What's new in data recovery, Acelab plans for the future, PC-3000 Portable III, an effective solution for data recovery from modern hard drives, data recovery from NVMe SSD, news on PC-3000 Flash and news in Data Extractor software. This is a brief summary of this year's conference, presented by Jitka Žídková and Elena Shulga.

Hotline
DATA RECOVERY
+420 608 177 773

10 years ago or more in the field of data recovery, we encountered almost exclusively classic hard disks, and encrypting data on them was rather an exception. However, times have changed, and although HDDs are still the most common “operating field” of data rescue specialists today, flash-based media and media encrypted in various ways are also becoming more and more the subject of data recovery. Acelab engineers responded to these challenges and shared their findings with colleagues and customers from around the world during Thursday's conference (in Europe, in the US a day later).

This year, PC-3000 Portable III plays the main part

One universal solution for most common tasks in the field of data recovery. For many specialists in this field, Acelab offer is somewhat confusing, as the PC-3000 Express, PC-3000 UDMA and PC-3000 Portable III products seem to overlap with some functions. And basically yes, these products partially overlap functionally, but the PC-3000 Portable III is intended more as an expansion of the portfolio to almost completely cover all common areas of data recovery. This self-operating and feature-packed forensic case complements the equipment of a specialized laboratory. We already have it in our equipment :-)

Be it USB host, SATA, PATA, NVMe, USB flash, SD and micro SD or Apple MacBook SSD, the PC-3000 Portable III can currently handle these types of media. But that's not the end of the list. Acelab is already working on extensions that will add support for PCI Express and SAS drives to the list of features.

Standalone Mode, Easy Mode, Full-Featured Mode.

The device can be used in three modes. In Standalone Mode, it works independently, without the need to use a computer. It is possible to perform only basic operations with drives, such as basic drive diagnostics, SMART read, drive read test, hash count, data erasure, data copy, but also any need to view individual sectors.
This is often sufficient for use in the field and logs from the performed operations can then be downloaded to a computer.

Easy mode is suitable for beginners or for example for forensic experts who need to use complex functions when time is a priority. In Easy Mode it is possible, among other things, to perform quick comprehensive drive diagnostics, emulate a drive in Windows using Win Disk Utility, work with ATA passwords (drive protection by user password at disk service area level), prepare a binary copy of a drive to another drive or file, generate a report on the status of the drive and many other functions so that they can be performed quickly and without the need for in-depth knowledge of the issue.

Acelab engineer Roman Morozov performed this part of the presentation. In a practical example of working with Easy Mode, he focused, for example, on the above mentioned work with ATA password protection of the drive.The PC-3000 Portable III combined with a software Data Extractor can easily consult a 2TB drive Western DigitalWD20EARS. After starting the process and a few clicks, the data recovery engineer or forensic specialist gets the option to completely disable the password or display it in a readable form. Part of this demonstration also consisted in working with drive heads at software level, where one of the six drive heads was not in good condition. At the end of the demonstration, Morozov used the Data Extractor to generate a detailed report of the work performed with the drive, including clear graphs of the performance of individual heads. For example, this report can show a customer exactly what is happening to their disk and why data recovery is more difficult.

For most data recovery professionals who already use Acelab products, the so-called Full- Featured Mode is well known. This is a working mode where all functions are accessible in the advanced mode and working with them is fully in your hands. Unlike other Acelab products, the PC-3000 Portable III has several tweaks up its sleeve that will be the main reason to buy the product.

USB Host Port

USB Host Port provides a complete operating system independence when working with a USB device. If you work with a USB device using the USB port on the system board, the work is always affected by the computer itself, the device driver and the operating system. This may not be desirable in the case of data recovery, and certainly not at all if, for example, you need to secure forensic evidence from a data medium so that it is completely intact and usable in court.

Full control of device consumption and its analysis, communication using a special driver developed by Acelab, completely immune to OS, direct communication between PC-3000 Portable III and USB device, ability to work with technological commands that may be useful, for example, when working with native Toshiba USB drives, Seagate or Western Digital. However, you can also work with USB drives and SD and microSD cards, the support of which was added by Acelab a few weeks ago. These are the main advantages of the USB Host Port.

