Recently, we received a hard drive for investigation as part of litigation. This drive had come from the work computer of an employee terminated by our client six months prior, now the subject of the litigation.
When we received the drive, it was apparent that it had been tampered with. Hard drives typically come with stickers over one or more of the case screws. These stickers are there to allow the manufacturer to void the warranty when the drive is opened by an unauthorized person. In this case, the sticker was punctured and the screw was exposed. Most electronic evidence and investigations firms would have to stop at this point and send the drive out for data recovery. Fortunately, ‘sending the drive out for data recovery’ for us requires walking across the lab – not FedEx.
We moved the drive into our clean room, as is our policy with drives we know to have been previously opened by a third party. After we removed the remaining case screws, we opened the drive to have a look inside. The first glance was not encouraging – there had been a “head crash” – the term for an impact between the delicate read/write heads and the surface of the disk.
In a hard drive the heads hover over the disk, ‘flying’ at an altitude measured in micrometers. The disk is rotating at extremely high speed; a typical laptop drive spins at 5400 RPM, about three-hundred-sixty miles per hour. Imagine then what happens when there is a failure and the two come in contact!
In this case, a section of the platter’s magnetic coating had been stripped away by the impact and the heat caused by the friction had caused ‘stiction’ – the drive head had become temporarily fused to the surface of the drive. There were even human fingerprint smudges on the normally sterile surface of the drive! Internal mechanical components were replaced, the surfaces were cleaned, the logic board was replaced and we began the electronic evaluation of the drive.
A bit of explanation here will help you understand the rest of the story. Most hard drives have multiple platters on which data is stored. Additionally, the platters are two-sided. If a drive has two platters, it has four surfaces on which data can be stored. These are labeled starting from zero, so a four-surface disk has Surface 0 – Surface 3. Normally, these surfaces are outside a user’s control, but we have the capability to control and read them independently.
As we began to read from the bottom upward, things began looking better – Surfaces 3, 2 and 1 all read fine and we were able to recover the data from them. Surface 0 would be the key – not simply because it contained 25% of the usable data on the drive, but because it contained the internal ‘map’ of the drive, the file system and some internal software used to make the drive work. We might only have one chance to read the data, because another head crash would possibly cause additional damage.
We began the recovery of data from Surface 0, and it was reading when the dreaded crash of the drive happened. We had managed to salvage some data; the question was – would it be enough? We moved the recovered data over to forensics for analysis.
The new drive was connected to our analysis array and powered on. We looked at the drive using specialized computer forensics software and – lo and behold – we had data. A quick sort of the data and a bit of analysis later, we had determined that the drive we had received (which should have had data from Spring of 2008 on it) had not been accessed since the beginning of 2006. The drive had been switched out for a “dummy” drive that was then tampered with. Someone figured that the drive would be unusable and so nobody would be the wiser.