ACELab Data Recovery & Digital Forensics Conference 2023
In an era defined by digital transformation, the paramount importance of proficient data recovery and digital forensics stands undisputed. A testament to this industry’s continual evolution was the ACE Lab TECH WEEK 2023, which took place from October 4 to 7 in Málaga. This symposium, envisioned as a nexus for the world’s leading data recovery and digital forensic minds, offered a rigorous examination of both the challenges and innovations at the forefront of the sector.
For our esteemed company, 030 Datenrettung Berlin GmbH, the event presented a golden opportunity. While our experts were poised to engage in academic discourse and delve into the latest PC-3000 technologies, the gathering also served as a unique platform for them to exchange ideas, foster collaborations, and reconnect with long-standing colleagues and friends from the community.
Curated by the internationally recognized experts from ACE Lab, the event hosted sessions that aimed to unravel the intricacies associated with diverse storage platforms, be it HDD, SSD, RAID, or Flash systems. One of the pivotal segments of this event was the anticipated round table discussion, tailored to provide a holistic view of the current landscape and potential trajectories in data recovery, augmented by a deep dive into the nuances of modern storage mechanisms. Through such seminal events, ACE Lab has further fortified its standing as an industry vanguard in the domain of data and evidence recovery solutions.
Latest solutions for WD SMR and Seagate HDD
SMR (Shingled Magnetic Recording) technology optimizes disk space usage, enhancing the storage capacity of hard drives. Notably, transitioning to SMR disks won’t necessitate modifications in the interface or the physical size of the drives, ensuring a seamless experience for most users.
However, a minor drawback is that these drives exhibit slightly reduced write speeds compared to conventional PMR (Perpendicular Magnetic Recording) disks. It’s worth noting that while SMR increases storage capacity, it doesn’t necessarily boost the drive’s reliability. If the secondary translator or the media cache tables are lost, data recovery becomes significantly challenging.
In practical applications, Logical Block Addressing (LBA) accounts for sector translations and omits defects (which are concealed in defect lists). Data on SMR drives is written in band clusters. The second-level translator recognizes this pattern, and the hard drive’s firmware presents an organized structure of files and folders. However, if this secondary (SMR) translator malfunctions, all sectors may display as zeros.
ACELab showcased how to solve cases where the translator of a WD drive is damaged, and even how to retrieve user data after the drive received a TRIM command and returned zeros.
RAID data recovery when Auto-detection fails
Data loss within RAID systems can manifest due to various factors. Among the prevalent culprits are hardware anomalies, human errors, power disruptions, software malfunctions, natural catastrophes, and other pertinent contributors. Troubles may encompass defective drivers, flawed firmware updates, or instances of physical compromise. Should such adversities befall, data restoration and expeditious restoration of system functionality are intricate tasks.
Despite the built-in mechanisms in most RAID configurations to withstand single drive failures and thus avert potential data loss, instances necessitating RAID 5 and RAID 6 data recovery still abound. When the safeguarding of RAID redundancy diminishes, it ushers in the ominous prospect of total data loss. In such dire straits, engaging the services of a professional data recovery entity, equipped with specialized technicians and state-of-the-art data retrieval technologies, becomes imperative for data recuperation from damaged or malfunctioning drives.
Even professional data recovery tools like the PC-3000 system can fail to auto-detect the right RAID configuration, either because of severe logical or physical damage to the RAID metadata or because of hybrid RAID configurations like SHR, RAID 50 or RAID 10.
ACELab engineers gave deep insights into what can be done in such cases to reconstruct the RAID array, for example using entropy analysis or RAW recovery results.
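The entropy analysis mentioned above, sketched as an added example (not ACE Lab's or PC-3000's own method): on a RAID 5 set holding low-entropy data, parity blocks show higher entropy than data blocks, so marking the highest-entropy member per sector row exposes the stripe size and the parity rotation. The array is constructed in memory; the function names and the 4-disk, 2048-byte layout are assumptions.

```python
import math
import random
from collections import Counter
from itertools import groupby

SECTOR = 512

def entropy(block):
    """Shannon entropy of a block, in bits per byte."""
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())

def build_raid5(n_disks, stripe, rows, seed=1):
    """Constructed test array: text-like data, parity moving from last disk to first."""
    rng = random.Random(seed)
    alphabet = b"abcdefghijklmnopqrstuvwxyz "
    disks = [bytearray() for _ in range(n_disks)]
    for row in range(rows):
        data = [bytes(rng.choice(alphabet) for _ in range(stripe))
                for _ in range(n_disks - 1)]
        parity = bytes(stripe)
        for blk in data:  # parity = XOR of all data blocks in the row
            parity = bytes(a ^ b for a, b in zip(parity, blk))
        blocks = iter(data)
        parity_disk = n_disks - 1 - row % n_disks
        for d in range(n_disks):
            disks[d] += parity if d == parity_disk else next(blocks)
    return disks

def parity_map(disks, sector=SECTOR):
    """For every sector row, the index of the member with the highest entropy."""
    rows = min(len(d) for d in disks) // sector
    result = []
    for r in range(rows):
        ents = [entropy(d[r * sector:(r + 1) * sector]) for d in disks]
        result.append(ents.index(max(ents)))
    return result

def infer_layout(disks, sector=SECTOR):
    """Return (stripe size in bytes, parity rotation) from runs in the parity map."""
    runs = [(disk, len(list(g))) for disk, g in groupby(parity_map(disks, sector))]
    # The dominant run length is the stripe size in sectors; noisy rows give odd runs.
    stripe_sectors = Counter(n for _, n in runs).most_common(1)[0][0]
    rotation = [disk for disk, n in runs if n == stripe_sectors][:len(disks)]
    return stripe_sectors * sector, rotation

if __name__ == "__main__":
    members = build_raid5(n_disks=4, stripe=2048, rows=16)  # constructed sample
    print(infer_layout(members))
```

On compressed or encrypted user data the entropy gap disappears, and the order of the data blocks within a stripe still has to be determined separately.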
Bypass TRIM in modern MaxioTek SSDs and SanDisk Memory Cards
TRIM is a vital command designed for SSDs, functioning in tandem with the operating system. It was introduced as a standard feature from Windows Vista SP1 and Windows 7 onwards, as well as MacOS X 10.6. Its primary role is to streamline the SSD’s performance.
Rewriting NAND memory is inherently sluggish. To circumvent this bottleneck, SSD manufacturers implemented the TRIM command, essentially a behind-the-scenes garbage collector. It proactively clears data labeled as deleted, ensuring that when users later attempt to write new information, the process is expedited because the spot has been pre-cleaned.
In certain situations, SSDs take a simpler route. During a quick format, they might just wipe the translator — a pivotal microprogram that maps physical to logical sectors. Consequently, any attempts to retrieve data result in a series of zeroes. Digital cameras exhibit similar behavior with mSD, SD, and CF cards. Accidentally formatting them inside the camera can wipe the translator, making subsequent data recovery attempts futile, as the refreshed translator remains oblivious to any previous data.
But now there are some new solutions available to recover the lost data even after the translator has been cleaned. This is because several versions of the translator are stored in modern SSDs and mSD cards like SanDisk. With the help of a chip-off recovery and specialized tools like PC-3000 Flash, it's now possible to recover most of this data.
Upskilling Data Recovery Workshops
HDD Workshop — All about WD SMR
ACELab engineers showed the most effective steps for diagnosing modern Western Digital SMR drives and recovering data from them. That included how to unlock SED-protected WD Challanger hard drives by reading and unlocking the ROM, how to manage service area access and encryption, and how to analyse the translator. They gave many useful hints on how to get more stable reading through utility mode and how to work with the translator.
The second part showcased how to work with a rebranded Seagate drive with locked firmware. Rebranded drives are rare, but if they come in for recovery they can be hard to deal with because of modified firmware versions and missing drive specs.
SSD Workshop — Heat and Cold
What to do when SSD drives are not detected and not supported? What are the most common sources of error or failure in modern SSD drives, and how can one solve them? Roman Morozov gave deep insights into how applying heat and cold to unstable SSD devices can give a better reading or bring the drive back to life. Common failures on SanDisk SSDs were explained in depth and possible solutions discussed.
File System Workshop — APFS and WD MyCloud
Introduced in September 2016 as part of MacOS 10.12 Sierra, APFS is a distinct file system separate from its predecessor, HFS+. It doesn’t merely extend the capabilities of HFS+ but rather replaces it, eliminating specific HFS+ files like the Catalog file, Attributes file, Allocation file, and Extents overflow file. APFS offers a unique approach to maintaining secure modifications within the file system. Central to APFS is the concept of the “container”, a domain that houses both metadata and data relating to files, folders, and other structures.
As the APFS file system is quite different from other systems, the data recovery process also involves different steps. The workshop showed how to deal with common errors in APFS as well as the new FileVault encryption, which works quite differently compared to older versions (HFS+ Fusion-Drive FDE vs. per File Encryption). The possibility to restore data from older APFS versions was also shown.
The second part of the workshop was dedicated to Western Digital MyCloud systems, where the metadata of user files is stored in a database and not in a natural file system structure. This makes data recovery from these NAS systems more complex because it's not possible to just recover the user data out of the file system. To get the folder structure and file names, the engineer has to analyse the database and extract the metadata information to recompile the file system out of it. With professional tools at hand this process is often even possible if the database is lost or damaged.
Round table discussion — Future data recovery industry
ACELab presented the current situation of the data recovery industry based on their experience and feedback from their customers. After an extensive dialogue about the present and impending challenges within the realms of data recovery and forensics, data recovery specialists shared insights on several pressing topics. These included the emergence and implications of helium-filled hard drives, the intricacies of locking mechanisms found in both traditional hard drives and SSDs, and the innovative application of drones in IT forensics.
Helium-filled hard drives, for instance, represent a significant shift in storage technology, offering potential benefits in terms of storage capacity and energy efficiency but also introducing unique challenges for data retrieval. Similarly, the advent of sophisticated locking mechanisms in storage devices is a testament to the growing emphasis on data security, but they present their own set of recovery challenges.
The conversation also touched on the role of drones in IT forensics. As drones become increasingly prevalent in various sectors, understanding their data storage, transmission, and potential vulnerabilities becomes paramount for forensic experts.
In wrapping up the discussion, a common theme emerged: the landscape of data recovery is rapidly evolving. While the overall number of data recovery cases continues to grow, there’s a marked shift towards more complex cases. This rise in complexity can be attributed to factors such as the introduction of SMR hard drives, the application of SED encryption techniques, the widespread adoption of SSD drives, and the continuous growth in hard drive capacities as well as complex NAS devices (QNAP, Synology). These innovations, while advancing the field of data storage, also bring forth new challenges for data recovery professionals.
Nevertheless, despite the challenges, there was a shared optimism among the experts. The industry, they felt, is not just reacting to these changes but is also innovating and adapting, ensuring that data recovery remains efficient and effective in the face of evolving technology.
We would like to extend our sincere appreciation and gratitude to our partner, ACE Lab. Their tireless efforts and dedication in organizing this exceptional event not only surpassed our expectations but also showcased the remarkable expertise and passion they bring to the industry. It was an honor to be a part of such a significant occasion, and we eagerly anticipate further collaborations and shared experiences in the future.