The latest storage trends: Embedded World 2023, Nuremberg.

The latest storage trends: Embedded World 2023, Nuremberg. Data Recovery Ireland

Last week Drive Rescue attended Embedded World 2023 in Nuremberg, Germany. This is one of the biggest convergences of Asian, European, and American disk manufacturers in Europe. Some of the latest NAND-based storage devices were on display. Moreover, it was a pleasure to discuss the latest storage trends from teams all over the world.

How the EU’s Right to Repair legislation might influence computer manufacturers’ choice of storage disk in the future

The European Commission is expected to implement Right to Repair legislation which will impact manufacturer component choices in devices such as PCs, laptops, and mobile systems. For example, by 2027 most manufacturers selling electronic products in the EU market will have to devise designs for removable batteries. It is also speculated that the implementation of non-removable SSDs (such as eMMC flash memory and BGA SSDs) might also be discouraged by future EU regulation.  

The Dangers of QLC NAND

For those involved in the procurement of SSDs, you might have noticed some manufacturers offering QLC NAND in some of their drives. Many disk manufacturers at Embedded World 2023 were unanimous and candid in their sentiments regarding QLC NAND. While QLC NAND (4 bits per cell as opposed to 3 bits per cell for TLC NAND) is faster and cheaper, it also wears out a lot quicker. For example, some QLC NAND only allows for a paltry 100 Program/Erase (P/E) cycles. Applications such as those used in crypto-mining, data-logging, RAW continuous burst photography and video recording would chew up these cycles in no time – leaving you with a burnt-out SSD. The bottom line is that QLC-based SSDs are fine for use cases such as PCs and laptops used for internet browsing or basic office tasks. But using QLC SSD for any sort of write-intensive applications could be asking for trouble.  

SSDs and Vibration

The difference in durability between SSDs and HDDs is stark. Drop a laptop running an HDD on a relatively hard surface and more likely than not you could be looking at some disk-head damage. Drop an SSD-running laptop on the same surface and the disk will hardly notice. However, SSDs are not as hardy as you might think. Heat can damage them, and also vibration. The super-nice team from Biwin Storage (OEM manufacturers for HP, Lenovo, and Acer branded disks) explained just how insidious continued SSD exposure to vibration can be. In vibration-heavy environments such as manufacturing facilities and ship’s engine rooms, vibration can loosen the solder joints between NAND ICs and the disk’s PCB. This can result in a failed SSD. For this reason, Biwin Storage have introduced SSDs which use an “underfill” epoxy-resin coating which secures a stronger adhesive bond between the NAND IC soldering balls and the PCB. This makes disk failure due to vibration much less likely to occur.

The latest storage trends: Embedded World 2023, Nuremberg. Data Recovery Ireland
An Apacer CorePower SSD using Tantalum electrolytic capacitors.

Power Loss Protection

NAND-based storage devices with in-built power loss protection were a huge theme at Embedded World 2023. Sudden power loss can be a huge issue in sectors such as manufacturing, where machinery or PLC controllers subject to sudden power loss can result in hours (or even days) of downtime. This power loss can occur due to an overburdened power grid (a very common problem in some countries), or it can be the result of human error. Some manufacturing operatives will sometimes kill power to machinery before it has fully shut-down – resulting in data loss.

SSD Controllers and VW Golfs

The controller chip is at the heart of any SSD device. It manages data reads, writes, and erase functions. It performs data scrambling. It performs encryption. It performs error correction, garbage collection, and wear levelling. You could say that the SSD controller is the brain of the disk. A representative from Transcend (a major SSD manufacturer) described controllers as being like VW Golfs. The latest generation Golf is going to be more efficient and more sophisticated than the last one. And that’s an apt analogy. SSD controllers are vastly more sophisticated than those from a decade ago. For a start, they use less power. Some of them have already deployed 5th-generation LDPC error correction. Some use dynamic scheduling. And some controllers now even have the ability to predict bit errors before they happen using Predictive-LDPC (Pre-LDPC). All a far cry from the early 2010s when SandForce controllers were seen as top-end…

The latest storage trends: Embedded World 2023, Nuremberg. Data Recovery Ireland
A Kioxia CD7 SSD using EDSFF (Enterprise and Datacentre Form Factor)

The new SSD form factor for enterprises and data centres

Just when you thought another SSD form factor was impossible – along comes EDSFF (Enterprise and Datacentre Standard Form Factor). This has been developed by the Storage Networking Industry Association (SNIA) in response to the demand from enterprise and data centre customers for an alternative to the M.2 form factor. There are a number of reasons why M.2 is not that suitable for this cohort of customers. Firstly, M.2 disks are relatively small. Even the “2280” iteration is only 20mm by 80mm in size. This allows limited space for NAND flash chips. In contrast, the EDSFF E1 form factor is 318.75mm in length. This extra surface area not only allows for more NAND but also greatly facilitates more heat dissipation. Moreover, in terms of data bandwidth, EDSFF has a theoretical architecture of PCIe x16. In reality though, at the time of writing most manufacturers such as Kioxia are just using PCIe x4. And another great advantage of the EDSFF standard is it’s hot-swappable. In theory, at least, making the serviceability of these disks much easier.

