Block Level Data Recovery Tutorials

In computing, data recovery is a process of salvaging (retrieving) inaccessible, lost, corrupted, damaged or formatted data from storage media such as NAND flash devices, SSDs, HDDs, tapes, and other block level storage. While the term Data Recovery itself is frequently used within computer forensic recovery, the term can be applied to all forms of recovering data from damaged media or even functional media for later archival and usage within a disk or ROM image.

The most common data recovery scenario involves an operating system failure, malfunction of a storage device, logical failure of storage devices, accidental damage or deletion, etc. (typically, on a single-drive, single-partition, single-OS system), in which case the ultimate goal is simply to copy all important files from the damaged media to another new drive. This can be easily accomplished using a Live CD, many of which provide a means to mount the system drive and backup drives or removable media, and to move the files from the system drive to the backup media with a file manager or optical disc authoring software. Such cases can often be mitigated by disk partitioning and consistently storing valuable data files (or copies of them) on a different partition from the replaceable OS system files.

Exploring a Drive Image with Autopsy in Kali Linux

In another scenario, files have been accidentally “deleted” from a storage medium by the users. Typically, the contents of deleted files are not removed immediately from the physical drive; instead, references to them in the directory structure are removed, and thereafter the space the deleted data occupies is made available for later data overwriting. In the mind of end users, deleted files are irrecoverable through a standard file manager; however, the deleted data still technically exists on the physical drive. In the meantime, the original file contents remain, often in a number of disconnected fragments, and may be recoverable if not overwritten by other data files.

Investigating a Flash Drive

Methods of preventing recovery

Two types of methods can be used to prevent recovery of data. The first is to securely shred your documents instead of sending them to the “Recycle bin”/“Trash”. While this method is about 99.9% accurate for a live running storage device, further methods are required when retiring the storage medium.

The second method is best applied when retiring a storage medium and that is to completely ensure that the physical device is destroyed beyond any form of access.

2 Likes
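The first post's point that deleted file contents stay on the drive until overwritten, shown as an added example (not part of the original post): a minimal JPEG signature carver run over a constructed 16-sector raw image that has no directory entries at all. The function names and the sample image are assumptions made for illustration.

```python
import hashlib

SECTOR = 512
SOI, EOI = b"\xff\xd8\xff", b"\xff\xd9"  # JPEG start / end markers

def aligned_headers(image):
    """Offsets of JPEG headers that sit on a sector boundary."""
    return [off for off in range(0, len(image), SECTOR)
            if image.startswith(SOI, off)]

def carve(image):
    """Carve contiguous JPEGs from a raw image using signatures only.

    Fragmented files are not reassembled, and a real JPEG with an
    embedded thumbnail can end the carve early at the thumbnail's footer.
    """
    headers = aligned_headers(image)
    results = []
    for i, start in enumerate(headers):
        # The footer must appear before the next file's header.
        limit = headers[i + 1] if i + 1 < len(headers) else len(image)
        end = image.find(EOI, start + len(SOI), limit)
        if end == -1:  # tail was overwritten: header survives, file does not
            results.append({"offset": start, "recovered": False, "data": None})
            continue
        data = image[start:end + len(EOI)]
        results.append({"offset": start, "recovered": True, "data": data,
                        "sha256": hashlib.sha256(data).hexdigest()})
    return results

def fake_jpeg(payload):
    """Constructed stand-in for a JPEG: header, APP0 marker byte, payload, footer."""
    return SOI + b"\xe0" + payload + EOI

def build_image():
    """Constructed 16-sector 'disk' holding two deleted files."""
    img = bytearray(16 * SECTOR)
    intact = fake_jpeg(b"A" * 700)    # sectors 2-3, never overwritten
    damaged = fake_jpeg(b"B" * 700)   # sectors 8-9
    img[2 * SECTOR:2 * SECTOR + len(intact)] = intact
    img[8 * SECTOR:8 * SECTOR + len(damaged)] = damaged
    # A newer file reused sector 9, destroying the second file's tail.
    img[9 * SECTOR:10 * SECTOR] = b"N" * SECTOR
    return bytes(img), intact

if __name__ == "__main__":
    image, _ = build_image()
    for r in carve(image):
        print(r["offset"], "recovered" if r["recovered"] else "overwritten")
```

The same scan works on an image file read from disk; hash each carved file so the recovery can be repeated and compared later.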

I was the HIPAA officer for my firm. We had over 50 drives to destroy. I could have drilled them out as done in the video here, but decided to take them to my deer lease and shoot them with my deer rifle as target practice. We lined them up like birds on a wire and shot them off one at a time. It was much more fun than drilling them and it accomplished the same thing. Unfortunately, it made a mess, too, which we had to clean up and place into a garbage bag.

3 Likes

What a coincidence! I had just been considering investigating how to recover deleted data. Thanks for the collection.

1 Like

Hard drive = clay pigeon.
Pull!!

I expect photos of this activity; without the photos you have no Certificate of Destruction!

2 Likes

I took photos but they are now the property of the company that I don’t work for any longer. Good point though.

Yeah, but the drives left the premises. Who knows what block level copying went on between then and the gun shot :wink:

I’ve investigated different recovery methods for HDD recovery. One of the best tools for drive recovery when the firmware of the drive may be corrupted is MRTlab. BUT the price for such software and hardware is beyond high.

Board level HDD fixes mostly are trivial and involve an EEPROM swap and can be done for cheap. (I might be persuaded to give a tutorial sometime in the e-lab.)

That being said no drive, that I want to get rid of, leaves my house w/o a date with a blow torch till slag heap. (I completely and totally melt them, even the screws)

3 Likes

Perhaps we should have a blow torch melting party in the parking lot. I have about 25 drives I could contribute to the slag. Love the idea.

It’s more fun to play with the super strong magnets inside those drives. :slight_smile:

The space has an even better solution: The Blacksmith Forge.

1 Like

Can we get back to the “recovery” part of this? I’d love to learn techniques for data recovery. I have several friends’ hard drives in my “someday/maybe” pile and recovering information off them would make me a rock star :slight_smile:

2 Likes

Thank you. I agree. Destroying drives is easy. I even know of a guy using a Raspberry Pi, web cam and some 3D printed parts to create an automated drive disposal unit with inventory tracking.

Now back to the topic of recovery. These friends’ drives: are they SSD, Optical, or Magnetic (Tape/Floppy/HDD) based storage? Also, what’s the interface: PATA (IDE), SATA, SCSI, EISA, or ESDI?

2 Likes

IDE or SATA internal drives, magnetic.

Perfect, one can use a USB enclosure, then get a block level image to do further processing without the physical drive.

Anyone ever done the Seagate 702.11 bricked drive fix successfully?
I’ve had a few pass through my hands, and tried, but never managed it successfully. I’m sitting on one more that popped up, wanting to try it again…

Here’s one “how to”. https://www.webfoobar.com/node/6 There are any number of “clones” out there. I forget which I considered “the authority” back when I first tried this…

For the most part I’ve been lucky with having backups in one format or another, but there have been a few drives that were so far gone to the point of needing to use SpinRite to re-align and magnetize some of the bad sectors.

I need to look at them again; however, I think the ones I have are not mountable.

I have the software. If you have the hardware then we could meet up at the space and take a look at it together.

1 Like