I Function Summary: Intensive read to realize compulsory recovery of deficient data

Intensive read, also referred to as compulsory read, is the data recovery method that increases the recovery intensity while extracting data from defective hard drives with bad sectors. The increase of intensity is reached through the increase of current, which is only used when necessary data is not accessible using normal method. Due to the fact that this method accelerates the aging of source disk, it is recommended to use this method only when especially important files (such as case-related evidence files and database files) need to be recovered. For instance, intensive read is a perfect solution when important files related to a case could not be recovered properly through normal methods. (In this article all case-involved pictures are replaced by non-related ones.)

1

Picture 1: Picture recovered from bad sectors through normal methods

2

Picture 2: Picture recovered from bad sectors through intensive read

II Process Review: How to realize intensive read step by step

In this section, steps to realize intensive read are introduced in detail by taking a Seagate laptop hard-drive (model: ST94011A; SN: 3KW1AA08) as an example.

(1) Observe the appearance of the hard drive: Observation of the appearance leads to the conclusion that this hard drive has never been opened and that there is no sign of burning of the PCB circuit board.

(2) Connect the drive to a computer: Connect the hard drive to a computer through a read-only device and identification of relevant parameters can be viewed on the bottom of COMS. Yet there was no response from the program, no control of the mouse and no access to system partition, which shows signs of fake crash of the operating system, as shown in picture 3.

3

Picture 3: Fake system crash with no control of mouse and no access to system partition

(3) Detection of bad sectors: Scan the hard drive using detection tools to have a more direct view of its condition and this drive is in bad physical condition, as shown in picture 4.

5

Picture 4: Scanning results of hard-drive ST94011A through bad sector detection

The scanning results show that damage to this hard drive was serious: green blocks indicate low access speed, red ones accessing difficulties, and black ones bad sectors or damaged parts. Analysis of scanning results shows that there was no possibility of recovering data directly from this drive. After setup, an operating system will check all hardware devices and access sector information once a hard drive is found. Such damage will probably cause constant attempt in reading the bad sectors, resulting in fake system crash or totally stuck.

(4) Data recovery: After connecting the hard drive to professional data recovery device Data Compass (referred to as DC hereafter), partitions and corresponding files can be viewed directly in the working interface of upper data recovery. Check all files and begin recovery directly, as shown in picture 5 and 6.

5

Picture 5: DC devices used for connecting to professional data recovery devices

6

Picture 6: Partitions and files viewed in DC upper recovery software

(5) Files partially recovered (picture files incomplete): Detailed review of all recovered files shows that some of the files were damaged and pictures were incomplete. Repeated recovery lead to same results, as shown in picture 7, and information in picture 8 can be viewed by opening the picture through Winhex. Obviously, some of the information is displayed as “4040” and was not successfully accessed, which was caused by bad sectors. Recovery results remained the same even other softwares such as EasyRecovery or R-Studio was used with the drive identified by professional data recovery devices.

7.png

Picture 7: Incomplete display of recovered pictures

8

Picture 8: Partial data displayed as “4040” through Winhex

(6) Check “Intensive read”: Initialize the DC Shadow Control interface, open shadow disc, set all related parameters and check Intensive Read from all options, as in Picture 9.

9

Picture 9: Check Intensive Read

(7) Successful recovery of files (pictures can be displayed properly): Enter DC upper data recovery interface, access file “R0014628.jpg” and open the completed file. The difference was obvious that the picture can be displayed properly, as shown in picture 10.

10

Picture 10: Picture recovered through intensive read

III Case Conclusion: Better results can be achieved using Intensive Read

If important data cannot be recovered through other methods, especially under conditions with incomplete pictures, damaged files and regained access to discs after replacement of defected magnetic heads, intensive read can be the solution.

Tips: If only partial data stored in the drive is inaccessible through normal methods, do not hurry to use the intensive read method. This method will accelerate the aging of the source drive, as mentioned before, and will probably cause inaccessibility of the whole drive after recovering the damaged file. Thus the right process should be: recover other intact data totally, and then use intensive read to recover otherwise inaccessible data.

The Intensive read method introduced in this article is already used in SalvationDATA Data Compass and SalvationDATA Fifth Generation DRS(Data Recovery System) and readers interested in related technology are welcomed to join our discussion.

XLY Salvationdata Technology INC. is China’s leading integrated solutions provider of digital forensics, data recovery, data security and E-discovery. As a pioneer of the industry, SalvationDATA is always committed to providing innovation platform with proprietary technologies for Law Enforcement Agencies, Government, Military Intelligence Agencies, Digital Forensics Laboratories and Corporations, etc. SalvationDATA’s professional engineers and forensic experts are dedicated to providing outstanding service to more than 9,000 customers from over 130 countries around the world.

Click HERE to learn more about DRS.