The digital age has brought with it a false sense of security. All of the information on our computers, tablets and hard drives may seem magical, almost immortal. Unlike paper, it does not tear, wrinkle, collect dust or go yellow with age. Instead it remains unchanging and intact, safe from the wear and tear that can so easily destroy physical records.
Until, one day, your hard drive malfunctions. In one moment, everything disappears.
That’s more likely to happen than you might think. A recent study published by Carnegie Mellon University found that twenty percent of mechanical drives fail within their first four years and, surprisingly, just over 5% fail within their first 18 months. And don’t think that solid state drives are a cure-all; the limited testing conducted so far shows them failing at roughly the same rate as mechanical drives, albeit for different reasons.
All of this means you should back up your data. Now. Yet many people don’t, which provides labs like Flashback Data with no shortage of customers. Located Austin, Texas, Flashback Data handles hundreds of drives every month and is America’s only non-governmental lab to meet the standards set by the American Society of Crime Laboratory Directors. We spoke with Russell Chozick, one of the company’s technicians, to find out how lost data can be retrieved from a seemingly dead drive.
Calling the experts
Expert data recovery can be intimidating at first. The average user, who has no idea how to recover a drive, likely envisions a long, grueling and expensive process. In fact, diagnosing a drive’s problem is usually quick, which is why Flashback Data provides free evaluations. “Most of our techs have been working for years,” Mr. Chozick says, “so it doesn’t take much to know what is wrong. With certain mechanical failures, they know the problem by smell.” Though mechanical drives are the most common device sent in for recovery, every type of drive imaginable can be serviced, including not just modern solid state drives but also legacy formats like tape drives and floppy disks. Once the evaluation is complete, a report is made available to the customer through an online report, which includes both the diagnosis and a quote. If it’s accepted, data recovery begins; if the customer declines, the drive is simply sent back.
Mechanical drives are commonly sent in not only because of their popularity but also because mechanical failure is the leading reason for sudden, disastrous hard drive failure. In most cases, the problem occurs because of age or a defect in the drive rather than any external factor, which means there’s little indication the drive is about to die before it goes belly-up. Accidental damage is less common, but when it does occur, it’s usually the result of a drop or bump instead of a more dramatic event, such as fire or flood. Flashback Data lumps such unintended human-assisted destruction under the category of “user error.”
The security of drives received by Flashback Data is, of course, a major concern. Flashback Data does work not only for individuals, but also corporations and even police departments, none of which want to worry that a stranger might be able to snoop around during the recovery process. The risk of theft or unauthorized access is virtually eliminated through a three-zone security setup of heavy locked doors secured with fingerprint scanners, all of which are monitored by 24-hour surveillance. The last security zone, the laboratory itself, is accessible only through a “man trap” – a connecting room that only permits one door to be open at a time. Deliveries are left in this room and can only picked up by lab staff after the deliveryman has left and closed the door behind him.
Even if a ninja did manage to evade the man trap, he’d have a hard time finding anything of use. Drives are only identified by their job number, so it’s impossible to identify a drive without gaining access to the company’s database, which is only open to lab technicians through on-site computers. Jobs sent in for forensic investigation are further secured by another locked area inside the lab, accessible only by a handful of authorized investigators, and drives involved with an investigation are stored in a locked cage with motion sensors that monitor any attempt at entry from below or above.
Hard drive surgery
Once a drive is delivered and diagnosed, and the customer has approved the recovery project, the lab team gets to work. What that work involves depends on the drive – and what’s wrong with it.
Many failures are mechanical in nature, and that means recovering data is impossible until the drive has been physically repaired. “When a drive has failed mechanically,” says Chozick, “the first step is to source parts. Usually we have them in house. We typically have between three and four thousand parts on hand and, as needed, we’ll order even more.” Once the parts are obtained, repair begins. Adapters, read/write heads and other components that have stopped functioning are replaced inside a “clean workstation” which keeps dust and other foreign objects out of the open drive. Though this is delicate work, it is second-nature to these experts, who have handled thousands of repairs.
Mechanical parts are often the culprit, but electronics can fail, too. The mainboard, for example, can experience issues like faulty soldering or damage from a power surge that fries chips or melts contacts. Problems like these are fixed using a stereoscopic microscope and specialized soldering equipment, a delicate and time-consuming process made more challenging by the small size of modern hardware.
Once a drive is operational, the next step is to image the drive. An exact sector-by-sector copy is made, or at least attempted; bad sectors can interrupt the process. Flashback Data uses conventional desktop PCs with special adapters to make recovery possible. This setup allows lab techs to move forward or backwards through a drive’s sectors to focus on certain data or use custom algorithms to speed up recovery. Mr. Chozick explained that a lab tech might program the hardware to “do a fast pass, and if any slow sectors are hit, skip forward 1,000 sectors and keep going.” This tactic can quickly retrieve large amounts of data. If bad sectors turn out to be an issue, the techs can go back with a slower, more detailed algorithm which searches sector-by-sector for every last bit that’s still intact. Even specific file types, like .jpeg images or .mp3 audio files, can be located using algorithms that search for known file headers.
While mechanical drives are fairly straightforward, flash memory presents a particular challenge. An operational flash drive uses a controller chip to manage data, and if that chip stops working, or is corrupted, sorting through files becomes a long, difficult process of browsing raw hex data in search of anything that looks familiar. Recovery is only possible because experts know how key data structures, such as file tables, look in hex form. Once found, these can be restored, making it possible to recover most data from a drive.
Modern solid state drives are even more difficult to work with because, unlike a flash drive (which may contain just one or two chips), an SSD may contain up to sixteen chips, each of which has separate “dumps” across which data can be split. Technicians must analyze data from each dump and piece it together like a digital jig-saw puzzle. Matters are made more difficult by automatic drive encryption features found on many SSDs which, though they can provide extra security, make normal data recovery impossible. Flashback Data’s experts first have to focus on repairing the controller chip itself, as it’s the only way to decode what’s on the drive.
Returning the hard drive home
Even with solid state drives, which is the most challenging storage format to work with, success comes more often than not. “In 98 percent of cases the drive is sent back looking exactly like it did before failure,” says Chozick. “All the folders, files will be in the same place.” Even if such in-depth recovery isn’t possible, lab techs can usually find and retrieve individual files by searching through a drive’s data after it has been imaged. The files returned to the customer may be missing their original file name, and may not be organized, but at least they can be returned otherwise intact.
Once recovery is complete, the data is uploaded to a local server, which is not connected to the Internet for security reasons. The customer then receives word of the good news via a notification. Data is returned on a physical drive for security reasons; in most cases a flash drive, though larger jobs may require the use of a mechanical hard drive. While most of Flashback Data’s customers use Windows, the company is happy to return data in whatever format the customer requires, so Mac users aren’t left out in the cold. For customers, this means retrieving data is a plug-and-play affair.
Of course, once data is retrieved, it should be protected. Though Flashback Data makes money by helping people who don’t have a proper backup, Mr. Chozick was happy to tell us what he thought was most effective for the average user. “I think the easiest backup is an external hard drive running a backup utility. You can’t just rely on yourself to move files regularly. And cloud backup solutions are good, affordable. They protect data from fires, natural disasters and other unexpected events.”
But if you forget, don’t fret. The experts can help – for a fee.