Drive Rescue are based in Dublin, Ireland and offer a complete data recovery service for SSDs. Contact us on 01 485 355.

An Olive Oil Disaster and Data Recovery from a 1TB Seagate One Touch

An Olive Oil Disaster and Data Recovery from a 1TB Seagate One Touch Data Recovery Ireland

We came across a rather interesting case recently. One of our customers, a videographer for a Dublin-based marketing agency, was on assignment in Parma, Italy. The video footage for a multinational food company took two days to shoot. After the first day of filming, the SD card inside their Sony Alpha camera was running a bit low on space. Luckily, they had brought a small portable Seagate One Touch external drive with them. So, after the first day of filming, they were able to transfer their footage (XAVC-S, a proprietary Sony video format) to the external drive. Before they wiped the card, they dutifully checked the folder size on the One Touch disk to make sure it was the same as on the SD card. It was, so they formatted the card and popped it into the camera ready for the shoot the next morning. What could possibly go wrong?

As expected, the second day of shooting did not take as long as the first. After filming, they brought their camera gear back to their hotel and took a stroll around the city. They came across a shop selling artisanal food produce where they bought some cheese and olive oil.

Back in Dublin, they opened up their flight bag and, to their shock, discovered an unbelievable mess inside. It was like a mini-Amoco Cadiz disaster had unfolded inside – except with extra-virgin artisanal olive oil in lieu of crude oil. It now dawned on them what must have happened. The artisanal olive oil bottle had a cork top on it. This must have popped due to the air pressure on the flight home. Their clothes were sodden with this viscous liquid. And to their horror their Seagate One Touch was covered in it. They were now getting flashbacks of formatting that SD card. This was turning into a nightmare. Miraculously, their Sony Alpha camera ensconced inside a camera case escaped a soaking.With some trepidation they connected their One Touch drive to their MacBook’s USB port. It was dead as mutton.   

On recommendation of a colleague, our distraught customer delivered the disk to Drive Rescue. Our diagnostics revealed a dead PCB. Opening the main chamber of the disk (Seagate ST1000LM024) in our clean room thankfully did not show any olive oil ingress. Phew! In this particular case, anything could have been wrong with the PCB. It could have been a failed IC (chip) such as a diode, transistor, or motor controller chip. Or, the problem could have been related to a short-circuit on one of the tracks. We took the decision to replace the PCB with a new one which we had already in stock.

Now we would need to de-solder the ROM (EEPROM) chip off the old PCB. This is a crucial step because this tiny chip contains servo parameter adaptives unique to the drive. This would need to be transferred to the new board.

The clean-up process:

Before we started the de-soldering process we used copious amounts of isopropyl alcohol to clean up the olive oil. (In this case, flux would have been of little use because that really only works well in cleaning oxides). Using a hot-air gun and with the assistance of anti-ESD tweezers we removed the Windbond ROM chip from the Seagate’s PCB. It was vital that the temperature of the hot-air gun was correct so as not to damage this tiny chip.

An Olive Oil Disaster and Data Recovery from a 1TB Seagate One Touch Data Recovery Ireland
Winbond ROM Chip pin-out design – such a chip plays a crucial role in storing HDD servo-adaptive information.

We then carried out the same de-soldering process on the new (donor) PCB.

It was time to micro-solder the original ROM of the damaged drive onto the new PCB. This was the most intricate part of the task because the pin of the chip must align perfectly with the 8 place markers of the chip. Just one of these pins out of place and the chip will not make a proper bond with the PCB. This process involves adding a tiny piece of solder to each of the markers. Too much solder applied here will result in “solder bridges” – a surefire way to create a short-circuit.

After waiting a while for the solder to cool and settle, it was then time to place the PCB back onto the disk and see if it would ID. The disk ID’d successfully and the HFS+ volume appeared. Their X-AVC S footage could now be transferred to another disk.

Lessons from this case:

The important lessons of this case… Firstly, don’t skimp on SD cards. They are relatively cheap these days. Formatting an SD card with an active workflow on it is really not a good idea – even when you have it backed up to a second location. Secondly, liquids should never be placed in the same luggage as electronic equipment. Ideally, electronic equipment, including hard portable disks, should be transported in a protective case such as those made by Peli. These cases use watertight O-ring seals which ensures IP-67 liquid resistance. They also use foam padding to protect your equipment from shock damage. A worthy investment!

Is your Seagate One Touch not showing up on your Windows or Mac computer? Drive Rescue offers a complete clean-room data recovery service for Seagate One Touch external drives which are inaccessible or clicking, such as the Seagate One Touch 1TB, Seagate One Touch 2TB (STKB2000400), Seagate One Touch 4TB (STKC4000402) and Seagate One Touch 5TB (STKC5000400).

What to do when the “Sanitize” (SecureErase) function of Crucial Storage Executive SSD management software won’t work…

What to do when the “Sanitize” (SecureErase) function of Crucial Storage Executive SSD management software won’t work… Data Recovery Ireland

One of the system administrators of a healthcare organisation recently contacted us.

