I am a former data recovery engineer. AMA

Hey folks,

In light of the recent LTT video I figured I would put up an AMA from my time in data recovery. 

I will answer questions to the best I can.


I forgot to mention. I have been out of the data recovery realm since 2018. The company I worked for got bought out and moved to another state. I didn't wanna move with them. 
I still do some data recovery on the side, but nothing like I used to do. 

ANY INFORMATION IN THIS THREAD IS FOR DISCUSSION ONLY. MUCH OF THE INFORMATION PROVIDED IS PARTIAL AND INCOMPLETE. USE AT YOUR OWN RISK!!!!

Be sure to @Pickles von Brine if you want me to see your reply!

Stopping by to praise the all mighty jar Lord pickles... * drinks from a chalice of holy pickle juice and tossed dill over shoulder* ~ @WarDance
3600x | NH-D15 Chromax Black | 32GB 3200MHz | ASUS KO RTX 3070 UnderVolted and UnderClocked | Gigabyte Aorus Elite AX X570S | Seasonic X760w | Phanteks Evolv X | 500GB WD_Black SN750 x2 | Sandisk Skyhawk 3.84TB SSD 


Should anyone even bother sending in completely dead mSD/SD cards for recovery?

mY sYsTeM iS Not pErfoRmInG aS gOOd As I sAW oN yOuTuBe. WhA t IS a GoOd FaN CuRVe??!!? wHat aRe tEh GoOd OvERclok SeTTinGS FoR My CaRd??  HoW CaN I foRcE my GpU to uSe 1o0%? BuT WiLL i HaVE Bo0tllEnEcKs? RyZEN dOeS NoT peRfORm BetTer wItH HiGhER sPEED RaM!!dId i WiN teH SiLiCON LotTerrYyOu ShoUlD dEsHrOuD uR GPUmy SYstEm iS UNDerPerforMiNg iN WarzONEcan mY Pc Run WiNdOwS 11 ?woUld BaKInG MY GRaPHics card fIX it? MultimETeR TeSTiNG!! aMd'S GpU DrIvErS aRe as goOD aS NviDia's YOU SHoUlD oVERCloCk yOUR ramS To 5000C18

 


what is the most effective way to ensure data isn't recoverable? (say if you're throwing out an old drive and want to be 100% sure nothing can be recovered)


What's the most critical piece of data you recovered?

Main PC [ CPU AMD Ryzen 9 7900X3D with H150i ELITE CAPPELIX  GPU Nvidia 3090 FE  MBD ASUS ROG STRIX X670E-A  RAM Corsair Dominator Platinum 64GB@5600MHz  PSU HX1000i  Case Lian Li PC-O11 Dynamic  Monitor LG UltraGear 1440p 32" Nano IPS@180Hz  Keyboard Keychron Q6 with Kailh Box Switch Jade  Mouse Logitech G Pro Superlight  Microphone Shure SM7B with Cloudlifter & GoXLR ]

 

Server [ CPU AMD Ryzen 5 5600G  GPU Intel ARC A380  RAM Corsair VEGEANCE LPX 64GB  Storage 16TB EXOS ]

 

Phone [ Google Pixel 8 Pro, 256GB, Snow ]


1 hour ago, bmx6454 said:

what is the most effective way to ensure data isn't recoverable? (say if you're throwing out an old drive and want to be 100% sure nothing can be recovered)

Thermite duh.

 

 


2 hours ago, bmx6454 said:

what is the most effective way to ensure data isn't recoverable? (say if you're throwing out an old drive and want to be 100% sure nothing can be recovered)

Complete. Total. Destruction. People like to shoot or blow up platters.

Make sure to quote or tag people, so they get notified.


4 hours ago, Electronics Wizardy said:

Do you know of any HDDs/SSDs that have had data recovered that have been written over once already? Is there a reason to use multiple pass wipes.

Once data is written over on a drive, the likelihood of recovery is essentially nil. However, "supposedly" you can recover from an overwritten drive if you manage to attenuate the heads to pick up weaker signals on the platter. That is why the government goes nuts with wiping drives. Honestly, I have NEVER had a single bit of data recovered from zeroed or overwritten drives. 

 

That being said, a reinstall of an OS over a drive is different from writing data over the drive. In the former, data can a lot of the time be recovered. In the latter, not so much. 

4 hours ago, Levent said:

Should anyone even bother sending in completely dead mSD/SD cards for recovery?

There is still a chance of recovery. Those kinds of drives are monolithic; however, there are pads on the back of mSD and SD cards that may allow you to have access to the data, and maybe even get recovery. Flash recovery was not my specialty when I was doing data recovery. I just know the gist of it. 

Data Recovery from microSD cards (Monoliths) using MR adapters - YouTube

Ace Laboratories are the big swinging members in the industry. Nearly every data recovery company will have their products in their shop. There is no other company who has anywhere near what they have. Deepspar and Dolphin make hardware and software solutions but Ace has them beaten soundly. 

There is one company that specializes in flash recovery but I cannot remember their name. They are also the leading company in that area. 
Actually, doing some digging on a few data recovery specific forums, it would appear there is a specific software in use plus Ace Labs. XD Like I said, this is not my cup of tea. I did hard drives, not NAND/flash. 

3 hours ago, bmx6454 said:

what is the most effective way to ensure data isn't recoverable? (say if you're throwing out an old drive and want to be 100% sure nothing can be recovered)

Zeroing out the entire drive is very effective and non-destructive to the drive itself. I have never been able to recover a zeroed drive. Governments are paranoid so they overdo things. The absolutely best way is complete platter destruction. If it is a 2.5 inch drive you can put a screwdriver through the drive where the platters are. They will shatter since 2.5" drive platters are made of glass. 

Putting a bunch of holes into the platter is also effective on 3.5" drives. Unless someone has access to equipment I have never seen or heard of they cannot recover that drive. 

3 hours ago, Zalosath said:

What's the most critical piece of data you recovered?

I cannot go into specifics due to various reasons.

One that I can publicly disclose would be something from NASA. There was land survey data and it had something to do with a watershed project. Not sure on the specifics. But basically millions of dollars was on the line if the data on that drive wasn't recoverable. That was a Hitachi 3.5 inch drive. Don't remember the model. Just remember it needing at least 3 head exchanges because it kept eating heads due to being SEVERELY degraded on one surface. Was somewhere around a 90% recovery too and took about a month. 

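A single zero pass, as described in the reply above, only protects you if it actually reached every sector, so it is worth reading the media back afterwards. The following is an added example, not part of the original thread: it scans an image file and lists any sectors that still hold data. The file is constructed for the demo, and the 512-byte sector size and the function names are assumptions.

```python
import os
import tempfile

SECTOR = 512          # assumed logical sector size
CHUNK = 1024 * 1024   # read size, a multiple of SECTOR


def nonzero_extents(path, sector=SECTOR, chunk=CHUNK):
    """Return [(first_lba, last_lba), ...] for sectors containing any non-zero byte."""
    extents, lba = [], 0
    with open(path, "rb") as dev:
        while True:
            buf = dev.read(chunk)
            if not buf:
                break
            if not buf.strip(b"\x00"):            # whole chunk is zero: skip quickly
                lba += -(-len(buf) // sector)     # ceil division covers a short tail
                continue
            for off in range(0, len(buf), sector):
                if buf[off:off + sector].strip(b"\x00"):
                    if extents and extents[-1][1] == lba - 1:
                        extents[-1] = (extents[-1][0], lba)   # extend adjacent run
                    else:
                        extents.append((lba, lba))
                lba += 1
    return extents


def zero_fill(path, chunk=CHUNK):
    """Overwrite an image file in place with zeros and flush it to stable storage."""
    remaining = os.path.getsize(path)   # image files only; block devices report size differently
    zeros = bytes(chunk)
    with open(path, "r+b") as dev:
        while remaining:
            n = min(chunk, remaining)
            dev.write(zeros[:n])
            remaining -= n
        dev.flush()
        os.fsync(dev.fileno())


def demo():
    """Constructed 3201-sector image with residue in two places, checked before and after a wipe."""
    with tempfile.TemporaryDirectory() as tmp:
        img = os.path.join(tmp, "constructed.img")
        with open(img, "wb") as f:
            f.truncate(3201 * SECTOR)              # starts out all zero
            f.seek(200 * SECTOR)
            f.write(b"leftover customer record")   # residue inside one sector
            f.seek(2047 * SECTOR)
            f.write(b"\xaa" * (3 * SECTOR))        # residue spanning a read-chunk boundary
        before = nonzero_extents(img)
        zero_fill(img)
        after = nonzero_extents(img)
    return before, after


if __name__ == "__main__":
    print(demo())
```

An empty list after the wipe is the pass condition; any extent that remains gives the sector range to investigate before the drive leaves your hands.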

1 hour ago, Cyberspirit said:

Complete. Total. Destruction. People like to shoot or blow up platters.

I've shot drives before, but that was for fun, not really for practical data destruction lol


1 minute ago, Pickles von Brine said:

Once data is written over on a drive, the likelihood of recovery is essentially nil. However, "supposedly" you can recover from an overwritten drive if you manage to attenuate the heads to pick up weaker signals on the platter. That is why the government goes nuts with wiping drives. Honestly, I have NEVER had a single bit of data recovered from zeroed or overwritten drives. 

 

The government seems to have backed off from this stance recently, with NIST SP800-88 rev 1 not recommending using more than one pass to wipe drives, so I think the days of wiping a hdd 7 times are over.


3 minutes ago, Electronics Wizardy said:

The government seems to have backed off from this stance recently, with NIST SP800-88 rev 1 not recommending using more than one pass to wipe drives, so I think the days of wiping a hdd 7 times are over.

Yeah, I think also that the older drives may have been easier to recover? I am not sure. This kind of stuff goes so far over my head because you start getting into actual drive engineering, material properties, theory, etc. You don't need a PhD to be good at recovering hard drives. I mean, I understand how a hard drive works, but when you get into that bit of detail, you understand HOW a hard drive works. If that makes sense. 


5 minutes ago, rikitikitavi said:

SSD disk encryption without the key (formatted) - foolproof?

Formatting an SSD or any drive that was encrypted is a damn sure way to not get your data back. Though there still may be a chance. However, if you simply overwrite the first 100k-1mil sectors of a drive that was encrypted you are done. Not a chance in hell that could be recovered. 


I need to also expand on this. An SSD with TRIM enabled is a damn sure way to cause yourself hell. An SSD without TRIM you may still have a chance.


30 minutes ago, Pickles von Brine said:

Governments are paranoid so they overdo things. The absolutely best way is complete platter destruction. If it is a 2.5 inch drive you can put a screw driver through the drive where the platters are. They will shatter since 2.5" drive platters are made of glass. 

We totally don't send drives that cannot be zero'ed out to a secret location for destruction. I don't know what you're talking about /s 

Intel® Core™ i7-12700 | GIGABYTE B660 AORUS MASTER DDR4 | Gigabyte Radeon™ RX 6650 XT Gaming OC | 32GB Corsair Vengeance® RGB Pro SL DDR4 | Samsung 990 Pro 1TB | WD Green 1.5TB | Windows 11 Pro | NZXT H510 Flow White
Sony MDR-V250 | GNT-500 | Logitech G610 Orion Brown | Logitech G402 | Samsung C27JG5 | ASUS ProArt PA238QR
iPhone 12 Mini (iOS 17.2.1) | iPhone XR (iOS 17.2.1) | iPad Mini (iOS 9.3.5) | KZ AZ09 Pro x KZ ZSN Pro X | Sennheiser HD450bt
Intel® Core™ i7-1265U | Kioxia KBG50ZNV512G | 16GB DDR4 | Windows 11 Enterprise | HP EliteBook 650 G9
Intel® Core™ i5-8520U | WD Blue M.2 250GB | 1TB Seagate FireCuda | 16GB DDR4 | Windows 11 Home | ASUS Vivobook 15 
Intel® Core™ i7-3520M | GT 630M | 16 GB Corsair Vengeance® DDR3 |
Samsung 850 EVO 250GB | macOS Catalina | Lenovo IdeaPad P580


An interesting video of doing file recovery from an SSD. But it also goes into SMR drives. 
 


Keep in mind I have been out of the game for a few years now. 

 


2 minutes ago, BlueChinchillaEatingDorito said:

We totally don't send drives that cannot be zero'ed out to a secret location for destruction. I don't know what you're talking about /s 

HA! Most government sites have shredders on hand or have someone come and shred the drives. Iron Mountain is one such company. They keep your data in a god damn mountain AND they can shred your drives on site. 


12 hours ago, bmx6454 said:

I've shot drives before, but that was for fun, not really for practical data destruction lol

I’d probably use a ramset if I needed to ensure data wasn’t recoverable. 
 

If I was doing data destruction for clients, I wonder if a jig with built-in ramsets would provide rapid and reliable destruction? Would be easy enough to build the setup in one of those white vans to perform the destruction on-site. 

My eyes see the past…

My camera lens sees the present…


11 hours ago, Pickles von Brine said:

HA! Most government sites have shredders on hand or have someone come and shred the drives. Iron Mountain is one such company. They keep your data in a god damn mountain AND they can shred your drives on site. 

I’m thinking a jig with multiple ramsets built-in would be quite effective for rapid on-site destruction. But a giant shredder sounds good too. 


34 minutes ago, NineEyeRon said:

Does Gibby really bite?

Depends. Did Gigi take his food?


On 7/27/2022 at 3:52 PM, Pickles von Brine said:

Hey folks,

In light of the recent LTT video I figured I would put up an AMA from my time in data recovery. 

I will answer questions to the best I can.


I forgot to mention. I have been out of the data recovery realm since 2018. The company I worked for got bought out and moved to another state. I didn't wanna move with them. 
I still do some data recovery on the side, but nothing like I used to do. 

I get “failed” drives back from Linux based CCTV NVRs (Ext4 file system) and would appreciate a hierarchy of tools/tests to use to assess the recoverability of the data.


3 hours ago, JoJamBean said:

I get “failed” drives back from Linux based CCTV NVRs (Ext4 file system) and would appreciate a hierarchy of tools/tests to use to assess the recoverability of the data.

That is a very broad question. What do you mean by "failed"? Can you be more specific? What are you seeking? I can do my best to give you a summary but you are asking a lot. Narrowing down your needs will be helpful. 


 


On 7/27/2022 at 7:20 PM, Pickles von Brine said:

Yeah, I think also that the older drives may have been easier to recover? I am not sure. This kind of stuff goes so far over my head because you start getting into actual drive engineering, material properties, theory, etc. You don't need a PhD to be good at recovering hard drives. I mean, I understand how a hard drive works, but when you get into that bit of detail, you understand HOW a hard drive works. If that makes sense. 

You're the expert here but I will say, I've found older drives much easier to repair. We're talking mid 90s-early 00s, few hundred MB through 120GB drives. Usually, as long as the density is lower than 40GB/side on a CMR platter, they're quite easy to open up and repair since a single piece of dust can't wreck the whole drive nearly as easily. In my improvised clean area and with a pair of cheap gloves I've fixed 4 or 5 drives with stuck heads, either to the platter or to some melted rubber bit. Anyway, what I'm getting to is, the actual platters are about 33-50% thicker than a modern drive, likely having more coating. They were cut down in size to reduce costs, less weight = less motor power needed, same reason why HDD magnets are disappointingly small now. Old platters range in weight; on the 800MB drive I have, the platters feel like a soda can - that sort of material. A 40GB IDE drive yielded the heaviest platters I have, then the multi hundred GB drives are back to being lighter. The composition of the actual base material changes over time. The coating on the platter has also changed over time as well - there are 3 very distinct shades of platter in my collection.

 

A question I'd like to ask is, anything different about recovering SMR drives if you have to actually open it up? Does its, well, SMR nature complicate anything? 


chkdsk fucked up my folder, how do I retrieve data?

I have disabled chkdsk ever since that day


@Pickles von Brine

Did you deal with many laptop drives with shattered spindles, and was the data ever recoverable?

"We also blind small animals with cosmetics.
We do not sell cosmetics. We just blind animals."

 

"Please don't mistake us for Equifax. Those fuckers are evil"

 

This PSA brought to you by Equifacks.
PMSL
