Digital Forensics for Hard Drives
Hard Drive Forensics
Hard disk drives have been around since the 1950s, and to this day remain the premier form of data storage in the modern world. While flash memory has been making rapid gains, most people still have hard drives inside their computers storing the majority of their data. When a hard drive turns up in your investigation, there can be a massive amount of valuable data living within it. But piecing the data together and answering questions such as what the hard drive was used for, when the data on it was created, and by whom can be difficult—especially if the data has been deleted from the hard drive, the drive has been reformatted, or the user has attempted to physically damage or destroy the drive. An improperly-conducted investigation can also risk destroying critical data on the drive. When you need help with your investigation, our hard drive forensics experts are here for you.
Hard Disk Drives: A Brief Overview
Hard disk drives are a form of magnetic data storage. The hard disk platters containing all of the data on the drive are made of aluminum or glass and coated with thin layers of ferromagnetic alloys. The thin magnetic substrate holds all of the data on the drive. Tiny regions covering the platter surfaces have different magnetic fields representing single binary bits of data.
The drive’s read/write heads—tiny coils of copper wire attached to the ends of long metal arms—detect the presence of a 0 or a 1 in order to read data, and alter the fields’ magnetic charges in order to write data to the drive. Eight of these tiny regions together make up a single byte of data, which can be represented as a single base-16 hexadecimal value.
The bytes of data on the hard disk platters are grouped together into sectors. Each sector has 512 bytes of usable data, plus identification metadata and error correcting codes that usually only the hard drive cares about. Using a hex editor, examiners can take a look at the data on a hard drive one sector at a time. These bytes of data comprise every piece of data, from simple text file to a company’s Quickbooks file.
Hard Drive Forensics Overview
The data stored within each hard drive tells a story. A forensic investigator’s job is to examine the data carefully and piece together the story as accurately as possible. The files on a hard drive and the metadata defining them can reveal how and when the hard drive was used. When were files created on the drive, and when were they modified? Who was using the hard drive? Which devices (such as mobile phones or USB flash drives) were connected to the computer when it was in use? A skilled and knowledgeable forensic investigator can uncover the answers to these questions.
Most of the hard drives encountered by forensic investigators are perfectly healthy. But there are situations in which somebody has intentionally tried to destroy the data on a hard drive, either by deleting it from the drive, or reformatting the drive to erase its contents. An inexperienced individual attempting to examine the data on a hard drive can also lead to unintentional data spoilage. When these things happen, telling the story of a hard drive’s use becomes much more difficult, requiring the aid of experience data recovery professionals to salvage missing data.
Recovering Deleted Data
Data deletion scenarios are common in the forensics world. Whether it’s a disgruntled employee on their last day at work taking a metaphorical ax to the company’s share folder or trying to cover their tracks after making off with some intellectual property, or a suspected perpetrator hiding evidence of a crime, deleting the data from a hard drive can seem like the end of the road.
But for hard drives, deletion is not the end—at least not yet. There are several stages of deletion a file goes through. First, you send the file to the “recycle” or “trash” bin, where it can easily be restored. To further delete a file, you “empty” the recycle bin. Even at this stage, you haven’t actually deleted the file, though. All you have done is tell the hard drive that the space occupied by that file is now available for new data to be written to. Hard drives keep a record of which sector clusters are in use and which are not. When you “permanently” delete a file, you merely tell the hard drive to remove the flag from these clusters marking them as used, and delete the metadata pointing to the file’s location.
Ultimately, the only way to permanently delete a file is to completely overwrite all of its sectors. When a file has been deleted and its sectors marked for reuse, this will naturally happen as the user goes about their daily business using their hard drive. Even booting up the computer can write megabytes of operating system data to the drive, changing a multitude of files and taking actions that can potentially overwrite any deleted data.