They were decommissioning around 18 of their Dell laptops. For data security purposes, he removed all the Crucial MX500 S-ATA SSDs from the systems and attempted to use Crucial Storage Executive software (hosted on a desktop PC) to perform a SecureErase function on them. The only problem was SecureErase was not executing on any of them. This left him with in a bit of a pickle because even just formatting the SSDs using Windows Disk Management is not considered secure. This is because, there is a high probability that a “Windows format” is going to miss areas on the NAND flash of the SSD like the user space area, the overprovisioned space, the spare blocks and bad block locations. SecureErase is designed get into all of these nooks and crannies.

He was beginning to think the problem was related to the TPM chips inside the Dell laptops and was not relishing the prospect of re-inserting all the SSDs. As a previous customer of Drive Rescue, he contacted us – did we have any suggestions?

Get the Sequence Right…

We did actually! This is a known problem with the Crucial Storage Executive software.  Sometimes, the “PSID revert” utility has to be run before “Sanitize”. PSID revert involves reading the label of the disk and inputting the PSID code, as written on Crucial MX500 series SSDs, into the CSE software. Without following this sequence, the Sanitize (SecureErase) function will not work. This is just a quirk of the SSD management software.  

This morning we got a nice Starbucks gift card in the post from the kindly systems admin who was very relieved to have found a quick and secure solution to this problem.

Is a hard disk damaged by fire recoverable?

Is a hard disk damaged by fire recoverable? Data Recovery Ireland
A fire damage hard disk with extensive burn marks on label. However, the label in this case is still partially readable.

Surprising facts about disks and fires…

Successful data recovery from a hard drive which has been exposed to a residential, office or industrial fire depends on a number of factors. These include factors such as the level of exposure to the fire. It depends on the level of smoke particle ingress. It depends on whether the label has been burnt or not. It depends on whether the disk is a hard disk drive (HDD) or solid state drive (SSD). And recovery can also depend on how much exposure the disk had to fire suppression agents such as water.  

Burnt disk labels – If you have an HDD or SSD damaged by fire, sometimes the biggest challenge can be a burnt label. The reason for this is simple. If you have an HDD with a fire-damaged PCB but is otherwise mechanically sound, using specialised data recovery equipment such as PC-3000 it’s firmware can be emulated and the volume read. However, in order to emulate a disk’s firmware, you need to know the disk family and the model number. Without this firmware information emulation cannot take place. Similarly, if an HDD involved in a fire requires a head-disk assembly (HDA) replacement swap, it’s also imperative to know the model number. HDA swap operations need to use exact-match donor parts.  Likewise with an SSD, you might have a fire damaged SSD which could be read using disk emulation. But you need to know the model first. You also need to know what controller chip the disk using. We really wish disk manufacturers would use fire retardant labels…

SSDs will survive a fire better than a HDD – The NAND chips on SSDs can survive temperatures of up to 300 degrees Celsius. (Controller chips are much more sensitive to heat though) In contrast, HDDs exposed to temperatures of over 60 degrees Celsius you will see bit errors start to multiply. Moreover, with HDDs exposed to fire their disk-heads are liable warp and are also liable to make contact with the platters due to excessive heat.

The water damage incurred by sprinkler systems or fire crews can be worse than the damage incurred by the fire itself – This one surprises a lot of people, but water (used for fire suppression purposes) often does more damage to hard disks than the fire itself. Within a very short space of time, micro corrosion sets in on the PCB components (such as diodes, capacitors and tracks) causing short-circuits. These short circuits can prevent a disk from initialising.    

Smoke Damage – Electro-mechanical hard disks are hermetically sealed units designed to block out any contaminated air. They use a rubber gasket to secure the seal between the chamber and the lid. Even in polluted industrial environments, this mechanism works well at keeping contaminants out. However, the intense heat of a fire can cause a disk’s rubber gasket to deform or melt paving the way for the ingress of smoke particles. For the disk, this can be catastrophic. Smoke particles on the platters are the equivalent of rocks on a railway track. These particles can accumulate under the disk-heads blocking the read/write signals, scouring the platter surface but can also cause the disk-heads to overheat.

Is a hard disk damaged by fire recoverable? Data Recovery Ireland
A fire-damaged PCB board.

Practical Tips

  • Off-site backup provides the best protection against data loss due to fire damage. Even if you think your premises has a low fire risk, it can often be an adjoining premises that’s the source.   
  • Your server or comms room should have a high-sensitivity smoke detection system (HSSD) smoke detector installed which is regularly tested.  
  • Try to maintain an off-site inventory of disks inside your systems. A record of disk model numbers can sometimes make the difference between a failed or successful recovery. IT asset management tools like LanSweeper can automate this task.
  • If adopting a belt-and-braces approach in mitigating the fire risk to your data, you could consider fire-retardant DAS and NAS solutions from ioSafe. These storage devices running DSM (from Synology) offer protection of your disks from fires up to 840 degrees Celsius for up to 30 minutes. They also offer IP68 water protection – very useful protection from sprinkler systems and over-zealous fire crews.  

