Client: Bruce Hettema
You’d never know it from the outside but in there through those doors is one of the world’s oldest and most advanced data recovery companies. DriveSavers headquarters here in Novato California features almost a hundred employees, almost that many security certifications and a two million dollar ISO 5 cleanroom. And they sponsored us down here to have a close look at how it is they take this [holds up burned drive] and turn it into this [holds up new drive]. So let’s go inside.
We’re gonna kick things off in the museum…ah…as long as our escort says that that’s okay. Security is a huge deal that DriveSavers, not just on the outside of the building but also throughout it. So guests get these incredible badges that actually change color over time, eventually turning red so that anyone who sees it will know to kick me out or call the cops. And everything in here is on a “need to access” basis with biometric security on secure spots and annual background checks for all staff members.
So these guys have recovered data from pretty much everything that you would normally think of—hard drives, phones, laptops, SSDs—and from a lot of things that you probably wouldn’t think of—defibrillators, photocopy machines and even a TiVo.
So the museum here contains many of their biggest success stories, both in terms of the importance of the data that was recovered—they once saved Twisted Sisters Christmas album and 12 episodes of The Simpsons, including the conclusion of the “Who Shot Mr. Burns” cliffhanger during a national contest to guess who did it—and in terms of the difficulty. So—run over by an 18-wheeler? Check. Lit on fire? Check. Buried in a mudslide? Check that too.
This one that you’re looking at right now [showing laptop] was actually pulled from a sunken cruise ship after sitting underwater for two days. It had the owner’s memoirs successfully recovered from it.
Now, let’s talk about how they do it.
Consultation and, in some cases, even diagnosis with an analysis of what data they expect to get back is free.
So you send in your drive where Shipping sorts it into a colored bin according to the priority of the job and the..ah…cleanliness of the drive or device. And you might think to yourself, “come on! It’s a hard drive. How dirty could it be?” But they’ve actually had to obtain a Geiger counter to evaluate the radioactivity of drives coming out of nuclear disasters. And, through some of their forensics work, they’ve even seen devices come through here that were found on murder victims. One phone apparently had the camera element gouged out before being placed back on the victim’s body in an apparent attempt to get rid of the photos. So, yeah, DriveSavers got that ____ back. Good work, idiot. Hope prison’s treating you well.
From shipping, your bin travels to one of a few different places—and we’ll go through those in a minute—but everything will eventually get the cloning treatment. And that starts here. DriveSavers keeps a huge inventory of spare wiped donor drives because you dramatically improve your chances of recovery if you’re working with a bit-for-bit digital copy of your data set. It gives you the time to analyze more than just “what files were there?” and then dig into “who accessed them? When? What did they do?” These kinds of things can be particularly important in cases of corporate intellectual property protection, for example, where there might have been some attempt to destroy data or cover up a data access.
The folks in this room also do the initial analysis of RAID arrays using software tools, like the one you’re looking at here, to rebuild the array logically and determine which drives are probably working fine versus which ones will likely need physical repairs before making a cloning attempt. And they’ve got the hardware for everything from reconstructing a four drive home NAS array to this over here. This is a 45 drive JBOD that’s on standby waiting for—I don’t know—maybe another 96 drive server that got gallons of water dumped on it due to a sprinkler system malfunction? Because—yeah, that was a thing that happened.
But, as you saw in the museum, a lot of the hard drives that come through here need a lot more than a little bit of software re-kajiggering. So welcome to the cleanroom! Or—strictly speaking, this is the inventory room and the cleanroom is on the other side of the glass. But this stuff’s cool, too!
In here, they’ve got basically every hard drive you could imagine. They’ve got two and a half inch. They’ve got three and a half inch. They’ve got the latest helium-sealed drives. And—all the way from the latest to—look at these clunkers. I mean, look at this! This is called a Mini Scribe. I guess, you know, relative to this guy, it is pretty mini. But, basically, the point is: whatever the techs on the other side of the glass—inside that is an ISO 5 cleanroom. So that is less than 100 thousand 0.1 micron particles per cubic meter—ten thousand times cleaner than a normal room. Whatever they need, they put a request onto this little cart. It comes out here, we load it up, we fire it back in there. And whether it’s a brand new driver an ancient one, they start the process of rebuilding one working drive from the donor and the recipient.
