Outstanding Data Recovery Experience

A few months back I had the outstanding pleasure of attending a Data Recovery class put together by Scott Moulton from MyHardDriveDied.com. If you have ever popped a hard drive cover off a “dead” drive in the past, just to see what is what, you may have unknowingly opened a recoverable drive.

My favorite kind of classes are “Tools and Tricks” styles, while this class covers much-much more it definitely provided a bucket load of cool tricks for the trade. One of things I quickly learned was those of us who thought we knew all of this, are the ones who were surprised that we learned the most. Now from reading about Scott’s class I thought it would have minor worth in the Forensic field, but as each day went by I found ways to apply what I learned to the forensic process. If nothing else, about 70% of drives I used to send out for recovery, I now was comfortable recovering on my own. Additionally, Scott took the time to demonstrate the various tools and techniques for successfully removing of HD passwords, which is claimed to work with about 90% of modern hard drives. Now I personally know I see requests for help with HD passwords at least once a week on the LE lists such as IACIS. This alone to me was worth the price of the class, and makes me think this would be an excellent advanced course for the annual IAICS training.

Scott leaves nothing to need from the students, except your full attention. Those of us who run our own business and think you will have time to run out and email clients, will quickly find yourself not wanting to miss one second of the class (heck I contemplated bringing a bottle for bathroom breaks). Scott provides all the tools, snacks, drinks, lunch, and one above-excellent learning experience.

The class was truly a good mixture of various Information Technology personnel from all over the world. There were regular IT persons, data recovery shops, well seasoned data forensics persons (I had the pleasure of meeting some of my online friends from IACIS and HTCC), some just breaking into the forensics field, and I felt very honored to have, in my opinion, the master of E-Discovery, Craig Ball, in the class I attended.

Day 1 starts with Data recovery case studies and the two types of data recovery: “Drive Failure – Controller Failure – Corruption”, and “Deletion: Purposeful or Accidental”. Going over the history of hard drives, components, and the tool for true secure erasing hard drives (the sure fire way to include the bad blocks). Scott’s teaching style is unique and educational, and I must add his animated presentations are off the charts. See: http://www.myharddrivedied.com/toorcon.html

The second half of day 1 puts you right in the heart of tearing down and reassembling drives. I would say the class I attend had about a 40% first day success rate. I really like they way Scott mixed things up, the hands-on truly captured the audience. I must admit I was not among the 40% first day successes.

Day 2 was in-depth coverage of breaking down the hard drive and learning every component and various terminologies for each. We got into how and what is really written to the hard drive and different indications of damage and how to recognize them. Then it was tearing down drives again. Day 2 proved to be much more successful for me with 100% success rate on the 4 drives I was able to work with. (Golf clap please)

Day 3 is the data recovery laws, with top 2 being “Do NOT be Emotionally Attached” and “Do NOT be in a hurry; recovery is not a fast job”, with plethora of DOs and DONTs. He follows this with an excellent overlay of File Systems and Data Recovery. I would opine this is the best 1 day refresher I have seen on file systems in a long time. Scott covers all facets of partition information, cylinder structure, GUID file systems, Fat12, Fat16, Fat32, exFat (Fat64); Windows NTFS, Mac HFS, HFS+, Linux EXT 2/3 & Reiser. We did not just touch on them; we went over the good, the bad, and the ugly of structures, short and long file names, MAC times, fragmentation, B*-Tree data structures, HFS+ Catalog File and so on. We even jumped into recycling and info2 records for a bit. Then we touched on all the software recovery tools, and used them all hands-on to do recovery. We ended the day with hands-on RAID recovery.

Day 4 begins with in-depth hard drive information. Power on routines, system area, UBA block area, bad block basics, P-List and G-list, ECC Error Information, Cylinder Structure Layout, Multi-Platter Cylinders, Longitudinal Recording and Perpendicular Recording, just to name a few. We then covered the various noises HDs make, and the different indicators they represent.

Day 5 – Let us leave something to surprise…..

Scott brings many different data recovery hardware solutions (PC-3000, DeepSpar etc.) and thoroughly demonstrates them over the length of this course. I was surprised when I jokingly said I would just use Scott’s hardware if I ever needed, without hesitation he replied, come up whenever you want, if I am not using whatever you need, I will set you up to use and learn with it. Now that is what I call instructor dedication.

All in all on a 10-scale I would have to give this class a 10 overall, a 10 on the data recovery subject, and 8 on the forensic subject, and 10 on the instructor and class setup. I cannot see how anyone, with the exception of data recovery expert (such as John Wiechman), could not learn much in this class. I would even bet if someone like John were to attend the class, he would probably swap excellent ideas and techniques with Scott, as Scott has clearly stated every data recovery is a learning experience. Now that would be a class I would like to attend, a bunch of data recovery experts in a data recovery class, it would have to be an outstanding experience.

My one critique, I wish the class was longer as there was a lot to cover, and some items I personally would have liked to spend days on. This is not to say Scott’s classes lacked anything, probably more of my own selfishness wanting to have one-one training with each of the tools. In Scott’s defense, he says, and actually does stay every day after dinner to 10-11-12 at night with anyone who has questions or just wants to play around with the cool toys. (I stayed with him every night except one that I was just completely too exhausted to think).

This class was worth every penny! You can read more about the class here: http://www.myharddrivedied.com/data-recovery-training

This entry was posted in Computer Forensics. Bookmark the permalink.