The meeting of data recovery specialists and forensic experts this time took place in the city of Malaga, Spain. The chosen location and the sunny autumn of southern Europe proved ideal for presenting cutting-edge technologies in data recovery and for subsequent relaxation of participants in the picturesque streets of the historic city. The year 2023 brought a plethora of new information in the field of hard disk technology, SSDs, disk arrays, memory cards, and flash drives. New location, revised concept, networking, workshops, and a whole range of new information and important stimuli sum up the four days of the conference.
Mobile phones, specifically data recovery from mobile phones, were also present in the portfolio. However, in Acelab's portfolio, they tend to take a back seat for most data recovery specialists.
Data Recovery with PC-3000 Products for 29 Years
Acelab has been dedicated to the development of specialized tools for data recovery and forensic analysis for 31 years, while PC-3000 products from Acelab's workshop have been saving data for 29 years. Initially, it was all about hard drives, and they are still most commonly looked after by data recovery specialists in 2023. It might seem like SSDs should dominate this area by now, but that's not the case. However, they do hold a significant share. The world of SSDs is different from that of hard drives (HDD). Disk arrays, memory cards, flash drives, and other data storage devices also hold a minority but not insignificant share in the field of data recovery.
It's no wonder that a large part of the conference was once again dedicated to hard drives. Most modern hard drives use shingled magnetic recording (SMR), have locked access to service data, and use advanced data management features. Manufacturers continue to modify these technologies, thereby affecting the possibilities for data recovery from the disk if a problem arises. Other parts of the conference familiarized participants with new developments in data recovery from RAID, SSDs, memory cards, and flash drives.
Hard Drives and Their Complexities Today and Tomorrow
The dominant position in the hard disk market is held by companies Seagate and Western Digital. Smaller shares are held by brands Toshiba and Hitachi (HGST, which now falls under WD). That concludes the list; no other company is found in this field. All of them have adopted the majority use of SMR (Shingled Magnetic Recording) data writing technology years ago. Therefore, it's no surprise that these disks are increasingly common in data recovery. SMR was one of the key topics of the conference.
In order to work efficiently with a damaged disk, it is primarily necessary to gain access to its service data. Modern disks often block this access. Although this problem is usually solvable with Acelab technologies, the possibility was outlined at the conference that complications could arise at this level in the future. Without access to service data, it is not possible to work, for example, with a second-level translator (T2 - 2nd level translator) on WD disks or with Media Cache on Seagate disks. These are essential for the proper functioning of shingled writing and reading.
Issues related to data recovery, which are unavailable for various reasons, are also linked with the translator. The disk may appear to be functional, but the data is not accessible, or the disk appears to be empty. Solutions for these problems have been gradually integrated into Acelab technologies since about 2019, and new features were announced this year as well. One of them is "Maps of translated and untranslated sectors in LBA and PBA spaces", which we will use when recovering data from WD disks. As the name suggests, the feature analyzes the content of service data and attempts to restore the translation between PBA and LBA.
Seagate SMR disks internally handle writing and reading differently. MCMT (MediaCache Management Table) contains essential metadata for SMR. Seagate disks have an area with conventional recording (CMR), which serves as a cache, and the disk internally processes the data in a way that does not burden or slow down either the computer or the user. A problem may arise when the data platter is mechanically damaged, or when data is deleted or there is an MC error. When mechanically damaging the platters, the disk may increasingly damage the data platters during sequential reading. If the data is deleted or if an MC defect occurs, the disk may appear to be empty. In such cases, the new presented features that will help with data recovery from Seagate disks can be useful.
SED - Self Encrypted Drive - is a technology in the field of conventional hard drives, mainly associated with the WD brand. However, we also find it in hard drives of other brands, but not as commonly used. SED permanently encrypts all data written to the hard drive and does not burden the computer hardware, as the media's own processor takes care of it. The user locks the SED key with their own password, thus keeping the data on the disk safe from unauthorized manipulation. That is, as long as the disk is functional. In the event of disk failure, SED technology can cause difficulties. For example, in modern WD disks, the internal key to the data is created by the disk's processor, ROM, and data platters. So, this topic is also important in the field of data recovery today and in the future.
Alternative methods of data recovery, and for example a new feature on Seagate disks called by Acelab as AFH - Advanced Flying High, formed another part of the presentation of new technological procedures. It is a method that can help read some faulty sectors of the disk, but should serve only as a last resort. The speaker repeatedly emphasized that changing the distance of the reading heads from the disk's data platters can be risky and can lead to disk destruction.
