mhdd advanced-diag
TRANSCRIPT
By Sco' A. Moulton / www.MyHardDriveDied.com
ì Data Recovery Diagnostics
By Scott A. Moulton / www.MyHardDriveDied.com
ì Who is Scott Moulton
ì I own two companies; forensics and data recovery: ì MyHardDriveDied.com ì Forensic Strategy Services, LLC.
ì Skills ì Produced hundreds of videos and podcasts for DIY. ì Performing Data Recovery and Forensics for 10 Years. ì Speaking on topics at major conferences for at least seven
years. ì Wrote & Teach a “Data Recovery Forensics Class”.
ì Goals: Identifying Problems
Is the problem a: ì Firmware Problem? ì Head Damage? ì Board problem? ì Motor Problem? ì Pla'er Damage?
ì Details of the Hard Drive
ì Two Types of Recovery
1. I -‐ Physical: Drive Failure, Controller Failure, Passwords or EncrypVon, and CorrupVon
2. II -‐ DeleVon: Purposeful or Accidental
ì Five Phases of Data Recovery
1. DiagnosVcs of the drive is the first step. If the drive can be imaged go to step 3, otherwise conVnue with step 2
2. Repair the hard drive so it is running in some form, usually requiring hardware or special equipment
3. Image, Copy, or Recover the physical drive and sectors primarily by bit stream imaging. If the drive is funcVoning, it is possible to do this with so[ware; however, there are some hardware soluVons that work very well with damaged drives
4. Perform Logical Recovery of files, parVVon structures, or necessary items; usually this is by so[ware and is the most common type of applicaVon sold
5. Repair files that might be corrupt or have existed in damaged space or sectors to recover what is possible. This is usually the requirement in Forensics, to be able to re-‐assemble data to display what was there, whether full or parVal data is present
ì FIRST MISTAKE!
Thinking about swapping parts?
STOP, UNDERSTAND FIRST!
ì Our Recovery Goal!
Imaging/Cloning the SECTORS is the most
important process and can be
used for diagnosVcs.
Forget about files!
(Well, for the most part)
Necessary Fundamentals
ì Four things you need to see…
I. Serial Number II. Model Number III. Geometry (Size of the Drive) IV. Drive to Come Ready
ì Does the Drive come Ready?
ì BASICS: What about???
ì Topics to get out of the way…. ì DiagnosVc Tools like Microscope, & Vendor Tools.
ì What about so[ware repairs tools like SpinRite?
ì Commercial Imaging Tools?
ì USB Devices?
ì Doesn’t SMART tell me if the drive is bad?
ì Claims to be Diagnostics
ì Microscope and QT, etc. other tools: ì They don’t do much to tell you anything if the drive is not
funcVoning.
ì Vendor Tools ì They are easy to use, straight forward test, but usually
even the tech support people from the drive manufacture don’t know what the error messages mean!
ì There are Error Codes for Each Sector
ì Oscilloscope Current Monitor
ì Absolutely Never…
ì ..run any uVliVes on original or unVl a[er you image (it will only get worse) your drive:
ì Chkdsk
ì Fixmbr
ì fixboot, or whatever other OS tools
ì JUST SAY NO TO SPINRITE!
ì They are all useless on damaged drives and can possibly do more damage.
What’s wrong with these next Items?
QuesVon:
h'p://disk-‐imaging-‐so[ware-‐review.toptenreviews.com/
ì On damaged hard drives….
Most Off the shelf imaging uVliVes usually
FAIL! i.e.: dd, SelfImage, Ghost, Acronis, FTK Imager…
ì Imaging with USB??
ì USB does not work for data recovery!
ì You are relying on some cheap Chinese boards or chips made by the lowest bidder of the day that got installed in that device you have.
ì You cannot talk directly to the hard drive unless you have control of the ATA Adapter, which does not happen in USB drives.
ì Get a good ATA Controller, or at least connect directly to motherboard and will solve some of your issues!
ì Adaptec 1200a Controller
ì What can can help imaging?
ì Be'er ATA Controllers, or even using one if you are trying to do things over USB! Use tools that talked to the ATA Controller instead of through the BIOS.
ì See Status with MHDD / Victoria (and copy sectors)
ì h'p://www.benchmarkhq.ru/english.html?/be_hdd.html ì eSATA works with Victoria for Windows w/Driver Installed
ì PIO Mode instead of UDMA – even sepng it in Windows can help with recovery of some drives.
ì Reverse Imaging i.e. ì ddrescue & Media Tools Pro, or X-‐Ways Replica
ì Hardware Imagers, i.e. DeepSpar, PSIClone, Ninja, etc.
ì SMART BAD STATUS
ì SMART SELF TEST
ì Why S.M.A.R.T. doesn’t work
ì Smart compares parameters to predict failure
ì SMART lacks standards and much is le[ up to the manufacturer
ì The BIOS SMART warning only does basic SMART test and is only capable of a simple OK Status
ì SMART and its tests are usually turned off in most hard drives / motherboards due to the fact It decreases boot Vme considerably
ì SMART TABLE PROBLEMS – Can actually causes errors making the drive fail!
