DeepSpar is the big name in data recovery, making all sorts of data recovery hardware used by many of the big data recovery warehouses. They've recently ventured into getting their recovery hardware into the hands of smaller operations. A couple of years back, they launched the RapidSpar (reviewed here), which offered a nice little package that enabled smaller shops and small businesses to bring a fair chunk of their data recovery operations in-house. While these tools could also be used for data forensics, that's a 'different crowd' really. Forensic operations want to just be able to plug a drive into a write blocker and hit GO on their imaging software. Write blockers are hardware devices that prevent any write requests from ever reaching the storage device, which lets the forensic shop later prove to the court (if needed) that the evidence (source drive) has not been tampered with. Historically, write-blocking hardware has not implemented data recovery functionality, meaning that a drive that times out with read errors would do the same thing when connected via a write blocker. This equates to added headaches for the data forensics guys that are just trying to get their drives imaged and get on with their cases (digging through the image looking for evidence of system compromise, illegal activity, etc). A few hard drive errors throwing a big wrench into the drive imaging process should be a solvable problem, and DeepSpar has stepped in to take a crack at just that:
Enter the Guardonix. This simple little box sits inline, between the capture PC and the USB device (flash drive, HDD in a USB dock, etc). It naturally performs the typical write blocking functionality expected from the device, but it throws in a round of data recovery functionality as well. Let's look at the simple software interface to help explain further:
Connecting the device to the system the first time mounts a small volume containing software to get up and running. The app handles firmware and driver updates within its own interface, making things simple. DeepSpar recommends using the Asmedia USB3 controller on your system board for best possible compatibility, with the vendor driver installed (don't use the Microsoft InBox driver - download the USB 3 controller driver from your motherboard/laptop vendor). The same Asmedia controller recommendation applies to the use of a USB 3 dock connected to the Guardonix - Asmedia controllers best support the necessary device resets necessary for the data recovery tricks it is capable of.
Once up and running, there is a series of configuration and data recovery options available. Logging options are extensive and necessary for inclusion in forensic reports. The 'PRO' settings (added cost) enable greater control of read timeouts, allow file system mounting, and enable some cool tricks like the ability to fake write attempts instead of replying with 'write denied' errors.
Above is a typical setup showing the whole operation in action. I'm using a simple data recovery app instead of ($$$) dedicated forensic software, but the principles are the same.
Here's a look at the Guardonix output while pushing through a drive containing read errors. Note that once past the errors, we see full speed of the source drive (a 2.5" SATA HDD in this case). The configurable timeouts are 1.25 (short), 4 (medium), and 10 (long) seconds. If the drive fails to come back after each reset attempt, the Guardonix is able to repower the drive a few seconds later. The error handling is definitely robust. I was able to go as far as to remove and reinsert the drive from the dock during imaging, and it just picked right back up from where it left off. Here's the Guardonix demo video:
Pricing and conclusion:
The base Guardonix goes for $320 at the time of this writing, with the PRO add-on features tacking on another $470. This may seem steep, but compared to other write-blocking hardware I've seen in the past, it's about average, with the PRO add-on tacking on some data recovery options capabilities not normally possible with simpler write blockers. So long as you are ok with only USB and docked SATA connectivity, that $470 is actually a good deal compared to the pricier RapidSpar (but not nearly as feature-packed).
*edit* Prices adjusted slightly after publishing. Article updated to reflect current prices.
Overall this is good stuff from DeepSpar. I'm glad to see them venturing into the forensics space, as that arena could stand to benefit from less frustration during their imaging operations. I know it would have saved me a bunch of time and headaches back when I was dealing with data forensics!
Subject: General Tech | April 4, 2017 - 12:26 PM | Jeremy Hellstrom
Tagged: sd card, nand reader, DIY, data recovery
Hack a Day have posted a quick quide on how you can recover data from an unmountable SD card in a safe and fairly easy manner. With the use of sandpaper, solder and enamelled wire you can hook up the VSS and VCC pins to a NAND reader, as long as there is a working controller on the card and no physical shorts. If you don't happen to have a NAND reader, they link to a project that will show you how to build your own, or you can source it from a supplier. Once you have read the data you can flash it to another SD card or learn about how to translate the content if you have the tools. Check out the comments for more and keep an eye out for a follow up article on working with the recovered data.
"If you ever find yourself in need of an SD card recovery tool you could always roll your own DIY NAND reader. We will likely give this process a try just to play round with the concept. Hopefully we’ll never need to do SD card recovery!"