The subject of the demonstration was a microSD card from Sandisk, which was detected after connecting to a PC running Windows, but the user did not have access to the data. For comparison, Morozov also tried to access the card using PC-3000 Flash software to tackle the same problem. Direct access to the card via the PC-3000 Portable III, using a standard USB adapter, immediately solved the problem and the data was accessible.

However, it should be noted that in both initial cases, the attempt took place at the level of connecting the card to the OS. The PC-3000 Flash can be equipped with an adapter for reading SD and microSD cards, so the work with the card also takes place outside the influence of the OS. The result would probably be the same as with the PC 3000-Portable III.

NVMe SSD and a bit of history. The protocol is robust, as well as problematic if data recovery is needed.

The first PCI-E drives appeared on the market in the years 2007-2012. However, from today's point of view, they were more or less a bit of a dinosaur. The manufacturers tried to solve the relatively slow reading and writing of the SSDs by squeezing several of them on one PCB, adding a RAID controller, PCI-E Bridge, and that is how the first predecessors of today's relatively miniature NVMe drives were created. These by-products of the SSD world reached speeds of 700-1200 MB/s, which was and still is many times the speed of classic hard drives. However, in addition to the high price, their expansion was hindered by a number of other shortcomings, such as some problematic compatibility with motherboards and operating systems and the absence of any internal optimization (TRIM and others ...). From the point of view of data recovery, the complex internal structure of the disk was indeed problematic.

In the following years, manufacturers focused mainly on the development of SSDs, for which they soon encountered the technological limit of read and write speeds (550/540 MB / s). The logical next step in the evolution of SSDs was a new interface that would break the SATA speed limits and allow the application of the already devised scheme of functionality, but in conjunction with other hardware and operating systems.

Apple was the first to take on the challenge of launching a new interface. But Apple did not think of non Apple hardware. In the years 2013-2014, the first M.2 AHCI PCIe drives Plextor P6e, Sandisk A110 and Samsung XP941 appeared on the market. These are able to communicate with current and older hardware and operating systems without any problems and, thanks to the use of a native PCI-E 2.0 x2-x4 controller, reach speeds of up to 1200 MB/ s. However, the price still prevents their expansion.

In the years 2015-2017, SSDs get rid of the AHCI protocol and continue to follow the NVMe protocol. The advantage, of course, is the use of native PCI-E controllers and the increasing transmission speed. However, a completely new unified protocol without feedback on ATA, AHCI and SAS can be an advantage as well as a disadvantage at a time. We are, of course, talking about data recovery from NVMe SSDs, where the PC-3000 Portable III, which was the main focus of this year's Acelab conference, enters the scene.

Older (but still current) PC-3000 Express and UDMA Acelab products have support for SSDs. However, technologically they fall into the period before NVMe, so we are only talking about SATA SSD.

PC-3000 Portable III offers native NVMe SSD support. Acelab engineers have paid close attention to this new communication protocol, because without its support, rescuing data from the NVMe SSD has often been more of an experiment in recent months and years. Laboratories equipped with PC-3000 Portable III can now offer their clients data recovery from NVMe SSDs.

Apple Fusion Drive

Apple Fusion Drive is a technology developed and used only by Apple, so like other specialties from the Apple gamut, it brings new challenges to the world of data recovery and data rescue. At last year's Acelab conference, Apple Fusion Drive was discussed mainly in connection with APFS. This year it was talked about in connection with the support of NVMe SSD with the new PC-3000 Portable III.

To work with Fusion Drive, you need to have a PC-3000 Portable III in RAID version. If it is purely about a reconstruction of Fusion Drive or Fusion Drive with logical damage and we have a functional NVMe SSD and HDD, then it is really a matter of a few clicks, as Alexander Leonenko demonstrated when working with the 1TB HDD Seagate and 28 GB SSD Apple.

However, the main problem with NVMe SSD so far has been if there is a problem with the controller or firmware. And here the PC-3000 Portable III has the opportunity to show its strengths. The demonstration was performed with an NVMe SSD with a Phison PS5007 controller. The drive was incorrectly detected, showed incorrect capacity and, of course, user data could not be read. Further work under the guidance of a specialist from Acelab seemed easy - load the disk loader, run Data Extractor, automatically reconstruct the translator and user data was accessible. However, the condition is that the drive has already been analyzed by Acelab and is supported within their software.

