Articles

Hard Drive Platters

Platters in physical
The physical material of Platters: Aluminum alloy comprises the physical material of the platter. It is rigid, easy to work with, lightweight, stable, inexpensive and readily available. The speed that the platters spin is increasing to store data much quicker and in intensive tracks, it is creating more demands on the platter material itself. That’s why the first glass Platters of IBM HDD failed to dominate the market;

Media Layer: The physical material (Aluminum alloy) of which the platters are made forms the base upon which the actual recording media is deposited. The media layer is a very thin coating of magnetic material which is where the actual data is stored, typically only a few microinches in thickness. The media layer is usually comprised of a special alloy. That’s why the data will lose or inaccessible by ages of using. It is because the thin media layer become dull or damaged and can’t react the signals from the HDD or commands from a PC;

Does it make any sense to wash Platters with distilled water or alcohol?
You must laugh at my silly question. But it happened, someone told me before that He did wash the platters with pipe water because there are many fingerprints on them, and, huh, according to his words, he had fixed it and that drive got working.

Can we put the hard drive near with some magnetic materials?
People put the hard drive in some antistatic storage and they avoid to put their credit cards and other magnetic cards together.

Protective Layer: The surface of each platter is normally covered with an extra-thin, protective, lubricating layer, on top of the magnetic media layer itself. This material is used to protect the disk from damage caused by accidental contact from the heads or other foreign matter that might get into the drive. That’s why you can use your HDD to store data for years, not for a couple of months;

Platters in Logically
Platters Divisions: The platter is divided into Tracks and Sectors and is read by Zone Recording or Clusters.

Tracks:
Platters are organized into specific structures to enable the organized storage and retrieval of data. Each platter is broken into several thousand tracks, which are   tightly-packed concentric circles. (These are similar in structure to the annual rings of a tree.,see the circle in red of the Picture).

But, you will find that the ones on the outside of the platter are much larger than the ones on the inside–typically double the circumference or more. Since there is a constraint on how tight the inner circles can be packed with bits, they were packed as tight as was practically possible given the state of technology, and then the outer circles were set to use the same number of sectors by reducing their bit density. This means that the outer tracks were greatly underutilized, because in theory they could hold many more sectors given the same linear bit density limitations.

To eliminate this wasted space, modern hard disks employ a technique called zoned bit recording (ZBR), also sometimes called multiple zone recording or even just zone recording. With this technique, tracks are grouped into zones based on their distance from the center of the disk, and each zone is assigned a number of sectors per track. As you move from the innermost part of the disk to the outer edge, you move through different zones, each containing more sectors per track than the one before. This allows for more efficient use of the larger tracks on the outside of the disk.

Hard Drive Platters Read More »

NTFS Master File Table (MFT)

Each file on an NTFS volume is represented by a record in a special file called the master file table (MFT). NTFS reserves the first 16 records of the table for special information. The first record of this table describes the master file table itself, followed by a MFT mirror record. If the first MFT record is corrupted, NTFS reads the second record to find the MFT mirror file, whose first record is identical to the first record of the MFT. The locations of the data segments for both the MFT and MFT mirror file are recorded in the boot sector. A duplicate of the boot sector is located at the logical center of the disk.

The third record of the MFT is the log file, used for file recovery. The seventeenth and following records of the master file table are for each file and directory (also viewed as a file by NTFS) on the volume.

Figure provides a simplified illustration of the MFT structure:

Figure 5-2 MFT Structure

 

The master file table allocates a certain amount of space for each file record. The attributes of a file are written to the allocated space in the MFT. Small files and directories (typically 1500 bytes or smaller), such as the file illustrated in next figure, can entirely be contained within the master file table record.

Figure 5-2 MFT Record for a Small File or Directory:

 

This design makes file access very fast. Consider, for example, the FAT file system, which uses a file allocation table to list the names and addresses of each file. FAT directory entries contain an index into the file allocation table. When you want to view a file, FAT first reads the file allocation table and assures that it exists. Then FAT retrieves the file by searching the chain of allocation units assigned to the file. With NTFS, as soon as you look up the file, it’s there for you to use.

