recovery processes

Recovering from hard disk drives that are encrypted follows the same handling procedures as all other magnetic media. A strict process of handling and documentation starts right at the shipping door upon drive receipt and ends when the drive is shipped back to the customer. In most cases, when working with a top data recovery provider, all recovery processes are logged. This results in an audit trail of the recovery history and serves as verification that the recovery was conducted in a secure, compliant manner. Specifically, you want to ensure the process consists of the following high-level steps:

1. Triage drive; determine faults without opening drive
2. Clean room escalation for physical or electronic damage
3. Secure original media
4. Sector-by-sector copy of drive data
5. User Key used to decrypt data
6. Produce file listing of user file names
7. Repair file system
8. Prepare data for delivery
9. Encryption options for data delivery

After the first four stages listed above, the recovery engineer will begin to map all key file system structures that point to the user files. However, if the hard disk drive is encrypted, then the drive needs to be decrypted in order to proceed.

Decryption
If this is the case, a user key or decryption password is required. Fortunately, encryption software has come a long way over the years. Instead of using a master password for decryption, most professional encryption software provides a technician level pass-phrase that changes on a daily basis. This protects the user’s password and the organization’s master password.

Many organizations are comfortable providing these one-time use pass-phrases so that the recovery work can continue. However, this is not always the case. For some organizations, providing this information to an outside vendor, such as a data recovery provider, is against their security policy.  In these situations, a successful recovery is still possible. There are data recovery vendors that can perform recoveries while leaving the data in its encrypted form throughout the entire process. In this case, the data will be recovered and sent back to the client in its encrypted form; however, the specific results will be unknown until the files are opened by someone with access to the encryption key. Ultimately, this limits the ability for a data recovery provider to communicate the success of the recovery until the recovered data is delivered and opened, thereby placing some burden back on the customer.

As a result, it is clear that significant time and cost savings are associated with allowing your data recovery vendor to access your one-time use pass-phrase codes while attempting to recover your encrypted data. At the same time, it’s critical to ensure that your selected vendor also understands security protocols, is knowledgeable about encryption products and has privacy policies in place.

Resuming Recovery
Following the recovery, preparation for delivering the data begins. Since the original hard disk drive was encrypted, safely securing the recovered data is highly important. The recovered data is backed up to the media choice of the user and is re-encrypted. The new decryption key is communicated verbally to the user; email should not be used, as this could be a security risk. Some leading edge data recovery companies are able to deliver recovered data back to the customer in an encrypted format on external USB/Firewire hard disk drives. From the start of the recovery to the final delivery, data should be secure throughout the entire process.