Data recovery from Intel SSD – how Covid-19 prevention measures can lead to data loss…

Any measures taken to prevent the propagation of the SARS-CoV-2 in Ireland are laudable. However, we came across an interesting case last week where a preventative measure resulted actually resulted in a data loss situation.

How one bottle of Isopropyl Alcohol and a Frayed Laptop Cable nearly led to disaster…

Let me explain. The staff of a church parish office in the Midlands were using bottles of Isopropyl Alcohol (pure alcohol) as a disinfectant. (Alcohol of over 70% purity being a highly effective agent in deactivating the virus) However, recently one of their alcohol bottles got knocked over, spilling the liquid over a desk and onto their office floor. No big deal right? Well, this is where it gets interesting. The mains power cord connected to their Fujitsu laptop was frayed exposing some bare wiring. In accordance with Murphy’s Law, some of this high-purity alcohol, which is highly flammable, came into contact with this wire. This resulted in an immediate power surge to the laptop along with a dramatic plume of smoke emanating from its rear ventilation grill. This was shortly followed by a strong burning smell. Great – just what you want on a Monday morning! Luckily, no one was injured. The office staff quickly disconnected the power cord from the wall socket.

Parish records up in smoke?

After having composed themselves and with some trepidation, they turned the laptop back on. The system fan momentarily spun up and then spin down. The screen remained black. All the parish records stored in .MDB (Microsoft Access) were stored on the system as well as their Sage accounts file (ACCDATA file). The last backup they had was over eight months old. Updating parish records and reconstructing accounts would have incurred a significant administrative overhead on the office. It would have also been a soul-destroying task.

Their IT support guy removed the Intel 2500 Series SSD (encrypted with VeraCrypt) from the disk bay of the Fujitsu. Using an S-ATA cable he slaved it onto another PC, but alas, it was not showing in Windows Explorer nor in Disk Management. In fact, it was not even detected by the PC’s BIOS. They sent the drive to Drive Rescue to see if we could help.  

Diodes that died…

Our data recovery systems could not recognise the disk either. We removed the metal enclosure surrounding the PCB (printed circuit board). We used our electronic microscope to examine the NAND chips and board components. Nothing really stood out except for the two diodes near the S-ATA connector which looked a bit “off colour”. We zoomed in on them and their appearance looked as if they had been subject to some sort of recent over-voltage event. Using a multimeter, we tested the suspect components. Both gave a reading of “OL” (open loop) in both (current) directions. Neigbouring diodes tested fine. We micro-desoldered the two diodes off the SSD’s printed circuit board. After a lengthy identification process, we were able to identify the diode type. (Intel does datasheets for this SSD model SSD, but not to PCB component level of detail). We ordered identical replacement diodes from a specialist supplier in Germany. Upon arrival, we soldered the new diodes into position. After letting them bed in, our multi-meter tests showed them to be fully operational.

Resurrection of Data…

We connected the SSD to our recovery system again. This disk model and capacity was recognised which was promising but no logical disk volume appeared. So, we put the disk into “technological mode” which finally revealed a volume of randomised data. This is exactly what we were looking for. Unlike encryption applications such as BitLocker or Symantec Endpoint, VeraCrypt does not use encryption signatures. After resolving some disk offset issues, we imaged the volume to another SSD. We then decrypted this volume to finally get a valid NTFS partition with a very healthy looking folder structure showing. We extracted these onto an external USB drive. The parish office got all their records and accounts files successfully retrieved.

Lessons from this case:

  • Always use a power surge protector to act as an intermediary between mains power and your computing devices.
  • Similar to a lot of accidents, a series of small failures or errors in IT systems often culminate in data loss. In this case, if the frayed laptop power cord has been replaced, no power surge would have occurred. It pays to have well maintained equipment. And it pays to resolve small issues with computing devices, backup systems or storage devices quickly before they play a role in a data loss event.
  • And finally, just one up-to-date back-up would have negated the need for data recovery. Get into the habit of backing up or just use one of the many automated backup solutions on the market.   

