Craigslist Data Recovery Experts

I like Craigslist and I am a happy Craigslist customer. However, buying something, I can see and use is much different than finding an expert to do your data recovery.  IMG_4383We have advertised on Craigslist and many other places.  The difference though is we are a bricks and motors business with a laboratory and certified technicians.  Often we get hard drives that customers have done Do It Yourself repairs and recoveries. Increasingly we are seeing those that are looking for a cheaper recover turn to self-identified experts on social media and places like Craigslist. All we can say is buyer beware.  Anyone offering Data Recovery in these places without a real business location, city and state licenses might not have the skill, abilities and equipment required to actually assist you.

The image included here is showing fingerprints on the inside of a clients hard drive directly on the data platters. This work was done by a “Craigslist Data Recovery Expert”. This expert didn’t have the correct understanding of physical hard drive recovery processes and procedures.

If you do want to get services from someone on Social media sites, you might want to ask them some questions first:

  • What’s your specific background in data recovery?
  • What is your training in the data recovery field?
  • How many hard drives have you recovered data from?
  • How do you diagnose a hard drives issues?
  • Do you have a clean environment to open a hard drive if that is required?
  • How many hard drives have you done a physical recovery on?

This is a short list (and there are potentially many more possible questions), but the answers to these questions as the consumer should be very specific.  Someone responding to these should be complete and detailed.  Anyone avoiding answering the questions might not have the skills you require to be successful.

As always, we give free advice and a free evaluation. If you are still interested in having the Craigslist expert work on your  hard drive, at least you will do so better informed and able to ask the right questions.


Do It YourSelf Data Recovery projects

“I have (Fill in the blank here)…..

 I used free data recovery software I downloaded from the Internet but they all failed and stated “Could not read data, bad sectors”.

 So I attempted to open my (Fill in the blank here)….. which was a bad idea.

 My plan is to buy the same make and model (Fill in the blank here)…..  and replace the PCB (or heads or whatever else they read on the Internet to fix their perceived problem) if that does not work I wanted to know how much it would cost to recover my data? “

Do it Yourself recovery is a common occurrence today in the data recovery industry. Just look at Youtube for the number of DIY recovery videos posted regularly. There are many legitimate data recovery companies offering advice on doing data recovery there but they all recommend if you want your data back contact a reputable data recovery company to get your data back.

So is there any time that DIY recovery can be acceptable? Certainly, but not in every situation and not for every skill level. First of all a data recovery company when it receives a hard drive has to identify where the drive failure is occurring. Watching a Youtube video or listening to it click will not tell the untrained where the exact problem is, and in fact misdiagnosing the issue can lead to doing a DIY recovery method that could make things even more worse then you started.

Data recovery specialists spend a lot of time, money, training and tool acquisition to identify, repair and recover your data. So the next time you decide that a DIY project is a good idea, think about how much the data is worth and can you live without it.

Wiping your data

You decide that you want donate your computer to your local charity or a family member. However, you have read the articles about all the data that remains on your hard drive even if you delete the data. How is it that your personal data can be removed from the drive so no one else can see it?

Early in their use of computers, the U.S. Government recognized that hard drives (and now solid state drives) retain lots of data. Some of this data is easily accessible in the “User” area and some less accessible in the systems areas of the hard drive. Prior to replacing the hard drive the data needs to be permanently removed from the hard drive. The process of destroying the data started with a simple writing of any character over all the data area of the drive. The concept of what we now call “wiping” has developed into a standard employed across the U.S. Government and adopted worldwide a sbest practices for wiping hard drives.  The standard developed as U.S Department of Defense  standard DoD 5220.22-M. It outlined the recommend methodology for destroying data using software methodology. The standard listed suggestions from a single pass of the data area with random characters to 30 passes over the data.  This methodology has changed and most in the field recognize that based on the current hard disk drives configuration a single pass sufficiently destroys all the data for non-classified storage devices.  Classified storage devices are physically destroyed. All of the recommended methods of data wiping are just that, recommendations.  The agency retaining the data has to decide the method and procedure required to destroy the data based on the data’s significance.

The National Institute of Science and Technology (NIST) released in December of 2014 an updated version of its Guidelines for Media Sanitization.  Some of the recommended factors to be considered are included from page 11:

“Organizations should consider environmental factors including (but not limited to):

  • What types (e.g., optical non-rewritable, magnetic) and size (e.g., megabyte, gigabyte,and terabyte) of media storage does the organization require to be sanitized?
  • What is the confidentiality requirement for the data stored on the media?
  • Will the media be processed in a controlled area?
  • Should the sanitization process be conducted within the organization or outsourced?
  • What is the anticipated volume of media to be sanitized by type of media?
  • What is the availability of sanitization equipment and tools?
  • What is the level of training of personnel with sanitization equipment/tools?
  • How long will sanitization take?
  • What is the cost of sanitization when considering tools, training, verification, and reentering media into the supply stream?”