The illustrated NVMe SSD was not part of Fusion Drive, but the important thing is that we would be able to make a binary copy of it and continue working with it.

NVMe extensions for PC-3000 Express and PC-3000 UDMA ? Probably not

Many times, data recovery specialists from around the world have debated in discussion forums whether Acelab will include support for NVMe SSD for current PC-3000 Express and UDMA products. Acelab engineer Alexander Leonenko said during the conference that the PC-3000 Express and UDMA products were created at a time when the NVMe protocol did not exist and those products do not include a PCI-E controller. It is part of only the latest product PC-3000 Portable III and the reduction itself from the M.2 interface is really only a reduction, it does not contain any bridges and everything is solved inside the PC-3000 Portable III device. It can be deduced from this that the PC-3000 Express and PC-3000 UDMA will not be retrofitted with NVMe SSD support.

Support for SAS drives and PCI-E drives is a matter of the near future

SAS drives are not exactly a frequent subject of data recovery, but if we need to work with them, then a separate solution from Acelab - PC-3000 SAS is currently needed. Native PCI-E drives are not yet supported. To bring the PC-3000 Portable III forensic case even closer to its complexity, Acelab decided to add support for the SAS and PCI-E drives they are currently working on. NVMe is becoming (or rather has already become) the standard, so it cannot be overlooked even in the field of data recovery.

SMR: Data Recovery Complications on Several Levels

Hard drive manufacturers have recently used a variety of methods to complicate the work of data recovery companies and charge the customers with a defective drive. SMR is another example. Alexander Leonenko presented new and improved features of Data Extractor software at the conference. He was the first to mention SMR drives, their common problems and possible solutions.

The HDD translator without SMR function briefly translates LBA (Logical Block Address) to PBA (Physical Block Address), it is a so-called single-level translator. However, the SMR drives translator has to do a lot more work so that the user can still access his data, and there are significantly more changes in the service area of ​​the drive where the translator is stored. SMR drives have a so-called two-level translator. Leonenko demonstrated how many changes must be written in the service area if we change a single bit on the drive. More specifically, there were almost 50,000 changed bits in the service area.

One example with a faulty translator was clearly shown on the WD10SPZX-22Z10T0 drive. At first glance, the drive did not contain any data when mounted. The individual sectors contained only zeros, and nothing could be found using RAW. To access the data back, we had to work with module 190, which is a second-level translator for this WD drive, then switch the read from drive to LBA, and the data was reborn. In this context, the data extractor now also has the Lock SA access function, which is a function that locks access to the service area.

Modern Seagate drives, unsupported firmware, work with service area and RAM

No HOST FIS-ReadyStatusFlags and Fault State are drive states reported by the terminal that tell the data recovery professional where to go to access the user’s data. The average user will not see these conditions anywhere. And he won't even see his data. His drive stops communicating with his computer, and whatever he may do, he has lost access to his data.

New functions integrated in the Data Extractor bring improvements, where by working in the drive’s RAM, it is possible to solve some previously difficult cases. The presentation included a practical demonstration with Seagate ST2000DM001-1CH164 and Seagate ST1000LM035-1RK172 drives, the so-called Rosewood (internal designation of these Seagate drives), which is well known among the professional community.

Block Writing - another useful feature for working with modern drives

As the name suggests, Block Writing is a feature that prevents the drive from writing data, specifically to the service area and therefore to some drives to the user data area. This feature can be particularly useful when working with modern drives, which like to work with the service area significantly more than their predecessors, and it is also not possible to apply some procedures with the usual methods. For example, it will solve some problems related to Media Cache and Scratch Pad.

And in connection with the Block Writing function, the focus was again on SMR drives, which write to the service area very often. For example, the usual method of changing the head map is inappropriate for SMR drives, it can be dangerous. The Block Writing function may change this, but as Leonenko mentioned, the head map change function is still under development.

Leonenko summed up the function as follows: If we have the option of using the Block Writing function, we can prepare the drive and set the conditions where it is possible to safely save data. We will prevent any attempts by the drive to change the data stored on it (of course, in relation to certain defects that this presentation was about).

The trusted power of PC-3000 Flash

The part of the conference focused on rescuing data from flash drives and memory cards first focused on forensic specialists. In a demonstration, Leonenko demonstrated how the PC-3000 Flash handles the analysis and recovery of data from reallocated memory blocks, which can be useful in providing forensic evidence from a seemingly completely erased flash drive.