Drive Rescue data recovery is based in Dublin, Ireland. If your Intel SSD disk is not being recognised or has just stopped working – we can help you recover data from your Intel SSD. We offer a full data recovery service for Intel SSDs such as the 520, S3500, S3510, S3610, S3700, S4500, P3520, P3700, P4500, P5450, 660p and 800p (Optane).

Data Recovery from Inaccessible Iomega External Disk

Over the years, Iomega external disks have been very popular drives in Ireland for their ease of use and wide variety of capacities. Using a 3.5” or 2.5” form factor, these disks usually come in a brushed aluminum or plastic lacquered enclosure. The 3.5” version such as (MDHDU500) comes with a 12V 2A power adaptor while the 2.5” variants (such as LPHD-UP and RPHD-TG) are USB bus powered. Given their popularity, it’s no surprise that we see a lot of them in our lab for data recovery.

Inaccessible Iomega external disks can show many symptoms including:

  • Your Iomega disk appears as “unformatted” in Windows.
  • Your Iomega external hard disk is not getting detected by your Windows, Mac or Linux computer.
  • When your Iomega disk is connected to a Mac, you receive the message “the disk you inserted was not readable by this computer”.
  • Your Iomega external disk will not turn on.
  • Your Iomega external disk shows a flashing light, but no data appears.
  • Your Iomega disk is making a clicking, buzzing or knocking sound.
  • You are presented with an error message about “the parameter is incorrect” or “cyclical redundancy check” when you connect your Iomega disk’s USB cable.
  • You can see your files and folders on your Iomega disk but cannot copy them over to another medium.

Or, a specific event may have occurred to your disk which has resulted in it failing such as:

  • Your Iomega external disk has suffered a suspected power surge
  • Your Iomega external disk got accidentally dropped.
  • You accidentally formatted your Iomaga hard disk containing priceless photos.

Recently, we had a customer whose Iomega external disk contained all their work for the last seven years but stopped working unexpectedly. Their 3.5” MDHDU500 Iomega disk failed to be recognised by any of their Windows computers. We opened the enclosure and found a Seagate Barracuda 7200.11 500GB S-ATA disk (ST3500820AS). Our recovery systems indicated that the disk appeared to be in continual “Busy” mode. This means that the disk could no longer receive ATA commands needed for  diagnostics or repair. When a disk is in this mode, it’s like trying to call a telephone number, but continually getting the engaged tone. Either the person’s phone is busy or there is a problem with their connection and/or phone.  In this case, any ATA commands we issued to the disk to initiate an exit from this very restrictive mode of operation proved fruitless. We did not suspect the disk-heads because platter and head-disk assembly rotation sounded normal. Moreover, we had come across similar problems with this family of disks before.  The problem is usually – but not always – rooted in a faulty media-cache. The media-cache in these disks buffers sequential and random writes so they write more smoothly to the disk. (It should not be confused with the media-cache used in SMR disks) However, the media-cache can sometimes go corrupt causing the disk to be unreadable.

Fixing the Iomega External Drive and Recovering its Data.

In order to get the disk to exit “Busy” mode, we had to short the read-channel of the disk. This can be performed by using an anti-ESD tweezers and applying its two tongs to two shorting points on the disk’s PCB. Once this had been completed, we patched the ROM. Patching the ROM is like adding an extension of code onto the existing module allowing our data recovery equipment recognise the drive. This procedure got us a mountable volume again. The media-cache can an be an awkward beast to handle, but having the experience of successfully resolving this problem numerous times made this procedure less daunting. We achieved a 100% data recovery rate – over 450GB of data. We were very surprised to see that the customer was still using FAT32 as their main data storage partition though. (FAT32 should not be used on USB memory sticks let alone disks containing almost half a terabyte of important data…) We extracted his recovered data onto a USB external drive. Another happy customer. Another case closed.

