0

In terms of data recovery, what is the actual technical need for dedicated hardware such as Atola, PC3000 or Deepspar? What are these devices doing that I cannot achieve using regular Hex/Digital Forensic methods?

I am deeply worried about the prices tbh.

These devices, especially PC 3000, are quite famous in the world of data recovery.

"The PC-3000 allows you to diagnose the HDD, fix damaged HDD modules, switch off defective heads, block access to the damaged area of magnetic surfaces, get access to the user data and many other functions."

I was wondering if I really need them for data recovery or is it just marketing? I'm just thinking that some of the functions can be achieved from CLI/Linux. I am not fully aware of the way devices are actually working.

schroeder
geminus
  • Could you describe what these devices are doing so that readers don't have to go through each documentation? It is hard to evaluate what you want to know. – Tom K. May 07 '18 at 12:42
  • The HDD/SSD controller contains many instructions that a typical OS will not touch, while such products' built-in software may be able to tweak those soft switches to recover apparently irrecoverable data bits – mootmoot May 07 '18 at 16:53
  • Example of low level hd I/O such as this ;-) https://link.springer.com/content/pdf/10.1007%2F978-0-387-73742-3_11.pdf – mootmoot May 07 '18 at 16:56

2 Answers

1

Data recovery uses

  • Hardware can send instructions that a PC may normally be unable to send
  • Drives can be cooled to keep them colder, which may help with recovering data from overheating drives
  • The power supplied to the drive may be isolated from the power for the connected computer, so a dying drive cannot damage the computer

Legal evidence uses

  • Hardware blockers can be certified so that it can be said that no editing took place
  • Automatic imaging can speed up downloading large amounts of data
  • Hashes can be automatically recorded when an image is made, for use in comparisons later
  • Some forms of malware designed to attack analysts' machines can be detected before they do damage
jrtapsell
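
An added example, not part of the answer above and not any vendor's software: a software-only imaging loop that records a SHA-256 while the image is made, zero-fills unreadable blocks so offsets are preserved, and logs the bad ranges. The `read_at` callable and the failing "drive" are constructed for illustration; a real failing drive may not return a clean I/O error at all.

```python
import hashlib
import io

def image_with_hash(read_at, size, out, block=4096):
    """Copy `size` bytes from read_at(offset, length) into `out`.

    Unreadable blocks are zero-filled and recorded so the copy keeps its
    offsets. Returns (sha256 hex digest of the image, list of bad ranges).
    """
    digest = hashlib.sha256()
    bad = []  # merged (start, end) byte ranges that could not be read
    offset = 0
    while offset < size:
        length = min(block, size - offset)
        try:
            data = read_at(offset, length)
            if len(data) != length:
                raise OSError("short read")
        except OSError:
            data = b"\x00" * length
            if bad and bad[-1][1] == offset:
                bad[-1] = (bad[-1][0], offset + length)  # extend previous range
            else:
                bad.append((offset, offset + length))
        out.write(data)
        digest.update(data)
        offset += length
    return digest.hexdigest(), bad

def verify_image(image, recorded_digest):
    """Re-hash an image later and compare with the digest recorded at acquisition."""
    return hashlib.sha256(image).hexdigest() == recorded_digest

def constructed_reader(disk, bad_start, bad_end):
    """Constructed stand-in for a failing drive: reads touching the bad range fail."""
    def read_at(offset, length):
        if offset < bad_end and offset + length > bad_start:
            raise OSError(5, "Input/output error")
        return disk[offset:offset + length]
    return read_at

if __name__ == "__main__":
    disk = bytes(range(256)) * 80  # constructed 20480-byte "drive"
    out = io.BytesIO()
    reader = constructed_reader(disk, 8192, 16384)
    digest, bad = image_with_hash(reader, len(disk), out)
    print(digest, bad, verify_image(out.getvalue(), digest))
```

The recorded hash covers the image as written, zero-filled gaps included, so the bad-range list has to be kept with it for later comparisons to mean anything.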
1

The technical need depends on the cases you deal with and your area of work.

For simple imaging, you may use Deepspar, which is able to detect and copy the drives if they are too slow to detect and the BIOS and OS do not allow access to them.

For logical issues, it's better to choose between Atola and PC3000. Atola Insight is primarily aimed at forensic examiners. It is limited in what it is capable of doing (as far as I understand, it can handle only simple tasks if drives are healthy). PC3000, in turn, is able to work with different firmware and file system issues.

Regarding physical issues, with PC3000 you may get partial data without a cleanroom and donors if the drive has bad heads or bad blocks on the surface and you believe that there is no other damage inside. But if you want to go in for data recovery and earn some bucks, you will need to get a clean room or box anyway.

tayordo