Data recovery from Seagate Laptop Thin HDD 500GB disk encrypted with TrueCrypt

Data Recovery from Seagate Laptop Thin HDD

Last week Drive Rescue recovered data from this hard disk which was removed from a Dell laptop. The disk had a seized spindle (see previous blog post for another Seagate disk with a seized spindle, the recovery process was similar).

The user’s IT support team from a company in Carrick-on-Shannon, Co. Leitrim came to us for assistance because the Seagate disk was making a buzzing noise when trying to initialise.  

Even after recovery, the volume was still inaccessible because the disk was encrypted with TrueCrypt (AES 256 in XTS mode).  However, after the user had emailed us the encryption key, we decrypted the disk and were able to mount the NTFS formatted volume.  All of their Solid Edge (.IGS and .IGES) design files were successfully recovered.

Need to recover data from a Seagate Laptop Thin HDD? Drive Rescue are based in Dublin, Ireland and offer a complete data recovery service for Seagate laptop hard disks. www.datarecoverydublin.ie

Data Recovery from a beeping Seagate Mobile HDD 1TB (ST1000LM035)

The ST1000LM035 is a mechanical 1TB 5400RPM S-ATA mechanical disk from Seagate introduced in 2016. It’s capacity and thin 7mm form factor has proven extremely popular with laptop manufacturers such as Dell, Acer, Asus and HP. The aforementioned companies all desiring to make their computing devices as slim as possible. In turn, since around 2010-2011, hard disk manufacturers have responded by introducing thin form factors (7mm) for their 2.5” S-ATA disks. (The standard 2.5” S-ATA being 9.5mm). However, from our experience spindle motors used in “thin” disks have a high propensity to fail than motors used in standard 9.5mm disks.

Spindle failures such as seizures was an extremely common problem

In early generation hard disks, spindle failures such as seizures was an extremely common problem.  Most of these disks using conventional ball bearings had a tendency to experience a phenomenon known as “non-repetitive run out vibration”. This occurred due to nano-metre inconsistencies found on the bearing balls causing read/write interference. In worst case scenarios the spindle would seize altogether making the disk inoperational.

From conventional ball-bearings to fluid-dynamic bearings

Then around 2002-2003, spindle motor manufacturers began using fluid-dynamic bearings. This was a paradigm shift for mechanical hard disk design. Fluid dynamic bearings use a fluid such as oil between the bearings and the shaft. When the shaft rotates the pressure generated by the fluid helps the bearings move more smoothly. While this led to greater disk reliability, it also made hard disks run more quietly and saved computer users the irritation of having to listen to metallic scraping noises.   

A “slim” hard disk also means a slimmed down and less reliable spindle motor

But the pull of technological innovation never sleeps. Just as spindle motors used in 9.5mm disks were going from “reliable” to “extremely reliable”. Spindle motor manufacturers had to go back to drawing board to design models suitable for 7mm disk form factors. This would mean a complete redesign or a compromised design. Spindle motor size can only be 70-75% the thickness of the disk. Most spindle manufacturers seem to have taken their motor designs for 9.5mm disks and “cut them down to size” to fit the smaller form factor disks. From a reliability standpoint, the “thinner and lighter” trend pervasive in hardware at the moment is a classic example of two steps forward one step back.

Two Steps Forward – One Step Back

With this slimmed down design, the bearings have less room to build a suitable magnetic force needed for a 5400 RPM platter. Maybe this is because the motors used in this form factor are not as reliable as those deployed in 9.5mm disks. (Other 2.5” 7mm disk models such Western Digital’s WD10SPCX and Seagate’s Momentus Thin also exhibit spindle motor problems).

Recovering data from a beeping hard disk

In this particular case, the ST1000LM035 disk which was removed from a Dell laptop was beeping. We transplanted the disk platters containing their client’s data using a customised unwinder tool designed specifically for use with Seagate 2.5” thin disks. We removed the platters and transplanted them into an exact-match Seagate ST1000LM035 donor disk. Platter removal is an extremely intricate job. For a successful transplant, a number of criteria must be met. These include:

  • Perfect alignment between the platter unwinder tool and notches of the platter ring. Otherwise torque forces might incur further damage.  
  • You must apply a clockwise force. Remember, most hard disks spin in an anti-clockwise direction.
  • The platter securing ring must be carefully removed with a tweezers. These must be free from any residual magnetic forces and must not touch the platter surface.
  • The transplanted platter must align perfectly with the notches on the donor disk. This can be achieved by rotating the platter-tool until you feel a slight click.
  • Once the hard disk ramp has returned to its original position the disk lid can be safely closed.

