Good HDD Forensics tool on BT5

[Deadpool614]

So I've recently started looking into digital forensics and was wondering which tool on BT5 that EH would recommend for data recovery for HDD. I currently have a 750Gb laptop HDD that recently crapped out and I wondered if it was possible to recover data from it?

[jimbob]

Hi,
If the disk is failing but still working i.e. you can read the raw data from the disk then you could image the disk with a tool like ddrescue and try to recover the data. If the disk does not power up, is not recognised or you cannot transfer data from it then you're most likely out of luck.

You can check out this article on BT5 forensics for some ideas and examples.

http://technology-flow.com/articles/backtrack-5-complete-tut/forensics/

Regards,
Jimbob

[millwalll]

Yah it really does depends on the state of the HDD if its failing to boot it could just have a bad sector on it that pretty easy to repair. Most of the good tools I came across you need to pay for sadly.

[Deadpool614]

Jimbob:

I'll have to give that article a look over. I purchased the Laptop about 8 months ago and the HDD crapped out about month 7 :/ I did some basic troubleshooting and what I could gather from the HP website was that the HDD failed (not so helpful). I have recently come into poession of the cables needed and a forensic bridge to hook it to my other laptop to try to rip the data.

Jamie:

Yeah, I had found a few tools but they were all kinda $$$ I know at some point I'll break down and purchase one eventually but I'd rahter do it once I have a better grasp of what's out there. At this point the laptop won't even go to the BIOS screen. I feel the HDD attempt to spin up but then it just stops. It sucks because I had a good amount of music and documents on there :/

[3xban]

If the laptop doesn't get to BIOS then there are other issues most likely, easy test on whether the rest of the hardware is good is to use a bootable CD/DVD/USB image.  This will ensure the MoBo and other hardware are functioning.  Bad drive will not prevent the BIOS from posting.  But a bad MoBo, RAM or CPU will.  Bad RAM or CPU will usually cause error beeps unless the CPU is really fried.

For the drive I typically keep an IDE/SATA to USB adapter handy.  This lets you connect the drive as if it was an external one.  If it is accessible then like Jamie said, you probably just have some data corruption.  If it is not accessible and you don't hear it spinning up, then you might have a mechanical failue and there isn't much you can do with your limited budget.  If you store the drive in the freezer (in a zip lock freezer bag) for a couple hours, that sometimes helps getting it to spin up enough to get data off it.

Good luck!

[sil]

Just download FTK imager (http://accessdata.com/support/adownloads) and go from there. Not necessarily a fan of forensics tools on a pentesting OS. FTK Imager's sole purpose is data recovery.

[Deadpool614]

Well after doing some more looking into it I'm pretty sure the mobo is fried. I swapped RAM with a buddy's laptop and still nothing. I also tried my USB copy of BT4 with no luck

Just download FTK imager (http://accessdata.com/support/adownloads) and go from there. Not necessarily a fan of forensics tools on a pentesting OS. FTK Imager's sole purpose is data recovery.

Thanks, I'll have to look into this one when I have some free time later.

[Joshsevo]

You may be out of luck all together and the HDD is just bad and nothing can read it or even see it.  I had this 2 wks ago with a case I am working on.

It was a USB external drive.  I tried it with Encase, FTK, a Knoppix boot CD, a Tableau TD1 and even a Tableau USB Bridge.  Nothing worked.  The computer wouldn't even see it so we had to write a NO Findings report on it.