Data recovery from Seagate Barracuda 1000 GB Hard Drive

This morning we successfully recovered from this Seagate Barracuda 3.5″ ST1000DM003 hard disk for a business client.

This disk is from Seagate’s dreaded “DM” family, which is notorious for developing problems with its media cache, problems with flaking platters and issues with weak heads. This disk had an issue with all three.

Software to recover a inaccessible Seagate disk?

The client’s IT support did try to run data recovery software on this Seagate disk. However, while the disk was recognised. The data recovery software kept on freezing during operation.

Why data recovery software is useless at recovering from ST1000DM001,ST1000DM003, ST2000DM002, ST2000DM0006 ST3000DM007 series disks.

Unfortunately, data recovery software is designed to run on healthy electro-mechanical disks. It is not designed to run on disks with firmware problems or disk-head problems. Nor, it is designed to work on disks which have flaking platters!

We backed up the ROM, P-list, non-resident G-list, translator and firmware overlays. We then resolved the media cache issue which finally took the disk out of its continual “BSY” or “busy” mode. We then modified the head-map and imaged the disk at very slow speed.

All of the client’s Word, Excel, PowerPoint along with their Herbst ERP data files were successfully recovered.  The recovered files were delivered on a new USB external disk to the delighted customer.

Drive Rescue are based in Dublin, Ireland – we offer a complete data recovery service for Seagate failed hard disks

Data recovery from an inaccessible PNY CS900 SSD.

The two main areas of an SSD are the User Area and the System Area. The former stores the actual data while the System Area contains firmware code essential for the operation of the disk. The System Area is one of the busiest areas of the disk because some of firmware code is stored here. (Additional firmware code is stored on the controller chip itself) Every time the disk is intialised, the SA needs to be read. Everytime a Bad Block Management operation is executed, the SA is read. Even when the disk is shutting down, the SA is accessed or written to again as error logs are updated.

The Achilles Heal of SSDs

It’s no surprise then that this area of the disk  wears out the quickest. Moreover, the SA area is not protected by ECC (error correction management) which means small bit errors which develop in this area are not corrected.

As a result, when the oxide-layer of the NAND cells in the SA degrades due to constant wear-and-tear, the intructional code needed for disk operation can no longer be read. This can result in an SSD which is no longer recognisable by your computer.

“Fatal Device Hardware Error”

Last week, we were helping a medical device company in Sligo with this problem. Their PNY CS900 SSD (taken from a HP EliteDesk PC) was no longer recognised. When connected to a Windows PC via a USB dock, they received the message “The request failed due to a fatal device hardware error”. The disk was using a SMI 2258H controller and appeared to have a worn out Service Area. We put the disk into technological mode and used a 2258H loader (on our recovery equipment) to access the file system. We achieved a complete recovery of all their  SLDDRW, SLDPRT and SLDASM (SolidWorks) files.  This recovery, saved their technicians hours of reconstructing some very intricate technical drawings.

Drive Rescue data recovery are based in Dublin, Ireland. We provide a complete SSD recovery service for disks which are no longer recognised in BIOS, not recognised in Disk Management or not appearing Windows or MacOS. Common models of PNY SSD we recover from include the PNY CS900 250GB, PNY CS900 480GB, PNY CS900 960GB and 1TB. We also recover from their XLR8 CS3030 PCIe SSD and the PNY Portable Elite Black USB drive.

Data recovery from Intel SSD – how Covid-19 prevention measures can lead to data loss…

Any measures taken to prevent the propagation of the SARS-CoV-2 in Ireland are laudable. However, we came across an interesting case last week where a preventative measure resulted actually resulted in a data loss situation.

How one bottle of Isopropyl Alcohol and a Frayed Laptop Cable nearly led to disaster…

Let me explain. The staff of a church parish office in the Midlands were using bottles of Isopropyl Alcohol (pure alcohol) as a disinfectant. (Alcohol of over 70% purity being a highly effective agent in deactivating the virus) However, recently one of their alcohol bottles got knocked over, spilling the liquid over a desk and onto their office floor. No big deal right? Well, this is where it gets interesting. The mains power cord connected to their Fujitsu laptop was frayed exposing some bare wiring. In accordance with Murphy’s Law, some of this high-purity alcohol, which is highly flammable, came into contact with this wire. This resulted in an immediate power surge to the laptop along with a dramatic plume of smoke emanating from its rear ventilation grill. This was shortly followed by a strong burning smell. Great – just what you want on a Monday morning! Luckily, no one was injured. The office staff quickly disconnected the power cord from the wall socket.

