By the Numbers: A Breakdown of Gillware’s Data Recovery Case Work
May 23, 2016
recovery results
Data Recovery Case Study: Western Digital WD5000LPVX-75V0TT0 Laptop Hard Drive Failed to Boot
May 26, 2016

Recovery Type: External Hard Drive
Drive Capacity: 1TB
Manufacturer: Western Digital
Model Name: Passport
Model Number: WD10JMVW-11S5XS0
Operating System: Macintosh
Main Symptom: Invalid Partition Table, Platter Damage, SmartWare Encryption
Type of Data: Pictures and Documents
Data Recovery Grade: 9
Binary Read: 99.99%

This client’s hard drive had already been opened up before it had even arrived at Gillware. Usually, when we see a drive that has been “cracked”, it is bad news. When a hard drive has been opened up anywhere but in our cleanroom, we have no way of knowing exactly what has been done to it or what kind of environment it has been exposed to, and so while we treat all of our clients’ hard drives and data storage devices with the great care, an extra layer of delicate and cautious handling is needed for “cracked” hard drives. It’s not unusual for our engineers to discover that a previously-opened hard drive has significant platter damage or mangled read/write heads that can make recovery very difficult and drastically reduce the amount of data that can be recovered. Luckily, when our cleanroom engineer Drew inspected the client’s hard drive, he found the heads to be in good shape and the platters relatively free of damage. While there had been some “dings” as a result of the heads briefly impacting the platters, there was no sign of any visible rotational scoring.

This hard drive was pulled from a Western Digital My Passport for Mac external device, and as such, there were two key differences between it and the common Western Digital hard drive you may find inside your laptop. The first key difference is immediately obvious. The drive’s printed circuit board, or PCB, has been redesigned so that the device can connect to any computer via USB cable instead of SATA cables. Greg Andrzejewski, our senior engineer and Director of Research and Development, goes into greater detail about the differences between an internal hard drive’s PCB and a modern external drive’s PCB in this article about our recovery of an external drive belonging to Vera Goulet, wife of the late singer and actor Robert Goulet. The second key difference is that a Western Digital external drive encrypts and decrypts the data passing through it on a hardware level. My Passport drives have this feature built right into the drive’s PCB, whereas My Book drives have a USB dongle connected to the hard drive that does the same thing. Western Digital refers to their brand of hardware-level hard drive encryption as SmartWare encryption.

While the damage to the hard drive seemed far from catastrophic, another obstacle to data recovery presented itself in the form of the drive’s USB connection. We do not have the same ability to control the performance of a USB drive as we do a SATA drive; the USB connection does not give us the same kind of access and control over the hard drive as a SATA connection does. When a hard drive has sustained physical damage, and there is a chance its condition may worsen, being able to control certain aspects of how the drive reads is can make all the difference between a great data recovery outcome and a mediocre or outright poor outcome. After bypassing the USB connection of the hard drive’s PCB to control it as we would a normal SATA drive, we were able to read 99.9% of the drive’s sectors with our in-house data recovery tool HOMBRE. Despite the damage to the platters, only 8,504 out of the roughly two billion sectors the one-terabyte hard drive contains could not be read.

All of the data we had read from the drive was still encrypted, because we had bypassed the part of the PCB that handles decryption. Luckily, we had the means to decrypt the data, because we had recovered the drive’s SmartWare encryption certificate. Western Digital external drives keep the certificate in two locations on the disk, and the USB PCB or dongle that handles decryption for Western Digital My Passports and My Books looks for this certificate in order to decrypt the data on the drive. The next step in the data recovery process was to clone the encrypted data to one of our healthy desktop hard drives and use it to decrypt the data we had recovered. Upon analyzing the recovered data, we determined that 99.9% of the client’s files had been successfully recovered. We rated this case a 9 on our ten-point scale.

encrypted sector 0

The encrypted sector 0

Portion of the decrypted sector

A portion of the decrypted sector

While there had been some damage to the drive’s platters, it is likely that the initial cause of failure was an invalid partition table, and opening up the hard drive had only caused further problems. When an external USB device’s partition table becomes invalid, it is commonly a result of the drive being unplugged from the owner’s computer before being safely ejected. While plenty of people have been guilty of prematurely unplugging external hard drives and flash drives many times without suffering any negative consequences, there is always the risk that the next time you plug your Western Digital My Passport into your computer, the files you’ve stored on that external hard drive will be just out of reach.

2 Comments

  1. […] Gillware, we deal with encrypted data recovery cases all the time. We deal with everything from SmartWare and FileVault encryption to PGP and EFS encryption. Recovering data from encrypted storage devices […]

  2. […] such as BitLocker and TrueCrypt work. It’s very different from Western Digital’s hardware-level SmartWare encryption. However, it presents many similar challenges to data […]

Leave a Reply

Your email address will not be published. Required fields are marked *