Data Recvovery: External Hard drive Options

The Plain Truth: The External Hard Drive Recovery Options You Have

Before there where computers we had scrap books and photo boxes full of past memories.

Now personal data is put into different drives and folders for information. Like many people your internal hard drive got to big so you started to move information over to your external hard drive. Storing more information on to drive more drive has become a bigger responsibility in the modern day. With all the moving parts and internal mechanisms they are someday going to fail over time.

Even though hard drives have changed over from being spinning drives in your computer to solid state drives this doesn’t mean there 100% reliable. Remember nothing lasts forever. External hard drive recovery is a daunting task to say the least. A word of caution if you’re not comfortable with taking apart a computer then taking apart an external hard drive to fix should not be done. Here are a few tips that should help you actually help you with hard drive recovery…

To read the full article check out External Hard Drive Recovery.Net


Forensics: Wiping Hard Drives….Do you need thermite?

Every week, or possibly every day, there are new forums where people (with little to no experience of data recovery) discuss the merits of different methods of wiping data and destroying hard drives. One of the the frequent conclusions is that data cannot be deleted or wiped and  thermatie is the only answer.

Some people will discuss, at length, the number of wipes that are required to wipe a hard drive, with answers varying from  7 to 32.  Some insist that once you wipe it 32 times you then need to grind the hard drive to a find powder, and then, of course, use thermite.

These answers, as anybody who actually works in the data recovery industry will attest to are complete rubbish.

Once data has been overwritten i.e. a 0 is converted to a 1, or vice versa, then that data is gone. It cannot be recovered by software, electron microscopes, or men in dark suits.  It is gone.

In addition to this, the moment that the platters of a hard drive are scratched, recovering data from them is very hard, and can be impossible. Hard drive platters are surprisingly sensitive, its just that the hard drive itself is a very good design. Anyone doubting this can perform a simple test, take an old hard drive out of your computer (one with data on, but data you don’t want), open the drive and put a long deep a scratch along the platters. Then, send the drive to a data recover company and see who can recover the data. Most data recovery companies offer a free diagnoses, i.e. you can find out for free if they can recover it.

Or, if you want to use the same service the CIA, MI5, and all the other spooks use, you can pay £100 for a diagnosis and send it to Ontrack, the worlds biggest data recovery company.

KrollOntrack recovered the data from the Shuttle, they are the company that governments use when is a major case, from the  Madrid bombing to old backup tapes that contain critical data.

To wipe data do you need thermite? No. [But that would definately work!]

How do you destroy a hard drive?

The question of hard drive destruction is often raised, when people want to prevent access to their data, e.g. getting rid of old computers.

Questions include:

  • How do I destroy my hard drive? Will drilling it work?
  • Can I burn my hard drive, will that work ?
  • Can I put it in water?
  • How many times do I need to wipe a hard drive, to get rid of all data?

Often, the answers involve “the only thing that destroys a hard drive is thermite” or “wipe the drive 100 times, then grind it up into a fine dust and then melt the dust”.

These statements almost certainly come from those who have never been in a data recovery clean room, and certainly never worked in one.

Destroying data, on a hard drive, is relatively easy and can be done one of two ways:

1)      Wiping the entire hard drive. Just once. Not 3 or 32 or 320 times

2)      Destroying the platters. Once the platters are destroyed recovery is impossible.

The latter option can be achieved by a variety of ways, such as drilling the hard drive. In theory “somebody” could read the data around the holes, though no commercial company would ever do that. As the governments outsource their major data recovery work, to commerical companies, from the NASA Columbia disaster to international terrorist incidents if its very technical and very important it gets outsourced. Therefore who exactly “somebody” is, is unclear.

The idea that overwritten data, on a modern hard drive, can be recovered is just fanciful. Nobody has ever recovered data an overwritten modern drive, and nobody has said they can, it’s merely a theory, an old theory that was never tested or proved. However, when this theory was tested, it was not possible.

Remember wiping data is not formatting or deleting data. It is wiping every single sector on a hard dive.

In short there no evidence for recovering wiped data but there is evidence to showing wiped cannot be recovered.

