Does merely connecting a hard drive to a computer cause write operations to it?

2

It's a general principle in hard drive and data recovery that when recovering data from a hard drive, making write operations to the damaged disk should be avoided at all costs in order to prevent the lost data on the disk being overwritten. This is typically accomplished by running read-only data recovery software from a different drive to the one affected.

However, I'm wondering whether the simple act of connecting a secondary drive (i.e. a drive other than the one the OS is booting from) to an OS could allow the OS to make write operations to a drive. Do the Windows or Linux operating systems make automatic, background writes to hard drives they can see - and if so, how can these be avoided? If not, do operating systems generally only write to drives as and when the user expects them to?

Hashim

Posted 2018-03-03T02:29:15.177

Reputation: 6 967

@dsstorefile - Is this a yes? Does this mean that every time I've gone to pains to recover a HDD using read-only recovery software, Windows and Linux themselves have been writing to the HDD? – Hashim – 2018-03-03T02:41:52.843

@dsstorefile Ah, I see. What's the logic in disabling automount and equivalents then? – Hashim – 2018-03-03T02:59:36.433

1Hmm that's a very good question, I wouldn't think that the OS writes to it on any high-level view (File System transferring things randomly) however I could see SMART writing logs to the disk or maybe some part of the flash which may also be damaged (easier to fix the controller part of an HDD than the mechanical portion however). – Tmanok – 2018-03-03T04:33:40.300

1

If you want to avoid write operations you should try Kali Linux; when starting from a USB it has a forensics mode that won't use the disc: https://docs.kali.org/general-use/kali-linux-forensics-mode

– Chico3001 – 2018-03-03T07:49:52.427

Answers

2

Yes and no -

The simple act of connecting a drive could theoretically cause stuff to be written by the OS - but in practice - at least under Linux, it does not do this.

From a perspective of not modifying data it's safe to connect the drive, but you need to be aware that if the drive is failing, the process of spinning it up and trying to read its contents (e.g. dd, ddrescue) could make the issue worse.

Also, and I'm speaking outside my domain of knowledge - if you are doing a forensic analysis where the results are going to be used in a court, you might take a hammering on chain on ensuring integrity issues if questioned.

davidgo

Posted 2018-03-03T02:29:15.177

Reputation: 49 152

What do you mean by your last paragraph? – Hashim – 2018-03-03T23:10:58.917

1If you are doing recovery for purposes to do with using as evidence in court, you may have difficulty proving the data was not altered by your processes. – davidgo – 2018-03-04T04:42:05.847

1Several Linux distros have automount enabled so this answer is actually not really correct. – Andrea Lazzarotto – 2018-03-04T14:11:51.533

@AndreaLazzarotto Andrea, do you know which? – Hashim – 2018-03-05T07:20:04.853

1@Hashim, basically all of them except for those born for digital forensics activities. – Andrea Lazzarotto – 2018-03-05T12:42:50.843

2

Under Linux, unless your Desktop environment is set up to do this (which some Desktop environments think they need to do, copying a bad habit from Windows), extra storage devices are completely ignored. You have to explicitly mount them, and you can mount them read-only if you want.

Which is why I do all hard drive recovery work under Linux. And the first step is to not mount it at all, but make a copy of the complete hard drive, and then a second copy which you can work on to try to restore some of the damaged structure.

dirkt

Posted 2018-03-03T02:29:15.177

Reputation: 11 627

Which Linux distros/versions have you worked with that definitely don't enable automounting? – Hashim – 2018-03-13T23:27:14.970

@Hashim: All distros should do that if you configure them correctly/install the right packages, because automounting is an additional feature provided using udev. Personally, I'm using Debian, with fvwm (no Gnome, no KDE), and a slightly tweaked usbmount (so it does automount, but only when and where I want it to...). And deinstalling usbmount would prevent it from automounting anything at all. – dirkt – 2018-03-14T07:40:20.870
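
Whether a desktop automounter has touched the recovery target, as discussed in the answers and comments above, can be checked rather than assumed. The following is an added example, not part of the original posts: a shell function that reads a table in `/proc/mounts` format and reports each mounted partition of the target disk as read-write, read-only, or read-only on ext3/ext4 without `noload`/`norecovery` (where the kernel can still replay a dirty journal and so write to the disk). The device names and the sample table are constructed.

```shell
#!/usr/bin/env bash
# Added example (not from the original thread): report how the partitions of a
# recovery-target disk are mounted, reading a table in /proc/mounts format.
# States: rw         = mounted read-write, writes are expected
#         ro-journal = ext3/ext4 mounted ro without noload/norecovery; a dirty
#                      journal can still be replayed, which writes to the disk
#         ro         = read-only mount
# Limitation: matches only /dev/<disk> and its numbered partitions, not
# device-mapper or LVM volumes layered on top of the disk.

# audit_mounts DISK [TABLE]; returns 1 if any rw or ro-journal mount is found.
audit_mounts() {
  local disk="$1" table="${2:-/proc/mounts}"
  awk -v disk="$disk" '
    function is_target(dev,   rest) {
      if (dev == disk) return 1
      if (index(dev, disk) != 1) return 0
      rest = substr(dev, length(disk) + 1)      # e.g. "1" or "p2"
      return (rest ~ /^p?[0-9]+$/)
    }
    is_target($1) {
      ro = 0; nojournal = 0
      n = split($4, opt, ",")                   # field 4 holds mount options
      for (i = 1; i <= n; i++) {
        if (opt[i] == "ro") ro = 1
        if (opt[i] == "noload" || opt[i] == "norecovery") nojournal = 1
      }
      if (!ro) state = "rw"
      else if ($3 ~ /^ext[34]$/ && !nojournal) state = "ro-journal"
      else state = "ro"
      if (state != "ro") bad = 1
      print state, $1, $2
    }
    END { exit bad + 0 }
  ' "$table"
}

# Constructed sample table: /dev/sda is the boot disk, /dev/sdb the target.
sample_mounts() {
  cat <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sdb1 /media/user/DATA ntfs3 rw,nosuid,nodev,relatime 0 0
/dev/sdb2 /mnt/a ext4 ro,relatime 0 0
/dev/sdb3 /mnt/b ext4 ro,relatime,norecovery 0 0
/dev/sdba1 /mnt/other ext4 rw,relatime 0 0
EOF
}
```

Called as `audit_mounts /dev/sdb` with no second argument, the function reads the live `/proc/mounts`; no output and a zero exit status mean nothing on that disk is currently mounted.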