Parish records up in smoke?

After having composed themselves and with some trepidation, they turned the laptop back on. The system fan momentarily spun up and then spin down. The screen remained black. All the parish records stored in .MDB (Microsoft Access) were stored on the system as well as their Sage accounts file (ACCDATA file). The last backup they had was over eight months old. Updating parish records and reconstructing accounts would have incurred a significant administrative overhead on the office. It would have also been a soul-destroying task.

Their IT support guy removed the Intel 2500 Series SSD (encrypted with VeraCrypt) from the disk bay of the Fujitsu. Using an S-ATA cable he slaved it onto another PC, but alas, it was not showing in Windows Explorer nor in Disk Management. In fact, it was not even detected by the PC’s BIOS. They sent the drive to Drive Rescue to see if we could help.  

Diodes that died…

Our data recovery systems could not recognise the disk either. We removed the metal enclosure surrounding the PCB (printed circuit board). We used our electronic microscope to examine the NAND chips and board components. Nothing really stood out except for the two diodes near the S-ATA connector which looked a bit “off colour”. We zoomed in on them and their appearance looked as if they had been subject to some sort of recent over-voltage event. Using a multimeter, we tested the suspect components. Both gave a reading of “OL” (open loop) in both (current) directions. Neigbouring diodes tested fine. We micro-desoldered the two diodes off the SSD’s printed circuit board. After a lengthy identification process, we were able to identify the diode type. (Intel does datasheets for this SSD model SSD, but not to PCB component level of detail). We ordered identical replacement diodes from a specialist supplier in Germany. Upon arrival, we soldered the new diodes into position. After letting them bed in, our multi-meter tests showed them to be fully operational.

Resurrection of Data…

We connected the SSD to our recovery system again. This disk model and capacity was recognised which was promising but no logical disk volume appeared. So, we put the disk into “technological mode” which finally revealed a volume of randomised data. This is exactly what we were looking for. Unlike encryption applications such as BitLocker or Symantec Endpoint, VeraCrypt does not use encryption signatures. After resolving some disk offset issues, we imaged the volume to another SSD. We then decrypted this volume to finally get a valid NTFS partition with a very healthy looking folder structure showing. We extracted these onto an external USB drive. The parish office got all their records and accounts files successfully retrieved.

Lessons from this case:

  • Always use a power surge protector to act as an intermediary between mains power and your computing devices.
  • Similar to a lot of accidents, a series of small failures or errors in IT systems often culminate in data loss. In this case, if the frayed laptop power cord has been replaced, no power surge would have occurred. It pays to have well maintained equipment. And it pays to resolve small issues with computing devices, backup systems or storage devices quickly before they play a role in a data loss event.
  • And finally, just one up-to-date back-up would have negated the need for data recovery. Get into the habit of backing up or just use one of the many automated backup solutions on the market.   

Drive Rescue data recovery is based in Dublin, Ireland. If your Intel SSD disk is not being recognised or has just stopped working – we can help you recover data from your Intel SSD. We offer a full data recovery service for Intel SSDs such as the 520, S3500, S3510, S3610, S3700, S4500, P3520, P3700, P4500, P5450, 660p and 800p (Optane).

Data Recovery from Inaccessible Iomega External Disk

Over the years, Iomega external disks have been very popular drives in Ireland for their ease of use and wide variety of capacities. Using a 3.5” or 2.5” form factor, these disks usually come in a brushed aluminum or plastic lacquered enclosure. The 3.5” version such as (MDHDU500) comes with a 12V 2A power adaptor while the 2.5” variants (such as LPHD-UP and RPHD-TG) are USB bus powered. Given their popularity, it’s no surprise that we see a lot of them in our lab for data recovery.