Data Recovery of VMDK files from HP Proliant Server

Data Recovery of VMDK files from HP Proliant Server Data Recovery Ireland

HP Proliant servers are a very common on-premise server in Ireland. These systems come in two main form factors – blade or tower. Their blade series includes models such as the DL360, DL380 and DL385. While their tower series includes models such as ML10, ML110 and ML350.

Recently, we recovered data from an HP Proliant ML350. This Windows Server 2019 server running VMware virtualised machines. Using 4 X HP SAS disks, it’s RAID 5 array had gone into degraded mode. While this can be very frustrating, “degraded mode” is actually like a self-protection mechanism of the server. It occurs when unrecoverable errors are detected in one or more of the disks. Its role to prevent any further damage that might occur due to silent data corruption. The server subsequently became unbootable.  

Examination of the 4 x 1.2TB HP SAS (EG001200JWFUT) disks (formatted in EXT4) proved interesting. Disk 0 was fine. Disks 1 and 2 were seriously over-heating. Our infrared thermometer recorded temperatures of 48 and 49 degrees Celsius respectively. While disk 3 was clicking. Great…

We made bit images of each of the 3 working disks. Then using a SFF-8492 cable we connected each of the disks to our Areca SAS card. It is important to note that this PCIe card was not a RAID controller. The last thing you want is for a RAID rebuild process to initiate with a missing disk. Specialised software is required. Using a non-RAID SAS card means the integrity of the images remains sound.

Data Recovery of VMDK files from HP Proliant Server Data Recovery Ireland
HP SAS Disk x 4

We now had to ascertain the exact RAID parameters used in the original array. If you don’t use the exact parameters, corrupted files will be inevitable. The HP documentation as to the parameters used, was unsurprisingly lousy. Therefore, we used a HEX editor to find the original RAID parameters – namely the block size, the offset and the block order. With these parameters now electronically recorded using the high-tech medium of Microsoft Notepad and using specialised RAID re-build software, we could start the re-build process. This took a number of hours, but eventually, we had on our recovery system several VMDK and -flat.vmdk files. Exactly what we were looking for! Our file integrity checks revealed all files to be intact. The client was extremely fortunate. Some VMDK virtual disk files can be unwieldy, fragmented and liable to corruption during RAID array failure events. Anyway, the client’s data (Excel files, PDFs, ROS certificates and BrightPay payroll data) could now be extracted onto a 4TB external disk for delivery.

This recovery process saved this Dublin accountancy practice hours and hours of labour time that would otherwise have been spent reconstructing files.

How RAID 5 failure and recovery could have been prevented…

First of all, RAID 5 should not be considered a backup. In this particular case, the client should have had a valid up-to-date backup of their main server. There are swathes of virtual machine backup applications (such as Veeam and Nakivo) out there which can backup locally and to the cloud.

RAID 6, which users dual-parity can sometimes be a better and safer alternative to RAID 5. This is especially true in cases where disks are over 1TB in size which is commonplace in many of even the most basic servers.

If your on-premise RAID server stores a lot of data that is infrequently accessed, you should have a data scrubbing regime in place. The scrubbing process reads all the data and checks for consistency. For some file systems like BTRFS, you can use the “BTRFS scrub” command. For EXT4, it does not checksum data. However, it does allow for metadata check-summing which can help detect early disk problems.

Drive Rescue is based in Dublin, Ireland. We offer a complete RAID data recovery service for HP Proliant and HP Microserver systems. Whether your data is stored in bare metal format or VMDK, VDI or VHD virtual disk formats – we can help recover your data.

How to recover data from encrypted storage devices without the encryption key.

How to recover data from encrypted storage devices without the encryption key. Data Recovery Ireland

Without an encryption key, if threat actors or intelligence agencies cannot access an encrypted storage device such as a laptop HDD, contrary to popular belief, they will not try to brute force it. Nor, will they use a quantum computer. If it’s really important, more likely than not, they will deploy what is known as a side-channel attack. Such an approach does not endeavour to “break” the encryption of the storage device, but rather, gain access to the protected volume by side-stepping it.

One of the most common side-channel attacks exploits DMA ports. But what are DMA ports? Well, first some context, in the 1990’s with the proliferation of multimedia use, some computer manufacturers wanted to equip their devices with data transfer speeds faster than the 1.5 Mbps or 12 Mbps afforded by USB 1.0 and USB 1.1. This gave rise to DMA ports such as FireWire (IEEE 1394) which allows peripheral hardware devices to access the host memory directly. In the mid-1990’s, Sony and Apple were pioneers in equipping their devices with FireWire ports, giving their multimedia users vastly improved data transfer speeds. So, for example, in the early 2000s, USB 2.0 allowed transfer speeds of 400Mbps while FireWire 800 (IEEE1394B) enabled double those transfer speeds. Today, on consumer and enterprise-class computing devices, the most common DMA ports in use are Thunderbolt and USB Type-C. Lesser known hardware components having DMA access include network cards and external GPUs.