Directory records are housed within the master file table just like file records. Instead of data, directories contain index information. Small directory records reside entirely within the MFT structure. Large directories are organized into B-trees, having records with pointers to external clusters containing directory entries that could not be contained within the MFT structure.

NTFS Master File Table (MFT) Read More »

The basic knowledge about Hard Disk Drive

Firmware files that you can find on a site like this, contain a lot of files. First, there is the ‘loader’ file (*.LDR). This file is the ‘temporary’ firmware code, that’s being uploaded to the RAM (so, it’s not being written to disk). Then, there are a lot of ‘*.RPM’ files. These files represent the different modules, which can be written to the SA. The filenames consist of 8 numbers. The first 4 numbers specify the (hex) UBA and the second 4 numbers represent the hexadecimal module size in sectors (each sector normally contains 512 bytes, so for example, if a filename ends in 0002, then that module is 1024 bytes long). So, in short, after uploading the loader to RAM, the user can start replacing damaged modules by overwriting them with correct ones.BTW, please note that the term ‘firmware’ for the packages on this site is symantically not very well chosen, since these packages contain all needed modules to repair a HDD and not just the firmware (=code) module.
Anyway, if you’re looking for a specific firmware module, you can do 3 things:
1) rip the firmware modules from the SA of an identical HDD
2) get these modules from a friend (or for example, from the files section on this site)
3) use a firmware updater program from the vendor.

About this last option: firmware updates from vendors are pretty rare, since firmware code almost never needs to be replaced. However, Maxtor for example, had some problems with the firmware code on some Diamondmax HDD models. So, they issued a firmware update. This update consists of 2 files:

1) the executable file that issues the ATA ‘download microcode’ command to upload the firmware files to the HDD
2) The firmware code, consisting of the ‘main’ firmware code and ‘overlay’ code modules.

Firmware ‘overlay’ code are specific code functions. Why not just put all firmware code into one section ? Well, since the RAM in the drive is a limited resource, they’ve put some code into ‘overlay files’, so that this specific code can be swapped into RAM when that specific function is needed. When the fuction is not needed, it can be swapped out of ram and some other function can be swapped into it again.

The firmware update files from maxtor (I think the same goes for the other vendors) are not scrambled/encrypted/packed in anyway. In fact, you can find the exact same code in these files also in the ‘*.RPM’ files that PC3K produces for example.

Maxtor distributes their firmware file in a so called “.DMC” file. This DMC file is a package of 4 files, a ‘.Bxx’ file, a ‘.cxx’ file, a ‘.bbr’ file and a ‘.cbr’ file. Like I mentioned, this DMC container is not packed or scrambled in anyway. You can just cut the files out of it. The first 0x150 bytes of this file is the header. This header contains the four filenames, the offsets at which bytes in the package these files can be found, the length of the files and a checksum (not 100% sure about the checksum though). The ‘.bxx’ file is the biggest file and contains the overlay modules. You can find all code overlay modules by looking for ‘MO’ in the file. Right after this 2 byte string, you’ll find the hexadecimal overlay module ID. The ‘.bbr’ file contains the main firmware code. The last 2 files are very small, not sure what they contain, probably some checksums for the firmware and overlay modules.

Like said, the firmware code and overlay modules can also be found in the ‘*.RPM’ files of course, since this represents the firmware code on disk. So, you can look through these RPM files and scan for the ‘MO’ string to find any specific overlay module.

So, in short, if a vendor has released a firmware uploader tool (most vendors have), BUT haven’t released a firmware file for your specific drive type, you could create your firmware, if you have the dumped modules (for example, obtained from this site). You could rip the main code and overlay modules and paste them into an existing DMC package. However, since I don’t know the checksum calculation and the meaning of these .cxx and .cbr files (probably checksums), you’d have to do more research, but in theory, it would be possible to create your own firmware files and flash them with such standard Vendor program to disk, so you wouldn’t need to buy an expensive tool like PC3000 (at least not if your sole goal was to upload a new firmware).

