Sooner or later, most forensics experts have to deal with damaged hard drives. It is certain to happen. We deal with them all the time. Such hard drives are either already damaged when seized from their owners, or they are damaged because the rules for storing and transporting digital evidence were violated. According to our statistics, hard drives with some logical or physical defect can account for up to 40% of all hard drives sent to a forensic laboratory for examination.
Investigating such drives is difficult, but the situation has an undeniable advantage: as a rule, a hard drive fails unexpectedly, even if the computer was working fine. The computer’s owner just rebooted it and… the hard drive stopped working. Because the failure comes as a surprise to the owner, he makes no attempt to destroy digital evidence.
We also have experience investigating hard drives that were intentionally destroyed (for example, with the electronics board smashed with a hammer); even so, we managed to recover the data stored on them.
What should be done with such hard drives, and how can they be investigated? This article discusses both questions.
PC3000 Portable III review
For obvious reasons, the market for tools that can extract data from hard drives is limited and specific. One of the specialized systems that allows an expert to work with damaged hard drives is the PC3000 Portable III manufactured by ACELab.
The main advantages of the PC3000 Portable III are:
- off-line operation (the option of creating a copy of a hard drive);
- a large number of adapters that allow any storage device to be connected (for example PCIe x16 NVMe, SSD M.2 PCIe NVMe, SD/MicroSD, USB storage devices, etc.);
- access to data stored on hard drives locked with an ATA password;
- a user-friendly program interface with a “Simple mode”, which allows even an ordinary user to run diagnostics and fix software errors on a hard drive;
- data extraction from damaged SSD drives;
- data recovery from damaged RAID arrays.
Fig. 1. PC3000 Portable III in operation
The built-in write blocker protects information stored in the investigated hard drive from accidental or deliberate damage. In addition, it allows an expert to comply with the procedural requirements for digital evidence.
Fig. 2. The switch of write blocker
Common damage of hard drives
Like any complex technological device, hard drives have their trouble spots, which we describe in this part of the article.
Bad sectors are sectors on the surface of the magnetic layer of a drive with an unstable read/write response. They can be found on new hard drives straight from the factory (this is due to the manufacturing technology and the writing density used in modern storage devices), and they can appear on used hard drives during normal operation.
Hard drive case damage
Hard drive case damage, as a rule, occurs as a result of incorrect handling. It is harmful because it damages the precision mechanics of the drive: a crashed or damaged read/write head or magnetic-head assembly, a broken amplifier winding, or a break in the contact between the base casting and the drive board. A damaged read/write head can stick to the magnetic surface, which leads to scratches on the surface (that is, mechanical damage to the magnetic layer of the drive).
Unusual sound from head and disk assembly
Any hard drive makes a certain set of sounds. This is due to the normal operation of the mechanical parts of the hard disk: the motor, the spindle, and the magnetic head unit. A wrong sequence of operating sounds, or unusual sounds, indicates the presence of software or hardware defects in the hard drive. However, the absence of any sound when power is applied to the hard drive board is also a symptom, one from which a skilled technician can immediately name several possible reasons for the silence.
Seized hard drive motor
Mechanical damage to a hard drive can cause the bearings of the spindle motor to seize (the spindle is the shaft that holds the magnetic platters). In that case the hard drive does not spin up the spindle with the platters, or it makes a low sound.
Sliders damage or damage of head stack assembly
Another consequence of mechanical damage to a hard drive can be damage to the sliders or to the entire magnetic head assembly. The heads can bend and, with further use, damage the magnetic layer, or they may stick to the magnetic surface and make it impossible for the hard drive to function. Sliders or the head stack assembly may also fail as a result of degradation.
Contamination or damage to the magnetic surface
Even minor damage to the magnetic layer of the drive platters makes it impossible to retrieve the data on them.
Lost contact between control board and head and disk assembly
A typical defect resulting from mechanical damage to a hard drive, or from violation of manufacturing tolerances, is lost contact between the control board and the head and disk assembly. The problem shows up as follows: because there is no contact between the control board and the control-current terminal of the head and disk assembly, the electronics and other parts located inside the assembly cannot receive commands or the supply current they need for normal operation.
Malfunction of the control board
Malfunctions of the control board can have several causes: an increased or abnormal supply voltage can burn out the protective diodes and, in some cases, damage the electrical circuits of the preamplifier. Failure of the hard drive control firmware due to errors in its code may block the operation of the device.
The preamplifier is located on the block of magnetic heads, which is located in the head and disk assembly of the drive. Damage to the hard drive control board leads to damage of the preamplifier. The preamplifier is designed so that it cannot be replaced separately from the magnetic head unit.
The translator is a subprogram of a hard drive that acts as a hypervisor, providing interaction between the computer’s operating system and the drive’s firmware. It translates the physical addressing of the data location, which the operating system understands, into the virtual one, which the hard drive needs in order to accommodate a large amount of data. Damage to the translator or the translation table is guaranteed to lead to loss of the data on the device, since the drive will no longer know which data belongs where.
Hard drive diagnostics
Before a hard drive is examined or cloned, it is diagnosed in several stages.
Stage 1: Visual analysis. The purpose of this stage is to detect physical damage to the device. If damage is detected, it is assessed: whether the drive case, control board or connection interfaces are damaged. The detected damage is to be fixed.
Stage 2: Diagnostics of the device operation when the supply current is applied. The response of the hard drive to the supply current is evaluated. The sounds that the hard drive makes are diagnosed, and an attempt is made to read the passport and the main system modules of the drive.
Stage 2.1: If the hard drive does not work, the control board components and connection interfaces are additionally examined and tested. An attempt is made to diagnose the drive using a specialized utility. If the utility can be launched, the diagnostic and recovery procedures for the drive are performed.
Stage 2.2: If the hard drive works correctly, an attempt is made to read the data and save it to a newly created forensic image. If bad sectors are found while reading the data, an attempt is made to read data from them.
Fig. 3. Evaluation of the current consumption when the supply voltage is applied to the hard drive.
Quite often, experts have to visit the client in order to copy storage devices. Sometimes this has to be done within a limited time frame. In this case, a damaged hard drive can become a huge problem for the expert: copying such a drive not only takes significantly longer than copying an ordinary hard drive, but also ties up valuable equipment used for copying hard drives.
Using PC3000 Portable III you can both copy off-line (drive-to-drive) and create a forensic image on the expert’s connected laptop (personal computer). If hard disk defects are detected, the system can be used to perform preliminary diagnostics of the drive.
Fig. 4. Data copying from one drive to another.
Hard drive serial number identification
Identifying the serial number of a hard drive is an uncommon problem, but one that occasionally comes up.
It can occur when the sticker on the hard drive is damaged or has come unstuck. The serial number of the hard drive is stored in the SMART and can be read via PC3000 Portable III without any problems.
Fig. 5. Hard drive’s passport.
As you can see from the screenshot, the serial number of the connected hard drive is Y9SMNGTAS.
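An added example, not part of the original article or of ACELab's software: on an ATA drive the serial number is returned in the 512-byte IDENTIFY DEVICE block (words 10 to 19), so a recorded passport can be checked independently of the label. The sample block is constructed; only the serial value is taken from this article, and the firmware and model strings are placeholders.

```python
def ata_string(identify, first_word, last_word):
    """Decode an ASCII field from raw IDENTIFY DEVICE data.

    Each 16-bit word carries two characters with the first one in the high
    byte, so in the raw little-endian buffer every byte pair is swapped.
    """
    raw = identify[first_word * 2:(last_word + 1) * 2]
    swapped = bytearray(len(raw))
    swapped[0::2] = raw[1::2]
    swapped[1::2] = raw[0::2]
    return swapped.decode("ascii", errors="replace").strip()


def parse_passport(identify):
    """Extract the identity fields an examiner records for the evidence item."""
    if len(identify) != 512:
        raise ValueError("IDENTIFY DEVICE data must be exactly 512 bytes")
    return {
        "serial": ata_string(identify, 10, 19),    # words 10-19, 20 characters
        "firmware": ata_string(identify, 23, 26),  # words 23-26, 8 characters
        "model": ata_string(identify, 27, 46),     # words 27-46, 40 characters
    }


def build_sample(serial, firmware, model):
    """Build a constructed IDENTIFY block for testing (not a real capture)."""
    buf = bytearray(512)
    fields = ((10, 20, serial.rjust(20)),
              (23, 8, firmware.ljust(8)),
              (27, 40, model.ljust(40)))
    for word, width, text in fields:
        field = text.encode("ascii")
        start = word * 2
        buf[start:start + width:2] = field[1::2]      # low byte: 2nd character
        buf[start + 1:start + width:2] = field[0::2]  # high byte: 1st character
    return bytes(buf)


if __name__ == "__main__":
    # Serial from the article's screenshot; other strings are placeholders.
    sample = build_sample("Y9SMNGTAS", "FW01", "EXAMPLE DISK 500G")
    print(parse_passport(sample))
```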
Cloning of the damaged hard drive.
A typical stage in the investigation of a damaged hard drive is extracting the data from it and creating a forensic copy.
The procedure for forensic copying of damaged hard drives differs from the traditional hard drive copying procedure. For example, a damaged hard drive may yield a different amount of data on a second copying attempt, and multiple attempts to read a bad sector can end with the data being read. Or, on the contrary, multiple attempts can lead to failure of the hard drive or destruction of the magnetic surface. Therefore, when copying such hard drives, it is recommended to follow the documentation procedure used for live systems.
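The trade-off described above, as an added example that is not code from the article or from PC3000: a two-pass copy that reads healthy areas first in large blocks, then revisits failed blocks sector by sector with a hard cap on retries, and returns the unread sectors and the image hash for the acquisition record. The `FlakyDisk` class, block size and retry limit are assumptions made for the simulation.

```python
import hashlib

SECTOR = 512

class FlakyDisk:
    """Constructed stand-in for a damaged drive (not a real device API)."""
    def __init__(self, data, failures):
        self.data = data
        self.failures = dict(failures)  # LBA -> failing reads left; None = never readable

    def read(self, lba, count):
        for s in range(lba, lba + count):
            left = self.failures.get(s, 0)
            if left is None:
                raise IOError(f"unrecoverable sector {s}")
            if left > 0:
                self.failures[s] = left - 1
                raise IOError(f"read error at sector {s}")
        return self.data[lba * SECTOR:(lba + count) * SECTOR]

def image_drive(disk, total, block=8, max_retries=2):
    """Two-pass copy: fast block reads first, then bounded per-sector retries."""
    image = bytearray(total * SECTOR)      # unread sectors stay zero-filled
    pending = []
    for lba in range(0, total, block):     # pass 1: never retry, just set aside
        n = min(block, total - lba)
        try:
            image[lba * SECTOR:(lba + n) * SECTOR] = disk.read(lba, n)
        except IOError:
            pending.extend(range(lba, lba + n))
    unread = []
    for lba in pending:                    # pass 2: one sector at a time
        for _ in range(max_retries):       # hard cap protects a dying drive
            try:
                image[lba * SECTOR:(lba + 1) * SECTOR] = disk.read(lba, 1)
                break
            except IOError:
                continue
        else:
            unread.append(lba)             # goes into the acquisition record
    return bytes(image), unread, hashlib.sha256(image).hexdigest()

def demo():
    # Constructed 32-sector drive: sector 5 recovers on the third read,
    # sector 20 never does.
    data = bytes(i % 251 + 1 for i in range(32 * SECTOR))
    return data, image_drive(FlakyDisk(data, {5: 2, 20: None}), 32)

if __name__ == "__main__":
    _, (_, unread, digest) = demo()
    print("unread sectors:", unread, "sha256:", digest)
```

Because a second run against a degrading drive may return different data, the hash documents the image that was obtained, and the unread-sector list explains any zero-filled ranges in it.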
As can be seen in the example (Fig. 6), the hard drive connected to PC3000 Portable III has defects. Copying this hard drive with professional forensic tools is impossible.
Fig. 6. Passport of the connected hard drive. As you can see from it, the drive has problems of access to the data stored on it.
However, a data recovery system has no difficulty creating a forensic image of such a device.
Fig. 7. The process of forensic copy creation of the damaged hard drive.
As a result of the copying, the expert gets a forensic copy that can be investigated with traditional forensic tools or analyzed in the PC3000 Portable III software: get information about the logical partitions, copy files, or recover deleted files.
Fig. 8. Viewing files in the PC3000 Portable III software interface.
Symbiosis of PC3000 Portable and Forensic tools.
Forensic images extracted from damaged hard drives via PC3000 Portable III can be processed with your favorite forensic tools. To do this, add them to the program as a RAW (DD) image.
For example, a forensic image obtained earlier was added to and processed with AXIOM (Magnet). The result is shown in Fig. 9.
Fig. 9. The result of analysis of forensic image processed via AXIOM.
To load the image in Encase, choose the “Add Raw Image” option in the “Add Evidence” section.
Fig. 10. Adding a forensic image to Encase.
PC3000 Portable III supports saving retrieved hard drive images in forensic formats with hash sum calculation. The image can be saved in the following formats: Advanced Forensic Format, Encase Forensic Format, RAW image, DE Forensic Format. These formats are supported by Data Extractor, a utility built into PC3000 Portable III with which an expert can conduct a preliminary analysis of the extracted data.
It is impossible to describe all the functionality of PC3000 Portable III within one article. However, we should mention its features for recovering SSD storage, both SATA and PCIe (NVMe), with damaged translator firmware or problems with the service area or main firmware.
We can say with reasonable confidence that the tool significantly expands the capabilities of experts in collecting and analyzing data from various damaged storage devices (hard drives, flash drives, SSD drives, RAID arrays, etc.), which provides an expanded evidence base for law enforcement authorities, courts, and corporate lawyers.