Physical Methods that will not work to destroy data on a hard drive include:

  • Throwing it in the water (this does not do much)
  • Setting it on fire (the temperature is not going to be high enough at home)
  • Throwing it out of the window. Hard drives can take quite a bit of G force.  They are not heavy so the impact of the hard drive on the ground is not likely to destroy the platters.
  • Drive over the hard drive. A car, or even a tank, driving over a hard drive will do nothing, any more than they  would driving over a book. Unless the drive is actually flattened, the platters are not going to be destroyed.

Electronic Methods that will not work in destroying data are:

  • Deleting files
  • Formatting files
  • Shredding files/Wiping Files

The whole drive needs to be wiped, not just some of it. Nothing else can guarantee all data is gone.

Forensics: Does water destroy a hard drive?

In computer forensics, and data recovery, it is not unheard of to come across hard drives that have got wet, and not always accidentally. In one year, the same police force, had to recover several hard drives that had deliberately been thrown into the sea – along with the rest of the laptop.

As this type of recovery is more often than not outsourced to the civil sector this leads to the question: Does water destroy a hard drive?

Water alone is not harmful to data. If the hard drive is off, and not spinning, the water will not destroy the data. The data, after all, is stored magnetically on the platters, this is not going to lost by the addition of water.

Firstly hard drives are pretty well sealed, so a quick dunk in the water is unlikely to effect the hard drive itself. Secondly, even if the hard drive is left in the water, or sea for a long time, all is not lost.

What is important is the drying process. If a hard drive has been left in the sea or dirty water for a couple of days, and is then dried out, this is not going to work straightaway, and powering it up could be damaging. The reason for this is that the salt or dirt that is left behind once the water has evaporated will stick to the platter, as the platters spin up (if that even happens) there could be damage to the surface of the platter – which will damage the hard drive.

Once the drive has been wet for a period of time it is recommended that the drive is taken to a specialist recovery company (ideally while its still wet and before its been dried out). The company will then clean the platters professionally. Even if the entire hard drive casing is damaged/destroyed they can put the platters into a new casing and recover the data that way.

Forensics: Is it possible to recover data after wiping tapes?

Is it possible to recover data after wiping tapes? Absolutely not, and possibly yes.

The answer very much depends on what the term “wiping” means in the question. If a tape is used to store data, then reformatted and the a new set of data overwritten, the previous data cannot be recovered, it has been effectively wiped.

If a tape is wiped using degaussing technology then once again the data has been lost/wiped, and cannot be recovered. 

If a tape has been reformat ed, but not overwritten, it is possible though far from guaranteed that it can data can be recovered. The reason for this is that formatting the tape, much like a hard drive, just changes the data at the beginning, of media. But the actual data is still on the tape. However, unlike hard drives, tape software puts an End of File marker at when it has finished writting data to a media which the tape drive reads and does go past, unless its overwritten. This means that when the tape is re-formatted a new End of File marker is placed at the beginning of the tape, this means that the tape drive will not read past this, so recovery of the old data is not possible, with a regular tape drive, even though the data is still on the tape.

There are solutions to this, but they are only undertaken by specialist tape recovery companies, and very much depend on the tape and tape drive in use.

This offers an excellent opportunity for forensic investigators to recover data that may have been lost.

Forensics: Deleting and Wiping Data

The subject of hard drive destruction, data wiping, and data deletion is source of numerous, forums, websites, and blogs. Sadly, the vast majority of the information being published is rubbish, and is based on urban myth.

In Yahoo! Answers one commentator described deletion of files as “compression”, with the more a file is deleted the “more it is compressed”, and it just gets” smaller and smaller”, until “only the police can recover it”.  Bizarrely this was voted “best answer”, hopefully “best  surreal answer”.

A lot of the debates about data deletion and hard drive destruction is due to a combination of urban myth, misinformation, old technology, misunderstanding, exaggeration, blaggers and trolls.

This article attempts to resolve some of these issues, and possibly explain why these myths came into existence.

File Deletion: Does this destroy data?

When a file is deleted what happens depends on a variety of factors, how the users deletes the file, what operating system they are using, where the file exists, etc.  However, in the most common file system on PCs (the Windows based NTFS), deletion does not destroy a file but merely prevents the user from accessing the file. Then using “specialist tools” deleted files can, sometimes, be recovered.