How to recover data from encrypted storage devices without the encryption key. Data Recovery Ireland
ThunderBolt USB-C ports on a MacMini system

How DMA ports can provide a backdoor to your data

Ok, so let’s say you have a HDD or SSD in a laptop which is using a full-disk encryption application such as BitLocker? Could a threat actor access your data? Theoretically, yes! Here are a few side-channel permutations to consider.

Cold Boot Attack – This type of attack occurs when a threat actor performs a memory dump from a computer system’s RAM. This attack vector exploits remanence – a phenomenon where some data still resides in RAM shortly after the power of the host system has been turned off.  

How to recover data from encrypted storage devices without the encryption key. Data Recovery Ireland
A TPM module from Asus. This connects the Lower Pin Count bus on a computing device. This same bus can be sniffed…

Recovering a BitLocker Key using an FPGA and data sniffing software – Microsoft and many hardware manufacturers extoll the virtues of using a Trusted Protection Module (TPM) to store the cryptographic keys of BitLocker. Unfortunately, this is not as secure as most people think. For example, using a field programmable gate array (FPGA) card (such as a Lattice Ice 40) combined with software like LPC_Sniffer, which can sniff BitLocker Volume Master Keys from the Low Pin Count bus used by the TPM chip. However, this only works if BitLocker’s pre-boot authentication is disabled.

How to recover data from encrypted storage devices without the encryption key. Data Recovery Ireland
Combined with software like ThunderClap, a FPGA card such the Intel Aria can be used to circumvent Apple’s FileVault encryption.

Bypassing Apple File Vault Encryption using ThunderClap – Some Apple users believe that if their MacBook is encrypted with FileVault 2 that they are immune from such attacks. Not according the developers of ThunderClap however. This powerful software, used in conjunction with an FPGA card (such as Intel Arria), mimics an Ethernet card and enables the sniffing of data packets to and from an encrypted macOS system.

But surely, software and hardware vendors have implemented protections against DMA attacks?

Software and hardware vendors are well aware of such attacks. This is why they have introduced input-output memory management units (IOMMUs). This acts as a gatekeeper to the system memory only allowing privileged devices to access sensitive memory regions. Apple was one of the first mainstream computer manufacturers to embrace this technology enabling it by default on OS X 10.8.2 Mountain Lion. Today, macOS is one of the few mainstream operating systems that has IOMMU enabled by default. However, even in macOS, its implementation is not fully watertight. Some security researchers have found that a single IOMMU page uses shared mappings (i.e. user data could be stored in the same memory space as the peripheral used by the attacker). So, for example, a threat actor or investigator could in theory, use a modified hardware device such as a trojanised Thunderbolt dock to access the memory of a macOS system. This operating system is supposed to be protected from rogue hardware devices (like a modified Thunderbolt dock) by hardware whitelisting. However, this security mechanism could be easily thwarted by using an “Apple approved” PCIe bridge board (taken from a Thunderbolt dock, for example) and using that to bridge a nefarious DMA device.

Aside from IOMMU, there are other protections against DMA attacks. For example, Microsoft provides Kernel DMA protection for Windows 10 and Windows 11. But, in Microsoft documentation, there is rather worrying admonition that “This feature doesn’t protect against DMA attacks via 1394/FireWire, PCMCIA, CardBus, ExpressCard, and so on”.

How to access an encrypted SSD just like the CIA…

The “DarkMatter” files of WikiLeaks gave us a brief insight into how intelligence agencies like the CIA access encrypted hard disks. Not surprisingly, they don’t use any FileVault or BitLocker “bruteforcing software” which tries to use multiple combinations of passwords to bypass disk authentication. Instead, and perhaps not surprisingly, they exploit DMA ports. More specifically, it was discovered that they use a device known as a Sonic Screwdriver. This device, using modified firmware of a Thunderbolt-to-Ethernet adaptor can change the boot path of MacBooks whilst injecting keylogging malware into system files which have the ability to harvest encryption credentials.

We need to talk about self-encrypting SSDs…

The term “Self-encrypting disks” (SEDs) has to be the biggest misnomer in the data storage world ever! SEDs basically use an AES processor to enable encryption. The data is protected using a disk encryption key (DEK). Each disk is automatically encrypted with this. For users, such as governments and corporate entities, it means that disks can be erased by simply deleting the key facilitating easier asset decommissioning and disposal. And while “self-encrypting” drives are encrypted, for most SSD manufacturers, by default, any sort of authentication protocol is disabled. This means that while their users are very re-assured by using a “self-encrypting disk” the reality is, if that disk was lost or stolen, any dog on the street could connect it a standard PC system and all their files would be accessible. Moreover, even if authentication on self-encrypting drives (SED) is enabled, many S-ATA SEDs can be subject to what are known as “hot plugging attacks”. This involves an adversary or investigator disconnecting the S-ATA data connector of a disk and connecting a data cable of another system without cutting its power. In a substantial number of cases, this normally grants access to the data because the SED, even with authentication enabled, still thinks it is connected to the original host. The main condition needed for this approach to work is that the second system, to which the disk is being connected, must have a hot-swap compatible motherboard.  

