Tuesday, May 10, 2016

HDD Reverse Imaging Ft. Forward Imaging using Deepspar Disk Imager

Hi all  , After installing Deepspar Disk Imager  I have to try it with its great features for the first case my friend’s damaged hard disk drive which have more than 3000 bad sectors in HDD Regenerator so I decided to recover data from it the first phase as I learned in Scott Moulton Course the first step is to image the HDD but when I tried to image it with the normal process imaging from LBA0 to MAX LBA but it shows many skipped sectors due to ECC Errors , Bad sectors so it must be failed you know that when you tried more read/write process it will kill hard drive  so what should I do ??

we have 2 types of imaging the first is forward imaging which drive make sense to ECC i.e. Buffer Ram as imaging from LBA0 to MAX LBA from Outside to inner ring .There are many softwares and hardwares doing this like FTK Imager and DDI but when you find problems like I faced you should try the type 2 Reverse Imaging,
Reverse Imaging images HDD from MAXLBA to LBA 0 but what the difference is that there is no cache memory on HDD  caches only data forward imaging is from inner ring to outside but this is 5x slower than forward imaging but this imaging can be of a high quality and can recover more data than forward imaging .
When imaging you can see in status bar some words which are hard disk status like: BSY, ERR.
These error codes and Diagnostic info this is from Drive Status Register which are:

  •  BSY - drive busy
  • DRDY - Drive ready to accept commands
  • ERR - The Last Result was an Error 
  •  DREQ -exchange data with host 
  •  UNCR-Uncorrectable Error
  •   WRFT - Write Fault
  •  IDNF- Sector ID Not Found. If the sector that holds this information is corrupt there is no way for the hard drive to locate this sector and it will return the result IDNF.
  • AMNF-Address Marker Not Found. This is similar to the IDNF but relates to the data. If there is an error and this marker is corrupt then the data for this sector cannot be located. The data in this area is 512 bytes of user data
  •   ABRT- Command Aborted. - is an abort error and it will discontinue trying to read that block
  •   TONF - Track 0 not found

References:
1-      Deepspar Disk Imager User Manual.
2-      Forensic Hard Drive Data Recovery By Scott A. Moulton .