These are all good things to consider in a small business and may still be relevant in our personal decision making process.  The NIST guide describes types of data deletion as Clearing, Purging or Destruction.  Clearing and Purging relate to the actual overwriting of the data on the drive and Destruction is the physical destruction of the hard disk drive.

For the average computer user the most likely question becomes what is the intended use of the hard drive after the data destruction.  Its generally that you want it to work after the data is removed or you don’t. If you want it to work, a data wiping program is the most useful tool or technique. In this case the data is destroyed and the hard disk drive can be reused. Physical destruction is just that, the data drive is no longer accessible due to the physical destruction of the hard disk drive. The government’s consideration of destruction is usually the use of a large shredder or destruction device capable of dealing with hard drives. However, most physical destruction to the drive (hammering in until its flat) will make the data unrecoverable for the average persons intentions.

Another old school method of destruction is the use of a Degausser (commonly used in destroying data on tape). Degaussing as defined by NIST is:

“To reduce the magnetic flux to virtual zero by applying a reverse
magnetizing field. Degaussing any current generation hard disk
(including but not limited to IDE, EIDE, ATA, SCSI and Jaz) will
render the drive permanently unusable since these drives store track
location information on the hard drive.”

The magnetism required has to be sufficient enough to change the magnetic field on the drives platters. Smaller older Degaussers can render the drive inoperable but may fail to destroy the data on the drives platters. The NSA has an approved list of degaussing tools that can be found in their Deagausser Evaluated Products List.

Something you may want to consider also is getting a certification of the data destruction. Once the data is destroyed verifying the destruction is a normal part of the process. Using data wiping tools the person or company verifying the data destruction can look at the data storage space and see that the data was destroyed. Using physical methods such as shredding, the drive owner can see that the drive is physically destroyed.  Degaussing as a method is the only one that has a difficult level of determining the data’s destruction.  Providers of data destruction services can provide letters or documents of the destruction.

Whether it is a personal decision or for implementation in a small business your decisions about data wiping are:

1) What is the intended use of the hard drive after the data is destroyed?,
2) What method of destruction should I use?, and
3) What will the cost be for destroying the data?
4) Do I need certification of the data’s destruction.

Any full service data recovery company can assist you with your decision making and will offer one or all of the types of destruction processes mentioned and should offer a certification of the destruction.

Counterfeit Flash Memory

Counterfeit media is not new to the flash memory market. However, the increase in the number of counterfeits chips we have been seeing is notable. Counterfeit chips to the untrained eye look exactly like the real one. They may have even come out of the same factory. But there is usually identifiable differences in the media upon closer examination. If the media is functioning there are methods of identifying the whether the chip is real our not.

Commonly the counterfeiters will use a smaller sized storage chip then listed on the packaging and loop the code in the chip to respond as if it is a much larger size. If the chip is not responding correctly, examining the physical device, controller chip and storage chip can give the data recovery specialist  ready identification of the counterfeit. The counterfeiter often will have spent a lot of time trying to make the exterior of the product, such as flash media (SD card or thumb drive) look like the original. However, the coding on the chips will be wrong or non-existent.

The manufactures information imprinted on the chips is something that data recovery specialists use to identify the chips and how they are designed. Without this information, it can be very difficult to recover the data. With the correct information, the data recovery specialist can run the chip make and model through various websites to acquire the correct chip design and layout to aid in the clients data recovery.

Music Server Recovery

Its not unusual to see odd data recovery jobs walk in the office. This one was one where the client had a music server that stopped working and needed to recovery his 450 gigabytes of music back. This was odd in the fact the company making the music server had gone out of business and could not longer support the product. The client had tried to recover the data himself but the drive was not recognized by his Windows computer.

As always we conducted an initial analysis and examination to identify any possible mechanical or electrical issues with the drive. IN this case the drive was functioning properly. A review of the data area initially revealed no file system or data.  A review of the partition table in a hex editor found no normal partitions. There was data in the normal location that the partitions should exist but it was not in the correct location or normal format. We were able to identify the partition naming convention uniquely used by the manufacturer and ultimately found that the drive had old FAT16 and FAT32 partitions. Following the end of one partition entry to the beginning of the next we were able to chain the partitions together and identify the four partitions (of the eight) that held the customers data. Using X-ways forensic tool we rebuilt the partitions and identified the file structure and the data files. This of course was not the end of the work.  The music server company had applied a unique formatting to the individual music files. The first sector of the file contained information about the author, song name and album. Then there were three empty sectors before the correct music file header information was located. Cutting these first four sectors and saving the file allowed the music file to play properly.  We did this for one file, but remember there was 450 gigabytes of music files.  In house we built a script to recursively go through each file, open the file, cut the first four sectors and save it again. The script was able to correct the file headers so we could provide the data to the client.