And another problem with self-encrypting drives is the unknowns involved with Vendor Specific Commands (VSC). Basically, every SSD manufacturer has their own language command set for their disk models. These commands can be used for diagnostics, maintenance and firmware repair. They are also proprietary – therefore not very open to public scrutiny. And, like with any proprietary software, this opaqueness presents a security problem. In fact, security researchers from the Netherlands have successfully used SSD VSCs to access encrypted data on some models of Crucial MX, Samsung T3 and T5 SSDs. And it is also rumoured that the NSA’s Equation Group extensively used Seagate and Western Digital VSCs in designing their HDD firmware rootkits. These vulnerabilities remind us of the importance of projects such as the OpenSSD Project which advocates for SSD firmware to be open-source and fully transparent.    

How to recover data from encrypted storage devices without the encryption key. Data Recovery Ireland
A WD My Passport 4TB external disk. This series of disks have a number of critical hardware vulnerabilities. And if these can’t be exploited to access the data, you can just patch the ROM of this drives using commercial data recovery equipment.

WD My Passport disks provide a classic example of the weaknesses of hardware encryption. This line up of portable disks has encryption keys which can be bruteforced. Some of these models use a very leaky random number generator for key protection. Other My Passport models use hard-coded AES-256 credentials. Moreover, when their ROM can be “patched” by data recovery systems.        

Practical Prevention: To protect highly confidential information using BitLocker, it is essential that the application is configured correctly. BitLocker should always be setup with pre-boot authentication using an alphanumeric PIN. Make sure you have SecureBoot enabled which helps prevent devices with unsigned firmware code booting up. A BIOS password is recommended. In standby or hibernation state, some Windows systems will store the BitLocker encryption key in RAM, therefore it is recommended that you disable standby or hibernate mode on the systems you wish to protect. To enable IOMMU in Windows systems, you will need to access the BIOS. The protection will be either listed as “IOMMU”, “I/O Memory Management”, “Intel VT-d” or “AMD Vi”. For protection of external storage devices, you might want to give hardware encryption a wide berth. Instead, you can an open-source encryption like VeraCrypt for whole disk encryption.  

Drive Rescue, Dublin, Ireland provide a full hard disk recovery service for disks encrypted with BitLocker, FileVault, VeraCrypt and many other leading data recovery applications. We also provide a recovery service for WD My Passport external disks including My Passport Slim, My Passport Ultra and My Passport for Mac.

SSD ECC failure and data recovery from an Asenno AS25 SSD

SSD ECC failure and data recovery from an Asenno AS25 SSD Data Recovery Ireland

ECC (Error Correction Code) plays a crucial role in maintaining the integrity of data stored inside your solid state drive. ECC is a bit like a quality-control inspector inside your disk. When it detects soft bit errors, it automatically corrects them helping to keep the integrity of your data is kept intact.

However, sometimes, due to defects such as wear of the oxide layer, ECC failure will occur. Here your SSD controller has another trick up its sleeve. Many SSDs employ what are known as “superpages”. These are tracts of data spread across multiple dies. For example, you might have an SSD with 4 dies (NAND chips). If you have a data (a 200 page PDF document, for instance) stored on your SSD, the file probably won’t just be stored on one chip. Instead, it will be spread out among the 4 chips. The data is then XOR’ed. This is kind of analogous to the way data is stored in RAID volumes. The spreading of multiple I/O requests to multiple dies means much faster processing times. Now, even if ECC is unable to rectify the bit-errors, using superpage-level parity, data recovery is still possible.

For example, a client recently presented us with an Asenno 240GB SSD. There were numerous un-correctable bit-error showing.  Using the power superpages along with some powerful data recovery equipment, we were able to recover the complete NTFS volume for the client.

Drive Rescue (Dublin, Ireland) offer a complete data recovery service for Asenno 240GB, 480GB, 512GB, 960GB and 1TB (S-ATA and NVMe PCIe) SSDs. Typical problems we help with include:

  • Your Asenno SSD is not showing up in Windows or macOS
  • Your Asenno SSD appears to be corrupted
  • Your Asenno SSD is appearing as “unallocated” in Windows Disk Management
  • You’ve accidentally deleted files from your Asenno SSD
  • You’ve got a BIOS-level warning that “SMART failure” is predicted on your Asenno disk.
  • Your Asenno disk appears as “unformatted” in Windows Explorer or macOS Finder

Data recovery from an inaccessible G-RAID 8TB Thunderbolt drive showing a red light on power-up

Data recovery from an inaccessible G-RAID 8TB Thunderbolt drive showing a red light on power-up Data Recovery Ireland
The 8TB G-Drive Thunderbolt from G-Techology with HGST 4TB S-ATA Disk X 2 which was unfortunately configured in RAID 0.

DAS (or direct access storage) devices are ideal for tasks involving high data throughput such as photo or 4K video editing. Unlike an NAS, no network equipment such as routers or switches are required. The device can simply be attached to a host system using a USB or Thunderbolt connection.