Inaccessible Iomega external disks can show many symptoms including:

  • Your Iomega disk appears as “unformatted” in Windows.
  • Your Iomega external hard disk is not getting detected by your Windows, Mac or Linux computer.
  • When your Iomega disk is connected to a Mac, you receive the message “the disk you inserted was not readable by this computer”.
  • Your Iomega external disk will not turn on.
  • Your Iomega external disk shows a flashing light, but no data appears.
  • Your Iomega disk is making a clicking, buzzing or knocking sound.
  • You are presented with an error message about “the parameter is incorrect” or “cyclical redundancy check” when you connect your Iomega disk’s USB cable.
  • You can see your files and folders on your Iomega disk but cannot copy them over to another medium.

Or, a specific event may have occurred to your disk which has resulted in it failing such as:

  • Your Iomega external disk has suffered a suspected power surge
  • Your Iomega external disk got accidentally dropped.
  • You accidentally formatted your Iomaga hard disk containing priceless photos.

Recently, we had a customer whose Iomega external disk contained all their work for the last seven years but stopped working unexpectedly. Their 3.5” MDHDU500 Iomega disk failed to be recognised by any of their Windows computers. We opened the enclosure and found a Seagate Barracuda 7200.11 500GB S-ATA disk (ST3500820AS). Our recovery systems indicated that the disk appeared to be in continual “Busy” mode. This means that the disk could no longer receive ATA commands needed for  diagnostics or repair. When a disk is in this mode, it’s like trying to call a telephone number, but continually getting the engaged tone. Either the person’s phone is busy or there is a problem with their connection and/or phone.  In this case, any ATA commands we issued to the disk to initiate an exit from this very restrictive mode of operation proved fruitless. We did not suspect the disk-heads because platter and head-disk assembly rotation sounded normal. Moreover, we had come across similar problems with this family of disks before.  The problem is usually – but not always – rooted in a faulty media-cache. The media-cache in these disks buffers sequential and random writes so they write more smoothly to the disk. (It should not be confused with the media-cache used in SMR disks) However, the media-cache can sometimes go corrupt causing the disk to be unreadable.

Fixing the Iomega External Drive and Recovering its Data.

In order to get the disk to exit “Busy” mode, we had to short the read-channel of the disk. This can be performed by using an anti-ESD tweezers and applying its two tongs to two shorting points on the disk’s PCB. Once this had been completed, we patched the ROM. Patching the ROM is like adding an extension of code onto the existing module allowing our data recovery equipment recognise the drive. This procedure got us a mountable volume again. The media-cache can an be an awkward beast to handle, but having the experience of successfully resolving this problem numerous times made this procedure less daunting. We achieved a 100% data recovery rate – over 450GB of data. We were very surprised to see that the customer was still using FAT32 as their main data storage partition though. (FAT32 should not be used on USB memory sticks let alone disks containing almost half a terabyte of important data…) We extracted his recovered data onto a USB external drive. Another happy customer. Another case closed.

Drive Rescue is based in Dublin, Ireland. We offer an external hard disk data recovery service for Iomega external USB drives which are unrecognisable, which are clicking, which are appearing as “unformatted” or Iomega drives which have been dropped. Common models we recover from include the MDHDU, MDHD500-ue, MDHD320-U, GDHDU2, LDHD-UP, LPHD-UP and Iomega Go 2.5” portable disks such as the RPHD-TG, RPHD-U, RPHD-UG and RPHD-UG3.

Data Recovery from inaccessible Samsung Evo 750 SSD

Data Recovery from inaccessible Samsung Evo 750 SSD

This Samsung Evo 750 SSD (MZ-750500) taken from a 2013 Apple iMac was no longer accessible to the user. Instead, this retro-fitted disk, presented him with the dreaded “flashing folder and question mark” screen. When in Apple’s Recovery Mode, the disk also failed to appear in Disk Utility. The user, an author, stored copious amounts of PDF, Word and image files on it – all of which needed to be retrieved to meet upcoming publication deadlines.

The Samsung Evo 750 is an SSD, which was introduced by the company in 2016. It uses 16nm planar-based TLC NAND, has a 512 DRAM cache and is managed by an MGX (Samsung in-house) controller.

