Editor’s note: This issue covers the fourth technique application case study conducted by SalvationDATA forensic experts — data recovery through the opening of a WD 1TB external hard drive. The hard drive involved in this case study was badly scratched and double-secured (hard drive firmware encryption + USB firmware encryption), which makes this case study a typical one. Recovering data from this hard drive is quite different and much more difficult because normal hard drives can generate the image file and access data after changing the magnetic head, but this one cannot. To recover data from the double-secured hard drive with USB port, we needed to have its circuit board changed twice and obtain the key for decrypting the hard drive through initiating WDunlocker by simulating data needed for decryption. No data can be recovered from the image file of said hard drive unless the hard drive is decrypted.

External hard drives usually use USB ports and have the following features: large capacity, small size, high speed, and convenience in use. Many external hard drive manufacturers use outstanding encryption methods to ensure data security. Western Digital (WD), for example, equips its series (picture 1) with hard drive firmware encryption and USB firmware encryption (using WDunlocker software to secure data). Although double encryption improves data security and protection, it also adds to the decryption problem during hard drive data recovery when hard drive failures occur.

Picture 1: WD Hard Drive My Passport Ultra series

1.   Target Drive:

1TB WD external hard drive, My Passport Ultra series, USB port, with intact enclosure and no obvious damage. This hard drive uses double encryption (hard drive firmware encryption + USB firmware encryption).

2.   Preparation (3 hard drives):

(1)   Target disk A: the damaged external hard drive holding the data to be extracted (USB port)

(2)   Image disk B: for imaging

(3)   Spare disk C: necessary for head and circuit board replacement (a normal drive that has the same firmware version as A)

3.   Symptom:

The hard drive couldn’t be detected and made an abnormal sound when powered on.

4.   Failure Detection:

A group of SalvationDATA forensic experts was assigned the task of data recovery for the target drive.

Observe: Through observation of the target disk A, it is concluded that there was no obvious damage, including the most vulnerable sides and corners.

Listen: When the drive is connected to DRS (Data Recovery System, picture 2) for electrical detection, an abnormal sound can be heard.

Picture 2: DRS can pre-diagnose health condition of drives

Examine: According to the description, data stored in the target drive is highly confidential; thus the drive uses both hardware encryption and USB firmware encryption with the WD built-in program WDunlocker.

Diagnose: After the circuit board of target drive A is changed, the drive still makes the abnormal sound when powered on, which rules out the circuit board as the cause of the sound. Opening the drive in the dust-free studio (level: double hundred) reveals that head #1 of disk #0 is badly scratched (picture 3).

Picture 3: Red arrow indicates scratches (can be observed on the physical disk)

Drive detection leads to the conclusion that data recovery is possible (30%) using special methods.

5.  Forensic Data Recovery

5.1  Drive opening and head replacement. The operation should be conducted in the dust-free studio: replace the head of target drive A with the one from drive C. The specifics have been explained in issue 1 and will not be repeated here.

5.2  Circuit Board Changing (ATA port). Replace the circuit board of target drive A with the one from drive C (ATA port). Changing the port is necessary because USB ports cannot handle situations where complicated defects occur.

5.3  Creating image files with selective head imaging. With head #1 of disk #0 badly scratched, direct access to the data is not possible because of the damage it may cause to the head and the other disks. SalvationDATA technicians use the ‘selective head imaging’ function in DRS (picture 4) to avoid the scratched sections of the disk while imaging data from target drive A to image disk B.

Picture 4: Selective Head Imaging

(This picture is only to demonstrate this function and not related to this case; H1 to H8 in this picture are available options)
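The sketch below is an added example, not SalvationDATA's or DRS's code, showing how an imaging pass that avoids one head becomes a set of read ranges and skipped ranges in the image. The `HEAD_MAP` extents, the function names and the layout are constructed assumptions; real LBA-to-head mappings are firmware-specific and come from the imaging tool.

```python
# Added example: plan a selective-head imaging pass from a head map.
# HEAD_MAP is constructed sample data, not taken from any real drive.
SECTOR = 512

# (first_lba, sector_count, head) extents in LBA order (constructed).
HEAD_MAP = [
    (0, 1000, 0), (1000, 1000, 1), (2000, 1000, 2), (3000, 1000, 3),
    (4000, 800, 3), (4800, 800, 2), (5600, 800, 1), (6400, 800, 0),
]

def plan_selective_image(head_map, skip_heads):
    """Split the LBA space into ranges to read and ranges left untouched."""
    read, skipped = [], []
    expected = head_map[0][0]
    for first, count, head in head_map:
        if first != expected or count <= 0:
            raise ValueError(f"head map gap or overlap at LBA {first}")
        expected = first + count
        target = skipped if head in skip_heads else read
        # Merge with the previous range when contiguous, to keep the plan short.
        if target and target[-1][0] + target[-1][1] == first:
            target[-1] = (target[-1][0], target[-1][1] + count)
        else:
            target.append((first, count))
    return read, skipped

def image(source, read_ranges, total_sectors, fill=b"\x00"):
    """Copy only the planned ranges; skipped sectors stay as fill bytes."""
    out = bytearray(fill * (total_sectors * SECTOR))
    for first, count in read_ranges:
        start, end = first * SECTOR, (first + count) * SECTOR
        out[start:end] = source[start:end]
    return bytes(out)

def coverage(read_ranges, skipped_ranges):
    """Fraction of sectors that the plan actually reads."""
    done = sum(count for _, count in read_ranges)
    return done / (done + sum(count for _, count in skipped_ranges))

if __name__ == "__main__":
    read, skipped = plan_selective_image(HEAD_MAP, skip_heads={1})
    print("read:", read)
    print("skipped:", skipped)
    print(f"coverage: {coverage(read, skipped):.1%}")
```

Keeping the skipped ranges alongside the image lets later analysis tell sectors that were never read from sectors that genuinely contain zeros.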

5.4  Decrypting with special methods: Although data has already been transferred to image disk B, it is still inaccessible because target drive A is double-secured. Decryption is necessary to access data stored on the drive, which is also one of the difficulties of this case study.

Unlike hard drives that have only hard drive firmware encryption and can be decrypted directly through DRS, target drive A is double-secured and requires the WDunlocker decryption dialog box to be brought up before decryption. Moreover, target drive A is a defective drive with a scratched disk, and secondary damage or access failure may occur when it is activated with the computer.

In order to deal with the above-mentioned situation that is common in data recovery, SalvationDATA forensic experts developed an integrated and effectual plan and changed the circuit board for a second time to pop up the dialog box (procedure specifics are not covered here). This method protects the hard drive from secondary damage and activates the decryption dialog box at the same time (picture 5).

Picture 5: decryption dialog box

5.5 Recovering data. After the previous four steps, data stored in both target drive A and image drive B can be extracted through the data extraction functions of SalvationDATA DRS (Data Recovery System). DRS automatically bypassed bad sectors of target drive A and accessed data in image drive B, and successfully recovered the data in the target drive (picture 6).

Conclusion:

SalvationDATA forensic experts explained two difficulties of the case: first, complicated management of defect situations with USB port hard drives (selective head imaging); second, activation of decryption dialog box without PC.

These two problems were addressed by SalvationDATA forensic experts using independent R&D methods. The former problem, which is common in data recovery, can be dealt with using selective head imaging with DRS. Procedures like decryption through board replacement need to be done manually and require the operator to be skillful and experienced; otherwise they will lead to failure in data recovery.