Data Recovery from SSD, Compared to HDD
The next part of the conference focused on SSDs, which often suffer from memory chip errors, firmware failures, as well as issues with electronics and construction. These media have been in Acelab's portfolio for a shorter time compared to hard drives, and covering the broadest range of these media remains a significant challenge for Acelab.
SSDs struggle with memory chip errors, firmware failures, electronic issues, or inadequate construction durability. These issues are not limited to cheaper SSDs but also affect more expensive models from reputable manufacturers.
A common issue for both older and newer SSDs is firmware failure, usually termed as controller failure. For most current SSDs, it is not possible to directly access user data via the memory chip. Data is internally encrypted, and without a functional controller, access to the data is not possible. However, if an SSD firmware failure occurs, it prevents the SSD from initializing, causing loss of access to user data.
Acelab has a solution to this problem, but it's not a universal fix for all SSDs. A specially modified loader is required for the specific type of SSD or firmware version. This loader is loaded into the SSD's RAM in technological mode, and by modifying the SSD's service data, access to user data can be gained. The loader used is a modified SSD firmware optimized primarily for data recovery purposes. In this context, Maxiotek controllers (formerly Jmicron) were mentioned, which currently power some SSDs from Adata. Maxiotek controllers are relatively new to the market, and their support is gradually being integrated into Acelab's technologies. We can expect their broader support in the near future.
One of the topics discussed was the TRIM feature, which helps in data management but can be a significant obstacle in data recovery. TRIM is not only applicable to SSDs but also to mobile phones, some SD cards, flash drives, and even SMR hard drives. For hard drives, it's not called TRIM, but in some aspects, hard drives handle data similarly to SSDs. TRIM mainly prepares the media for future data writing so that it occurs swiftly, ensuring the user doesn't have to wait. This also prevents the possible recovery of deleted data. Therefore, stopping this process during data recovery attempts is crucial.
There are countless SSDs on the market. Exaggerating a bit, anyone could start their own SSD brand because making an SSD from available components is not that complicated. This makes SSD fundamentally different from HDDs. Various construction and firmware variations are and will continue to be a significant challenge for Acelab's developers.
Data Recovery from RAID
Data recovery from RAID and NAS is also crucial, although not apparently as frequent as from the previously mentioned individual media. In relation to data recovery from RAID, Acelab presented advanced techniques for assembling individual disks into a functional array when auto-detection of disk positions is not possible.
The easiest method of detecting individual disk positions is probably through the use of metadata. However, this method may not always be possible. In such situations, advanced algorithms and analyses are needed to enable disk array reconstruction even without the presence of available metadata. These methods rely on data pattern and signature analysis of individual disks in the array.
A specific procedure was presented using entropy map analysis and RAW recovery. This allows you to determine the block size, RAID type, number of RAID members, the relationship between individual RAID members, and other parameters that will help to assemble a functional disk array.
Data Recovery from NAS, WD Cloud, and APFS
Western Digital has long been one of the world's largest data storage manufacturers. It's no wonder that their NAS designed for household use is popular among users. Part of the presentation of Date Extractor also focused on reconstructing the file system used in WD Cloud devices. In the event of a failure of the NAS device itself, the data in the internal storage is not stored in the manner we would expect. Data Extractor can easily handle connecting the proprietary file system and database, and will assemble a virtual file system that already contains data in the form we expect. Practical examples also included scenarios where the proprietary file system is damaged or when the WD Cloud device has been reinitialized, everything works correctly, but user data is not available.
Data recovery from APFS - Apple's file system - can also be specific. APFS uses COW (Copy-On-Write) technology, where modified data is not directly edited, but is specifically stored as a new version, while the original version remains intact. Up to 141 versions of a single file can be stored in APFS. From the perspective of data recovery from APFS, this means the need for comprehensive metadata analysis, much of which is no longer relevant. The practical demonstration also covered APFS Fusion Drive and APFS File Vault. These modern technologies are completely different from the older HFS+ and therefore engineers at Acelab must pay proper attention to these technologies.
PC-3000 Portable III - The Most Versatile Technology for Data Recovery from HDD and SSD
Data recovery from HDD, SSD, and RAID are the most critical topics of the Acelab conference, especially since they are key subjects for every company in the world that offers a comprehensive range of services in this field. PC-3000 Portable III is the only technology from Acelab that offers a comprehensive solution not only for hard drives and SATA SSDs but also for PCIe NVME and AHCI SSDs. Additionally, it allows, to a certain extent, the recovery of data from USB drives and memory cards.
