      I just send all my broken storage media to the Nixon Presidential Library, labelled "18 1/2 minutes" in a box with a return address for "Flasback Data Recovery Specialists: We Recover Anything, Confidentiality Guaranteed. Austin, TX." They replace all the 1s and 0s with pure silence. Nothing beats that.

      • Do one overwrite with zeros for magnetic media.

        I just send all my broken storage media to the Nixon Presidential Library, labelled "18 1/2 minutes" in a box with a return address for "Flasback Data Recovery Specialists: We Recover Anything, Confidentiality Guaranteed. Austin, TX." They replace all the 1s and 0s with pure silence. Nothing beats that.

        ===
        Best way to clean a hard drive. Give it to my grandson. He can dismantle it, use a platter with the dog as a frisbee, strip away the electronics for projects, and don't worry. He once wanted some oxide, and scraped the platter surface to remove it all.

    • This should work for both spinning disks and SSD. [eecue.com] of course you can't make an aluminum ingot from an SSD.
    • by Shatrat ( 855151 )

      I used to use 'dd if=/dev/zero of=/dev/sda1' on every laptop that got decommissioned from the network and donated or sold.
      It's not rocket surgery.

    • Re:BS Summary (Score:4, Insightful)

      by SuricouRaven ( 1897204 ) on Thursday April 25, 2013 @03:36PM (#43549547)

      You're close. Overwriting media with zeros almost entirely erases everything - there was a time when it was possible for someone with a highly specialised magnetic probe to pick up leftover traces from the space between the tracks, but modern drives have the tracks far too close for that. There is just one place data may survive: Remapped sectors. The drive logic does detect if a sector is going to fail or already failed, and if so will remap it to a spare area, just as SSDs do. The old data gets left behind in the now-disused space.

      But all that'll save is the odd little fragment here and there, either 512 bytes or 16k depending on the drive. An attacker would need a lot of luck to find something good in there.

      • "You're close. Overwriting media with zeros almost entirely erases everything - there was a time when it was possible for someone with a highly specialised magnetic probe to pick up leftover traces from the space between the tracks, but modern drives have the tracks far too close for that"

        I don't think that this is merely about the tracks being too close to each other. One has to keep in mind that today, "overwriting a sector with zeros" basically means "overwriting one existing continuous magnetic trace on the media with a trace of semi-randomly alternating magnetized domains that happens to be related to the semi-random alternating magnetization changes of the existing trace by means of a fractional (analog) offset that continuously drifts along the trace)". That's one hell of a problem fo

      • That said, for SSDs - would not a Secure Erase take care of even remapped sectors? Seeing as its just a blind 'flush all cells' operation.
        • Secure Erase is even more brilliant than that. Modern SSDs (and phones) run 128bit/256bit AES encryption full-time. So when the drive needs to be Secure Erased, they simply throw away the key and generate a new one.

          As a result the data has been rendered inert in a fraction of the time it would take to actually overwrite it, and without needing to put all of the cells through a P/E cycle.

          • It still undergoes a P/E cycle however. The erase process is very time consuming, and SSD performance is severely impacted if it has to do those on the fly. SE on drives with Encryption still has the role to reset the drive so that it performs at peak capacity afterwards, which means draining all the cells. Skipping the P/E cycle would mean that drive performance would be severely reduced.
    • Re: (Score:2, Insightful)

      by Anonymous Coward

      Do one overwrite with zeros for magnetic media. They cannot recover that

      For those that don't believe it:

      Assume, for argument's sake, that one could recover one previous generation of data written to magnetic media after an single overwrite. That means a nominal 1TB drive could be used to store 2TB of data. The fact that no hard drive manufacturer has been able to take advantage of any hysteresis effect to increase their storage densities is a strong indication that it's not possible.

      http://xkcd.com/808/

      • by lindi ( 634828 )

        Maybe they are selling 2 TB drives as 1 TB drives that keep a history of old data and then profit from the recovery services? ;)

  • by TWX ( 665546 ) on Thursday April 25, 2013 @01:21PM (#43548245)
    ...is to literally destroy the drive...

    A small four-pound sledge and a suitable hard surface to act as an anvil and one can break the aluminum case into bits in a couple minutes and crease and crack the platters to the point that there realistically isn't anything being read from there. If you're REALLY worried, break out the plasma cutter and just cut the platters into bits...

    Speaking of bits, Spanish colonial currency were "pieces of eight". "Shave and a Haircut, two bits" is a $0.25 cost. So, eight bits to a full unit... Coincidence for eight bits to a byte, or intentional?
    • by admdrew ( 782761 )

      Speaking of bits...