Our SSD data recovery equipment provided us partial access to the Evo’s firmware. The wear- level of the SSD’s blocks was high and it also became apparent that the disk was over 94% full. An almost full-capacity solid-state with high-wear levels is far from optimal. This is because when some blocks go bad, the SSD controller will allocate (good) spare blocks to replace them with. This is known as bad block management (BBM). But, here is the catch, when the controller has a sparse level of blocks to choose from and those that are available are worn out – the controller can easily lock-up. We suspect this is why the user could no longer access his data.

How could this have been prevented?

First and foremost, this problem could have been prevented if the user didn’t fill his disk up to near-full capacity. It’s generally a bad idea to use an SSD that is over 90% full, without freeing up some capacity first. SSDs need some breathing space to perform essential housekeeping operations like garbage collection and BBM.       

Secondly, the user might have been prevented the problem if they over-provisioned the disk. Over-provisioning can be achieved by creating a partition that does not use the disk’s full capacity. This “unclaimed” space will then be used by the SSD controller as a pool of “spare” blocks.

In some cases, SSD manufacturers already do this in a process known as “factory over provisioning”. But, for this disk, Samsung did not factory-over-provision it. The deployment of factory over-provisioning is usually indicated by the disk having an “uneven” capacity.  For example, a 480GB disk is normally a 500GB disk, but with 20GB reserved for over-provisioning. Likewise, you can have a 960GB SSD, which is really a 1TB disk with 40GB allocated for over-provisioning.

The paucity of free blocks was not the only factor which culminated in this disk becoming inaccessible. Consistent with many earlier generations of SSD disks, this Samsung 750 Evo SSD was only using 2D planar NAND. This suffers higher rates of cell-to-cell interference than 3D NAND commonly used in SSD’s today.

Recovering the Samsung Evo 750 with a Firmware Emulator

Even though the controller on the disk appeared to be locked. We were able to use a firmware emulator to access the partition table. The emulator mimics the disk’s MGX controller, enabling us to get access to its APFS partition. Much to his satisfaction, the author got all his files retrieved and was saved the painful process of re-doing work which he had already completed. Moreover, he would meet all of his publication deadlines.

Drive Rescue is based in Dublin, Ireland. We offer a SSD data recovery service for inaccessible SSDs such as the Samsung Evo 750 (MZ-750500, MZ750250), Samsung Evo 840, Samsung Evo 850 (MZ-75E1T0) and Samsung Evo 860 (MZ-76E500BW and MZ-76E1T0b). Contact us on 1890 571 571.

Data recovery from a dead Sony Vaio and how disk lubrication can prevent permanent data loss…

Last week, a customer from Dublin contacted us needing data retrieval from their old Sony Vaio laptop. The customer, an architect, recently removed the system from a storage cupboard in his office. Its hard disk contained drawings of a project which he had completed in 2008. Recently, he got the green light for a very similar project. If he could salvage these old drawings (stored in DWG format) along with planning permission files (Word and PDF) from the laptop, he could save himself a lot of time and expedite the planning permission and design process for his customer. Could we recover this customer’s Vaio’s hard disk?

The Vaio laptop running Windows 7 laptop was no longer starting up. The system was completely dead. We opened up the laptop and removed its Seagate Momentus 640GB disk (ST9640423AS). When attached to one of our Windows systems via S-ATA cable, it failed to mount. So, we connected it to one of our data recovery systems to peform a more detailled diagnosis. However, our tests to analyse the platter surface and disk-heads could not even run because the disk was not spinning. Though we did get a succesful identification of the disk’s firmware family and version number. In our clean-room, we opened the disk. The heads were not parked on the disk ramp, but rather precariously positioned in the middle of the platters.

This is not ideal because an adhesive bond can form between the disk-heads and the platter surface. This is known as “stiction” and used to be a big issue for electro-mechanical disks until “ramps” or “parking areas” were incorporated into disk designs. This design change resulted in the stiction problem being more or less eliminated for disks being stored in ambient temperatures. However, in this case, the disk evidently experienced a sudden shut down and the head-disk assembly (the component on which the disk-heads are mounted) never got an opportunity to “park”.