Drive Rescue is based in Dublin, Ireland. We offer an external hard disk data recovery service for Iomega external USB drives which are unrecognisable, which are clicking, which are appearing as “unformatted” or Iomega drives which have been dropped. Common models we recover from include the MDHDU, MDHD500-ue, MDHD320-U, GDHDU2, LDHD-UP, LPHD-UP and Iomega Go 2.5” portable disks such as the RPHD-TG, RPHD-U, RPHD-UG and RPHD-UG3.

Data Recovery from inaccessible Samsung Evo 750 SSD

Data Recovery from inaccessible Samsung Evo 750 SSD

This Samsung Evo 750 SSD (MZ-750500) taken from a 2013 Apple iMac was no longer accessible to the user. Instead, this retro-fitted disk, presented him with the dreaded “flashing folder and question mark” screen. When in Apple’s Recovery Mode, the disk also failed to appear in Disk Utility. The user, an author, stored copious amounts of PDF, Word and image files on it – all of which needed to be retrieved to meet upcoming publication deadlines.

The Samsung Evo 750 is an SSD, which was introduced by the company in 2016. It uses 16nm planar-based TLC NAND, has a 512 DRAM cache and is managed by an MGX (Samsung in-house) controller.

Our SSD data recovery equipment provided us partial access to the Evo’s firmware. The wear- level of the SSD’s blocks was high and it also became apparent that the disk was over 94% full. An almost full-capacity solid-state with high-wear levels is far from optimal. This is because when some blocks go bad, the SSD controller will allocate (good) spare blocks to replace them with. This is known as bad block management (BBM). But, here is the catch, when the controller has a sparse level of blocks to choose from and those that are available are worn out – the controller can easily lock-up. We suspect this is why the user could no longer access his data.

How could this have been prevented?

First and foremost, this problem could have been prevented if the user didn’t fill his disk up to near-full capacity. It’s generally a bad idea to use an SSD that is over 90% full, without freeing up some capacity first. SSDs need some breathing space to perform essential housekeeping operations like garbage collection and BBM.       

Secondly, the user might have been prevented the problem if they over-provisioned the disk. Over-provisioning can be achieved by creating a partition that does not use the disk’s full capacity. This “unclaimed” space will then be used by the SSD controller as a pool of “spare” blocks.

In some cases, SSD manufacturers already do this in a process known as “factory over provisioning”. But, for this disk, Samsung did not factory-over-provision it. The deployment of factory over-provisioning is usually indicated by the disk having an “uneven” capacity.  For example, a 480GB disk is normally a 500GB disk, but with 20GB reserved for over-provisioning. Likewise, you can have a 960GB SSD, which is really a 1TB disk with 40GB allocated for over-provisioning.

The paucity of free blocks was not the only factor which culminated in this disk becoming inaccessible. Consistent with many earlier generations of SSD disks, this Samsung 750 Evo SSD was only using 2D planar NAND. This suffers higher rates of cell-to-cell interference than 3D NAND commonly used in SSD’s today.

Recovering the Samsung Evo 750 with a Firmware Emulator

Even though the controller on the disk appeared to be locked. We were able to use a firmware emulator to access the partition table. The emulator mimics the disk’s MGX controller, enabling us to get access to its APFS partition. Much to his satisfaction, the author got all his files retrieved and was saved the painful process of re-doing work which he had already completed. Moreover, he would meet all of his publication deadlines.

Drive Rescue is based in Dublin, Ireland. We offer a SSD data recovery service for inaccessible SSDs such as the Samsung Evo 750 (MZ-750500, MZ750250), Samsung Evo 840, Samsung Evo 850 (MZ-75E1T0) and Samsung Evo 860 (MZ-76E500BW and MZ-76E1T0b). Contact us on 1890 571 571.