ì BUT: what SMART can tell you…
If Smart can be read it means you probably made it though the System Area, which means the board, probably the firmware
and the System Area Head are good!
(there are a few excepVons)
ì Add one that could help…
I. Serial Number II. Model Number III. Geometry (Size of the Drive) IV. Drive to Come Ready
V. + Any SMART data?
Diagnostics
ì Goals: Identifying Problems
Is the problem a: ì Firmware Problem? ì Head Damage? ì Motor Problem? ì Board problem? ì Pla'er Damage?
ì Special Exceptions To Know
ì 3.5” Seagate ì F3 Firmware – 7200.11 and 7200.12
ì Serial Port and you can read status like Head Mask Error
ì CPU Usage – Problems with Pending Bug, reads every other sector, slowly
ì 3.5” WD ì Head Alignment Issues if lid removed
ì Serial chip such as the U12 or U5 need to be soldered swapping boards
ì Royal Board Problems – Need firmware copied – Reads Half the drive
ì All Can Have ì Bad Heads
ì Stuck Heads
ì TVS Chip Problems
ì Motor Problems
ì Board Problems
ì Scratched Pla'ers
Seagate
F3 Firmware – 7200.11 and 7200.12 Serial Port Status
CPU Usage – Problems with Pending Bug
ì F3 7200 Firmware Bug
hDp://bit.ly/TFrZC
ì Seagate Serial Cable
h'p://bit.ly/nZik5
ì Seagate Serial Cable
Orange Wire
Yellow Wire
ì Example: Seagate Head Mask Error
ì Example: Seagate Pending Bug
Seagate 750 7200.10 drive and terminal – Processor Lock Bug CE Log ErrCode=37 LBA=1e9f69 Type=5 Add To Pending 1e9f69 AT Er 00 Nwt Er 43 RdWr 000c2.06.02ce ATA St 50 Er 00 Op ec a,0000/0/00,00 00 00 Niwot: 9ff79ff7 b6 9ff79ff7.3.640 0000 005f 0000 0000 CE Log ErrCode=43 LBA=1e9f70 Type=4 Remove from Pending 1e9f70 AT Er 00 Nwt Er 37 RdWr 000c2.06.02d2 ATA St 50 Er 00 Op ec a,0000/0/00,00 00 00 Niwot: 9ff79ff7 b6 9ff79ff7.3.640 0000 005f 0000 0000 DiskAccess ReadSector EC=43 at 0000c2.06.02d2
ì Exampole: Seagate Pending Bug
Western Digital
Head Alignment Issues if lid removed Serial chip such as the U12 or U5 need to be soldered
swapping boards Royal Board Problems – Need firmware copied – Reads
Half the drive then starts to fail
ì WD: Alignment Issues
ì WD: Head Alignment Tool
ì WD: Resolder U12/U5 Serial Chip
ì WD NEWER BOARDS
ì Atola Firmware Recovery
Head Damage
ì Sounds Tell You A Lot
ì Clunking vs. Clicking Heads ì Might also take 3 to 4 minutes to come ready
ì Clunking Sounds for a Bad Head
ì Tools That Can get Around Bad Heads ì Problems if you change the heads before someone else does an
image
ì Hardware to control the heads i.e. Deepspar Disk Imager
ì Do you have a bad head?
ì What a bad head looks like!
ì Zone Tables
ì Zoned Constant Angular Velocity Test
h'p://www.coker.com.au/bonnie++/
Motor Problems
ì Does the Motor Spin?
ì If Not then Look At: ì Do you hear Phasers?
ì Does it have TVS Chips?
ì Are electronics or a chip burnt?
ì Does it smell burnt, even with no visible damage?
ì If it does then: ì Does the Motor Sound Correct?
ì Or whine?
ì Special Tool for Stuck Platters
ì Repairing Motor Problems
ì Drilled Hole for Lubrication
ì Lubing up for the Recovery
ì Star Trek Phaser Sounds
Testing a Board
ì Cover Pins from PCB Board Head
ì Hotwire a hard drive
Board Problems: Does it have TVS Chips?
Transient Voltage Suppressor (TVS)
ì Transient Voltage Suppressor (TVS)
ì Transient Voltage Suppressor (TVS)
ì Burnt TVS Resistor Replacement
ì The End and Information Links
Other Damage to Drives
ì Damaged drive?
ì Does the Drive come Ready? ì Can I see Serial Number or Smart InformaVon? ì Does the Drive Click? Or Clunk?
ì Does the Motor Spin? ì Does the Motor Sound Correct? Or whine? ì Do you hear Phasers? ì Electronics or chip burnt? ì Does it smell burnt? ì Does it have TVS Chips?
ì Does it make a sound? ì Is it scraping? ì Check the Silver Label?
ì Heads Seeking System Area
ì Motor Problems
ì Damaged System Area
ì The End and Information Links