Atola Technology

Imaging Drives with Damaged Heads

Hard drives with physical damage require a complex imaging approach. This guide explains how to retrieve data from a drive with a damaged head stack with minimal risk of data loss.

If an Automatic Checkup report indicates that there is a problem with the heads, look at the status of each head.

If the status of a head or multiple heads is Degraded or Damaged, the drive will not be able to read all the data. What’s worse, even more sectors may soon become unavailable due to incorrect functioning of the drive’s hardware.

We recommend that you start by imaging the heads whose status is OK as soon as possible. To do that:

Step 1. Go to the Imaging category of the left-side menu, click the Create New Session link and select the device or file to which the data will be imaged.
Step 2. On the Start new imaging session page, go to the Heads line and click the Select heads to use link.
Step 3. Unselect the damaged head.
Step 4. Click the Start Imaging button.

2-1 Unselect Degraded Head

As a result, you get as much data from the drive’s viable heads as possible before even beginning to work with the damaged head. This way the risk of losing data on the working part of the head stack is minimized.

3-1 Imaging Result with 3 Good Heads

Now that this data has been successfully retrieved, you have two options:

  • Have the head stack replaced before imaging the remaining data. However, head stack replacement can make data on the drive unreadable.
  • Attempt imaging data with the Degraded or Damaged head. Follow the same procedure as with the good heads, only this time, during Step 3, unselect all the working heads and leave only the Degraded/Damaged one(s) selected before clicking Start Imaging.

4-1 Unselect 3 Working Heads

Atola Insight Forensic’s sophisticated functionality enables users to retrieve maximum data even from severely damaged drives.

Now that you have an image of the source evidence including the data copied from the damaged head, you can take the risk and get the head stack fixed. Afterwards, you can start a new session to complete the initially created image with data from previously unreadable sectors.

 

Connecting Seagate Drives to Serial Port

If you need to extract or reset an unknown password or perform drive recovery on a Seagate hard drive, use a Serial cable to connect the drive to the DiskSense unit.

Take a minute to familiarize yourself with the Serial cable’s three connectors. On one side of the cable, there are two connectors. Both are 2-pin RX-TX (receive-transmit) connectors. The slightly larger one has 2.5-mm pin pitch and is used for IDE drives. The smaller one has 2-mm pin pitch and is used for SATA drives.

Serial Cable Connectors Close Up

On the opposite side of the Serial cable, there is a 3-pin TX-RX-GND (transmit-receive-grounding) connector. This connector is inserted in the Serial port on the back side of the DiskSense unit.
DiskSense Back Side

Connecting 3.5-inch and 2.5-inch Seagate SATA drives

When you look at a Seagate SATA drive (either 3.5-inch or 2.5-inch), there is a 4-pin jumper block right next to the SATA port.
seagate sata 3.5
seagate sata 2.5
Connect the 2-mm RX-TX end of the serial cable to the two jumper pins located closest to the SATA port so that the red RX (receive) wire is connected to the pin closer to the SATA port.
seagate sata connected
seagate sata 2.5 connected

Connecting 3.5-inch Seagate IDE drives

Desktop IDE drives have an 8-pin jumper block between IDE port and Power port. For the purpose of this manual, we shall call the pair of pins located closest to the IDE port and used for Master/Slave settings the first pair of pins. The next, second pair of pins is usually used for Cable Select settings. The third pair of pins is the one we will connect the Serial cable to.

Please note that IDE hard drives must be set to Master mode for password extraction and reset or drive recovery. To use the drive in Master mode, place a jumper on the first pair of pins (closest to the IDE port), as shown in the picture below.
seagate IDE 3.5

Attach the 2.5-mm RX-TX connector to the third pair of jumper pins, as shown in the picture below. Make sure that the red RX (receive) wire is facing down and the black TX (transmit) wire is facing up. The second pair and the fourth pair of pins must be left open.
seagate IDE 3.5 connected

Connecting 2.5-inch Seagate IDE drives

Similar to desktop hard drives, laptop Seagate hard drives also must be set to Master mode to perform password extraction and reset or drive recovery. Master mode on a 2.5-inch device is set by removing all jumpers.
Seagate IDE 2.5
There is a 3.5″-to-2.5″ IDE adapter included in the package with the DiskSense unit. It consists of the following components:

  • IDE port J1 for IDE interface cable
  • 2.5-inch IDE port J2 to connect the drive to
  • Power port J3 for IDE power cable
  • 4-pin block J4, where each pin is marked with letter A, B, C, and D.

2.5-to-3.5 IDE adapter

Use the adapter to connect the drive to the IDE interface cable and the IDE power cable. Then attach the 2.5-mm RX-TX connector to the pins marked A and C, as shown in the picture below. Make sure that the black TX (transmit) wire is connected to pin A and the red RX (receive) wire is connected to pin C.
Seagate IDE 2.5

Please note that to use the 2.5-inch Seagate IDE drive in Slave mode, the 2.5-mm RX-TX connector must be detached from the adapter and instead a jumper must be placed on pins A and B.

Configuring the Baud rate

Once the Seagate hard drive is connected to the unit, follow these instructions to configure the Baud rate of Seagate Terminal, which allows you to use an extensive set of commands on a Seagate drive:

  1. If there is only one source drive connected to the DiskSense unit, it will automatically be identified and displayed in the Source disk port. However, if there are multiple hard drives connected to the DiskSense unit as Source drives, go to the Source category of the top-level menu, click Select Source and choose the Seagate drive.
  2. Power down the selected drive.
  3. In the Windows category of the top-level menu, click Terminal, and in the COM Port Settings window select the Baud rate compatible with the drive. Please note that for Seagate 7200.10 and older the Baud rate is 9600; for 7200.11 and newer the Baud rate is 38400 (Atola Insight Forensic will suggest the Baud rate by setting a default value in the Terminal window for the drive connected to it).
  4. Then click OK. But do not close the Terminal window just yet.
  5. Power on the drive again. There must be a valid output in the Terminal window (see the picture below).

Terminal output

Should there be no output in the Terminal window or should it consist of random symbols, try to change the Baud rate until you get a good response.

Now proceed with password extraction or send Seagate Terminal commands to the drive.

Clip Target Drive to Source Evidence Size

When you image data from a drive involved in an investigation case, and the target drive will be holding a 1:1 clone of evidence data, in many cases it is critical that the target drive’s capacity is identical to that of the source drive. Should there be a difference in size between the source and the target devices, their hashes will be different too.

However, if your SATA target drive has a larger capacity, you can limit its size to that of the source drive using Host Protected Area (HPA). It will make the sectors beyond this limit inaccessible to the hashing tools as well as the end user.

To do that:

  1. Go to the Imaging category of the left-side menu and click the Create New Session link.
  2. In the Preset line, click the Show settings link.
  3. In the Miscellaneous tab, tick the box next to the Limit target disk size to source size using HPA (SATA target ports only) option.

Enabling HPA

You can now proceed with the Imaging process by clicking Start Imaging button.

When Imaging is complete, you will see that target disk port now contains an HPA indicator, thus informing you that HPA has been enabled on this drive. There will also be a report created in the Case History.

Target Drive Port

This report will contain information about the time when HPA was enabled, a detailed device description and how this action was initiated. It will also indicate the initial max address as well as the current one.

HPA Report

Now you can calculate hashes on both disks to make sure they are identical.

Please note that enabling HPA is an option available only for SATA target drives.

Seghash – Open-source tool for segmented hashing

We have released Seghash, an open source tool that does two things:

Supported hash types: MD5, SHA1, SHA224, SHA256, SHA384, SHA512

Seghash is written in Go and released under the MIT license. It works on Windows, Linux, and macOS. You can download the source and pre-built binaries from our GitHub account.

By releasing this open source tool we would like to encourage wide adoption of the segmented hashing algorithm by all software vendors who want to provide their users with a superior hashing option.

Segmented hashing tool

What is segmented hashing?

It is a hashing concept created by our company and implemented in Atola Insight Forensic.

With regular hashing, you get a single hash for the entire image.

With segmented hashing, you end up with many hashes of corresponding LBA ranges (chunks) of the image. The sum of these LBA ranges represents the entire image, just not necessarily in sequential order. By validating all hashes in a set, you can still prove that the entire image was not modified.

All segment hashes are saved in a CSV file with the following simple format:

Hash,start LBA,end LBA

Example:

75c92419e86ce82734ef3bbb781e6602,0,8388608
e2c7fc5264bae820e46c50b0502236d3,8388609,16777216
42718e48b5adb59563c98727cbce0619,16777217,25165824

… And so on until the last LBA.

 

Atola Insight Forensic 4.7 – Segmented hashing

Atola Insight Forensic 4.7 is released!

This release comes with the new hashing concept which protects you from damaged target images and works in parallel with the multi-pass imaging engine.

The full list of Atola Insight Forensic 4.7 changes can be found here: Atola Insight Forensic Changelog.

Segmented hashes for multi-pass imaging

Conventional hashing algorithms do not allow source evidence to be imaged in a non-linear way, so a proper hash cannot be calculated when imaging damaged evidence drives. Enabling segmented hashing allows the use of multiple passes and more efficient handling of damaged drives, while still hashing all good areas.

Hashes are calculated only for the imaged regions, while all bad sectors are excluded from the calculation.

Segmented hashing in Imaging

Better resiliency

Another reason to use segmented hashes is to provide for better resiliency against target image data corruption. If your acquired evidence image is damaged at some point in the future, with regular hashes you will get a hash mismatch upon verification, and the entire image becomes useless, whereas with segmented hashes only one hash from a set becomes invalid.

Example – imaging with segmented hashing enabled

Here are imaging results with the link to segmented hashes file.

Imaging results with segmented hashes

Segmented hashes are saved in a CSV file with the simple “Hash,start LBA,end LBA” format:

Segmented hashes in CSV file

Example – verification of segmented hashes

There is a new operation added to Atola Insight – Verify Segmented Hashes. It is an automated way to take existing CSV files containing segmented hashes and verify all of them against the target image.

Let us take a closer look at the example to see how it works.

Step 1. First, let’s simulate a change of the evidence image. We can do so by selecting the target image and changing one byte at sector #35,000,000.

Change one byte in Disk Editor

 

Step 2. Now we go to Verify Segmented Hashes. Select the file with segmented hashes calculated during imaging and click Start.

Start segmented hash verification

 

Step 3. Hash verification is in progress. Here we see 18 segmented hashes checked. Hash for the interval that includes sector 35,000,000 is invalid.

Segmented hash verification in progress

 

Step 4. Hash verification finishes with the proper case report automatically created.

Segmented hash verification report
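
The verification walkthrough above, reduced to code as an added example (it is not Atola's Seghash or Insight code): it re-hashes every range in a "Hash,start LBA,end LBA" list and reports only the ranges that changed. Assumptions: 512-byte sectors, SHA-256 (one of the listed hash types), an inclusive end LBA as the sample rows imply, no header row, and a constructed 64-sector image with the changed byte in sector 35; the names hashRange and VerifySegments are hypothetical.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"fmt"
	"io"
	"strings"
)

const sectorSize = 512 // assumption: 512-byte sectors

// hashRange hashes sectors start..end (end inclusive, as the page's sample rows imply).
func hashRange(img io.ReaderAt, start, end int64) string {
	h, want := sha256.New(), (end-start+1)*sectorSize
	if n, _ := io.Copy(h, io.NewSectionReader(img, start*sectorSize, want)); n != want {
		return "" // truncated or unreadable range: never matches a stored hash
	}
	return fmt.Sprintf("%x", h.Sum(nil))
}

// VerifySegments re-hashes each "Hash,start LBA,end LBA" row (no header row expected)
// and returns the "start-end" ranges whose current hash differs from the stored one.
func VerifySegments(img io.ReaderAt, csvText string) ([]string, error) {
	var bad []string
	for _, line := range strings.Fields(csvText) {
		var want string
		var start, end int64
		f := strings.ReplaceAll(line, ",", " ")
		if n, _ := fmt.Sscan(f, &want, &start, &end); n != 3 || start < 0 || end < start {
			return nil, fmt.Errorf("bad row %q", line)
		}
		if got := hashRange(img, start, end); got == "" || !strings.EqualFold(got, want) {
			bad = append(bad, fmt.Sprintf("%d-%d", start, end))
		}
	}
	return bad, nil
}

func main() {
	img := bytes.Repeat([]byte{0xA5}, 64*sectorSize) // constructed 64-sector image
	var list string
	for s := int64(0); s < 64; s += 16 { // four 16-sector segments, hashed at "imaging" time
		list += fmt.Sprintf("%s,%d,%d\n", hashRange(bytes.NewReader(img), s, s+15), s, s+15)
	}
	img[35*sectorSize] ^= 1 // simulate a one-byte change in sector 35
	fmt.Println(VerifySegments(bytes.NewReader(img), list))
}
```

A truncated image is reported the same way: a range that can no longer be read in full comes back as a mismatch, while the other ranges still verify.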

 

If you want to learn more about other 4.7 changes, visit this page: Atola Insight Forensic Changelog.

Where to buy

If you still do not have an Atola Insight Forensic and would like to place an order, this can be done directly via Atola Technology, or from a distributor near you:

http://atola.com/wheretobuy/

 