Over a period of time the deleted file, if its not recovered, will become destroyed/overwritten by the computer. This is not a deliberate action, rather a by product of computer use.

[Specialist tools are not rare any more, and many can be picked up for free, however they will not always work due to issue such as file fragmentation and user error]

It is possible that a user, in a Windows PC, can hit delete, and then moments later be unable to recover the contents of that file, even with the help of a professional data recovery company. But, this is not common and can not be guaranteed. For this reason deletion of data can not be considered “destruction”.

Hard Drive Wiping: Does this destroy data?

This is the most common myth on the internet. The term “to wipe a drive” means overwrite every single sector on a modern hard drive with another character often FF, or it can be a random character sequence.If this is done correctly the data cannot be recovered.

For the purposes of clarity, this will be repeated: If every single sector of a modern hard drive  is overwritten, then NO DATA can be recovered, and especially not by the police. In fact companies such as Ontrack, who spend millions of dollars on research into data recovery are not able to do this. This wiping does not need to be done 33, 12, or even 3 times. Just once.

The caveats here are “modern hard drive” and “every single sector”.

If every single sector is not over written then data can be recovered, even a fragment of a file stating “The super secret account number is XXX-XXX-XXX and the password is YYYYYY” takes up just a few characters and would easily fit into a single sector, for example the file slack of an active file, can store 100s of bytes of data.

Therefore if the wiping tool does not work correctly, then a sector could be left unwiped, and that sector could contain a fragment of useful text. But with over 1,000,000,000 sectors on a 500 GB hard drive, the chance of one of them not being wiped and containing data that can be understood is minimal. In fact if 1 sector is not over written the chance is just 1 in a billion.

This probability of recovery is reduced when the data type is taken into account. File types such as pictures, PDFs, emails, etc, are not stored in plain text and therefore are even harder to recover. E.g a fragment of an email with the above statement would look like total garbage when recovered from the hard drive, therefore even recovering a fragment, if that did occur may be pointless.

The second caveat is “modern hard drives”.

Old hard drives, the old 10 mb physically large style hard drives were not very efficient or accurate at writing the data to the platters.

For this reason each time data was written onto a hard drive it was feasible that data would be written onto a different place on the physical hard drive, i.e the actual location of data on the platters would change slightly, as the heads did not write the data correctly. Therefore, the theory goes, by using electron microscopes, it was possible to pull out the previous “shadow” data. i.e DataTrack 1 is written onto a hard drive, then DataTrack 2 is  used to “overwrite” DataTrack1, however due to poor alignment of heads, and low quality hard drives, its possible to read /recover DataTrack1, and then piece together this information.

This technology makes several assumptions. 1) The hard drive is old. 2) The hard drive is not working very well. 3) The data can be recovered. 4) Enough data can be recovered, de-coded, and re-constructed to produce any information. 5) The data being recovered is so hugely valuable that it is cheaper to do this, than gain the data than any other way.

Having been invited to a tour of a facility in the US, which claims to do exactly this type of recovery, it is fair to say that type of recovery attempts of this nature did, at some point exist.  However, technology has long since moved on.

Modern hard drives are far more compressed, with a smaller hard drives containing a 1,000 times more data. This alone makes the old method redundant. In addition to this modern hard drives have multiple heads, with data on both sides. This means that piecing together data on different sides of a multiple platters is an almost impossible task.

For this reason no commercial company is able to recover data from wiped data. It should be emphasized that US and UK government agencies use commercial companies for even the most sensitive data recoveries,  as the corporate sector is far more advanced in this arena.  The Columbia NASA disaster, parts of the 7/7 investigations, and the Madrid bombing investigations all required data recovery and all were passed out to commercial companies.

Therefore the idea that GCHQ or MI5 has a super secret lab that can recover data from a wiped drive, is the world of fantasy.

With that said the government has still some pretty old technology in existence and tools (and users) cannot be guaranteed to work properly first time. For this reason Government approved wiping tools are always required to wipe data using multiple attempts.  This is the most likely reason why the myth about multiple wipes, and electron microscopes,  still persists.

But, in the real/modern world any data wiped once is destroyed, and unrecoverable.

How to destroy a hard drive?