Using specialised tools, we “unstuck” the heads from the platter surface. This procedure needs to be performed extremely delicately. An exertion of force can lead to platter or disk-head damage whilst too little force can result in the disk-heads remaining stuck. Drive Rescue use a number of finely tuned processes and tools to perform this task in the safest possible way.  

Perfluoropolyether – the hard disk super-lubricant

In this case, while the HDA was not in a “parked” position, there is another feature of hard disk design which helps mitigate against stiction events. Manufacturers apply a very thin layer of perfluoropolyether (PFPE) to the platter surface. This “super-lubricant” is a colourless synthetic oil commonly applied to HDD platters because of its durability, chemical inertness and good cohesiveness with the platter’s carbon layer. If a minor scratch does occur, the composition of PFPE exhibits just the right amount of viscosity to replenish the disk areas that have been depleted of lubricant. Its cohesiveness means that the lubricant remains in-situ, even with the constant stress of air-flow that is generated by the slider as it moves over the platters. The qualities of PFPE also mean that it can also prevent the disk-heads forming a strong metallurgical bond with the platters.  

While PFPE might sound like a lubricant that Captain Kirk might use for greasing up the old Starship Enterprise, it is not faultless. At high temperatures, the efficacy of this super lubricant reduces, increasing the risk of tribological events, i.e. the read or write elements that come into direct contact with carbon or magnetic layer on the disk. In this case, however, PFPE seems to have done its job well. (The ambient temperature of the office where the customer stored the host laptop no doubt helped). While the disk-heads and platter had collided, they were joined by only a weak bond. If the bond had been stronger – disk-head or platter damage would have been inevitable. Thus, the need for a full head-disk assembly replacement was negated. The delighted customer was reunited with all his historic work, which was presented to him on an external USB drive. He now had some extra free time in the summer and would not have to backtrack on work he had previously completed.

Drive Rescue, Dublin, Ireland have been recovering data since 2007. We offer a complete recovery service for non-booting, unreadable or damaged disks from Sony Vaio (E, PCG. VGN-Z and VPC-Z) series of laptops. This includes disks such as the Seagate Momentus ST500LT012, ST9640423AS, HGST Z5K-500, HGST Z5K1000 and the Toshiba MQ01ABD050

Two Hard Disks Joined at the Hip – The Case of Data Recovery from an iMac Fusion Drive

Last week, we successfully recovered data from a 2015 iMac, which was using an Apple Fusion Drive. (Samsung PM830 and Seagate ST2000DM001)

The Apple Fusion Drive was first introduced by Apple in 2012 and offers lower latency rates for frequently accessed data. The Fusion Drive concept was introduced at a time when high-capacity SSDs were prohibitively expensive. Apple, always wanting to be one step ahead of the posse, believed that this new hybrid type of storage would give users a foretaste of the future.

AFusion Drive” is not the same as a “Hybrid Drive”

Using their Apple Core Storage software, two disks, a solid-state disk and mechanical platter-based one are “fused” together to create one volume. (Many users confuse a “Fusion Drive” with a “Hybrid Drive”. But a hybrid disk (such as the ST2000LX001) is different in that it uses flash memory (NAND) and mechanical platter-based storage all in one self-contained disk. On hybrid disks the flash is used as temporary storage cache, whereas with an Apple Fusion drive, data is copied (not cached) to the SSD component. Frequently accessed files can be stored on the SSD, while those less frequently used are stored on the HDD. For example, all the system files needed for MacOS to boot up are stored on the SSD meaning the iMac will boot up much faster. Users get to enjoy the speed of flash and the high-capacity of platter-based disks – the best of both worlds.

Auto-Tiered Storage is not New

Apple Fusion drive uses a form of “auto-tiering” which adaptively migrates data between the two disks. Even in 2012, it was not an entirely novel consumer-level technology. Intel’s Smart Response Technology – part of their Intel Rapid Storage Technology suite – introduced it for consumer-level computing in early 2011. Apple Core Storage acts as an LVM (logical volume manager) and migrates data between the SSD and HDD in 128KB blocks.