In recovering this disk this methodology was followed. But upon disk initalisation the volume could still not be seen by our host system. Such surprises are to be expected in data recovery. One common reason for such an occurrence is the new spindle not being “tuned” to the new disk.  This can be remedied by using a firmware emulator. We did this and restarted the disk. This time a volume appeared with the client’s Word, Excel, Photos, PDFs and .RVT (Revit) files now being accessible. We performed an integrity check on these and they were perfect. These files were extracted onto a USB portable disk and delivered to a very happy customer.   

Drive Rescue is based in Dublin, Ireland. We hope you have found this post useful and interesting.  We have also successfully retrieved data from the 2TB model (ST2000LM007) of the disk mentioned in this case study. Other “thin” disks which we recover data from include the Seagate Momentus Thin, WD Blue models WD10SPCX, WD10SPZX and HGST Z5K500, 5K1000.

Driving Good Causes

Drive Rescue were recently at the Capuchin Day Centre to present this extremely worthwhile charity with a donation.  We know this does not solve the homeless problem in Dublin but some help is better than no help.

Brother Kevin Crowley and Robert Scanlon of Drive Rescue

Data recovery from external hard disk displaying the “Cyclic Redundancy Check” error message when connected to Windows

A Longford-based customer recently sent a 1TB Seagate Backup Plus disk for data recovery. When connected to a Windows PC, the following error message was displaying:

D:\ is not accessible
Data error (cyclic redundancy check)

Cyclic Redundancy Check is a mathematical equation used to ensure the integrity of data. It works by multiplying the number of bits in the data packet by a pre-determined number prior to data transmission and retains the answer. Once the data is received, it executes the same equation again. If the two answers match, your computer processor knows the data is intact. CRC checking is commonly used in TCP/IP networking but is also in disk-to-disk communication such as when an external hard disk or USB memory device is connected to a computer.
Fix Cyclical Redundancy Check errors
Typically, the Cyclic Redundancy Check error message tells us there is a problem with a storage device. In a small minority of cases, the issue can be resolved by running the Checkdisk (Chkdsk) command on the disk within Windows. However, in the vast majority of cases the Cyclic Redundancy Check error message is indicative of a more serious problem with a disk.

In this particular case the client’s Seagate Backup Plus disk had over 20,000 uncorrectiable bad sectors. We used our specialised data recovery equipment to “read around” these sectors and then performed a “read retry” operation on them. Our equipment does this at a very low level, meaning we can access data which would be otherwise unreadable to operating systems such as Windows, OS X or Linux.
We were successful in recovering all the file types needed by the client. These included .docx, .xlsx and .mdf (Microsoft Access) files. Case was closed with one extremely satisfied customer!

Drive Rescue Data Recovery Dublin offer a complete data recovery service for external hard disk drives such as Seagate Backup Plus, WD My Passport, MyPassport Ultra, Freecom Toughdrive, Maxtor M3, Toshiba Canvio, Transcend and Verbatim. To find out more visit: www.datarecoverydublin.ie

Data Recovery from QNAP NAS (WD Purple X 2)

We recently recovered data from a QNAP TS-253 Pro. This is a popular two-bay NAS device which uses the QTS operating system. This particular NAS was using two WD Purple (WD20PURX) S-ATA disks formatted with EXT4. Even though the device was set up in a RAID 1 configuration – it experienced an event which corrupted the firmware of both disks. The problem was surmountable as we recovered 100% of the client’s data, but this case presents a number of important lessons in secure data management.



Why using WD Purple are not a good idea for general data storage

The roots of the problem go back to when the device was first set-up. Their IT administrator chose two WD purple disks. These 5400 RPM disks are primarily designed for use with NVRs (network video recorders) and DVR (digital video recorders). The firmware in them is optimised for constant ATA streaming of contiguous data. It is not really designed for the kind of random reads and writes as you would expect in an administrative office. Moreover, the error correction algorithms used in these disks are tuned for speed with data integrity taking a back seat. It is really not surprising then that just after a couple of months usage – the data on the volume became inaccessible. And of course, Murphy’s Law kicked in with both disks failing simultaneously.

How this data loss situation could have been averted.

Ideally, the client should have been using WD Red disks (or other disks designed for NAS) to prevent this problem from occurring. And of course, they should have been backing up their QNAP. A NAS (even configured in RAID 1) is not a backup in itself. They should have been using an app such as Duplicati backing up an off-site server such as S3 or B2.

Recover Data from a Corrupt VHD

As virtualisation becomes more prevalent, it’s nice to have some VHD recovery tools in your arsenal. One great tool that we can recommend is Hyper-V Recovery from SysTools. If you have a VHD which has become corrupted or inaccessible, give it some tender loving care with Hyper-V Recovery. It uses smart algorithms bundled with an intuitive interface to repair the dynamic and static VHD files on FAT and NTFS.

