Client: Bruce Hettema
Originally published by Wired.
Written by Mat Honan
DriveSavers data recovery engineers working in one of its secure clean rooms. PHOTO: MAT HONAN
After getting epicly hacked and having my computer wiped remotely, I was left with the world’s saddest MacBook Air. My useless machine came back to me from the Apple Store with a new OS installed on a 6GB partition, and what appeared to be a locked 250GB big blank slate on the other. But in the nothingness of that blank slate, I hoped, were the pictures, movies, and documents that I foolishly and lazily had failed to back up.
I considered trying to recover the data myself. There are a lot of at-home data-recovery tools, and, well, it would make a better story — or at least, a story that made me look better. But after just a little bit of research, I decided I wasn’t about to try.
The MacBook Air uses a solid state drive (SSD), which offers faster performance while using less physical space than a traditional hard drive. But an SSD has unique recovery problems. And my data was too valuable to me to entrust to, well, an idiot like me. So I packed up my machine and shipped it off to DriveSavers, a Novato, California, company that specializes in data recovery. They called me on a Monday to say that the drive had arrived, then again the following day to let me know that they were finished and that they had been able to retrieve nearly all of my important data.
Instead of having them ship everything back to me on a new drive, I drove out to Novato the next day to see how these guys work.
The facility is straight up CSI. Clean rooms lead to cleaner rooms, which lead to even cleaner rooms, and so on. The workspaces range from federal standards of 100,000 to 100. (The rating is a measure of the number of 0.1-micron-sized airborne particles per square meter.) Additionally, all employees undergo annual background checks, due to the company’s contracts with government agencies like the DOD and FBI. DriveSavers also has to meet crazy data-security requirements — like HIPAA certification to do work for hospitals and GLBA for financial institutions. Basically, the company has to meet all of the same security standards its clients do.
Visitors have to go through a set of security doors with a video-surveillance system to get into the building, and then a second secure entry to actually get into the office. Throughout the hallway and the office are burned-out and wrecked computers in all sorts of terrifying states. These, it turns out, are success stories.
When a drive arrives, it goes to a clean room to be removed from its enclosure so that the machine it’s on never needs to be powered up. Often, damage to a drive — especially in the case of standard hard disk drives (HDDs) that have spinning platters — comes from physical damage to the machines themselves — laptops doused with coffee, external drives dropped on concrete, desktops caught in fires, and iPhones dropped in the toilet. (Oh, so many iPhones in the toilet.) So powering them up can worsen the damage, since circuits could be fried or disk platters further wrecked.
This is also true of solid state drives, like the kind found in a MacBook Air or ultrabook. One of SSDs’ performance benefits is the way they constantly reallocate data. SSDs can’t overwrite existing data, like an HDD can. They have to erase data first, then write. So they automatically do something in the background called garbage collection — constantly copying, moving, and then erasing blocks of data. The process is basically like defragging a disk at the physical level. But if an SSD has been damaged for some reason, or, like mine, is in the process of being wiped, the trash is still getting taken out but that new data isn’t taking its place. So again, the drive is removed to prevent damage from spreading.
Once the drive is out, a team of engineers drops it into proprietary custom adapters running specialized software that allows for superfast data transfers. DriveSavers says it has custom adapters to fit more than 20,000 drive models. In fact, the place is awash in specialized hardware and software and engineers who can handle both. Everyone is cross trained, so the facility can run 24/7. Lab guys in cleansuits can manipulate firmware, swap out platters, print circuit boards, and crack passwords. All this means the facility can handle everything from cellphones to SSDs to ancient hard disk drives from the ’80s (think: government computers) to basically any drive made in the past 30 years.
The inventory room, where all kinds — almost every kind — of data device is stored to be used as a target recovery drive. If they don’t have it, they’ll get it.
The next step is to image the drive, or copy all the data exactly as it is found. The idea is to quickly duplicate the original to prevent further degradation of a damaged system. “We never want to work off source,” explains Mike Cobb, director of engineering for DriveSavers.
Even imaging is complicated. Since data contamination could mean someone else’s stuff winds up on your drive, the company “slicks” its storage mediums. That means securely overwriting drives, even brand-new ones, with zeroes to make sure that any data that appears on a copy could have come only from the original.
Once the lab techs have copied the drive, they look to see if there is any data to salvage. This is a purely exploratory stage. Often, there are no intact files or file systems, just raw unstructured data. That’s fine. But problems arise when a disk is physically unreadable or has been zeroed out. Take my SSD, for example. The first 26 percent of the drive, 64 GB, had been overwritten with zeros. There was no way to get back what was no longer there. There are other situations that can make SSDs unrecoverable as well. If the drive is encrypted, and there’s no key, the data exists but is indecipherable. Because the vast majority of SSDs now do encryption, if that key has been lost or destroyed, the data is effectively gone.
Hard drives can be unrecoverable too, typically due to a catastrophic head crash. Hard drives look a little bit like record players. There’s a spinning platter with a thin magnetic film, where data lives. Like the needle on a turntable, a disk head reads and writes data by moving across the platter. But unlike a turntable, the head isn’t supposed to make contact with the platter. The two are separated by mere nanometers, but they’re separated. When they come together and the disk continues to spin, the crash can become catastrophic, completely destroying the magnetic material beyond the point of redemption.
Typically, however, the techs find something on the drives, even in cases of house fires. And if they can find data, odds are they can recover it.
An operating system will basically give up and move on when it hits damaged or unreadable sections of a drive. Mac OS, for example, didn’t recognize that my drive had any data on it at all in that second partition — even though there were some 190GB of data hidden there. The data wouldn’t even show up if I booted up my machine in target disk mode. For all practical purposes, that information was lost. DriveSavers uses specialized software to route around that damage and restructure raw data into file types.
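As an added illustration (not part of the original article, and not DriveSavers’ software, which the article does not describe): a general technique for rebuilding files from raw data without a file system is signature-based carving. The sketch below measures the zeroed region at the start of a constructed image and carves JPEG-like spans by their start and end markers; the function names and sample bytes are assumptions made for the example.

```python
"""Signature-based file carving over a raw image (constructed sample data)."""
JPEG_SOI = b"\xff\xd8\xff"  # JPEG start-of-image marker plus next marker prefix
JPEG_EOI = b"\xff\xd9"      # JPEG end-of-image marker
SECTOR = 512


def zeroed_prefix(image: bytes, sector: int = SECTOR) -> int:
    """Return the number of leading bytes made up of all-zero sectors."""
    blank, offset = bytes(sector), 0
    while offset + sector <= len(image) and image[offset:offset + sector] == blank:
        offset += sector
    return offset


def carve_jpegs(image: bytes, start: int = 0, max_size: int = 20 * 2**20):
    """Yield (offset, data) for each start..end marker span at or after start.

    Simplification: embedded thumbnails carry their own markers, so a real
    carver parses segment lengths instead of stopping at the first end marker.
    """
    pos = start
    while (soi := image.find(JPEG_SOI, pos)) != -1:
        eoi = image.find(JPEG_EOI, soi + len(JPEG_SOI), soi + max_size)
        if eoi == -1:        # header with no end marker: truncated, skip it
            pos = soi + 1
            continue
        end = eoi + len(JPEG_EOI)
        yield soi, image[soi:end]
        pos = end


def build_sample() -> bytes:
    """Constructed image: wiped prefix, two intact JPEG-like blobs, one truncated."""
    pic_a = JPEG_SOI + b"\xe0constructed-photo-A" + JPEG_EOI
    pic_b = JPEG_SOI + b"\xe1constructed-photo-B" + JPEG_EOI
    truncated = JPEG_SOI + b"\xe0lost-tail"
    filler = b"\xaa" * SECTOR  # stands in for unrelated raw data
    return bytes(4 * SECTOR) + filler + pic_a + filler + pic_b + filler + truncated


if __name__ == "__main__":
    image = build_sample()
    wiped = zeroed_prefix(image)
    print(f"zeroed prefix: {wiped} bytes ({100 * wiped / len(image):.0f}% of image)")
    for offset, data in carve_jpegs(image, start=wiped):
        print(f"carved {len(data)} bytes at offset {offset}")
```

Run against a copy of the image rather than the source drive, in line with the imaging step described earlier.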
Before I sent my drive off, I explained what kinds of files I was hoping to get back — photos, documents, e-mails, and the like. I didn’t particularly care about recovering my apps. So the engineers began scouring the drive for that information.
Remarkably, they were able to get nearly all of that vital, irreplaceable data. Even the EXIF data in my photos was intact. Basically, the files came back to me in the exact same condition they had been before my drive was wiped. It was pretty remarkable.
I left with an encrypted external hard drive full of data I once thought was gone forever, and a pretty enormous bill ($1,690) that was worth every penny.