Modern hard disks feature an area that contains information that the CPU on the HDD logic board uses to operate the drive. That area is called the “system area” SA. This area contains for example the drive ‘microcode’ (a.k.a. firmware), HDD Configuration Tables, Defect sector tables, SMART information, Security info (drive passwords etc), Disk ID info (serial nr etc) and more. These categories of information are called ‘modules’. So the SA contains a module for the firmware code, a module for the SMART info etc.The SA is stored on ‘negative cylinders’ of the HDD and therefore is not accessible by normal read commands. However, the area can be accessed with other ATA commands. An example of a (more or less) ‘standard’ ATA command that can access info on the SA is the ‘download microcode’ ATA command, which can be used to update information in the firmware code module. However, most of the commands that can be used to access the SA are vendor specific. Since vendors (obviously) don’t want users to mess around with the SA, these commands are generally not made public. However, these commands can be deduced by, for example, reverse engineering the firmware code itself.
This reverse engineering has been done and led to development of tools that can issue these (vendor specific) ATA commands and can read/write almost all sectors in the SA. One example of such tool is PC3000. A tool like this contains tables per HDD model, containing these vendor specific ATA commands and also tables with sector numbers on which the different modules are stored, also per HDD model. SA Sector numbers are counted in “UBA’s”. For example, one specific HDD might use UBA 4 to store the ‘DISK ID’ module, where another HDD model might use another sector for this module.
So in short, to create a tool that can read/write data in the SA, you need to:

A) know (and understand) the (vendor-) specific ATA commands that can be used to access this area and
B) know on which UBA sector the specific modules are stored.

If a drive has damaged data in the SA, for example in the firmware code module, it might become unusable. To repair these disks, the HDD can be switched to a so called ‘safe mode’, by setting specific jumpers on the drive. If the drive is operating in safe mode, it bypasses its own firmware. Instead, it wants the user to upload firmware to its ram. If the user uploads a correct ‘temporary’ firmware to RAM, it starts executing that firmware. If this uploaded RAM code (the ‘loader’) starts operating, the user can then start to issue ATA commands to the drive to modify the damaged modules.

Of course, you could also create your own flasher program, instead of using the one supplied by the vendor. However, since vendors use specific versions of the ‘download microcode’ ATA command, you’d have to do research into this.

Furthermore, you could create a program that does EVERYTHING that a tool like PC3000 does. However, like pointed out, you’ll need very detailed information on the vendor specific ATA commands and the structure of the SA for that specific drive type and since this info is not made public by anyone, this means a LOT of work. “But hey, the PC3000 tool features a special hardware PCI card!” Yes, but as you’ll understand by now, you can think of that card as nothing more than a copy protection. They could have perfectly created the tool without it, but I guess they would have sold quite some copies less. So you really can’t blame them for it, in fact, I think it’s quite a smart move to stop piracy.

So, in short, if you want to mess around with the SA, you have 2 options: invest a lot of time and energy into learning or simply empty your pockets and buy a tool like PC3000.

The basic knowledge about Hard Disk Drive Read More »

What a hard drive looks like?

 To many people, a hard disk is a “black box” of sorts—-it is thought of as just a small device that “somehow” stores data. There is nothing wrong with this approach of course as long as all you care about is that it stores data. It is hard to really to understand the factors that affect performance, reliability and interfacing without knowing how the drive works internally.

If you use your hard disk as more than just a place to “keep stuff”, then you want to know more about your hard disk. For those people who earn their butter and bread by retrieving data from a defect hard drive, it is necessary to know how the hard drives works know more the ticks of store data.

Fortunately, most hard disks are basically the same on the inside. While the technology evolves, many of the basics are unchanged from the first PC hard disks in the early 1980s. Lets have a look at the following pictures of a modern SCSI hard disk, with major components annotated from Western Digital Corporation):

(Original image � Western Digital Corporation)

We look at the various key components, discuss how the hard disk is put together, and explore the various important technologies and how they work together to let you read and write data to the hard disk. My goal is to help you really understand the design decisions and tradeoffs made by hard disk engineers, and the ways that new technologies are being employed to increase capacity and improve performance.

When the first HDD looked like? What was the capacity of it?
5MB Hard Disk in 1956
It’s a hard disk in 1956…. the Volume and Size of 5MB memory storage in 1956. In September 1956 IBM launched the 305 RAMAC, the first computer with a hard disk drive (HDD). The HDD weighed over a ton and stored 5MB of data. Let us start appreciating your 4 GB jump drive!

