Russell Chozick: I am Russell Chozick, from Flashback Data, data recovery and computer forensics firm in Austin, Texas.
Robin Miller: So, if I accidentally were to remove the hard drive from this computer and throw it out in the thrash and waste management corporation took it to their landfill, you would go through that landfill and find it for me.
Russell Chozick: I don’t know if I want to go through a landfill, but if that drive is bent in half or completely smashed into millions of pieces, then if we find that thing, I’ll get data from it.
Robin Miller: Okay. Because actually there’s another video interview we did not that long ago with a company that destroys data.
Russell Chozick: Yeah.
Robin Miller: They destroy hard drives.
Russell Chozick: Yeah, we do it sometimes here ourselves.
Robin Miller: So, how destroyed a hard drive can you save?
Russell Chozick: No, there’s varying levels of unrecoverableness that we come across, if the physical platters are destroyed, i.e. the data is actually completely scraped off of them because of a full-on head crash where there’s little filters inside of a hard drive that filter in until no dirty air can get into them and that thing looks black, that means your data just got scraped off of that hard drive platter right into that filter and no one is going to get that back.
As far as lot of laptop drives have blast platters, if you throw that thing on the ground hard enough, that glass shatters, no one is going to get that data, but the stuff we have recovered from that is pretty severe, for example, drives that have been submerged in salt water for a long time after Hurricane Sandy, Katrina, any of the big natural disasters, we’ve recovered from fire damage where that drive looks like it’s completely melted. But we’re still able to save it.
So there’s definite ways to destroy it and obviously the destruction company is ____2:19. I think I looked at their video. They talk about degaussing and when you degauss a hard drive, you also erase the servo track, so not only is it unrecoverable and it’s never even usable again. So then you just got to send it to the recyclers. But what we do here to destroy data is either overwrite it by writing data over the entire portion of the hard drive, but completely overwriting it or we crush them or we send them to a destruction company as well if we’ve done whole lot that we need to get rid off.
Robin Miller: Obviously destroying as a number of people, Slashdot readers, yes, you know, how you are, you guys pointed out, you could have a lot of fun with a sledge hammer instead of spending money to destroy hard drives.
Russell Chozick: Yeah, you got to make sure that thing is good and smashed, because especially with the larger desktop drives and SCSI drives, those things are pretty durable, and you got to really beat that thing up to make a dent in those platters because they’re pretty strong.
Robin Miller: What do you do with SSDs, what do you do with the digital drives?
Russell Chozick: Well, it’s kind of evolved through our business; when we first started we didn’t have the technology to read directly from NAND Flash memory, so what we do and it was fairly common was pretty simple part replacement type stuff where Flash drives controller fails, we would take the actual memory chip itself, find an identical circuit board, take the Flash memory, put it on the new circuit board or make electronic repairs on the actual board itself and then recover the data that way. But it’s evolved quite a bit. So we’ve done a lot of research and development over years and we are pretty much on the forefront of Flash technology where what we started to do is, you know what let’s get a device programmer and start reading the data into the computer raw and see what it looks like.
Now when you look at Flash media read in raw straight from a USB drive, it’s completely mixed up. The way that Flash controllers work is they are constantly reorganizing the data for wear-leveling and encryption and all kinds of different algorithms to make to; one, speed up the Flash memory and two, make sure that you’re not going to wear out certain cells before other cells to make it last long time.
So what you get when you read just the Flash memory is take the controller out of the situation you get, just the whole bunch of scramble data that is not only the data area, but there’s also portions of each sector that contain information about error correction and kind of clues on how the data is reassembled. So what we started to look at was how we can kind of reverse engineer the controllers once we have the raw data read in, and that’s how it’s evolved.
Now what we can do is as long as the data is not encrypted we can pull the Flash memory itself off. The actual data chips, for example, here is an SSD drive and these are the data chips, pull those off and look for markers that – common markers on a file system. For example, we know what FAT32 file system looks likes typically in a linear format. So we may find part of the FAT file system on one chip and part of the FAT file system in another chip, and what we have to do is rearrange the data to where it kind of lines up and gets an order and then the computer can – and then kind of reimage that and then we can use that image to rebuild the file system on the Flash. And it sounds very complicated and
Robin Miller: It sounds expensive actually.