Now, they did put away some of the proprietary equipment that they use. For example, they found a way to work on helium sealed drives which won’t function at all in regular air that’s seven times more dense. And so they wouldn’t show us, like, I don’t know, how they either reseal them or put them in a helium chamber or something. But this place is still incredible.
So, thanks to the 34 filtered fans, air is circulated in here so quickly that it’s not only clean but they can actually do soldering work anywhere in this room without disrupting anyone else’s sensitive recovery operation. Incredible! And an operation it is! They actually agreed to let us do an actuator swap. So, stay tuned for that video because I’m super stoked for you guys to see it. Anyway, for now, let’s continue our journey.
So then, with the drive physically working, I mean it’s copying data, they can just send it back to you, right? Wrong. So, this guy right here is working but it is not reliable. DriveSavers wouldn’t be able to keep their warranty-approved service status with every major hard drive vendor for very long if they pulled that kind of a stunt. So, the next step then is logical recovery, where maybe not all but some of the data should be recoverable even in cases of severe physical damage like we saw downstairs in the museum. And we’re going to head over there.
But first, we need to make a quick stopover in Flash Memory Town.
Now, hard drive recovery is complicated. Flash memory…well, that’s a whole other ballgame, son. So, what you’re looking at here is raw ones and zeros off a flash chip. So, you can think of it kind of like a QR code except that there is no app for your phone to read it and, making matters even more difficult, this middle spare area part right here? Well, that contains information about where the block numbers are, where your ECC belongs, etc. Really good stuff. Except—oh wait—that gets intentionally scrambled in many cases as a security measure. So figuring out which bytes are bad and getting the whole thing to turn green takes a lot of knowledge. And then, to do it quickly takes years of experience.
And even getting it to that point isn’t trivial. In many cases, flash memory chips require proprietary—not to mention expensive—readers. And they come from devices that don’t always want to give them up easily, including everything from standard Apple or MDOT to SSDs and computers to camcorders, mp3 players (like, what year is it? I know, right?) and even bare flash chips that are soldered onto the motherboard, like in some of the latest Macbooks—thank you, Apple. And the craziest part is—coming back to device security again—on a device with a security module like an iPhone, for example (so, you can see in this footage they’re taking apart an iPhone X for us that might later be used as a known good for a customer recovery attempt), you could actually need at least four components to even hope to pull data off of it: the NAND flash itself, which needs to be desoldered from the board and the baseband IC, the controller, which you can actually see from this disassembled A8 chip actually sits under the RAM with contacts on the top and bottom, and the ROM. So four parts. Which means that, if you were to hope to pull data from a badly damaged one of these, you would need to desolder, clean, re-ball and resolder all of these four components—successfully—to a donor phone. And, did I mention by the way that even the couple generations old A8 processor already had 1,100 contact points? So they apparently haven’t attempted an operation like this with the X yet but they think that it might be possible!
Finally, we’re in Logical Land. Now, stuff without any physical damage to the hard drive itself may end up coming straight here. Like…let’s say, for example, you plug the wrong power supply into your external drive enclosure like this and it released all of its magic blue smoke (Pella). He actually sent this drive to DriveSavers four years ago but ended up opting not to go forward with the recovery service. So, as you can see from what we pulled off of this drive, it’s clear that for some people it’s not necessarily going to make sense necessarily to pay for data recovery if all you’ve got that’s not backed up somewhere is clips from a Cheech and Chong live concert.
With that said, even around here at DriveSavers, where their bread and butter is failed or corrupted devices, they still absolutely preach the principles of data backup. Because the cold hard truth is: even if you are an extremely skilled data recovery engineer, there are still things that can take out your storage permanently. So, I think a perfect example of that is our host today, Mike, ended up losing pretty much all of his data in the Santa Rosa fires. So, even though he’s an executive here at DriveSavers, there was nothing he would have been able to do about that if he hadn’t had an off-site backup.
So, at the end of the day, that’s the takeaway, guys: make backups of your data. The three, two, one principle should never be ignored. But in the event that something goes terribly wrong, DriveSavers has got your back.
I want to thank them for making this video possible. I want to thank you guys for watching. And you can check out the link to DriveSavers in the video description.