Data recovery from a dead Sony Vaio and how disk lubrication can prevent permanent data loss…

Last week, a customer from Dublin contacted us needing data retrieval from their old Sony Vaio laptop. The customer, an architect, recently removed the system from a storage cupboard in his office. Its hard disk contained drawings of a project which he had completed in 2008. Recently, he got the green light for a very similar project. If he could salvage these old drawings (stored in DWG format) along with planning permission files (Word and PDF) from the laptop, he could save himself a lot of time and expedite the planning permission and design process for his customer. Could we recover this customer’s Vaio’s hard disk?

The Vaio laptop running Windows 7 laptop was no longer starting up. The system was completely dead. We opened up the laptop and removed its Seagate Momentus 640GB disk (ST9640423AS). When attached to one of our Windows systems via S-ATA cable, it failed to mount. So, we connected it to one of our data recovery systems to peform a more detailled diagnosis. However, our tests to analyse the platter surface and disk-heads could not even run because the disk was not spinning. Though we did get a succesful identification of the disk’s firmware family and version number. In our clean-room, we opened the disk. The heads were not parked on the disk ramp, but rather precariously positioned in the middle of the platters.

This is not ideal because an adhesive bond can form between the disk-heads and the platter surface. This is known as “stiction” and used to be a big issue for electro-mechanical disks until “ramps” or “parking areas” were incorporated into disk designs. This design change resulted in the stiction problem being more or less eliminated for disks being stored in ambient temperatures. However, in this case, the disk evidently experienced a sudden shut down and the head-disk assembly (the component on which the disk-heads are mounted) never got an opportunity to “park”.

Using specialised tools, we “unstuck” the heads from the platter surface. This procedure needs to be performed extremely delicately. An exertion of force can lead to platter or disk-head damage whilst too little force can result in the disk-heads remaining stuck. Drive Rescue use a number of finely tuned processes and tools to perform this task in the safest possible way.  

Perfluoropolyether – the hard disk super-lubricant

In this case, while the HDA was not in a “parked” position, there is another feature of hard disk design which helps mitigate against stiction events. Manufacturers apply a very thin layer of perfluoropolyether (PFPE) to the platter surface. This “super-lubricant” is a colourless synthetic oil commonly applied to HDD platters because of its durability, chemical inertness and good cohesiveness with the platter’s carbon layer. If a minor scratch does occur, the composition of PFPE exhibits just the right amount of viscosity to replenish the disk areas that have been depleted of lubricant. Its cohesiveness means that the lubricant remains in-situ, even with the constant stress of air-flow that is generated by the slider as it moves over the platters. The qualities of PFPE also mean that it can also prevent the disk-heads forming a strong metallurgical bond with the platters.  

While PFPE might sound like a lubricant that Captain Kirk might use for greasing up the old Starship Enterprise, it is not faultless. At high temperatures, the efficacy of this super lubricant reduces, increasing the risk of tribological events, i.e. the read or write elements that come into direct contact with carbon or magnetic layer on the disk. In this case, however, PFPE seems to have done its job well. (The ambient temperature of the office where the customer stored the host laptop no doubt helped). While the disk-heads and platter had collided, they were joined by only a weak bond. If the bond had been stronger – disk-head or platter damage would have been inevitable. Thus, the need for a full head-disk assembly replacement was negated. The delighted customer was reunited with all his historic work, which was presented to him on an external USB drive. He now had some extra free time in the summer and would not have to backtrack on work he had previously completed.

Drive Rescue, Dublin, Ireland have been recovering data since 2007. We offer a complete recovery service for non-booting, unreadable or damaged disks from Sony Vaio (E, PCG. VGN-Z and VPC-Z) series of laptops. This includes disks such as the Seagate Momentus ST500LT012, ST9640423AS, HGST Z5K-500, HGST Z5K1000 and the Toshiba MQ01ABD050

Two Hard Disks Joined at the Hip – The Case of Data Recovery from an iMac Fusion Drive

Last week, we successfully recovered data from a 2015 iMac, which was using an Apple Fusion Drive. (Samsung PM830 and Seagate ST2000DM001)

The Apple Fusion Drive was first introduced by Apple in 2012 and offers lower latency rates for frequently accessed data. The Fusion Drive concept was introduced at a time when high-capacity SSDs were prohibitively expensive. Apple, always wanting to be one step ahead of the posse, believed that this new hybrid type of storage would give users a foretaste of the future.