Data Recovery from Lenovo Thinkpad X1 Carbon SSD (SanDisk)

A customer recently delivered a Lenovo Thinkpad X1 to us for data recovery. When the system would start, the error message “a disk read error occurred” would appear on the screen. The POST process will halt at this point.

We opened up the system and found a proprietary SSD made by SanDisk (SD5SG2-256G) using a form factor of (70mm x 20mm) and a 20+6 connector pin. Proprietary SSD form factors and connectors were common in the early days of mass SSD deployment in laptops and tablets as device manufacturers raced to make their devices as thin and light as possible.

The SanDisk SSD recovery process.

We put the drive into “technological mode”. This is the same mode SSD manufacturers use to perform disk repair and diagnostics. Then using a custom-adaptor for this SSD we connected it to our firmware emulator and uploaded a Marvell 88SS9174 firmware module. The Windows 10 and recovery partition appeared but was still not readable. However, adjusting read parameters on our equipment (which dynamically adjusts voltages used to read NAND cells), we able to access the volume in full. All the customer’s Word, Excel, Calc and Quantrix were successfully recovered onto a USB external disk.

The Perils of Problem Fixation: what End-Users and Sys Admins can learn from Aviation Accidents

The tail fin of flight Air France 447 – Problem fixation can have tragic consequences.

On the 29th of December 1972 Eastern Airlines flight 401 takes off from a bitterly cold New York en route to Miami. 163 passengers are on board, most of them hoping to celebrate the New Year in the sun. Approaching Miami the pilot presses the button to activate the landing gear. Normally, a green light illuminating in the cockpit indicates successful deployment. However, in this case, no green light illuminates. The crew removes the bulb and blow on it to remove any dust. They screw it back tightly. Meanwhile, they fail to notice that the autopilot has become disengaged and the aircraft is now losing altitude. However, the crew is so fixated on fixing the bulb they fail to notice the rapid descent of the aircraft. Being night time, they have little visual cues. Their aircraft stalls and hits the ground. Only 75 of the 163 passengers survive the crash.

Fast forward to 2009, Air France flight 447 leaves Rio bound for Paris. Just three hours into the flight, the aircraft’s pitot tubes (used to detect airspeed) malfunction. This causes the autopilot to disengage. The cockpit becomes a cacophony of sirens and alarms. The pilots fixate on raising the plane’s nose when they should have been lowering it. The aircraft stalls. Tragically, according to aviation experts, the type of stall their aircraft experienced was recoverable from. However, the pilots were so fixated on raising the plane’s nose – they fail to recover the aircraft from its stall and it plunges into the South Atlantic.

Problem Fixation and IT Troubleshooting

These two cases illustrate how problem fixation can sometimes have tragic consequences. You might be thinking how does this relate to data loss? Well, unfortunately, problem fixation is also an issue in the world of information technology. Hard disk failure provides a classic example of this. When a disk is failing, some end-users and sys admins can easily mistake the symptoms of a failing disk with another un-related problem. This is understandable because symptoms of a failing disk will often manifest themselves in unexpected ways. For example, a failing disk can cause an operating system such as OS X or Windows to throw up all sorts of spurious error messages. This can lead to some frantic googling of symptoms which have little or no relation to the real problem. Likewise, the symptoms of a failing hard disk can often mirror those of failing hardware components such as RAM or graphics cards. And then of course, there is the issue of viruses and malware – the symptoms of which also closely resemble those of a failing disk. Applications may fail to start or run painfully slow. Some users will perform virus and malware scans in their efforts to remove a non-existent infection. The potential for problem fixation does not end there though. When a failing external hard disk is connected to an operating system spurious error messages like “Data Error – Cyclic Redundancy Check” (Windows) or “you need to format the disk in drive E: before you can use it. Do you want to format it?” (Windows) can be thrown up. As for NAS devices, these can be a veritable Pandora’s box of cryptic error messages which users can end up fixating on. Take for example, Buffalo’s error coding system which begins with “E”. You might get an ”E13” message or “E14” “E15”, “E16” “E22” “E23”or “E30”. All of which might look like something written on the back of a packet of Skittles but are all basically reporting the same thing “there is something seriously wrong with one of your disks”. However, if a user goes down the Google rabbit hole with these error messages – valuable time can be lost, all while a disk’s condition might be deteriorating rapidly.

Don’t Fixate on Error Messages or Symptoms

The philopsher William of Ockham (of Ockham’s Razor fame) once said “With all things being equal, the simplest explanation tends to be the right one”. And there is some truth to this. If a computer system or storage device is acting strangely – sometimes going back to basics is a worthwhile strategy. Start off with performing disk diagnostics first to find out whether the disk(s) are healthy or not. But fixating on particular error messages wastes valuable time especially when the underlying problem might be a failing disk. Finding this out quickly affords you the opportunity to perform a complete disk backup and possibly negating the need for a data recovery service!

