By John Ahearne, Forensic Analyst
When data is needed for use as evidence, it is imperative that the only people to work on the device are verified experts in imaging a device for digital forensic purposes—preferably digital forensic experts working for a digital forensic service. Otherwise, the device—or the data itself—could be rendered inadmissible. Or worse—gone for good.
Digital Forensic Case Study: Poor Practices
Recently, a law enforcement agency asked DriveSavers to perform a forensic acquisition of a DVR that had been in the possession of a third party for the purposes of extracting digital evidence for a case. This involved performing a sector-by-sector duplication of the hard disk drive (HDD) in a forensically sound manner that protected and preserved the electronic evidence.
There was no mention of any damage, prior attempts at data extraction, or repair on the DVR or its hard drive other than that the data could not be read.
When the package arrived at DriveSavers, we discovered damage done to the DVR enclosure. We removed the drive from the DVR and took notes and pictures to record the damage done to the enclosure. The next steps involved bringing the HDD into our Certified ISO-5 Cleanroom for image extraction while maintaining chain of custody documentation.
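As an added illustration of what the sector-by-sector acquisition and chain-of-custody documentation described above look like in practice (this is example code written for this page, not DriveSavers' tooling and not from the case), the Python below reads a source sector by sector at explicit offsets, zero-fills and records any sector that cannot be read (the way a drive with media damage surfaces I/O errors to the imager), hashes exactly the bytes written so the image can be re-verified later, and emits a custody record. The `ConstructedSource` class, the examiner name and the sector numbers marked as bad are constructed test values; on a real case the source would be a write-blocked device opened read-only.

```python
import hashlib
import io
from datetime import datetime, timezone

SECTOR = 512  # logical sector size assumed for the source device


class ConstructedSource:
    """Constructed stand-in for a damaged drive (not a real device): an
    in-memory disk in which the chosen sector numbers raise OSError on
    read, the way media damage surfaces as I/O errors to the imager."""

    def __init__(self, data, bad_sectors, sector=SECTOR):
        self._buf = io.BytesIO(data)
        self._bad = set(bad_sectors)
        self._sector = sector
        self.size = len(data)

    def seek(self, offset):
        self._buf.seek(offset)

    def read(self, n):
        pos = self._buf.tell()
        if pos // self._sector in self._bad:
            raise OSError(f"I/O error reading sector {pos // self._sector}")
        return self._buf.read(n)


def acquire(src, dst, size, sector=SECTOR, retries=2):
    """Sector-by-sector acquisition of `src` (seek/read file-like) into `dst`.

    Each sector is read at an explicit offset. A sector that still fails
    after `retries` extra attempts is zero-filled in the image and recorded,
    so the image keeps the source's length and offset alignment instead of
    silently shifting data. Hashes cover exactly what was written."""
    sha256 = hashlib.sha256()
    md5 = hashlib.md5()
    unreadable = []
    total = (size + sector - 1) // sector
    for n in range(total):
        offset = n * sector
        want = min(sector, size - offset)
        chunk = None
        for _ in range(retries + 1):
            try:
                src.seek(offset)
                chunk = src.read(want)
                break
            except OSError:
                chunk = None  # retry; a damaged sector may read on a later pass
        if chunk is None or len(chunk) != want:
            unreadable.append(n)
            chunk = b"\x00" * want  # document the gap instead of hiding it
        dst.write(chunk)
        sha256.update(chunk)
        md5.update(chunk)
    return {
        "sectors_total": total,
        "sectors_unreadable": unreadable,
        "bytes_written": size,
        "sha256": sha256.hexdigest(),
        "md5": md5.hexdigest(),
    }


def verify_image(image_bytes, expected_sha256):
    """Re-hash an image and compare with the hash recorded at acquisition."""
    return hashlib.sha256(image_bytes).hexdigest() == expected_sha256


def custody_record(examiner, action, result, notes=""):
    """One chain-of-custody entry: who did what, when, plus the image hashes
    and unreadable-sector list that make the result repeatable and checkable."""
    return {
        "timestamp_utc": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,
        "action": action,
        "sha256": result["sha256"],
        "md5": result["md5"],
        "sectors_unreadable": list(result["sectors_unreadable"]),
        "notes": notes,
    }


def demo():
    """Acquire a constructed 8-sector drive in which sectors 3 and 5 are
    unreadable. Returns (result, image_bytes, custody_entry)."""
    data = bytes(range(256)) * 16  # 4096 bytes = 8 sectors of 512 (constructed)
    src = ConstructedSource(data, bad_sectors={3, 5})
    dst = io.BytesIO()
    result = acquire(src, dst, src.size)
    image = dst.getvalue()
    entry = custody_record("examiner-placeholder", "acquisition", result,
                           notes="constructed example, not a real case")
    return result, image, entry


if __name__ == "__main__":
    res, img, rec = demo()
    print("unreadable sectors:", res["sectors_unreadable"])
    print("sha256:", res["sha256"], "verified:", verify_image(img, res["sha256"]))
    print("custody record:", rec)
```

The point of zero-filling rather than skipping an unreadable sector is that every byte of the image then sits at the same offset as on the source, so file-system structures and timestamps found later can be located and defended; the list of unreadable sectors and the hashes in the custody record are what let a second examiner repeat the acquisition and confirm they got the same result.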
The preliminary forensic analysis revealed that the drive was a “clicker,” emitting the repetitive clicking sound that is a sign of physical damage to the device.
Upon closer inspection, we noted that the drive had been previously opened before its arrival at DriveSavers. There were fingerprints and dust on the surface of the top platter and additional prints on the read/write head actuator.
Oily fingerprints and dust particles are larger than the gap between the read/write heads and the platters, and the media on the platters is easily damaged. Based on industry standards and best practices, a hard drive should be opened only in a particle-free environment, by engineers wearing lint-free cleanroom apparel and non-static gloves. Because the media is so easily damaged, touching the platters or the internal mechanics of the HDD must be avoided. It would appear that best practices were not followed in this case.
The cause of the clicking turned out to be a hairline circular scratch running around the entire platter, the result of the read/write head contacting the media. The pattern is circular because the platters keep spinning at high speed while the read/write head is in contact with them. Think of a record player where the needle is stuck and grinds away as the record continues to spin. Severe read/write head contact appears as rings on the platters.
The hard drive from this DVR had suffered media damage in what is known as a “head crash.” A head crash is a mechanical malfunction that causes the read/write heads to make physical contact with the surface of the platters inside the drive, causing abrasive damage to the magnetic coating that stores the data, which looks like scratches or rings on the surface.
In this particular drive, all read/write heads are attached to a head stack assembly that operates as a single unit. In this model of hard drive, a scratch or head crash on one platter affects all other platters since all heads work in unison. As the actuator sweeps across the platters—or “seeks”—while trying to access drive information and data, the heads will continue to come into contact with any media damage, causing the entire head stack assembly to fail and thereby rendering the data on all other platters unreadable.
In this case, the drive inside the DVR had been in use for five years—not the shortest lifespan for an HDD but a long time all the same. It’s possible that the drive simply wore out from use. More likely, however, is that the damage occurred as a result of whatever caused the dent in the DVR and/or the fingerprints inside the drive. Without thorough records, proper documentation, chain of custody and best practices, it’s one person’s word against another.
It’s unclear whether a forensic image could have been obtained before the damage or the attempted repair occurred. However, tampering with the drive outside of a Certified ISO-5 Cleanroom severely limited any possibility of data recovery. With no data, there is no evidence. This is why it is essential, when electronic evidence is at stake, that only vetted, trusted experts in the field of digital forensics work on a device. Only experts in the field of digital forensics can provide results that are repeatable and defensible.
Without prior documentation, we can’t tell if the head crash occurred before or after the drive was opened. It’s possible that the physical trauma that caused the dent also caused the head crash, had the device been in operation at the time, but we have no idea whether that dent happened before or after the head crash. We do know for sure that the data is unrecoverable and somebody has some explaining to do.
Due to the severity of the damage to the hard drive in this DVR, no data was recoverable. Therefore, no digital evidence was recoverable and, depending on who had possession of this unit before DriveSavers received it, law enforcement will be asking some hard questions. After all, they now have no evidence and it’s possible that they no longer have a case.