Due to stories in the media, which are carefully placed by the PR companies for data recovery companies, it is often believed that anything can happen to a hard drive and the “experts in clean rooms” can recover this data.

Sadly, this is simply not true. The deliberate damage being forced on the innocent hard drives, by the PR controlled media,  is almost as controlled as the reporting, with predicable outcomes. This gives the data recovery company the best chance of recovering the data.

Firstly it must be understood how a hard drive works. A hard drive, in brief, has: Platters which contain the data, heads which read the data on the platters, a motor which spins the platters, and a circuit board which controls the heads and motors, and talks to the computer.

Out of all of these  parts the platters are the only parts which cannot be replaced in a data recovery process.

Data Recovery Myth 1: Fire

Hard drives are often set on  fire to test the ability of a company to recover them. Fire will not touch the platters which are well protected in the casing. Though it may damage the circuit board, which is the easiest part of the hard drive to replace.

Data Recovery Myth 2: Water

Water is more of a risk to hard drives than fire, as the water and  dirt, can get in through the hard drive casing and onto the platters.  This can be resolved by washing the platters with clean water, drying them out, polishing them, and replacing them into a working hard drive

Data Recovery Myth 3: Electric Shock

Electric shocks are sometimes put  through hard drives, this will only damage the electronics, and not the data.  All of which can be placed.

Data Recovery Myth 3: Drop/Hit

Hard drives are often subjected to a variety of impacts. Being dropped out of a window, driven over by a tank, or thrown out of  a car.  Most of these tests have little effect on the hard drive, as it has been powered down first and therefore the heads will not “crash” into the platter. The tests are also not as bad as some may seem – the tank does not put all its weight onto the hard drive, only some of it, being dropped from a car, is only being dropped from a car is only being dropped a few feet and the computer/laptop will act as much of the crumple zone. Dropping the drive out of a window is likely to damage the hard drive circuit board, but this can be replaced.

The results would be very different, i.e from 100% recover to 0%,  if the hard drive was hit while it was spinning. Simply placing a scratch along the length of a platter would  prevent recovery of data.

Hard Drives: 1 TB Solid State

The first ever 1 TB solid state hard drive (flash media) has been released. What makes this all the more amazing is that it is 2.5 inch, not 3.5 inch.

The drive, produced by pureSi, called the 1TB Nitro SSD  (SATA II) , is currently the worlds most compact solid state drive, per GB. 

While those in the data storage business,  data centres, or IT managers maintaining servers,  are no doubt applauding the technology, those in the front line of data recovery and computer forensics are probably groaning as data capcity gets higher and higher.

For those in the data recovery business recovering data from these hard drives is very difficulty (if there is a physical faul), and if there is a logical fault there is more space to go through, which means turn times for data recovery companies will increase.

For the computer forensics industry, the issues of” imaging” (imaging is the process of making an exact copy of the data) has just got worse.  Over the past 5 years hard drives have been getting bigger and bigger, but the imgaging speeds have not been increasing at the same rate.

A 1 TB drive could easily take over 7 hours to image; and as data collections are growing in scale (i.e more users/custodians beign collect), this could pose a real problem.




Specifications for the drive are below.


Feature summary
   --   1TB SSD in 2.5-inch form-factor (highest density ever at
   --   300MB/s SATA II interface
   --   Industry-leading performance
   --   State-of-the-art industrial design

Specifications - Nitro Series SSD:
Capacities: 32GB, 64GB, 128GB, 256GB, 512GB, 1024GB
   --   Transfer rate: 300MB/sec
   --   Sustained read: 240MB/sec
   --   Sustained write: 215MB/sec
   --   Random read (IOPS 4K): 50,000
   --   Random write (IOPS 4K): 10,000
   --   Latency < 100 µsec
   --   MTTF: 2.0 million hours
   --   Temperature (operating): 0°C to +70°C
   --   Temperature (non-operating): -45°C to +85°C
   --   Shock (operating): 1500G, duration 0.5ms, half sine wave
   --   Vibration (operating): 20G peak, 10~2,000Hz, x3 axis
   --   Active: 4.8W typical
   --   Idle: 0.1W typical
   --   2.5in form factor: 100.2mm x 69.85mm x 9.5mm