Data recovery from a Dell server running Windows Server 2008 and the perils of handling old servers…

Data recovery from a Dell server running Windows Server 2008 and the perils of handling old servers… Data Recovery Ireland

Electro-mechanical hard disks are designed to spin continuously. For most 3.5” form factor disks, rotational speed is 5400, 7200 or 10,000 revolutions per minute. If the disk is used in a blade or tower server, for example, it will get cooled by the host’s system fan and will hopefully have a steady supply of clean power. Operating in an ambient temperature, such a disk (whether standalone or RAID) can run for several years without interruption.

However, there is one risk factor which a lot of IT admins forget about. As the disk(s) is running, because it uses an “air bearing”, some external air is inducted. This air is filtered by a tiny filter known as a barometric or breather filter. In addition to this, due to the effects of internal component wear and tear, tiny debris from the platters can also start to accumulate inside the disk chamber. For the most part, even with debris accumulating inside the disk, the read-write process can continue as normal. That is until, some poor IT person gets assigned the task of physically moving the server or migrating its data as they can be in for a nasty surprise.

Take last week, for example where a company in Dublin got into a spot of bother with their old Dell PowerEdge server running Windows Server 2008. Their IT administrator was tasked with the job of decommissioning it. The server was running fine, but was slow and no longer meeting the organisation’s requirements. He turned the system off and carried it back to his basement office with the intention of doing a complete backup. However, back at his office, he switched it on again, only to be greeted with the hue of a Windows Server 2008 “blue screen of death” informing him about an “Unmountable_Boot_Volume”. He removed the disk (Hitachi HDT721010SLA360) and slaved it onto another PC. No dice. In Computer Management, the disk was showing up as “unformatted”. This was the last thing he wanted. So, if this disk was spinning fine for the last 12 years, why did it pick the most inopportune time to kick the bucket?

Well, when you move an old hard disk which has been in-situ for years, the dust and debris collected by its air filter can get displaced. This can result in particulate matter getting strewn across and platters and collecting under the disk-heads, making the drive unreadable.

Drive Rescue took the disk into our clean-room where we removed the head disk assembly and cleaned the disk platters using a process which merits another blog post. We were able to recover 98% of their data.   

Lesson: the benefit of in-situ backups…

Servers can be located in the most uncomfortable places such as under staircases or in cramped comms rooms. The temptation for the IT admin to move an old server and perform a full disk backup in a more congenial environment can be quite strong. However, before moving the server anywhere or removing its disks, it would be prudent to a use a disk replication tool such a Macrium Reflect to copy the server’s volume onto another medium. This should be performed while the server is in-situ. This way, you can prevent any nasty surprises and need the call a data recovery service!

Drive Rescue are based in Dublin. Ireland. We offer a full server data recovery service. This includes Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows Server 2016 and Windows Server 2019. Our service covers both standalone disks (S-ATA, SAS) and RAID (0, 1, 5,6,10)

The problems of locked firmware: data recovery from a 2TB Seagate Ultra Slim Portable Drive (SRD00F1)

The problems of locked firmware: data recovery from a 2TB Seagate Ultra Slim Portable Drive (SRD00F1) Data Recovery Ireland

For years, the firmware of most HDDs was open and made easily accessible by just using a serial connection and the right ATA commands. This enabled data recovery technicians to perform essential pre-recovery housekeeping tasks, such as G-List, P-List and SMART clearing. It also allowed technicians to read and write modules to the ROM. However, with the latest multi-terabyte electro-mechanical disks, manipulation is becoming a little trickier due to manufacturer locked firmware. This fairly recent trend of locked disk firmware can partly be explained by explosive revelations made by Kaspersky Lab in 2015. They discovered a strain of malware dubbed EquationDrug and GrayFish that is capable of dropping a customised installer into an operating system. This enables the installation of a modified controller code onto a person’s hard disk that would act as a persistent backdoor, allowing data exfiltration without triggering any alerts in conventional security controls. Given that governments and corporations throughout the world tend to use standardised equipment, this vulnerability was seen by many security and privacy experts as a grave threat to data integrity and confidentiality. In response to this threat, manufacturers such as Seagate have introduced features like their “Locked Diagnostics Port”, which aims to thwart users from accessing or modifying the disk’s firmware. Seagate has also introduced digital signing of firmware modules.