AFusion Drive” is not the same as a “Hybrid Drive”

Using their Apple Core Storage software, two disks, a solid-state disk and mechanical platter-based one are “fused” together to create one volume. (Many users confuse a “Fusion Drive” with a “Hybrid Drive”. But a hybrid disk (such as the ST2000LX001) is different in that it uses flash memory (NAND) and mechanical platter-based storage all in one self-contained disk. On hybrid disks the flash is used as temporary storage cache, whereas with an Apple Fusion drive, data is copied (not cached) to the SSD component. Frequently accessed files can be stored on the SSD, while those less frequently used are stored on the HDD. For example, all the system files needed for MacOS to boot up are stored on the SSD meaning the iMac will boot up much faster. Users get to enjoy the speed of flash and the high-capacity of platter-based disks – the best of both worlds.

Auto-Tiered Storage is not New

Apple Fusion drive uses a form of “auto-tiering” which adaptively migrates data between the two disks. Even in 2012, it was not an entirely novel consumer-level technology. Intel’s Smart Response Technology – part of their Intel Rapid Storage Technology suite – introduced it for consumer-level computing in early 2011. Apple Core Storage acts as an LVM (logical volume manager) and migrates data between the SSD and HDD in 128KB blocks.

Diagnosing a Failed Apple Fusion Drive

This technology is great until it goes wrong of course. In this case, our customer, a professional video editor, was using a late 2013 iMac with a Fusion Drive (Samsung PM830 120GB blade SSD fused with a Seagate ST2000DM001 2TB S-ATA HDD). The Samsung SSD passed our tests with flying colours. The Seagate 2TB disk, however failed the “read” component of our diagnostic tests almost immediately. As an aside, the ST2000DM001 and its sister disks, the ST3000DM003 and ST4000DM004, have garnered much notoriety the data recovery industry. Due to their inherently unstable firmware and often weak heads, these disks can suffer all sorts of unusual ailments. Moreover, this family of disks are also known for generating all sorts of weird noises, including those of chirping, squeaking, fluttering and even scraping.

Data Recovery from Apple Fusion Drive

The ST2000DM001 disk we extracted from the iMac was no exception. It had multiple read issues and had several firmware “media cache” issues. It also made continual chirping noises akin to a caged budgerigar whose owner had hydrated it with a little too many Nespressos. Despite this, after resolving multiple issues with the disk, we managed to make a good image of it. Now, all we needed to do now was to “re-fuse” its image with the image of the Samsung PM830 SSD. This would enable us to recover the HFS+ volume. “Re-fusing” or repairing a Fusion Drive can be extremely tricky not helped by the limited repair options offered by Apple. For example, “diskutil” commands provide very limited options for manipulating Fusion Drive (Core Storage) data. And their Disk Utility tool provides no functionality for recovering a Fusion Drive.

Fortunately, at Drive Rescue we use forensic-level hardware tools which can be configured to merge two Core Storage image and reconstruct your Apple Fusion drive. For our video editor customer, we attained a 100% recovery rate of all his Adobe Premiere Pro files.

Here are a few tips for recovering from an Apple Fusion drive:

  1. Trying to reset your Fusion Drive configuration on a disk(s) which are failing can complicate issues. Refrain from doing this.  
  2. Do not attempt to re-format any disks which are part of a Fusion Drive.
  3. Do not attempt to re-install MacOS. This will overwrite Core Storage configuration data needed for data recovery.