Diagnosing a Failed Apple Fusion Drive

This technology is great until it goes wrong of course. In this case, our customer, a professional video editor, was using a late 2013 iMac with a Fusion Drive (Samsung PM830 120GB blade SSD fused with a Seagate ST2000DM001 2TB S-ATA HDD). The Samsung SSD passed our tests with flying colours. The Seagate 2TB disk, however failed the “read” component of our diagnostic tests almost immediately. As an aside, the ST2000DM001 and its sister disks, the ST3000DM003 and ST4000DM004, have garnered much notoriety the data recovery industry. Due to their inherently unstable firmware and often weak heads, these disks can suffer all sorts of unusual ailments. Moreover, this family of disks are also known for generating all sorts of weird noises, including those of chirping, squeaking, fluttering and even scraping.

Data Recovery from Apple Fusion Drive

The ST2000DM001 disk we extracted from the iMac was no exception. It had multiple read issues and had several firmware “media cache” issues. It also made continual chirping noises akin to a caged budgerigar whose owner had hydrated it with a little too many Nespressos. Despite this, after resolving multiple issues with the disk, we managed to make a good image of it. Now, all we needed to do now was to “re-fuse” its image with the image of the Samsung PM830 SSD. This would enable us to recover the HFS+ volume. “Re-fusing” or repairing a Fusion Drive can be extremely tricky not helped by the limited repair options offered by Apple. For example, “diskutil” commands provide very limited options for manipulating Fusion Drive (Core Storage) data. And their Disk Utility tool provides no functionality for recovering a Fusion Drive.

Fortunately, at Drive Rescue we use forensic-level hardware tools which can be configured to merge two Core Storage image and reconstruct your Apple Fusion drive. For our video editor customer, we attained a 100% recovery rate of all his Adobe Premiere Pro files.

Here are a few tips for recovering from an Apple Fusion drive:

  1. Trying to reset your Fusion Drive configuration on a disk(s) which are failing can complicate issues. Refrain from doing this.  
  2. Do not attempt to re-format any disks which are part of a Fusion Drive.
  3. Do not attempt to re-install MacOS. This will overwrite Core Storage configuration data needed for data recovery.

We can help you recover data from a split iMac Fusion Drive due to physical disk problems, disk bad sectors, firmware problems and from accidental MacOS installation scenarios. We can recover from 21” and 27” iMac models such as iMac 2012, iMac 2015, iMac 2017 and iMac 2019. Successful recovery from your Apple Fusion drive means you can be re-united with previous work-related projects and of course your photos and videos

When backing up your Synology via USB 3.0 NAS becomes painfully slow…

Yesterday, a previous client contacted us for a bit of advice. Before the lockdown, they needed data recovered from their aging Synology NAS DS411J as some of its WD Red S-ATA disks, configured using Synology Hybrid RAID, unexpectedly went into a “degraded” status. Luckily for them, we were able to recover all their important data.

Recently, they procured a new Synology DS218. In order to avoid the need for data recovery again, they followed our advice and tried to back up the NAS to an external LaCie Rugged disk. So, they connected the external disk to the USB 3.0 port of the Synology and using HyperBackup (part of DSM Explorer), proceeded to copy their files.

Returning an hour later however, the copy process from their new NAS to external disk was running at a miserable 1.2MB/s. It would take days before it would be completed!

Fixing Slow Data Transfer Speeds of Synology

This is a common problem with Synology NAS devices. Unfortunately, DSM Explorer does not play well with NTFS formatted disks. We recommended that they format the LaCie Rugged external disk to EXT4 format first. (This can be performed easily with Ubuntu or any other Linux-based OS.) After changing the formatting from NTFS to EXT4, they retried the copy process. This time round, the data transferred at nearly 90 MB/s. A much better improvement. For disk-to-disk data transfer operations, having both disks use a homogeneous file system can drastically help with file transfer speeds. It’s always the little things, isn’t it…

Why the MFT is one of the most important files on your hard disk…Case study: Data recovery from a Seagate Free Agent Desktop external hard disk

In the same way that a printed book will have a contents page and index – an NTFS (Windows Formatted) hard disk uses what is known as a Master File Table (MFT). This file, usually 1024 bytes in size, stores information about every file such as its name, size, timestamps and other file attribute information. It also contains “pointers” which help your hard disk find data on your hard disk. It is perhaps one of the most important files on your hard disk. In hard disk volumes using FAT and FAT32, the MFT shares the same function as the File Allocation Table.  