However, there is another, albeit more commercial reason why disk manufacturers are eager to lock their firmware. Most of the disks’ secret sauce, such as algorithms for error correction servo-track control and thermal-fly height control, are stored in this area of the disk. Not wanting their extensive R&D efforts to be stolen by their competition reverse engineering their disks, manufacturers increasingly just lock down their firmware modules.

The problems of locked firmware: data recovery from a 2TB Seagate Ultra Slim Portable Drive (SRD00F1) Data Recovery Ireland

For the data recovery technician, this can be exasperating. You’re about to perform a firmware repair only to be greeted with the “Diagnostic Port Locked” message… argh!

The side-effect of this development is that data recovery technicians sometimes encounter a brick wall when trying to remedy firmware issues. Moreover, developers of professional data recovery equipment who could previously analyse firmware modules and develop sophisticated disk repair tools are now being thwarted by manufacturer-locked firmware. Not in all cases however.

To circumvent locked firmware modules, some wily data recovery tool developers have designed “special extensions” to the ROM code which can be saved via a boot code and written back to the HDD. Once applied, terminal commands magically start working on the disk again.

The problems of locked firmware: data recovery from a 2TB Seagate Ultra Slim Portable Drive (SRD00F1) Data Recovery Ireland

Last week, we got this Seagate Ultra Slim Portable drive in with some serious firmware issues. The disk inside, a Mobile HDD ( ST2000LM007), uses Seagate’s Rosewood firmware and was not even recognisable to the BIOS. This means that under normal circumstances, very little could be done to repair the disk and access the data. However, using the aforementioned tools, we added a modifed ROM extension to the disk. This enabled us to repair the disk’s corrupt firmware modules and access the user area of the disk containing .CR2 (Canon raw),.DWG (created with DraftSight) and Microsoft Office files. The customer was happily reunited with all their data again. This proves the truism that everything is indeed hackable…

Drive Rescue are based in Dublin, Ireland. We offer a complete data recovery service for Seagate Ultra Slim Portable and Seagate Mobile HDD drives. We have experience of successfully recovering from models such as the ST500LM034 ST200LM007, ST1000LM0048, ST1000LM0035 and ST2000LM0015. We can help you if your Seagate Ultra Slim or Mobile HDD disk is no longer recognised by your PC or Mac. Or, if your disk has been accidentally dropped. Call us on 1890 571 571.

Where is the best place to store a hard disk?

Where is the best place to store a hard disk? Data Recovery Ireland
The domestic attic is one of the worst places to store a hard disk

You’re about to decommission that old desktop or laptop. However, not knowing when you might need the data on it again, you remove its hard disk or just put the whole system up in the attic.

Unfortunately, this is just possibly the worst place to store a hard disk. Attics and hard disks are about as compatible as frogs and lawnmowers or petrol and matches. Your average domestic attic is a place of temperature extremes. Siberian levels of coldness in the winter coupled with Saharan levels of heat in the summer might be fine for storing nostalgic copies of Q Magazine with pictures of Oasis or Blur adorning the cover. Or storing that gym equipment you swore you would use. But it’s not a good place to store a hard disk containing thermally sensitive components. And you don’t need a Harvard degree in Physics or Metallurgy to know that these metallic components will contract when it gets really cold and expand when it gets really hot. That is why, here at Drive Rescue, customers often tell us how the drive they put up in the attic 2 or 3 years ago now clicks when it is switched on or doesn’t spin up at all. They assure us it was working fine when it was first put up there. The type of damage incurred by hard disks which have been exposed to temperature extremes is insidious. You won’t see disk change shape. And unlike that exercise equipment, you won’t see rust marks either. But inside, the delicate disk-head assembly may well be damaged after months of contracting and expanding.  

So do yourself a favour, if you value your data, don’t store old hard disks in the attic. Disks need to be stored in an ambient temperature. They don’t like extremes, so store them in a living room cupboard or a bedroom wardrobe, but for God’s sake, not in the attic.

Have you removed a hard disk from your attic only discover that it’s now clicking, chirping, ticking or not being recognised by your computer? Drive Rescue offer a Dublin based complete hard disk recovery service for most hard disk brands including Hitachi Deskstar, HGST, Seagate Barracuda, Seagate FreeAgent, Western Digital Caviar, Samsung SpinPoint, Iomega External, LaCie and WD Blue. We also offer a data recovery service for iMacs and MacBooks. Phone us on 1890 571 571.