We can help you recover data from a split iMac Fusion Drive due to physical disk problems, disk bad sectors, firmware problems and from accidental MacOS installation scenarios. We can recover from 21” and 27” iMac models such as iMac 2012, iMac 2015, iMac 2017 and iMac 2019. Successful recovery from your Apple Fusion drive means you can be re-united with previous work-related projects and of course your photos and videos

When backing up your Synology via USB 3.0 NAS becomes painfully slow…

Yesterday, a previous client contacted us for a bit of advice. Before the lockdown, they needed data recovered from their aging Synology NAS DS411J as some of its WD Red S-ATA disks, configured using Synology Hybrid RAID, unexpectedly went into a “degraded” status. Luckily for them, we were able to recover all their important data.

Recently, they procured a new Synology DS218. In order to avoid the need for data recovery again, they followed our advice and tried to back up the NAS to an external LaCie Rugged disk. So, they connected the external disk to the USB 3.0 port of the Synology and using HyperBackup (part of DSM Explorer), proceeded to copy their files.

Returning an hour later however, the copy process from their new NAS to external disk was running at a miserable 1.2MB/s. It would take days before it would be completed!

Fixing Slow Data Transfer Speeds of Synology

This is a common problem with Synology NAS devices. Unfortunately, DSM Explorer does not play well with NTFS formatted disks. We recommended that they format the LaCie Rugged external disk to EXT4 format first. (This can be performed easily with Ubuntu or any other Linux-based OS.) After changing the formatting from NTFS to EXT4, they retried the copy process. This time round, the data transferred at nearly 90 MB/s. A much better improvement. For disk-to-disk data transfer operations, having both disks use a homogeneous file system can drastically help with file transfer speeds. It’s always the little things, isn’t it…

Why the MFT is one of the most important files on your hard disk…Case study: Data recovery from a Seagate Free Agent Desktop external hard disk

In the same way that a printed book will have a contents page and index – an NTFS (Windows Formatted) hard disk uses what is known as a Master File Table (MFT). This file, usually 1024 bytes in size, stores information about every file such as its name, size, timestamps and other file attribute information. It also contains “pointers” which help your hard disk find data on your hard disk. It is perhaps one of the most important files on your hard disk. In hard disk volumes using FAT and FAT32, the MFT shares the same function as the File Allocation Table.  

The MFT ($MFT) file was designed with disk access speed in mind because all the file metadata is stored on contiguous blocks. This, for example, saves the operating system having to parse through every file on the disk for a command such as simple file search.

However, underlying disk problems can result in a corrupt MFT. Such problems might be precipitated by a malfunctioning bus controller on a host system. Or sometimes, malfunctioning disk firmware corrupts data or writes data to the wrong location. Moreover, power surges, bad sectors, platter scratches and non-repeatable runout errors can all lead to MFT problems.

Chkdsk will be able to repair some disk issues, but in some cases, it will do more harm than good. Chkdsk will typically run “type checking”. This checks whether the disk cluster conforms to footprint of data type. “Sanity checking” will also be performed, verifying that the data structures meet the normal parameters of the NTFS file system. For example, it will check the metadata location of the boot sector to validate pointer integrity. If this utility does find errors, it can refer back to $MFTmirror (which acts an MFT backup) to reinstate files. However, this will not always work.

Last week, we recovered data from a Seagate Free Agent external USB disk. The NTFS formatted disk was inaccessible. The user let Chkdsk (Checkdisk) run when their Windows 10 computer started up. But, alas, it seemed to have complicated issues. The user received the rather ominous sounding error message:  

Windows cannot recover the master file table. Chkdsk aborted”

On recommendation of a colleague, he brought his disk to Drive Rescue. The disk was exhibiting multiple problems with bad sectors and firmware. Once these issues had been resolved, the volume was still inaccessible. On further analysis, we found that the disk’s MFT pointer files, namely, RootSecDesc and DirIndxbuf files were corrupted. These files had to be reinstated manually using a hex editor.  All Word, Excel, .avi and almost 9 years of worth of priceless photos were recovered.

Drive Rescue offer a complete data recovery service for Seagate Free Agent external hard disks such as the Seagate Free Agent Desktop 500GB, Seagate Free Agent Pro 750GB, Seagate Free Agent Go 1000GB and Seagate FreeAgent GoFlex 500GB and 1000GB models. Our Seagate data retrieval service is based in Dublin, Ireland.

