Tuesday, May 10, 2016

HDD Reverse Imaging Ft. Forward Imaging using Deepspar Disk Imager

Hi all  , After installing Deepspar Disk Imager  I have to try it with its great features for the first case my friend’s damaged hard disk drive which have more than 3000 bad sectors in HDD Regenerator so I decided to recover data from it the first phase as I learned in Scott Moulton Course the first step is to image the HDD but when I tried to image it with the normal process imaging from LBA0 to MAX LBA but it shows many skipped sectors due to ECC Errors , Bad sectors so it must be failed you know that when you tried more read/write process it will kill hard drive  so what should I do ??

we have 2 types of imaging the first is forward imaging which drive make sense to ECC i.e. Buffer Ram as imaging from LBA0 to MAX LBA from Outside to inner ring .There are many softwares and hardwares doing this like FTK Imager and DDI but when you find problems like I faced you should try the type 2 Reverse Imaging,
Reverse Imaging images HDD from MAXLBA to LBA 0 but what the difference is that there is no cache memory on HDD  caches only data forward imaging is from inner ring to outside but this is 5x slower than forward imaging but this imaging can be of a high quality and can recover more data than forward imaging .
When imaging you can see in status bar some words which are hard disk status like: BSY, ERR.
These error codes and Diagnostic info this is from Drive Status Register which are:

  •  BSY - drive busy
  • DRDY - Drive ready to accept commands
  • ERR - The Last Result was an Error 
  •  DREQ -exchange data with host 
  •  UNCR-Uncorrectable Error
  •   WRFT - Write Fault
  •  IDNF- Sector ID Not Found. If the sector that holds this information is corrupt there is no way for the hard drive to locate this sector and it will return the result IDNF.
  • AMNF-Address Marker Not Found. This is similar to the IDNF but relates to the data. If there is an error and this marker is corrupt then the data for this sector cannot be located. The data in this area is 512 bytes of user data
  •   ABRT- Command Aborted. - is an abort error and it will discontinue trying to read that block
  •   TONF - Track 0 not found

References:
1-      Deepspar Disk Imager User Manual.
2-      Forensic Hard Drive Data Recovery By Scott A. Moulton .
3-     Hard drive physical sectors architecture and data reading process.
Posted by at 1 comment:

Tuesday, April 26, 2016

P-list and G-list .. where you can find your bad sectors

Hi all back with new article hope it useful for you.  Nowadays I install our data recovery lab in EG-CERT. You know you should learn more about tools you install especially if it likes from ACE Lab. During my study in DR in Scott Moulton course specifically some words stopped me I feel I must know more and more so if I learn I will share so let’s begin:
In HDD there are SA which is responsible for all info stored in it from manufacture what is G,P lists in it . We all know that SA has two lists called P-list and G-list. System area has many, modules as I described there. But what about these lists let’s know:
firstly we must know that the two lists contain bad sectors so what is bad sector? Why bad sector in G not in P? . Bad sector is a sector which is either unwriteable or inaccessible because of physical damage or any other failure so if we had a HDD has 100 sectors it will be :
0,1,2,3,4,5,6,7,8,9,10 ==> SA (system area) .
11,12,13,14,15,16,17,18,19,20,………………………90 ==> user data .
91,92,93,94,95,96,97,98,99. ==> reserved area or spare sector pool .
If sector from 11 to 90 is bad by any reason it will remapped by HDD translator to another sector from reserved area from 91 to 99. So say 51 is a bad sector it will remapped to 91. so user data in this area will 48,49,50,91,52,53 and so on user won’t know about this this is remapped by translator of HDD and you will see everything is normal but wait why two lists ?
P-list:
It is primary defect list which contains bad sector created after testing HDD at the factory when hdd is made it was tested by factory in this testing process bad sectors created so it will be in this list (P) but user never know anything about these bad sectors as it was remapped by translator to sector from reserved area and HDD is working good. testing must be made by factory but when you buy a hard disk 3 TB it will be 6 billion sectors if 1000 sectors are bad in P-list this is only small proportion of the total capacity . Remapping these sectors is done by translator as the above example :
11,12,13,14,15,16,17,18,19,20,………………………90 ==> user data .
91,92,93,94,95,96,97,98,99. ==> reserved area or spare sector pool .
 if sector number 13 is bad it will be marked in p list and  remapped to 92 so it will be :
11,12,92,13,14,15,16,17,18,19,20,…………………..90 .
so p list contains bad sectors which result from testing process at factory .
G-list:
It is grown defect list which contains bad sectors generated from life of your hard disk we all install, remove, read and write and so on. Bad sectors generally appear all the time but it can be fixed if not it will remapped to new sectors from reserved area and marked in G-list. but reserved sectors are limited so at some time some sectors will be marked as bad and there are no new sectors to be replaced and G-list will grow and grow, SMART will set a flag indicating check your disk, hdd will be slow so you need to recover these sectors or backup your data or keep hdd till you lose it and your data :P . Remapping these sectors like this as the above example:
11,12,13,14,15,16,17,18,19,20,………………………90 ==> user data .
91,92,93,94,95,96,97,98,99. ==> reserved area or spare sector pool .
during life of your hdd assume that sector number 19 is bad so it will be replaced by 98 like :
11,12,13,14,15,16,17,18,98,20,………………………90 .

You will notice that in p-list sector is shifted but in G-list sector is replaced for that reason there are two lists. you can recover data from sectors in G-list directly but in some cases can’t be recovered as recovery process has more values must be considered to recover data J  .
You can access these lists by special hardware like PC-3000.
Disk drive addressing LBA map and sectors here .

References :
1-                  https://www.mjm.co.uk/articles/bad-sector-remapping.html
2-                  https://en.wikipedia.org/wiki/Bad_sector
3-                  http://myharddrivedied.com/data-recovery-training/distance-learning
4-                  http://hdrconline.com/online_course_content.php







Posted by at No comments:
Subscribe to: Posts (Atom)