5MB Hard Disk in 1956 – Its a hard disk in 1956…. The Volume and Size of 5MB memory storage in 1956. In September 1956 IBM launched the 305 RAMAC, the first computer with a hard disk drive (HDD). The HDD weighed over a ton and stored 5MB of data.

What a hard drive looks like? Read More »

Information on data recovery

The three most common problems seen today are: 1. The drive makes a repetitive clicking sound when power is applied (this may not always be audible to you). 2. The drive is completely dead, not spinning at all. 3. The computer bios sees the drive, but there is no boot and a boot from a floppy will not gain access or you get an error message that says ‘Invalid media type reading drive X’. Of course there are other issues such as flooding (never turn a wet drive on!), fire and other natural and unnatural disasters all of which require a top-notch data recovery company to work with.

If your drive is making a clicking sound, 9 times out of ten this means that the heads are bad and cannot read the information needed to get the drive to a ‘ready’ state. This can be due to two factors: physical head crash whereas the heads scrape some of the media off the surface of the platters thus destroying the heads in the process or the heads just go bad. The result is the same, the drive clicks. In this type of situation, you can expect an expensive data recovery because of what is needed to extract the data. The drive will have to be opened in a clean room environment, the heads will need to be replaced which requires an identical drive be purchased just for parts, and a skilled engineer will have to perform the difficult and meticulous task of aligning these new heads so they read the data properly. If indeed the media has been scored, there are many cases where there is nothing that can be done about it because so much of the recording material has been scraped off. Keep in mind that drives now sold are spinning at an incredible 7200 to 10,000 rpm, and that with this kind of speed disaster can be swift when it happens.

There seems to be a large number of electrical issues with drives these days, weather it be natural as in lightning strikes or man-made as in power outages and poorly manufactured power supplies. There are also known issues in many models of Maxtor, Western Digital and Quantum drives where a certain chip will simply burn up and cause the drive to stop spinning. About two years ago or more, Western Digital had a 500,000 drive recall as the result of a defective chip used in making many different models of drives. Over the last year or more, Quantum drives of many models had a similar issue, except this time, the numbers of affected drives was much higher. This was the driving force behind the acquisition of Quantum’s hard drive lines by Maxtor! Maxtor is still reeling from the huge numbers of returned drives on a daily basis. One of the big problems is that manufacturers do not put a fuse on the drives’ electronics anymore. You might say, “This would be an easy fix, I’ll just get another drive of the same model and swap the boards myself”. In an ideal world this would be the case but another factor most people do not know is that for each model drive made by a manufacturer, there can be over a dozen different revisions of the electronics even though the model is identical! This fact can make a simple problem very complex. Don’t look to the manufacturers for help with this either, they will not.

If the drive is seen by the BIOS of the computer, and you cannot access it by booting from a floppy in the case of a WIn9X or ME drive this means that for some reason the areas that define the partitions of the drive or the boot parameters have been corrupted. This can be caused by a virus, a computer or software bug, using a third party partitioning software, running Fdisk or a number of other reasons. This type of situation can be an easy fix for a professional or it can be a more difficult one depending on the extent of any additional damage to the file system or data structures. Usually, this type of problem is an easier one to deal with, because the drive at least still works. In the case of an operating system other than Win9X like NT, corruption the NT data structure can be a very complex mathematical problem and can be an expensive recovery as well due to the time it takes to solve. Operating systems like Unix and Novell as well as Spanned sets or Raid drives can definitely be an expensive recovery due to the complexity of these configurations.

It is important that you never run utilities such as scandisk, Norton disk doctor or any other such utility on a drive you suspect has a hardware failure. This can make recovery of your data difficult or even not impossible in some cases. These software tools work best on simpler types of problems and have no way of dealing with hardware issues. If your data is important, and you have doubts on what to do, call a professional. Also beware of technicians running these tools without your knowledge, as the results can be just as deadly.

When a data recovery company receives your drive, if it is possible and the drive is operational, a copy of your data is made sector by sector onto another drive (make image of your DATA) so that your data is not harmed in any way. This prevents mistakes, and allows the engineer to run utilities and make changes to a copy of your drive only and not the original.