Here is some more Tech News from around the web:
- Conductive gel framework helps make better batteries @ Nanotechweb
- Microsoft's in-store Android looks desperate but can Google stop it? @ The Register
- Samsung's Linux-based Tizen OS is 'riddled' with security flaws @ The Inquirer
- Security Drive-by Wi-Fi i-Thing attack, oh my! @ The Register
- Transcend DrivePro Body 52 Body Camera @ Kitguru
Introduction, Packaging, and Internals
Being a bit of a storage nut, I have run into my share of failed and/or corrupted hard drives over the years. I have therefore used many different data recovery tools to try to get that data back when needed. Thankfully, I now employ a backup strategy that should minimize the need for such a tool, but there will always be instances of fresh data on a drive that went down before a recent backup took place or a neighbor or friend that did not have a backup.
I’ve got a few data recovery pieces in the cooker, but this one will be focusing on ‘physical data recovery’ from drives with physically damaged or degraded sectors and/or heads. I’m not talking about so-called ‘logical data recovery’, where the drive is physically fine but has suffered some corruption that makes the data inaccessible by normal means (undelete programs also fall into this category). There are plenty of ‘hard drive recovery’ apps out there, and most if not all of them claim seemingly miraculous results on your physically failing hard drive. While there are absolutely success stories out there (most plastered all over testimonial pages at those respective sites), one must take those with an appropriate grain of salt. Someone who just got their data back with a <$100 program is going to be very vocal about it, while those who had their drive permanently fail during the process are likely to go cry quietly in a corner while saving up for a clean-room capable service to repair their drive and attempt to get their stuff back. I'll focus more on the exact issues with using software tools for hardware problems later in this article, but for now, surely there has to be some way to attempt these first few steps of data recovery without resorting to software tools that can potentially cause more damage?
Well now there is. Enter the RapidSpar, made by DeepSpar, who hope this little box can bridge the gap between dedicated data recovery operations and home users risking software-based hardware recoveries. DeepSpar is best known for making advanced tools used by big data recovery operations, so they know a thing or two about this stuff. I could go on and on here, but I’m going to save that for after the intro page. For now let’s get into what comes in the box.
Note: In this video, I read the MFT prior to performing RapidNebula Analysis. It's optimal to reverse those steps. More on that later in this article.
We’ve probably all lost data at some point, and many of us have tried various drive recovery solutions over the years. Of these, Disk Drill has been available for Mac OS X users for some time, but the company currently offers a Windows compatible version, released last year. The best part? It’s totally free (and not in the ad-ridden, drowning in popups kind of way). So does it work? Using some of my own data as a guinea pig, I decided to find out.
The interface is clean and simple
To begin with I’ll list the features of Disk Drill as Clever Files describes it on their product page:
- Any Drive
- Our free data recovery software for Windows PC can recover data from virtually any storage device - including internal and external hard drives, USB flash drives, iPods, memory cards, and more.
- Recovery Options
- Disk Drill has several different recovery algorithms, including Undelete, Protected Data, Quick Scan, and Deep Scan. It will run through them one at a time until your lost data is found.
- Speed & Simplicity
- It’s as easy as one click: Disk Drill scans start with just the click of a button. There’s no complicated interface with too many options, just click, sit back and wait for your files to appear.
- All File Systems
- Different types of hard drives and memory cards have different ways of storing data. Whether your media has a FAT, exFAT or NTFS file system, is HFS+ Mac drive or Linux EXT2/3/4, Disk Drill can recover deleted files.
- Partition Recovery
- Sometimes your data is still on your drive, but a partition has been lost or reformatted. Disk Drill can help you find the “map” to your old partition and rebuild it, so your files can be recovered.
- Recovery Vault
- In addition to deleted files recovery, Disk Drill also protects your PC from future data loss. Recovery Vault keeps a record of all deleted files, making it much easier to recover them.
- Disk Drill For Windows - Free download here
The Recovery Process
(No IDE hard drives were harmed in the making of this photo)
My recovery process involved an old 320GB IDE drive, which was used for backup until a power outage-related data corruption (I didn’t own a UPS at the time, and the drive was in the process of writing) which left me without a valid partition. At one point I had given up and formatted the drive; thinking all of my original backup was lost. Thankfully I didn’t use it much after this, and it’s been sitting on a shelf for years.
There are different methods that can be employed to recover lost or deleted data. One of these is to scan for the file headers (or signatures), which contain information about what type of file it is (i.e. Microsoft Word, JPEG image, etc.). There are advanced recovery methods that attempt to reconstruct an entire file system, preserving the folder structures and the original files names. Unfortunately, this is not a simple (or fast) process, and is generally left to the professionals.