Dell Latitude laptop looking for BitLocker Recovery key even though BitLocker was never set…

We had a customer in yesterday with a Dell Latitude Windows 10 laptop. The system, running Windows 10, was requesting a BitLocker key even though the user never remembered this full disk (FDE) encryption application being setup. They were starting to panic because their research on Google informed them that losing your BitLocker key can result in accessible data. BitLocker normally uses XTS-AES (128 or 256bit) which is very strong. One website even advised our customer, if they waited a few years, BitLockered disks could be easily cracked when quantum computing becomes more mainstream. But understandably they were not prepared to wait a few years…

However, this is a problem which Drive Rescue had encountered before. On some Dell laptops, the “Expert Key Management” in the system’s BIOS can sometimes go skewways resulting in a BitLocker Recovery key request window appearing unexpectedly.  

Recovering from BitLocker

The fix for this problem is simple. Enter the BIOS of the Dell system. Navigate to “SecureBoot” and then click to expand the section called “Expert Key Management”. Now you should see a “Restore Settings” button, followed by “Factory Settings”. Select this and then click on “ok”. When exiting the BIOS, don’t forget to save changes. Restart your system. The BitLocker key request box should now be gone and all your files should be fully accessible. No data recovery needed!

Drive Rescue offer a data recovery service in Dublin, Ireland for BitLocker encrypted disks (S-ATA, PCIe, mSata) even in cases where a TPM chip is used. We frequently recover from disks removed from laptop systems such as the Dell Latitude, HP Elitebook, Fujitsu LifeBook and Lenovo Thinkpad T and X Series of laptops. Phone us on 1890 571 571

Data recovery from a Dell server running Windows Server 2008 and the perils of handling old servers…

Electro-mechanical hard disks are designed to spin continuously. For most 3.5” form factor disks, rotational speed is 5400, 7200 or 10,000 revolutions per minute. If the disk is used in a blade or tower server, for example, it will get cooled by the host’s system fan and will hopefully have a steady supply of clean power. Operating in an ambient temperature, such a disk (whether standalone or RAID) can run for several years without interruption.

However, there is one risk factor which a lot of IT admins forget about. As the disk(s) is running, because it uses an “air bearing”, some external air is inducted. This air is filtered by a tiny filter known as a barometric or breather filter. In addition to this, due to the effects of internal component wear and tear, tiny debris from the platters can also start to accumulate inside the disk chamber. For the most part, even with debris accumulating inside the disk, the read-write process can continue as normal. That is until, some poor IT person gets assigned the task of physically moving the server or migrating its data as they can be in for a nasty surprise.

Take last week, for example where a company in Dublin got into a spot of bother with their old Dell PowerEdge server running Windows Server 2008. Their IT administrator was tasked with the job of decommissioning it. The server was running fine, but was slow and no longer meeting the organisation’s requirements. He turned the system off and carried it back to his basement office with the intention of doing a complete backup. However, back at his office, he switched it on again, only to be greeted with the hue of a Windows Server 2008 “blue screen of death” informing him about an “Unmountable_Boot_Volume”. He removed the disk (Hitachi HDT721010SLA360) and slaved it onto another PC. No dice. In Computer Management, the disk was showing up as “unformatted”. This was the last thing he wanted. So, if this disk was spinning fine for the last 12 years, why did it pick the most inopportune time to kick the bucket?

Well, when you move an old hard disk which has been in-situ for years, the dust and debris collected by its air filter can get displaced. This can result in particulate matter getting strewn across and platters and collecting under the disk-heads, making the drive unreadable.

Drive Rescue took the disk into our clean-room where we removed the head disk assembly and cleaned the disk platters using a process which merits another blog post. We were able to recover 98% of their data.   