To increase the I/O (input / output) rates of these devices, it is common for manufacturers to use a RAID 0 configuration. This simply means that two (usually S-ATA HDDs) disks are joined at the hip (using software) to form one (NTFS, HFS+, EXT3 etc.,) data volume. If large files need to be transferred to the volume, the data is written concurrently to the two disks (instead of just one) making the write operation faster.  For example,  typical write speeds would be around 320 MB/s. This is a relatively fast speed for spinning metal platters and is a perfect example of how storage devices can exploit data parallelism afforded by RAID.  

However, there is a downside to using RAID’ed disks like this. Namely if one disk fails, the whole volume topples over like a proverbial house of cards. And this is exactly what happened to a customer we were helping last week. Their 8TB G-RAID (12V 5Amp) device had two HGST 4TB S-ATA disks (HUS726040ALE614) in a RAID 0 configuration. One of the HGST disks developed firmware issues and bad sectors causing the volume to become unrecognised by Windows. When our customer connected his G-RAID drive to his Windows 10 system, it was no longer showing up. Instead, they got an ominous red light on power up.  

Reasons why your G-Technology G-RAID drive no longer shows up in Windows or Mac.

  • One or more of the disks inside your G-RAID drive might have developed physical faults such as issues with the read-write heads. For example, heads can physically deform due to shock damage while some heads will just fail due to wear-and-tear. Problems with the read-write heads can make the MBR (master boot record), the firmware on the servo-tracks and the user-created data of each disk unreadable.
  • One or more of the disks inside your drive might have developed firmware faults. Firmware is microcode used by hard disks to manage the drive. It is typically stored on the ROM chip of the PCB and on the servo tracks of the disk. Firmware code helps manage errors on the disk and is also involved in crucial functions such as logical block addressing.
  • Another reason why your G-RAID rive is no longer being detected is that one or more of your disks inside your 4TB or 8TB G-RAID drive might have developed bad sectors. Sectors are the smallest area in a hard drive where data is stored. Some bad sectors are normal. In fact, most electro-mechanical hard disks leave the factory with some bad sectors already in place (this is recorded in the P-List). As the disks gets used, more bad sectors start to develop – these are recorded on the G-List. Then, after a while, a surfeit of bad sectors may culminate in your G-RAID drive failing to initialise.
  • The PCB (printed circuit board) inside your G-Technology G-RAID drive might have failed. This can occur due to thermal stress, over-voltage (e.g. a power surge) or due to liquid damage.  

Data recovery from a G-RAID device

Thankfully most of the problems with G-RAID drives can be fixed. In this particular case, we resolved the issues with the firmware and bad sectors. The using byte-for-byte disk images, we performed a detailed analysis on them ascertaining key RAID parameters that were used such as disk order, block size, block order and disk offsets. All of these are parameters are needed for the RAID rebuild process. We eventually rebuilt the RAID. We now had a complete NTFS volume and were able to recover all the drive’s data (video footage and .tiff images) for our very pleased customer.

Is your G-RAID drive not mounting on your Mac? Is your G-RAID drive not showing in Windows? Is your G-RAID disk freezing? Is your iMac or MacBook reporting that your G-RAID disk is “not readable”. Is your G-RAID drive showing a red light? Drive Rescue offer a complete data recovery service for G-RAID devices such as G-RAID Thunderbolt 4TB, 8TB and 12TB. We have extensive experience in recovering and repairing the hard disks (usually HGST 3.5” S-ATA) used inside these drives.

Data Recovery from Lenovo IdeaCentre Q180 Ultra Small Form Factor PC

Data Recovery from Lenovo IdeaCentre Q180 Ultra Small Form Factor PC Data Recovery Ireland

So called “Ultra small form factor” PCs have never been so popular for their compactness, versatility and low power consumption. You can hold them easily with one hand and most are lighter than a dictionary. In fact, during the pandemic, some organisations were able to dispatch these book-size PCs to their home-working employees in the post. All the employee had to do was connect the system to a monitor cable (HDMI, DPI), mouse and keyboard and they were up and running in no time.   

While all this sounds great, but here at Drive Rescue we’ve noticed one thing. Some of the disks inside these ultra small form factor PCs, seem to experience higher-than-average failure rates. This is not surprising. While very convenient, most of these systems do not offer the same level of airflow as their more internally capacious brethren. Even with sophisticated heat sink designs, lower levels of internal airflow, mean that inside, the components (such as northbridge chip) and disks inside these systems can get hotter than a Tokyo metro train during rush hour during a heatwave.

And that’s not good news for HDDs or SSDs. Conventional hard disks (P-ATA, S-ATA) never liked the heat. They have too many metal components (such as platters, spindles, sliders and voice-coil motors) inside which expand when exposed to heat. SSDs (such as M.2 NVMe) on the other hand, actually run better when hot, but after a while this heat-induced performance boost begins to take a toll on the disk’s controller. Too much heat can cause the controller to execute failed bad block management operations, failed logical block addressing and eventually the thermal stress can culminate in complete failure of the controller IC itself.

How to recover data from a Lenovo small form factor PC?

Take last week for example, we were recovering data from a Lenovo IdeaCentre Q180. The disk inside a WD Blue 500GB S-ATA (WD5000LPVX) had a failed head-disk assembly (HDA). More specifically, the head-gimbal assembly at the end of the HDA had “lifted” from the fly zone. Damage in congruence with thermal stress. Anyway, we replaced the HDA in our clean-room, we then imaged the disk enabling a full data extraction from it’s NTFS partition table.