Russell Chozick: It sounds very complicated than it is, but basically what we’ve done is we’ve built kind of an internal wiki of cases, so once we crack one, we see it again, it’s much easier for us to do it again, and we have thousands of it. I mean, so we see it a lot and so it’s starting to get to the point where the costs are coming down, but new challenges keep arising as new chip form factors start coming out and they keep making these devices smaller, I know you probably seen micro SD cards.
They’re extremely small and there’s actually no independent Flash memory on those. It’s basically a monolithic chip that contains the controller and the Flash in one chip. So in order to recover something like that it requires a lot of patience. We basically have to take sand paper and find all the traces on the device, sand it down until it’s just to its bare traces, and then use a logic analyzer and find out where all the data points are to actually connect straight to the Flash, which now in that example those are the types of recoveries that are extremely expensive right now because it’s a lot of manual work, whereas, if it’s a typical type of NAND Flash memory, those are starting to get where we’ve got nerves where we can get them in and get them out pretty quickly.
Robin Miller: I’m assuming that people who come to you that the data is valuable. I had one ever hard drive failure where I didn’t have stuff backed up, that’s critical, just one and I spent $600 to get my data.
Russell Chozick: And you know that to backup and then back up your back ups. We will FTP people critical information, but we’re not going to let them download 40 gigs of information what they’ve recovered. So what we found now is we started using – any time speed increases happen we started using the newest technology, so anyone that comes in with a MacDrive will it out of whatever enclosure that they have and we’ll put it right in our thunderbolt dock and use thunderbolt to a thunderbolt source and a thunderbolt destination to make sure that we can move data as fast as possible and then all of our systems are – the PCs are all the USB 3 in any status, so we can move data as fast as possible. It’s just going to take very less time for us to move data and get it in the mail overnight than it is to use the Internet . Austin is getting Google fiber here soon, so…
Robin Miller: Isn’t that special. Are you all happy? Why doesn’t Manatee County, where we have more cows than people, Manatee County, Florida, we need that more than you guys….
Russell Chozick: Well, I mean I know the cows use a lot of bandwidth, so maybe that’s why they won’t let you guys. This industry is a bit strange and you really have to be careful on who you use, because your first chance of data recovery is always usually the best. There’s a lot of people out there that claim to do it all and maybe they can and that’s great, and I know there’s lot of great companies out there. But there’s a lot that see dollar signs in this and they maybe can only do low level or logical stuff, logical recoveries recovered from corrupt files systems and things like that, and they can’t work on the stuff that I’m talking about here where I have to wire up memory chip from an Android phone to pull data off of it.
You can’t tell me that a one man shop somewhere is going to be able to have the resources to do that, this is an expensive business to run, we have expensive equipment, we have large lab space, lot of computers, lot of overhead, we have laminate flow benches to open hard drives underneath, we have a huge parts inventory, so there’s just – you just got to be careful on who you use, and there are several reputable companies out there.
Robin Miller: Well, look we can see right behind you, those are some very uncheap looking racks with monitors on top of them.
Russell Chozick: Yeah, I mean, and to be honest, those computers are typical every day computers, but there’s hardware in there for imaging computers that is very expensive, what’s running right back here are we got three different computers all imaging hard drive sector-by-sector and what it does is when it runs into bad sectors, it can dig deeper, it can skip that, it can come back to that later, we could even say it, oh we really want to image everything that’s on one certain surface of the platter of the hard drive and things like that.
So we can get real granular and we could also go forwards and we can go backwards and then we could say, set the time out for a little bit longer. So we can kind of create our own algorithm for how a driver is behaving. And this stage is even after we’ve done the physical work to the drive. So pretend the read/write heads failed on a particular drive, we bring it into our clean room, we do any kind of part replacement that may need to be done to repair, temporarily repair the drive and then it goes to back here where we image the drive.
It’s a non-tech savvy that really just think that the devices are invincible and that or it’s not going to happen to them, but it does, and we do recoveries for a wide range of people anywhere and like you said, the data is got to be valuable, but the most irreplaceable data is sometimes what lot of people would consider not that valuable in a sense of this is going to take my whole business down. It’s more like pictures of your kids since they were a baby and if someone has that only in the digital format that’s the kind of data that it’s not only irreplaceable, you can’t create that again