Protected: SUMURI EDR Tools

HDD Data Recovery in Digital Forensics – Lesson 1

Lesson 1 – Part 1


In these training sessions we'll discover how a hard drive works physically and logically. This information is not easily available on the internet, but it is vital for understanding how to diagnose a drive, or even for recognizing whether a drive was tampered with to prevent access to the data area.

Topics:
  • Hard Drive Parts and Functions
  • Electronic Board
  • Mechanical Parts
  • Magnetic Heads Positioning System
  • How are Bits Stored
  • Magnetic Recording Methods

HDDs are an example of mechatronics, where electronics and mechanics are fused together. Understanding how the electronics interface with the mechanics allows us to understand the possible causes of data loss, as well as possible anti-forensics techniques used to prevent a forensic investigation.

We will start by dividing the HDD into 2 main parts:
  • HDA – Head Disk Assembly
  • PCBA – Printed Circuit Board Assembly

PCBA:

The PCBA is the mainboard. Its aim is to make the drive load its own firmware and communicate with the PC through a controller.

Main components:
  1. MCU
  2. ROM
  3. SPINDLE CONTROLLER
  4. BUFFER

PCBA: embedded vs. external ROM
  • [1] Western Digital laptop drive, embedded ROM
  • [2] Western Digital laptop drive, external ROM

ROM:

Inside a ROM chip we can find

  • Code
  • Modules
    • Adaptive data
    • Head map
    • Boot flags
    • Techno overlay modules
    • Modules directories
  • Is the ROM worth analyzing?
  • What kind of data can be stored?
  • Should ROM be tampered with?
  • Is the ROM somehow hashed in a standard forensic acquisition?

HDA

Includes the external case with all the magnetic and mechanical parts

  1. SPINDLE MOTOR
  2. AIR FILTER
  3. HEAD STACK
  4. BOTTOM MAGNET
  5. TOP MAGNET
  6. SPACERS
  7. HEAD RAMP
HEAD STACK

  1. R/W heads
  2. Preamp chip
  3. Head sliders
  4. Head stack connector
  5. VCM Voice Coil Motor
HEADS:

Read element and write element

  1. Load/unload tip
  2. Reader/writer/heater connectors
  3. Read/write element
    1. Air bearing contour
  4. Micro actuator
The HDD is not sealed.
  • Air is needed to let the heads “fly” over the platters
  • Air must be filtered
Importance of clean environment
  • To open an HDD we need to work in a clean environment, such as a laminar flow clean bench.
  • We normally use an ISO 5 flow hood.

CONTAMINATION VS FLIGHT HEIGHT

  • FINGERPRINT .00062 in.
  • DUST PARTICLE .0015 in.
  • HUMAN HAIR .003 in.

Positioning system: Head map