Drive Rescue (Dublin) offer a complete data recovery service for small form factor PCs such as Fujitsu Esprimo E420, G5011, G5010, Q520, Q910, Q958, Intel Nuc, Lenovo ThinkCenre M700, M900, M710s, M710q, ThinkStation P350, Dell Optiplex 780,790,3020,3050,7010, 7040,9020m and Asus PN50, PN60. We recover from most disk types used in these systems including M.2 NVMe (SSD) disks, m-SATA and S-ATA disks.   

Standard PCs are not designed for Data Recovery: the case of a LaCie Rugged Thunderbolt USB 3.0 2TB external disk

Standard PCs are not designed for Data Recovery: the case of a LaCie Rugged Thunderbolt USB 3.0 2TB external disk Data Recovery Ireland
A LaCie Rugged Thunderbolt with its international orange insulating high-viz on.

For conventional hard disks (HDDs), the smallest unit of storage is called a sector. This traditionally has been 512 bytes with most hard disks of the last 10 years or so using 4096-byte sectors (Advanced Format). Each sector will hold the user-generated data, sync bytes but will also hold some ECC (Error Correction Code) to maintain the integrity of the data. The ECC acts as a sort of checksum to filter out corrupt data before it’s transmitted to the host’s RAM.

The problem with ECC

Modern ECC algorithms (such as Reed-Solomon and Bose-Chaudhuri-Hocquenghem) are great, they help prevent bit-rot and other corrupting processes. However, when you have a failing hard disk with bad sectors and try to read it on a standard PC, ECC will probably be the reason that the disk can’t be read. The host computer attempts to read the sectors once but ECC will report the sectors as unreadable. To the user, they will probably see a “not responding error” or similar on their GUI. ECC is a fusspot in this regard – any corruption at all and it won’t let the host PC read the data.

ECC and consumer-grade data recovery software

ECC is not only problematic for reading failing disks via an operating system, but it is also one of the main reasons why so many consumer-grade data recovery software applications can’t recover data. Like with operating systems, data recovery applications cannot always read from sectors whose ECC is reporting errors. In order to bypass this, these applications will read and re-read inaccessible sectors multiple times in the hope that ECC might allow a successful read. However, for a hard disk that is failing or damaged, these repeated attempts of reading are the equivalent of torture for your disk.

It’s not only ECC…

ATA controllers, as used in standard PCs, require that data transfers from disk to host use the host’s RAM. This can be problematic, especially when processing disks with bad sectors or read-media issues as BSOD events are likely. In addition to this, ATA controllers in standard PCs cannot perform disk re-set operations.  

How professional data recovery equipment circumvents ECC errors and the problems associated with standard ATA disk controllers…

  • Data recovery technicians use dedicated hardware systems that enable disk-reads that bypass the BIOS and the operating system. They use systems which can ignore ECC errors.
  • Moreover, technicians use equipment which can directly read the disk’s error register. This gives the technician (and equipment) much more specific information about the underlying problem. For example, this could be a UNC (un-correctable) data error or a TONF (track not found) error. When the equipment knows what the underlying fault is, it can choose a recovery algorithm to maximise the probability of a successful recovery.    
  • Data recovery technicians will typically use systems with ATA disk controllers equipped with Ultra Direct Memory Access. This enables direct data transfers whilst bypassing the host’s RAM.
  • ATA controllers used in standard computers cannot perform disk re-set operations if the disk becomes unresponsive. A disk re-set operation is much less stressful on a failing hard disk compared to a re-power operation.  
Standard PCs are not designed for Data Recovery: the case of a LaCie Rugged Thunderbolt USB 3.0 2TB external disk Data Recovery Ireland
Seagate BarraCuda 2TB disk as found in LaCie Rugged. No surprises there as Seagate now own the LaCie brand!

Only last week, we were dealing with a very frustrated end-user who was trying to extract data off his LaCie Rugged Thunderbolt USB 3.0 2TB external hard drive. Everything time he connected the disk via a Thunderbolt port to his MacOS system, it would freeze. He found this very frustrating. He had thousands of Adobe PhotoShop (PSD) and Adobe Premiere Pro (PRPROJ) which he needed to transfer to another working disk. Our diagnostics revealed that the disk inside (Seagate Barracuda 2TB ST2000LM015) had developed extensive bad sectors. Using our ECC-bypassing and UDMA-enabled data recovery systems, we were able to transfer his data to his second disk within 48 hours.

Drive Rescue (Dublin, Ireland) offers a complete data recovery service for LaCie Rugged disks. We regularly recover from models such as LaCie Rugged Mini, LaCie Rugged USB-C, LaCie Rugged 3TB LaCie Rugged 4TB, LaCie Rugged 5Tb which are not mounting or not recognised in Mac. Likewise, we recover from LaCie external disks which are showing up in Windows (10 or 11) or from LaCie disks which are making a clicking or buzzing noise.