The MFT ($MFT) file was designed with disk access speed in mind because all the file metadata is stored on contiguous blocks. This, for example, saves the operating system having to parse through every file on the disk for a command such as simple file search.

However, underlying disk problems can result in a corrupt MFT. Such problems might be precipitated by a malfunctioning bus controller on a host system. Or sometimes, malfunctioning disk firmware corrupts data or writes data to the wrong location. Moreover, power surges, bad sectors, platter scratches and non-repeatable runout errors can all lead to MFT problems.

Chkdsk will be able to repair some disk issues, but in some cases, it will do more harm than good. Chkdsk will typically run “type checking”. This checks whether the disk cluster conforms to footprint of data type. “Sanity checking” will also be performed, verifying that the data structures meet the normal parameters of the NTFS file system. For example, it will check the metadata location of the boot sector to validate pointer integrity. If this utility does find errors, it can refer back to $MFTmirror (which acts an MFT backup) to reinstate files. However, this will not always work.

Last week, we recovered data from a Seagate Free Agent external USB disk. The NTFS formatted disk was inaccessible. The user let Chkdsk (Checkdisk) run when their Windows 10 computer started up. But, alas, it seemed to have complicated issues. The user received the rather ominous sounding error message:  

Windows cannot recover the master file table. Chkdsk aborted”

On recommendation of a colleague, he brought his disk to Drive Rescue. The disk was exhibiting multiple problems with bad sectors and firmware. Once these issues had been resolved, the volume was still inaccessible. On further analysis, we found that the disk’s MFT pointer files, namely, RootSecDesc and DirIndxbuf files were corrupted. These files had to be reinstated manually using a hex editor.  All Word, Excel, .avi and almost 9 years of worth of priceless photos were recovered.

Drive Rescue offer a complete data recovery service for Seagate Free Agent external hard disks such as the Seagate Free Agent Desktop 500GB, Seagate Free Agent Pro 750GB, Seagate Free Agent Go 1000GB and Seagate FreeAgent GoFlex 500GB and 1000GB models. Our Seagate data retrieval service is based in Dublin, Ireland.

Dell Latitude laptop looking for BitLocker Recovery key even though BitLocker was never set…

We had a customer in yesterday with a Dell Latitude Windows 10 laptop. The system, running Windows 10, was requesting a BitLocker key even though the user never remembered this full disk (FDE) encryption application being setup. They were starting to panic because their research on Google informed them that losing your BitLocker key can result in accessible data. BitLocker normally uses XTS-AES (128 or 256bit) which is very strong. One website even advised our customer, if they waited a few years, BitLockered disks could be easily cracked when quantum computing becomes more mainstream. But understandably they were not prepared to wait a few years…

However, this is a problem which Drive Rescue had encountered before. On some Dell laptops, the “Expert Key Management” in the system’s BIOS can sometimes go skewways resulting in a BitLocker Recovery key request window appearing unexpectedly.  

Recovering from BitLocker

The fix for this problem is simple. Enter the BIOS of the Dell system. Navigate to “SecureBoot” and then click to expand the section called “Expert Key Management”. Now you should see a “Restore Settings” button, followed by “Factory Settings”. Select this and then click on “ok”. When exiting the BIOS, don’t forget to save changes. Restart your system. The BitLocker key request box should now be gone and all your files should be fully accessible. No data recovery needed!

Drive Rescue offer a data recovery service in Dublin, Ireland for BitLocker encrypted disks (S-ATA, PCIe, mSata) even in cases where a TPM chip is used. We frequently recover from disks removed from laptop systems such as the Dell Latitude, HP Elitebook, Fujitsu LifeBook and Lenovo Thinkpad T and X Series of laptops. Phone us on 1890 571 571