Another novelty in the PC-3000 Flash software is the newly integrated complex operations, which on the one hand save time and can also be useful for beginners with this software. For example, a function called CREATE SUBMAP AND “REREAD” can handle a series of steps to recover data from flash memory, starting with error correction. Another interesting feature will help reconstruct the drive image using information from the file system. It's called RAW RECOVERY AND CREATE DRIVE FROM MAP. It can be useful, for example, when it is not possible to reconstruct a file system using a translator.

The PC-3000 Flash has been further equipped with many new resources, such as new XOR, ECC, new translators for Silicon Motion (SM), Sandisk and Phison, new memory chips have been added, and improvements and enhancements have been added that can be useful not only for experienced experts in the field of data recovery from flash storage media, but also for beginners in this field and forensic experts who often have no time to waste.

Additional maps - entropy maps, map of metadata headers, GREP based maps

Data Extractor creates classic maps of sectors of the data medium, where successfully marked sectors are marked by green color, black means a reading error, etc.
Additional maps work differently.

An entropy map will help solve problems with data media that is completely or partially encrypted, as well as detect RAID parameters. The entropic map expresses the degree of data clutter and is given in values ​​0 - 1. A value close to the number 1 then indicates that the map comes from encrypted or compressed data. In practice, this function can then be used, for example, to determine whether the medium is somehow encrypted, or else completely or partially.

The Map of metadata headers - the name is a good indication of the function that this map performs. But what good is it if I can run RAW recovery and get the same data ? The metadata header map is created during the creation of a binary copy of the data medium. The subject of data recovery is often data media that have a damaged file system for various reasons. With the help of this map, you will get an overview of possible available file systems, as well as an immediate access to file system metadata and their use.

A GREP based map may be useful for example when working with SMR drives. The map is defined by the data recovery specialist himself and can be used to define any GREP information that will be displayed on a special drive map already during the creation of a binary copy of the data medium, which facilitates its analysis.

New data recovery options from NTFS

In the latest version, Data Extractor comes with additional functions for working with NTFS, which is probably the most widespread file system. It can now also work with so-called Volume Shadow Copies, which are created by the Windows operating system or some backup software. When you install new software or at the user's initiative, Windows System Restore and Backup creates a snapshot of the changed data that Windows can then use to return to the state before the software was installed, which can be useful if something fails and the newly installed software causes operating system problems. These snapshots are stored on the root of the drive in the \System Volume Information\ folder. With the help of a snapshot saved in this way, Data Extractor can create a virtual drive that contains the data as it was before a certain change in the operating system.

Other functions of the Data Extractor can work with $LogFile, which contains information about changes made in the system. For example, which files have been deleted, renamed, moved, etc. The new function is called Parse $LogFile and can generate a virtual file system based on the information obtained with a preview of versions of individual files divided into directories, or the same in the so-called Folder view, which allows a preview of the versions of individual files with their original location. The last option to work with the Parse $LogFile function is individual versions of the virtual drive (Virtual Drive “Versions”).

Securely mount a read-write virtual drive ? Windows can now store data in a separate data layer

In previous versions, Data Extractor allowed you to mount a virtual drive in Read-only, Write simulation, and Read and write modes. The first two options do not allow Windows to control the virtual drive, and the third is potentially dangerous or unwanted if the data recovery specialist works with, for example, forensic data.

The function of writing to a separate data layer (Read and write to the additional layer) has been added, where Windows gains full control over the virtual drive, but all changes are saved in a separate layer and the original data remains intact. This feature can be useful, for example, if you need to work with a file system using third-party software to recover data. The new function can save a considerable amount of time that was previously needed to export data to another drive, and if something fails, repeat the whole process. Especially for drives with a larger capacity, this new feature can save days of work.

The raffle could not take place this year, so to finish up the traditional recommendation

Although it sometimes seems that SSDs are the only option that can be purchased for a new computer or laptop today, this is not the case. Classic hard drives still play an important role and are still the most common subject of data recovery. Even today, higher capacity HDDs are a good choice because high capacity SSDs are still expensive. Even at the end of many blog posts, I recommend that clients backup their data regularly. Backup and you can save worries and money in case of data media failure. One day, the conference on data recovery may be pointless :)