How Not to Be Subtle
We recently received a hard drive turned over by a former employee of our client. The drive would not work and had been sent in for data recovery. Indeed, when we brought it into the lab, the drive was not powering on. It was time to do a little investigation.
Examining the drive connectors, we noted some deep scoring on the connectors that was not consistent with any accidental scratches we might expect to see if a drive had been improperly disconnected. A photograph of the scratches can be seen at right. The scratches have been marked in the right-hand frame.
Having determined that there had been some deliberate and intentional damage done to the drive, we continued to investigate – this time, with a keener eye for other intentional damage that may have been inflicted on the drive.
When we removed the logic board, there was very apparent damage to the connecting pins. Several were bent in odd directions and folded over.
There was also significant strike damage to the plastic housing the pins sit in, with a chunk missing and a large abrasion on the outward-facing edge.
We also noted some chipping of the metal in the area adjacent to the damage on the pin housing. The damage was consistent with a small screwdriver, like one might have in an eyeglass repair kit, being slid underneath the logic board and repeatedly being rammed back and forth.
Turning over the logic board and inspecting the area which contacts these now-bent pins under a micr
oscope was startling. It confirmed our hypothesis regarding the damage. The strike path of the screwdriver is defined by the scrapes on the soft board and the chipping away of the thin metal on the pin contacts. Here we see at least four distinct strike paths, which caused a great deal of damage to the logic board. With these contacts damaged, the drive’s internal hardware would be unable to connect to the processors on the board.
More inspection of the logic board indicated that not only had some circuit paths been severed, but an entire resistor had been violently snapped off and gone missing! There was also pin damage on the semiconductor (seen at left – follow the arrow marked “path of screwdriver” all the way to the large chip and note the damage in a straight line across the entire board.)
That settled it. This board would never work again.
But wait! Our database indicated we had a similar drive in our parts inventory. A quick check indicated a perfect match. Ten minutes later, we began forensic imaging of the drive evidence. Not only had the former employee left mounds of evidence regarding intentional destruction of evidence, but it hadn’t actually gained him anything. The recovery was 100% successful and productive and our client has even more evidence to use against the former employee in court.