      Interesting, I never knew that... I was sorta hoping it was intentional, but looks like we have to blame a combination of ASCII (popularizing 7-bit over 4- or 6-bit) and the rise of 8-bit machines.

    • Speaking of bits, Spanish colonial currency were "pieces of eight". "Shave and a Haircut, two bits" is a $0.25 cost. So, eight bits to a full unit... Coincidence for eight bits to a byte, or intentional?

      Coincidence. I imagine it makes a lot of sense to keep the size of a byte as a power of two (for addressing reasons, maybe?) 4 bits isn't even enough to represent all of the characters in the Latin alphabet, and 16 bits was probably overkill at the beginning of the computer revolution.

      This is all a bunch of random guesswork. I have no facts for any of this :)

      • >> I imagine it makes a lot of sense to keep the size of a byte as a power of two (for addressing reasons, maybe?)

        I hope you're kidding, but in case you're not: http://en.wikipedia.org/wiki/Byte [wikipedia.org]

        • When I first learned about bytes I was in elementary school and my only frame of reference was the movie Tron (the original).

          Kevin Flynn: Hey! Hold it right there!
          Bit: Yes.
          Kevin Flynn: What do you mean, "yes"?
          Bit: Yes.
          Kevin Flynn: Is that all you can say?
          Bit: No.
          Kevin Flynn: Know anything else?
          Bit: Yes.
          Kevin Flynn: Positive and negative, huh. You're a bit, aren't you?
          Bit: Yes.
          Kevin Flynn: Well, where's your program? Isn't he going to miss you?
          Bit: No.
          Kevin Flynn: I'M your program?
          Bit: Yes.
          Kevin Flynn: Pretty good driving, huh?
          [CRASH]
          Bit: No.

          Bits are very direct. I figured a byte was a bit that knew 8 different ways of saying yes or no, but I was confused about how bits and bytes would communicate, because the bit wouldn't understand all the nuanced shades of yes or no. It seemed like a very fuzzy kind of logic. I made a mental note to study it further in junior high school, as a primer for studying other... curiosities..

          • Kevin Flynn: I'M your program?
            Bit: Yes.

            You forgot the most important part:

            Kevin Flynn: Great, another mouth to feed.
            Bit: Yes! Yes! Yes! [...]

    • break out the plasma cutter and just cut the platters into bits

      Damn all I have is a wire feed welder so I guess I will just have to turn up the power.

    • Or you could simply degauss the drive, or raise it to the curie temperature, rather than dealing with "sort of effective" and difficult methods of destruction.

      Im not clear why people suggest shattering the platter; it doesnt "destroy" the data (simply separates it), its time consuming (unless you were already going for the magnets inside), and generally a quick zero-wipe will be sufficient and more effective for most cases, and degauss / curie temperature will suffice for all others.

      • by TWX ( 665546 )
        I formatted a hard disk drive last night to use it for something else. Smashing it to pieces would have been much faster and more satisfying.
        • I formatted a hard disk drive last night to use it for something else. Smashing it to pieces would have been much faster and more satisfying.

          I just pop into my local undertakers and get my mate Dave, the night security guard, to chuck it in the next coffin up for cremation.

        • Formatting your drive most likely got rid of none of the data.

          All a format does is prepare the necessary bits for storing data (file tables etc). It doesnt usually overwrite the whole drive, even if you pick "full format".

      • by rthille ( 8526 )

        I use multiple passes of random data in a working drive, but when the controller is bad and I have data on the drives I don't want people to get to, I take it apart, save the magnets and shatter the (now glass) platters.

        • The difference between an overwrite and shattering the drive is like the difference between burning sensitive papers, and simply ripping them into shreds.

          Ripping them up may make it difficult to get at, but a really determined attacker could conceivably recover some data.

          • by rthille ( 8526 )

            Sure, but when I _can't_ write to the drive because it's gone bad, then I don't have the choice of 'overwrite'. I suppose I could use my belt sander or welding torch on the platters, but I think shattering them into little pieces and putting some in one trash cycle and some in another works well enough. I'm paranoid, but not that paranoid.

    • by Sloppy ( 14984 )

      Speaking of bits, Spanish colonial currency were "pieces of eight". "Shave and a Haircut, two bits" is a $0.25 cost. So, eight bits to a full unit... Coincidence for eight bits to a byte, or intentional?

