DeepSpar is the big name in data recovery, making all sorts of data recovery hardware used by many of the big data recovery warehouses. They've recently ventured into getting their recovery hardware into the hands of smaller operations. A couple of years back, they launched the RapidSpar (reviewed here), which offered a nice little package that enabled smaller shops and small businesses to bring a fair chunk of their data recovery operations in-house. While these tools could also be used for data forensics, that's a 'different crowd' really. Forensic operations want to just be able to plug a drive into a write blocker and hit GO on their imaging software. Write blockers are hardware devices that prevent any write requests from ever reaching the storage device, which lets the forensic shop later prove to the court (if needed) that the evidence (source drive) has not been tampered with. Historically, write-blocking hardware has not implemented data recovery functionality, meaning that a drive that times out with read errors would do the same thing when connected via a write blocker. This equates to added headaches for the data forensics guys that are just trying to get their drives imaged and get on with their cases (digging through the image looking for evidence of system compromise, illegal activity, etc). A few hard drive errors throwing a big wrench into the drive imaging process should be a solvable problem, and DeepSpar has stepped in to take a crack at just that:
Enter the Guardonix. This simple little box sits inline, between the capture PC and the USB device (flash drive, HDD in a USB dock, etc). It naturally performs the typical write blocking functionality expected from the device, but it throws in a round of data recovery functionality as well. Let's look at the simple software interface to help explain further:
Connecting the device to the system the first time mounts a small volume containing software to get up and running. The app handles firmware and driver updates within its own interface, making things simple. DeepSpar recommends using the ASMedia USB3 controller on your system board for best possible compatibility, with the vendor driver installed (don't use the Microsoft InBox driver - download the USB 3 controller driver from your motherboard/laptop vendor). The same ASMedia controller recommendation applies to the use of a USB 3 dock connected to the Guardonix - ASMedia controllers best support the device resets necessary for the data recovery tricks it is capable of.
Once up and running, there is a series of configuration and data recovery options available. Logging options are extensive and necessary for inclusion in forensic reports. The 'PRO' settings (added cost) enable greater control of read timeouts, allow file system mounting, and enable some cool tricks like the ability to fake write attempts instead of replying with 'write denied' errors.
Above is a typical setup showing the whole operation in action. I'm using a simple data recovery app instead of ($$$) dedicated forensic software, but the principles are the same.
Here's a look at the Guardonix output while pushing through a drive containing read errors. Note that once past the errors, we see full speed of the source drive (a 2.5" SATA HDD in this case). The configurable timeouts are 1.25 (short), 4 (medium), and 10 (long) seconds. If the drive fails to come back after each reset attempt, the Guardonix is able to repower the drive a few seconds later. The error handling is definitely robust. I was able to go as far as to remove and reinsert the drive from the dock during imaging, and it just picked right back up from where it left off. Here's the Guardonix demo video:
Pricing and conclusion:
The base Guardonix goes for $320 at the time of this writing, with the PRO add-on features tacking on another $470. This may seem steep, but compared to other write-blocking hardware I've seen in the past, it's about average, with the PRO add-on tacking on some data recovery capabilities not normally possible with simpler write blockers. So long as you are OK with only USB and docked SATA connectivity, that $470 is actually a good deal compared to the pricier RapidSpar (but not nearly as feature-packed).
*edit* Prices adjusted slightly after publishing. Article updated to reflect current prices.
Overall this is good stuff from DeepSpar. I'm glad to see them venturing into the forensics space, as that arena could stand to benefit from less frustration during their imaging operations. I know it would have saved me a bunch of time and headaches back when I was dealing with data forensics!
Introduction, Packaging, and Internals
Being a bit of a storage nut, I have run into my share of failed and/or corrupted hard drives over the years. I have therefore used many different data recovery tools to try to get that data back when needed. Thankfully, I now employ a backup strategy that should minimize the need for such a tool, but there will always be instances of fresh data on a drive that went down before a recent backup took place or a neighbor or friend that did not have a backup.
I’ve got a few data recovery pieces in the cooker, but this one will be focusing on ‘physical data recovery’ from drives with physically damaged or degraded sectors and/or heads. I’m not talking about so-called ‘logical data recovery’, where the drive is physically fine but has suffered some corruption that makes the data inaccessible by normal means (undelete programs also fall into this category). There are plenty of ‘hard drive recovery’ apps out there, and most if not all of them claim seemingly miraculous results on your physically failing hard drive. While there are absolutely success stories out there (most plastered all over testimonial pages at those respective sites), one must take those with an appropriate grain of salt. Someone who just got their data back with a <$100 program is going to be very vocal about it, while those who had their drive permanently fail during the process are likely to go cry quietly in a corner while saving up for a clean-room capable service to repair their drive and attempt to get their stuff back. I'll focus more on the exact issues with using software tools for hardware problems later in this article, but for now, surely there has to be some way to attempt these first few steps of data recovery without resorting to software tools that can potentially cause more damage?
Well now there is. Enter the RapidSpar, made by DeepSpar, who hope this little box can bridge the gap between dedicated data recovery operations and home users risking software-based hardware recoveries. DeepSpar is best known for making advanced tools used by big data recovery operations, so they know a thing or two about this stuff. I could go on and on here, but I’m going to save that for after the intro page. For now let’s get into what comes in the box.
Note: In this video, I read the MFT prior to performing RapidNebula Analysis. It's optimal to reverse those steps. More on that later in this article.