Lesson: the benefit of in-situ backups…

Servers can be located in the most uncomfortable places such as under staircases or in cramped comms rooms. The temptation for the IT admin to move an old server and perform a full disk backup in a more congenial environment can be quite strong. However, before moving the server anywhere or removing its disks, it would be prudent to a use a disk replication tool such a Macrium Reflect to copy the server’s volume onto another medium. This should be performed while the server is in-situ. This way, you can prevent any nasty surprises and need the call a data recovery service!

Drive Rescue are based in Dublin. Ireland. We offer a full server data recovery service. This includes Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows Server 2016 and Windows Server 2019. Our service covers both standalone disks (S-ATA, SAS) and RAID (0, 1, 5,6,10)

The problems of locked firmware: data recovery from a 2TB Seagate Ultra Slim Portable Drive (SRD00F1)

For years, the firmware of most HDDs was open and made easily accessible by just using a serial connection and the right ATA commands. This enabled data recovery technicians to perform essential pre-recovery housekeeping tasks, such as G-List, P-List and SMART clearing. It also allowed technicians to read and write modules to the ROM. However, with the latest multi-terabyte electro-mechanical disks, manipulation is becoming a little trickier due to manufacturer locked firmware. This fairly recent trend of locked disk firmware can partly be explained by explosive revelations made by Kaspersky Lab in 2015. They discovered a strain of malware dubbed EquationDrug and GrayFish that is capable of dropping a customised installer into an operating system. This enables the installation of a modified controller code onto a person’s hard disk that would act as a persistent backdoor, allowing data exfiltration without triggering any alerts in conventional security controls. Given that governments and corporations throughout the world tend to use standardised equipment, this vulnerability was seen by many security and privacy experts as a grave threat to data integrity and confidentiality. In response to this threat, manufacturers such as Seagate have introduced features like their “Locked Diagnostics Port”, which aims to thwart users from accessing or modifying the disk’s firmware. Seagate has also introduced digital signing of firmware modules.

However, there is another, albeit more commercial reason why disk manufacturers are eager to lock their firmware. Most of the disks’ secret sauce, such as algorithms for error correction servo-track control and thermal-fly height control, are stored in this area of the disk. Not wanting their extensive R&D efforts to be stolen by their competition reverse engineering their disks, manufacturers increasingly just lock down their firmware modules.

For the data recovery technician, this can be exasperating. You’re about to perform a firmware repair only to be greeted with the “Diagnostic Port Locked” message… argh!

The side-effect of this development is that data recovery technicians sometimes encounter a brick wall when trying to remedy firmware issues. Moreover, developers of professional data recovery equipment who could previously analyse firmware modules and develop sophisticated disk repair tools are now being thwarted by manufacturer-locked firmware. Not in all cases however.

To circumvent locked firmware modules, some wily data recovery tool developers have designed “special extensions” to the ROM code which can be saved via a boot code and written back to the HDD. Once applied, terminal commands magically start working on the disk again.

Last week, we got this Seagate Ultra Slim Portable drive in with some serious firmware issues. The disk inside, a Mobile HDD ( ST2000LM007), uses Seagate’s Rosewood firmware and was not even recognisable to the BIOS. This means that under normal circumstances, very little could be done to repair the disk and access the data. However, using the aforementioned tools, we added a modifed ROM extension to the disk. This enabled us to repair the disk’s corrupt firmware modules and access the user area of the disk containing .CR2 (Canon raw),.DWG (created with DraftSight) and Microsoft Office files. The customer was happily reunited with all their data again. This proves the truism that everything is indeed hackable…

Drive Rescue are based in Dublin, Ireland. We offer a complete data recovery service for Seagate Ultra Slim Portable and Seagate Mobile HDD drives. We have experience of successfully recovering from models such as the ST500LM034 ST200LM007, ST1000LM0048, ST1000LM0035 and ST2000LM0015. We can help you if your Seagate Ultra Slim or Mobile HDD disk is no longer recognised by your PC or Mac. Or, if your disk has been accidentally dropped. Call us on 1890 571 571.