      And it's also how many tentacles a single whole-unit octopus has! And how many planets there are (since the loss of Pluto) in the whole solar system. And it's how many ounces are in a .. shit, is it a cup or a pound? I can never remember that one.

    • by rthille ( 8526 )

      Crease the platters? These days, they are _GLASS_ coated with metal, and they shatter into _many_ pieces when they break.

  • by pitchpipe ( 708843 ) on Thursday April 25, 2013 @01:26PM (#43548299)
    Does this company offer a way to recover a Slashdot that doesn't disguise advertising as a story?
  • Thanks to Slashdot's video implementation, I get a big div in the middle of the screen that says,

    This plugin is vulnerable and should be updated.
    Check for updates...
    Click here to activate the Adobe Flash plugin.

    Now my Firefox is up to date and the Flash plugin was updated earlier this month.

  • I assumed the video was just a shameless promotion for the company, but clicked it anyway. Then, I saw that I was supposed to sit through a 30 second advertisement for some other random $#!T just so I can see an ad for this company ?

    Sorry, No.

  • by account_deleted ( 4530225 ) on Thursday April 25, 2013 @01:32PM (#43548369)
    Comment removed based on user account deletion
  • This is such a random interview, he should of sat down and planned what he was going to say, this just sounds quick, dirty and unprofessional. I can't take a company seriously where the interviewer doesn't answer questions using a solid brief format. He's not even answers the questions properly, I give this a 2 / 10, to be fair I give most interviews about a 4 / 10, If you include PR you lose marks. Sit down, right out all the question and answer you want to talk about, practice it, re practice it and
    • by gweihir ( 88907 )

      There are a lot of crooks and unprofessionals in data recovery. Immoral scum that prey on those already in pain. Seems this guy is not quite on that level, but fits in somewhere with grand promises he cannot deliver on.

      • Not disagreeing that the video was pretty bad - I can't say I'd do any better if asked to do an interview off the cuff. Definitely not a well planned advertisement if that's what it was supposed to be.

        I've had customers that have used these guys with about a 50/50 success rate at getting 100% data back. The times they couldn't get the data were due to head crashes that had scrapped the platters clean.

        It never seems to fail, customer declares they absolutely don't need backups for their workstations, they

        • by gweihir ( 88907 )

          Good to know. So just their PR sucks. Actually, that may be an indicator that their work is not too bad, because the crooks rely on PR to get new customers, while those that actually get results can rely in part on repeat business.

  • by gweihir ( 88907 ) on Thursday April 25, 2013 @01:40PM (#43548443)

    Why is this stupid marketing BS still displayed?

  • Did you basically just use Youtube's auto-closed-captioning function? The quality of the transcript is so bad it's virtually unreadable.
  • This stuff isn't It's not easy,and the costs can go rediculously through the roof. Having done a TINY bit myself, shipping out some work, etc..

    See my Sig though, it's all right there.

  • by X0563511 ( 793323 ) on Thursday April 25, 2013 @02:22PM (#43548795) Homepage Journal

    We can flag comments as spam, but not "stories" such as this. Hmm.

  • Perhaps Slashdot should follow Fark's lead and put a "sponsored" flag on stories like these and disable commenting? That way it would be clear that the story was an advertisement and they could avoid alienating their user base. Slashvertisements are usually fairly obvious and when they do appear the comments tend to all be very negative against whatever was being advertised. This way Slashdot could get their ad money for the promotion without pissing of the readers and filling the comments with vitriol.

  • by Virtucon ( 127420 ) on Thursday April 25, 2013 @03:03PM (#43549227)

    I doubt after your hard drive goes through a chipper/shredder that they could recover the data.

    • It's doable in theory, but prohibitively expensive. The only people with the knowledge would be the drive designers, and they'd need to spend weeks working with access to the type of cleanroom that makes an operating theater dirty.

  • While DIY data recovery has its risks, most "damaged" disks really just have minor filesystem corruption.

    The wonderful (free) photorec tool from the photorec package can be used to do an amazing amount of recovery. I've never had it fail on SD cards with FAT32 damage. It can also recover all sorts of other document formats, despite the name, and works fine on hard drives - though you should *ALWAYS* disk image the drive and then attempt recovery on the image.

    For imaging, look into ddrescue, it's a vital fir

  • If I was that company I would make people write "I WANT YOU TO DESTROY THIS HARD DRIVE" before I would destroy it.

As you will see, I told them, in no uncertain terms, to see Figure one. -- Dave "First Strike" Pare

Working...