There exists data recovery software to restore deleted files, but freely available file retrieval software isn’t robust or intelligent enough to recover all lost data. Intelligent analysis tools coupled with knowledgeable human examiners will generally yield much better results.
Where Data “Hides” After a Reformat
Like data deletion, reformatting a hard drive is a common tactic to cover one’s tracks. Reformatting a hard drive means deleting its data on a much wider scale. The end result is a completely fresh and seemingly-blank hard drive. But as with deleting data, there is much going on beneath the surface, unseen by the user, during and after a reformat.
There are two ways to reformat a hard drive: a “full” format and a “quick” format. When a hard drive has been reformatted, the person responsible has typically opted for a quick format.
A full format goes through the entire drive and fills every readable sector with zeroes. This is highly destructive, as there is no way to revert the sectors after they have been altered. However, if any sectors have become too damaged to read normally, or if the drive hiccups during the process and sectors become temporarily unreadable, the full format will skip over them and leave their data unaltered. Thus there may still be trace amounts of data remaining on the drive after a full format. This reformat method is not often used, because it can take a long time to complete (depending on the capacity of the drive).
The quick format is more commonly used, because it only takes a few seconds or minutes to complete. As with deleting files, most of the data still exists on the hard drive, only it is now marked as available space. Key logical volume metadata, such as the partition table or partition superblock, may be overwritten, and each use of the drive after formatting can overwrite some of the old data on the drive. Using powerful forensic hard disk examination tools, most of the data on a hard drive can be recovered after a quick reformat.
Damaged or Destroyed Hard Drive Forensics
Most of the time, forensic investigators are dealing with perfectly healthy hard disk drives. But as a last resort, someone may intentionally break or destroy their hard drive in order to cover their tracks. And, of course, hard drives can be damaged accidentally as well. This is not necessarily the end of the line, though. Using advanced data recovery tools and techniques, it may be possible to recover some or even all of the data on the hard drive.
Hard drives have very delicate parts inside of them—in particular, the hard disk platters containing all of the data on the drive. The read/write heads inside the drive float a scant few nanometers away from the surface of the platters, and they can crash into the platter surfaces if a hard drive is dropped while running or suddenly loses power. If a hard drive’s owner intends to render their data irretrievable, they may attempt to open the hard drive and contaminate or remove the platters—however, this requires special tools. They may also attempt to expose the drive to extreme heat or submerge it in water.
Hard disk platters must be as smooth as possible, since the read/write heads are so close to their surfaces. For reference, the height of a fingerprint left on a platter surface is higher than the fly height of a read/write head, and the size of a mote of dust or strand of hair dwarfs the distance between heads and platters. If debris is allowed to collect on the platters, the hard drive will be unable to function without destroying the read/write heads. In order to salvage data from the platters, special burnishing tools are required to clean the debris off of the platters and smooth out their surfaces. This does not restore any data lost due to damage to the platter surfaces, but allows data recovery and digital forensics experts to salvage the remaining data from the platters.
Hard Drive Forensics Services by Gillware
Gillware has all of the tools and expertise required to salvage data from hard disk drives. Hard drive forensics requires extensive knowledge of the inner workings of hard drives, especially when the drive has been damaged or tampered with. A deep understanding of how hard drives store their data and how to use the data on hard drives to determine how the drive was used, as well as how to repair and salvage data from physically compromised hard drives, is essential for hard drive forensics investigations to produce the best possible results.
We leverage the skill and expertise of data recovery and digital forensics professionals with over 25 years of combined experience, combining state-of-the-art data recovery and digital forensics tools and techniques. Our digital forensics experts conduct full and thorough analyses of the data pulled from hard drives. In cases where data has been lost, our data recovery experts can salvage data from these drives, even if they have been physically damaged. We can also provide expert testimony in order to make sure our findings are clearly and accurately represented. With seasoned experts in the worlds of both digital forensics and data recovery, Gillware has the talent, tools, and techniques to come to your aid when you need hard drive forensics services.