Editor’s notes: Firmware is the software system initially written to a hard drive when it’s manufactured. It allows the hard drive to operate correctly, when an HDD boots up, it needs to immediately access firmware on its platters and controller board. When the firmware is damaged or corrupted, we will not be able to access the data stored on the hard drive, which could be a catastrophe for a digital forensic investigation.
In this article, SalvationDATA forensic experts will share a way to forensically extract data from an unidentified Seagate HDD with the professional firmware recovery utilities integrated into Data Recovery System (DRS).
Forensic Diagnostics
Before we start to work on the problem, let’s follow our standard forensic recovery procedures and run some diagnostics with DRS to locate the root cause of the hard drive failure.
As shown in the picture, DRS detected a system area (firmware area) malfunction, and the capacity of this drive is displayed as ‘0’. This is a typical Seagate HDD firmware corruption issue, and this is why an operating system is unable to identify this hard drive. So we must fix this firmware corruption before we can extract any evidence data from this hard drive. Let’s continue and see how it is done with the help DRS.
Firmware Recovery
Step 1. Connect the serial command cable to your PC. Any firmware operation on a Seagate hard drive is realized by a serial command cable, so we must connect the target drive to the PC with it. Use the JP4 adapter for SATA Seagate drives.
Step 2. Go to the Seagate firmware recovery module, choose the com port which the serial command cable is connected, and open the serial port.
Step 3. After the com port is opened, power up the drive. Then load from disk. Remember, only continue to this step after the drive is in the ready status.
Step 4. Wait until the loading process is complete, then switch to the ‘Other Options’ tab and click ‘Fix Capacity Error’ to automatically fix the firmware corruption.
Step 5. When the recovery is done, reboot the drive and go to sector view to verify if firmware corruption is fixed. If data can be freely accessed in sector view, it means firmware is now functioning and we can proceed to our forensic extraction.
Step 6. Back to the main menu and enter ‘File Recovery & File Carving’. Choose a scanning mode to scan the target hard drive. To recover lately deleted files, choose ‘Quick Scan’. To recover lost files from a formatted partition, choose ‘Deep Scan’. If the file system is Completely corrupted, choose ‘RAW Scan’.
Step 7. Browse the files extracted from the target hard drive, export the files of interest and generate a forensic report if needed.
Conclusions
In this article, we introduced an easy solution to forensically extract data from a firmware corrupted Seagate hard drive which cannot be identified by the operating system. Normally, a firmware recovery operation requires professional knowledge and experience. But the situation with DRS is a little bit different. Unlike some other forensic data recovery tools in the market, DRS offers not only professional firmware recovery utilities but also many one-key solutions to common firmware corruptions. This makes it possible for non-technical digital forensic investigators to collect evidence from firmware damaged hard drives.
For more information, please check out our website: www.Salvationdata.com
Or contact us at [email protected]
SalvationDATA Blog 