Hard drives these days are worse than ever. You may find this a surprising statement, but it is true. Due to slimmer margins, and high competition, manufacturers are making drives as inexpensively as possible and more failures are the result. As of this moment, Fujitsu has top marks for reliability in desktop hard drives followed by IBM. In notebook drives, IBM and Toshiba have top billing. An important point to note is that Hitachi makes the absolute worst notebook drives in the industry with the highest catastrophic failure rate followed by Fujitsu. Dell has just decided to go exclusively with Hitachi now in their new notebooks, so beware!

Here is my old standby: Make believe that tomorrow when you turn your computer on that it is not going to work, and what is it that you want today that you will have to do without tomorrow! Back it up!

Information on data recovery Read More »

Seagate Malfunctions (Barracuda IV, V and 7200.7)

A very common flaw is disruption of protective diode along the +12V circuit and resulting outage of the computer power supply unit. In that case the external look of that component does not allow identification of the damage, because its case remains unaffected. An attempt to connect a drive so damaged to an operable power supply for diagnostics will most likely result in breakdown of the latter. Therefore if such a drive is brought for repair then first of all you should probe the 0 and +12 V circuit with a regular tester to check for a short circuit.

The protective diode originally designed using the “transil” technology at SGS Thomson is intended for protection of electronic circuitry from short power supply peaks not greater than 10 – 20 microseconds. But in that case their common failures demonstrate that HDD designers did not expect to encounter so poor quality of power supply units. Thus drive operation can be resumed after simple removal of that damaged element from its circuits but we cannot guarantee flawless HDD operation without that component.

Seagate Malfunctions (Barracuda IV, V and 7200.7) Read More »

SSD Flash Hard Drives Data Recovery Video

How Solid State Flash Hard Drives work and how to rebuild them for data recovery. This presentation was at Shmoocon 2008 given by Forensic Expert Scott Moulton from My Hard Drive Died, and Forensic Strategy Services.
Part 1:httpv://www.youtube.com/watch?v=l4hbdZFWGog
Part 2:httpv://www.youtube.com/watch?v=mglEnIPnzjo
Part 3:httpv://www.youtube.com/watch?v=3psy_d-pyNg
Part 4:httpv://www.youtube.com/watch?v=pKeZvhDd5c4
Part 5:httpv://www.youtube.com/watch?v=9XMBdDypSO4
Part 6:httpv://www.youtube.com/watch?v=LY36SWbfQg0

SSD Flash Hard Drives Data Recovery Video Read More »

Advanced Hard Drive Data Recovery Video

New different material! This is a new video on advanced data recovery by Scott A. Moulton. This is from August 2007 at Defcon 15 on how to do your own hard drive recovery.
Part 1: httpv://www.youtube.com/watch?v=vCapEFNZAJ0
Part 2: httpv://www.youtube.com/watch?v=w2FGKD4u8TU
Part 3: httpv://www.youtube.com/watch?v=jAUtv6kOCGE
Part 4: httpv://www.youtube.com/watch?v=5xdboKrOllE
Part 5: httpv://www.youtube.com/watch?v=MydSI4Jv2EI

Advanced Hard Drive Data Recovery Video Read More »

Hard Drive Recovery Video

Hard Drive Recovery presented at Toorcon by Scott Moulton of Forensic Strategy
Services, LLC. Very detailed info on rebuilding hard drives and recovery of your own data.
Part 1:httpv://www.youtube.com/watch?v=Kx-D1nJcv0k
Part 2:httpv://www.youtube.com/watch?v=Tg0Uli2_rwI
Part 3:httpv://www.youtube.com/watch?v=Cayzw1iThjM
Part 4:httpv://www.youtube.com/watch?v=1_sNdPoQdcM
Part 5:httpv://www.youtube.com/watch?v=eOvZZakhihM
Part 6:httpv://www.youtube.com/watch?v=CH6pKDsggZc
part 7:httpv://www.youtube.com/watch?v=TNhajraPuWY

Hard Drive Recovery Video Read More »

Scroll to Top