Portable III is thus the ideal starting solution if you want to offer data recovery from the mentioned media to your customers. It is also an ideal expansion for labs already equipped with PC-3000 products.
Memory Cards and Flash Drives - Increasing Capacity and More Complex Data Recovery
Technologically similar to SSDs, memory cards and flash drives often suffer from similar problems. The capacity of flash drives and memory cards is increasing. With it, the complexity of data recovery is also increasing because these media often use more advanced data management technologies.
To meet the growing demands for capacity and fit dozens and hundreds of GB into the miniature body of a memory card, today's memory cards are manufactured using TLC and QLC technology, utilizing 3 and 4 bits per memory cell, respectively. More bits in one memory cell also mean faster wear and tear, leading to a shorter lifespan, which may be further reduced depending on the quality of the memory chip. Functions such as Wear Leveling, ECC, and others aim to extend the lifespan of the memory card. With modern SD cards, we can also encounter the TRIM function, which is more often associated with SSDs and internal storage in mobile phones. The TRIM function was mentioned in connection with data recovery from Sandisk SD cards, which was presented at the conference.
Data recovery from Sandisk SD cards after formatting in a camera or camcorder may no longer be a trivial task. A simple quick format by the camera or camcorder can make the card appear as though it is entirely empty, showing only empty sectors throughout its capacity. After formatting, it's not just the file system metadata that gets erased, as would happen with, for example, Windows, but the memory medium's translator is reset. The data on the memory card still exist; it's just not accessible in a straightforward manner anymore.
The solution is not trivial, and without specialized hardware, software, and the necessary knowledge, data recovery is not possible. The firmware card, or its controller, must be excluded from the process, and direct access to the data must be made using the technological pins of the NAND interface. The same applies to SD cards or flash drives of other brands. This step also eliminates the aforementioned TRIM function. SD cards and presumably Sandisk flash drives also store older copies of the translator—a crucial module that defines the mapping between the logical blocks seen by the operating system and the physical blocks of the NAND chip. Thanks to the possibility of obtaining older copies of the translator, data can be restored, including its original structure, resulting in almost flawlessly recovered data.
The conclusion of this part of the conference focused on data recovery from USB flash drives based on the SM3281 chipset. This chipset from Silicon Motion is currently their flagship product, making it a frequent case for data recovery specialists. The chipset comes with a range of technologies that can complicate data recovery from a damaged USB flash drive. Multiple planes for each CE, each plane has its own position for Bad Bytes, each plane uses its own page size, each plane has its own XOR and can use up to 8 different XORs within CE. 3D NAND TLC or QLC of low quality and high capacity are also a frequent source of problems due to their low lifespan.
Acelab presented new methods associated with data recovery from flash drives based on SM3281. Data recovery from flash drives, not just with dynamic XOR, can be a challenge even for seasoned specialists with years of experience.
Advanced Features of PC-3000 Mobile Now Only for "Law Enforcement"
A few years ago, Acelab introduced the PC-3000 Mobile technology designed for data recovery from mobile phones. It offers a range of advanced features that can recover data from mobile phones even in seemingly unsolvable scenarios. One of the most interesting features was (is) "Hard Key," which can extract the data key directly from the phone's processor. This feature is useful, for example, in cases where the memory chip is partially damaged.
However, the technology could serve not only for recovering data from the phone of the legitimate owner but could also be used for purposes contrary to good morals or laws. Starting with version 1.6, the full version of this technology, labeled as PRO, is offered exclusively to law enforcement agencies. Companies and organizations that are not involved in law enforcement or criminal proceedings can only access the basic (Basic) version of the PC-3000 Mobile technology.
Exalab Offers a Comprehensive Data Recovery Portfolio
Specialists who take data recovery seriously attended the Tech Week 2023 conference in southern Spain. Therefore, Exalab could not be absent. We aim to provide our clients with top-level services both now and in the future. In a dynamic field like data recovery, continuous education and development are key.
The information mentioned above is not a complete summary of the conference. These are just some of our observations that we've decided to use in our blog. We thank all the experts from Acelab and the conference organizers for giving us the opportunity to expand and refresh our knowledge, meet a lot of interesting people from around the world, and also combine business with relaxation of various types in the streets of Malaga. Special thanks also go to our colleagues from the Prague-based company Datahelp, without whom our evenings and nights wouldn't have been perfectly balanced with the consumption of local delicacies and exquisite beverages :-) We are already looking forward to the conference in 2024!