Drive Rescue Data recovery is based in Dublin, Ireland. We recover from portable hard disks (LaCie, Seagate, Toshiba, WD), laptop and desktop disks (HGST, Seagate, WD). We also offer a data recovery service for SSD disks (including Micron, SanDisk, Crucial), DAS devices (Lacie and G-Tech) and NAS devices (Buffalo, Synology and ReadyNAS). Phone us on 1890 571 571 www.datarecoverydublin.ie

How to Recover Deleted Emails from a Gmail Account (GSuite Edition)

Drive Rescue normally performs data recovery from physical storage devices such as hard disks, SSDs, USB, memory cards, servers and NAS devices. But last week, a customer from an island off the west coast of Ireland called us desperately wanting to know how to recover deleted emails from their Gmail (for business /GSuite account). Thankfully, Gmail stores deleted emails for the last 30 days. Moreover, the data recovery process for this is a cinch.

To recover deleted emails from Gmail (GSuite Edition) is relatively painless.

1) Login to the account needing recovery at: admin.google.com
2) Click on More
3) Click on Restore Data
4) Select the Data Range (remember 30 days is the maximum amount of time you can wind back to)
5) Select the application. Google Drive is the pre-selected as the default, but using the drop-down arrow, you can select Gmail.
6) Click on Restore.
7) Your deleted emails from the last 30 days should now be recovered.

The same more process can be followed for recovering data deleted from Google Drive. You just select “Drive” instead of Gmail. Easy peasy!

How to Test a Hard Disk

Accurate hard disk monitoring and diagnostic tools are an essential part of every IT admins toolbox. So, we’ve put together a short list of hard disk monitoring and testing tools along with some best practice tips on their operation.

Hard Disk Monitoring and Diagnostic Tools 2018 

For Windows:

Hard Disk Sentinel – nice simple monitoring tool which indicates disk health and temperature.

HDDLife – another reasonably accurate hard disk monitoring tool. Also comes in an SSD variety (SSDLife).

CrystalDiskInfo – Fantastic benchmarking tool which indicates sector reallocation count and un-correctable sector count.

HD Tune – Offers a nice graphical representation of disk performance and scans for errors. Supports SSDs like OCZ and Samsung.

Computer manufacturers like Dell and Lenovo offer their own built-in disk diagnostic tools. The latter offers their Lenovo Solution Center tools while Dell offers their Pre-Boot System Assessment. Both do a reasonable job of testing mechanical hard disks.

Testing a Seagate, WD or HGST hard disk using manufacturer utilities.

The disk manufactures themselves also offer diagnostic tools like SeaTools (Seagate) and WD Lifeguard (Western Digital). HGST offer their Windows Drive Fitness Test (WinDFT). For some reason, Toshiba offer no disk diagnostic tools at all!

 

Testing an Apple Mac hard disk

There is a huge paucity of accurate disk monitoring or testing tools for Apple’s OS X. Many end-users erroneously believe that the “First Aid” utility provided by Disk Utility can check the health of a disk – it does not! It just checks the integrity of the file system.

If you need to test the hard disk in an Apple Mac, we highly recommend SMART Utility from Volitans Software which really stands out from the pack for its accuracy and reliability

Solid State Disks are different…

Because SSDs are designed using manufacturer-specific schemas, for best accuracy you really need to download their own diagnostic utilities. Most of these can be found on the relevant manufacturers’ website.

SanDisk – SanDisk SSD Dashboard

Samsung – Magician

Crucial – Crucial Storage Executive

Best Practice Tips on running Accurate Hard Disk Tests

1) If your hard disk diagnostic test halts half-way through and appears to have frozen. This can be indicative of a defective hard disk.

2) It is important to remember that a hard disk diagnostic test will not always detect early stage failure. This is because most diagnostic utilities only randomly scan certain sectors of the disk. Even a long-diagnostic test might “pass” a disk in the early stages of failure. This is because under most jurisdictions, manufacturers are obliged to offer an RMA policy (return merchandise authorisation) and most have set quite a high threshold for a disk to be deemed “failed”.

3) Most firmware issues will not be detected by hard disk diagnostic utilities.

4) If you suspect software, malware or OS issues are interfering with the accuracy of the test, slave the disk to another system (using a direct M.2 / NGFF/ mSATA / S-ATA / P-ATA connection to the system’s motherboard or just use a USB dock) Alternatively, you can use a bootable ISO containing hard disk diagnostic utilities.

5) Remember that some bootable diagnostics such as Seagate’s SeaTools for Dos will only run if the system’s BIOS/UEFI is in IDE mode (as opposed to AHCI mode)