Disaster Data Recovery method for HDD
by Dai Shimogaito
January 17th, 2014
at CODEBLUE in Tokyo

Preventing hard disk firmware manipulation attack and disaster recovery by Dai Shimogaito


In this talk I will explain strategies prior to and after a hard disk has lost its ability to be used as a storage device due to human manipulation or natural disaster that will allow a high possibility of data recovery. The clicking sound of the hard disk's head is synonymous with hard disk failure; however, it is not widely known that this clicking sound can happen even when there is nothing wrong with the head. Changing the hard disk's head merely because it is acting up is a very risky action because it can increase the dangers of damaging the clean insides of a hard disk. So what is causing the hard disk's head clicking sound? The answer is damaged firmware. At this talk I will explain how to utilize the firmware to control the device and use it in a disaster recovery situation.

Dai Shimogaito

CEO of Osaka Data Recovery, founded in 1998. Director of Data Recovery Association Japan.
Wanting to perfect data recovery methods, he conducts research and exchanges information with engineers domestically and internationally.

Trainings: Data Recovery Trainings for NPA and IDF Seminars, etc.
Lectures: Digital Forensic Study Groups, NTT Secure Platform Laboratories, and privately for companies and governments


  1. Disaster Data Recovery method for HDD, by Dai Shimogaito. January 17th, 2014, at CODEBLUE in Tokyo
  2. What is Disaster Recovery? AFTER disaster: (1) to recover computer systems that have suffered a natural disaster such as a tsunami, river flood, storm or earthquake; the most difficult problem for data recovery is platter surface damage. BEFORE disaster: (2) to protect computer systems and get ready for a large-scale crash; topics are physical damage caused by software and HDD customization for platter damage.
  3. Three Failures Lead to Data Loss. Logical failure: system failure, data corruption, deletion of data. Electronic failure: Printed Circuit Board (PCB), one or more of the PCB components, ROM or System Area data is damaged. Physical failure: stiction, frozen spindle bearing, head crash (dropped hard drive).
  4. Features of HDD which suffered from natural disaster: 1. Chips on the PCB are gone. 2. The HDD falls down and gets a strong shock. 3. Dirt comes inside the HDD. 4. Water comes inside the HDD. Severe damage! The normal data recovery process is useless, because the damage level is extremely high.
  5. After a Natural Disaster, HDD can look like this
  6. What is Data Recovery? Trying to image as much data as possible from a non-accessible HDD, sector by sector, as a clone copy. Broken (no access to data because of the failure) → Copy → Good (normally working HDD with full access to data)
  7. What is Data Recovery? Basically, the failed parts are replaced to revive the HDD temporarily. Fire Accident
  8. What is Data Recovery? A 100% clone is always preferable, but the result depends on the type and severity of damage to the HDD and on the data recovery process; depending on these, the recovery rate can be low. ← Low High →
  9. Replaceability with Donor Part. HSA [Head Stack Assembly]: YES (head map, capacity, architecture family, microjog). SPM [Spindle Motor]: YES (seizure problem, lubricating oil). PCB [Printed Circuit Board]: YES (serial ROM, NV-RAM, fuse, resistor, diode, capacitor, coil, microchip; repair is also useful). FW [Firmware]: YES & NO (unique module, non-unique module, regeneratable module, essential module). Disk [Platter]: NO (bad sector, scratch, particles on surface).
  10. Replaceability with Donor Part. HSA: YES. SPM: YES. PCB: YES. FW: YES & NO. Disk: NO.
  11. Replaceability with Donor Part. HSA: YES. SPM: YES. PCB: YES. FW: YES & NO. Disk: NO. Figure labels: thrust bearing, rotation direction, journal bearing, rotation direction, lubricating oil, groove, disk.
  12. Replaceability with Donor Part. HSA: YES. SPM: YES. PCB: YES. FW: YES & NO. Disk: NO.
  13. Replaceability with Donor Part. HSA: YES. SPM: YES. PCB: YES. FW: YES & NO. Disk: NO. SA = Service Area, UA = User Area. Firmware = Service Modules. SA Modules are located on platters.
  14. Replaceability with Donor Part. HSA: YES. SPM: YES. PCB: YES. FW: YES & NO. Disk: NO. Data is recorded onto the platters. Replacement means nothing.
  15. Replaceability with Donor Part. HSA [Head Stack Assembly]: YES (head map, capacity, architecture family, microjog). SPM [Spindle Motor]: YES (seizure problem, lubricating oil). PCB [Printed Circuit Board]: YES (serial ROM, NV-RAM, fuse, resistor, diode, capacitor, coil, microchip; repair is also useful). FW [Firmware]: YES & NO (unique module, non-unique module, regeneratable module, essential module). Disk [Platter]: NO (bad sector, scratch, particles on surface). If unique parts are corrupt, there is no way to recover data.
  16. The Most Difficult Problem is Platter Damage: 3.5-inch PATA
  17. The Most Difficult Problem is Platter Damage: 2.5-inch SAS
  18. The Most Difficult Problem is Platter Damage
  19. The Most Difficult Problem is Platter Damage
  20. The Most Difficult Problem is Platter Damage
  21. For a long time, DR from a scratched disk has been impossible. If the surface is only partially damaged, there should be recoverable data in the areas which were not damaged.
  22. Why is it so difficult to read a damaged surface? Let's take an extremely close look at Disk & Head!
  23. Disk Surface & Slider. Flying Height 1-3 nm. Lubricant Layer 1 nm, Diamond Like Carbon Coating Layer, Magnetic Layer 3 nm. Disk Rotation Direction →. 1-3 nm. Slider, R/W Head.
  24. The gap between Head and Disk is very small. Slider Flying Height: 1-3 nm. Particle Size of Cigarette Smoke: 100-1000 nm.
  25. How head crash damages the surface. Figure labels (repeated for three panels): Slider, R/W Head, Lubricant Layer, DLC Layer, Magnetic Layer.
  26. Cause of malfunction of HSA when reading a damaged surface: 1. Scratch is not the main cause of the bad operation of the Head Stack Assembly. 2. Particles on the surface stick to the sliders. 3. The slider's flight becomes unstable because of the particles on the surface of the disk and on the sliders. So, let's clean the surface!
  27. Disk Burnishing Process
  28. NO DUST, NO PROBLEM
  29. The 1st step of the research completed with a good result. 94% UP! 0.02%. Newspaper: Nikkei Business Daily, 26th September 2013
  30. Precise surface analysis is required for better recovery. Optical Surface Analyzer
  31. July 2012, research was started by Prof. Hiroshi Tani @ Kansai Univ.
  32. What we can do BEFORE disaster occurs. Physical Damage caused by Software??? Software breaks hardware???
  33. What is the HDD's Boot Sequence? Let's go to the finish line together with everyone! Start → Finish
  34. HDD's Boot Sequence: the drive needs to complete each sequence before it can reach "Ready" mode. PowerON → Ready
  35. User Area & Service Area. SA = Service Area, UA = User Area.
  36. SA Modules: P-List (Primary Defect List); G-List (Growth Defect List); Translator (LBA access ⇔ PBA access); S.M.A.R.T. (Self-Monitoring, Analysis and Reporting Technology)
  37. Defects. Defects info = position of bad sectors in PBA
  38. Defects info is unique to each disk
  39. Defects info is unique to each disk. P-List: Primary Defect List. G-List: Growth Defect List.
  40. Number of Defects
  41. PBA (physical address) and LBA (logical address). LBA exists logically upon PBA. Normally, "address" or "sector" refers to the logical address. The figure shows a region of consecutive good sectors with no defects, starting from address 0. Physical Block Address → 0 1 2 3 4 5. Logical Block Address → 0 1 2 3 4 5.
  42. Defects Controlling (management of bad physical sectors). P-List Table: 2, ... Physical address → 0 1 2 3 4 5. Logical address → 0 1 2 3 4.
  43. Translator: conversion table between LBA (logical address) and PBA (physical address). If the translator is broken, no data is accessible: even if all the magnetic data on the platters could be read out, no files or folders could be recovered at all. It is one of the most important SA modules. Table values shown for PBA and LBA: 0001 0687 1968 3786 9821 0001 0508 3544 9871 0051. Access request from host → access to the physically assigned position on the platter.
  44. SA Modules are loaded into PCB. Complete (^o^)
  45. When SA Modules loading completes fine. PowerON → Ready. "Wow, I did it! I have access to all data! I can access the whole LBA range!" LBA Zone
  46. Damage of SA Module. Error! Can't read, or module is corrupted. ABORT
  47. Damage of SA Module: No LBA Access. PowerON → Ready. "I can't access the LBA zone, because there was an SA module error. The data should be in the LBA zone, but I cannot access LBA 0." LBA Zone
  48. NO SA, NO DATA
  49. What if someone caused the SA module error intentionally...
  50. Intentional Damage to SA module
  51. Intentional Damage to SA module
  52. Damage of SA Module: No LBA Access. Error! Can't read, or module is corrupted.
  53. Intentional Damage to SA module. Error! Can't read, or module is corrupted.
  54. Damage of SA Module: No LBA Access. Error! Can't read, or module is corrupted. ABORT
  55. BARUSER. Let's see what happens to the HDD. Now, let's actually try it.
  56. BARUSER. BARUSER = BARUSU + ER
  57. Main Concept of HiDR (High Integrity Data Recovery). There are more than a hundred kinds of SA modules! This sample case uses a WD10EADS-22M2B0. It has 397 SA modules in total.
  58. Main Concept of HiDR (High Integrity Data Recovery). This sample case uses a WD10EADS-22M2B0. It has 397 SA modules in total. Only 7 are both essential and unique. 7 ÷ 397 ≒ 1.76%
  59. Main Concept of HiDR (High Integrity Data Recovery). Only 1.76%
  60. Hot Swap Method: the PCB is swapped onto the Patient drive while power stays on. (Power stays on.)
  61. Main Concept of HiDR (High Integrity Data Recovery). A non-destructive method: data can be read without opening the drive or replacing heads, even from an HDD which doesn't give its device ID. The minimum necessary access to the modules on the magnetic disk for booting is enough for data recovery. Identifying the failed part reliably and in detail, and studying the characteristics of the device (the details of its SA modules) in advance, allows more data to be recovered more safely, so the integrity of the data recovery process becomes very high. Do not rely too much upon clean rooms: even in a clean-air environment, foreign matter unavoidably gets in when a drive is opened, and the inside of a clean room is not always clean.
  62. Security or Utility. Hacked / Cracked. Good for preventing data leakage vs. bad for future data use.
  63. HDD customization against Future SA Damage. Head Map: Head 0, Head 1, Head 2, Head 3, Head 4, Head 5 (heads and platters).
  64. HDD customization against Future SA Damage. Head 0 to Head 5 (heads and platters). System Head.
  65. HDD customization against Future SA Damage. Head 0 to Head 5 (heads and platters). System Disk.
  66. HDD customization against Future SA Damage. SA exists only on the system disk, h0 and h1. The SA regions for h2, h3, h4 and h5 are empty.
  67. HDD customization against Future SA Damage. Utilize the empty zone for SA backup!
  68. http://www.disaster-data-recovery.com/ Initial Response Guideline for Disaster Affected HDD: 1. Do NOT power on! 2. Do NOT dry before cleaning! 3. Sea water should be removed ASAP, because corrosion will not wait! The guideline is available in several languages (English, Japanese, Russian, Chinese).
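
The P-List and translator behaviour from slides 41-43, as an added Python example (not code from the talk or from any drive firmware): a toy translator that skips defective physical sectors, then shows what happens when a drive's data is read through another drive's defect list, which is why slide 38 stresses that defect info is unique to each disk. The donor P-List, the sector contents and all function names are constructed for illustration.

```python
# Toy model of slides 41-43: the translator maps LBA -> PBA by skipping
# every physical sector recorded in the P-List. Added example; a real
# drive's translator module is vendor-specific and far more complex.

def lba_to_pba(lba, p_list):
    """Slide the logical address past each defect at or below it."""
    pba = lba
    for defect in sorted(p_list):
        if defect > pba:
            break
        pba += 1
    return pba

def build_translator(p_list, physical_sectors):
    """Full LBA -> PBA table: good physical sectors in ascending order."""
    defects = set(p_list)
    return [pba for pba in range(physical_sectors) if pba not in defects]

def write_platter(data_by_lba, p_list, physical_sectors):
    """Lay user data onto the platter through the drive's own translator."""
    platter = [None] * physical_sectors  # None = defective or unused sector
    for lba, payload in enumerate(data_by_lba):
        platter[lba_to_pba(lba, p_list)] = payload
    return platter

def read_lbas(platter, p_list, count):
    """Read LBAs 0..count-1 using whichever defect list is loaded."""
    return [platter[lba_to_pba(lba, p_list)] for lba in range(count)]

def misplaced_lbas(expected, actual):
    """LBAs whose content differs from what was originally written."""
    return [lba for lba, (e, a) in enumerate(zip(expected, actual)) if e != a]

PATIENT_P_LIST = [2]              # slide 42: physical sector 2 is defective
DONOR_P_LIST = [1, 4]             # constructed: a different drive's defects
DATA = ["A", "B", "C", "D", "E"]  # constructed sector contents, LBA 0..4
PLATTER = write_platter(DATA, PATIENT_P_LIST, physical_sectors=8)

if __name__ == "__main__":
    print("translator table:", build_translator(PATIENT_P_LIST, 6))
    own = read_lbas(PLATTER, PATIENT_P_LIST, len(DATA))
    donor = read_lbas(PLATTER, DONOR_P_LIST, len(DATA))
    print("read with own P-List:  ", own)
    print("read with donor P-List:", donor)
    print("misplaced LBAs:", misplaced_lbas(DATA, donor))
```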
