How to Triage a Hard Drive: Guide for Technicians
With data recovery, your main goal is to get the patient drive cloned/imaged to a healthy drive or image file. If you cannot do this with relative ease, it is a sure sign that something is wrong with the drive.
So that we are all on the same page, let’s define some words that may have different meanings for different readers:
Clone – full sector-by-sector copy from one physical device to another
Image – full sector-by-sector copy from a physical device to a file stored on a formatted device
Backup – file-system-level copy of data from one physical device to another formatted device
Each data recovery lab tends to have their own way of defining various data recovery levels. For this document, we will define three categories:
Logical – file system issues that can be recovered without any hard drive repair. Such cases would include formatted drives, deleted files, bad sectors, corrupt file system (usually caused by bad sectors), etc.
External Physical / Firmware – physical issues that can be resolved without the need of opening the drive in a clean room. Such cases tend to be limited to damaged PCB and firmware issues.
Internal Physical – physical issues that require the drive to be opened in a clean room. Such cases would include stuck heads, stuck spindle, damaged heads and surface damage (head slaps or rings on the platters).
It would be best if the first thing you do is ask your client some questions to help you quickly filter an incoming drive into one of the three categories:
Was the media dropped, or in a fire, flood or some other situation that would cause physical damage?
Is the drive making unusual clicking or buzzing noises?
Does the drive detect in the BIOS, but with incorrect capacity?
Does the drive detect, but give a high percentage of read errors when trying to clone?
Are there obvious signs of damage to the PCB?
Is there a smell of electronic burn coming from the PCB?
Is the OS crashing?
Did files and/or folders randomly disappear?
Does the drive show uninitialized when connected to another OS?
Does the drive stop responding while cloning, seem to work fine again after rebooting, but never stay alive long enough to complete?
Is the data loss due to formatting, deletion and/or overwriting of the files?
Is this something that you are not familiar with (e.g., RAID, NAS, SAS, unknown file system, etc.)?
Based on the answers to the questions above, you should have an idea of which recovery level it falls under and then react accordingly. If you are unsure, you can always call your partner data recovery lab for their opinion.
Physical Hard Drive Diagnosis
1. Physically inspect the drive for obvious damage: broken connectors, burnt-out circuit boards, broken hard drive seals.
2. On your clone system, with a destination drive connected and ready to go, power the drive on.
   - If it prevents the system from powering on, disconnect it.
   - If it makes any unusual noises, power off.
   - Magic smoke and a burning electronic smell are bad; power off.
   - If it doesn’t detect correctly, power off.
3. Clone/image the drive right away (guide to ddrescue).
   - If you hit a spot of bad sectors, skip ahead.
   - If skipping ahead doesn’t help, flip into reverse.
   - If there is a high percentage of read errors, power off.
4. After the clone/image is complete, set the original aside and read the file system with a data recovery program like R-Studio.
   - If the file system looks corrupt, the drive could be encrypted.
   - If the file system looks corrupt, the drive could be part of a RAID.
   - If the file system looks empty, the drive could have been reformatted and require a full scan with the data recovery software.
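The power-off decision in the cloning step can be read from the ddrescue mapfile instead of judged by eye. The script below is an added example, not part of the original guide: it totals a GNU ddrescue mapfile by status and reports the share of the attempted area that failed to read. The sample mapfile is constructed, /dev/sdX and the file names are placeholders, and the 10% threshold is an assumption, since the guide gives no number.

```shell
#!/bin/sh
# Added example (not from the original guide). Typical passes, with placeholder
# device and file names; -n skips scraping, -R reads in reverse:
#   ddrescue -d -n    /dev/sdX patient.img patient.map
#   ddrescue -d -n -R /dev/sdX patient.img patient.map
# Mapfile data lines are "pos size status" with status:
#   + rescued   - bad sector   * non-trimmed   / non-scraped   ? non-tried

# Print "<rescued> <failed> <untried>" byte totals for a mapfile.
mapfile_totals() {
    rescued=0; failed=0; untried=0
    while read -r pos size status rest; do
        case "$pos" in '#'*|'') continue ;; esac    # comments, blank lines
        case "$status" in            # the current-status line matches nothing
            '+')         rescued=$(( rescued + $size )) ;;
            '-'|'*'|'/') failed=$(( failed + $size )) ;;
            '?')         untried=$(( untried + $size )) ;;
        esac
    done < "$1"
    echo "$rescued $failed $untried"
}

# Integer percentage of the area attempted so far that did not read cleanly.
error_pct() {
    set -- $(mapfile_totals "$1")
    tried=$(( $1 + $2 ))
    if [ "$tried" -eq 0 ]; then echo 0; else echo $(( $2 * 100 / tried )); fi
}

# "power-off" at or above the threshold (assumed default: 10 percent).
triage_decision() {
    if [ "$(error_pct "$1")" -ge "${2:-10}" ]; then echo power-off; else echo continue; fi
}

# Write a constructed sample mapfile to a temp file and print its path.
sample_mapfile() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# Mapfile. Constructed sample, not from a real drive
# current_pos  current_status  current_pass
0x00400000     ?               1
#      pos        size  status
0x00000000  0x00100000  +
0x00100000  0x00040000  -
0x00140000  0x000C0000  +
0x00200000  0x00200000  *
0x00400000  0x00C00000  ?
EOF
    echo "$f"
}
```

Run `triage_decision patient.map` between passes; the mapfile is plain text and can be read while the patient drive is powered off.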
If you are cloning a drive and it looks like it could take a very long time to complete (days or weeks), you definitely should consider talking to your partner data recovery lab and consider outsourcing. A simple firmware fix or the advanced functions of their data recovery hardware might net a cleaner recovery in a fraction of the time.
If, at any stage in the above steps, you find that it is recommended to power off the drive, this is a good time to stop and contact your partner data recovery lab to ask what they recommend based on your resources, capabilities and knowledge.
The main difference between the flow above and the natural flow of a technician is that a technician tends to assume (or hope) the drive is healthy and gradually moves it up his or her chart of complexity as issues arise, whereas a data recovery lab assumes the worst and gradually moves it down its chart of complexity. The technician’s flow works enough of the time that technicians tend not to realize that it could be the reason why data is not recoverable when their process fails. It only takes one case of underestimating a failing hard drive for them to wish they hadn’t.
If a fireman doesn’t use enough water, the fire gets worse. If he uses too much water, the fire just goes out faster. Of course the analogy fails when you take water damage into consideration.
Don’t already have a partner data recovery lab that you can trust and who provides you with advice as you need it? Why not give Recovery Force a try the next time you have a data recovery project to work on?
By: Luke Coughey - Recovery Force