
How NOT worth making money on Data Recovery – ANTI Strategy 2020

Today we’ll talk about data recovery from the perspective of “entrepreneurs” from the high road. As you have probably already guessed, we will talk about tricks used by unscrupulous individuals (a visiting technician, a specialist at a service, or a laboratory) to keep a client within their price range. By tricks we mean a series of actions aimed at temporarily disabling a storage device. In most cases these are external hard drives or drives pre-installed in laptops or desktop computers (traditional or hybrid drives). There have also been cases when some techniques were practiced on flash drives, SD cards and SSDs.
The number of such orders decreases every year, which suggests either an unfavorable climate for illegal activities or the migration of fast-money lovers to other areas of cyber fraud. For convenience, we will divide this article into several levels:

Disclaimer: The purpose of this article is to increase the awareness of users and specialists about possible cases of modification of storage devices. This is not a step-by-step instruction! The information is provided for informational purposes only. It is forbidden to use it for illegal and unlawful purposes. What such fun can lead to, read here.

Level «Runner»

At this level, the caudate will require tape, glue, or any other insulating material, and utilities for editing the MBR: Bootice, HDHacker. As well as a standard set of Torx screwdrivers, which can be bought at any store in the country. Finesse and the ability to work with small details are welcome.
Any modification of the drive’s PCB (controller) may lead to partial or complete loss of data and of the drive’s overall performance! Do not try to repeat the cases described on your valuable storage devices!

BMH or motor contact isolation


This method was common among visiting technicians, since it did not require special skills and was easily passed from “master to student”. Over its history it has evolved and taken on more sophisticated forms in parallel with the growth of the population’s computer literacy. Any adhesive tape or electrical tape was used; a little later, superglue began to appear. The essence of the method is to insulate the contact pad of the magnetic head unit (BMH) or of the motor, and thereby cause a situation in which the drive ceases to be detected and does not return its passport (identification data). In some cases, disks were brought in with heads stuck on the surface of the platters (sticking example) or with scratches (scratch example), which clearly indicated that the modifications were made on the fly, without disconnecting the power. Which naturally led to similar results.

Taped motor contact area Western Digital WD10JPVT-22A1YT0


Findings:

As you can see, thanks to ordinary office supplies, it is possible to fool even an attentive person. And given that most of these pests make modifications without turning off the power, there is a high probability that such actions lead to physical damage to the surface of the platters, which in turn leads to partial or complete data loss.

Taped motor contact area Samsung ST320LM000


BMH adhesive pad Western Digital WD5000LPVX-80V0TT0

The advent of TRIM on SSDs put an end to data recovery after accidental deletion, formatting or re-partitioning. Recently, a TRIM-like function can also be seen on new hard drives with shingled recording (SMR). So any rash change to the file system can lead to a complete loss of the information on the disk! Do not try to repeat the cases described on your valuable storage devices!

MBR transferred to an arbitrary sector (in this example, sector 1)


Edit GPT Partition Table


Edit Master Boot Record (MBR)


Another way to block access to data is to edit the Master Boot Record (MBR). The favorite method is editing the last 2 bytes (HEX: 55h AAh) of the MBR. Fraudsters change the value of the last 2 bytes of sector 0 to arbitrary values. As a result, Windows cannot recognize the modified drive and offers to format it. There were also cases when the MBR was moved to another sector, which caused similar problems. The main nuisance of this method: the victims do not click on “Format disk”, and from that moment the unpretentious businessmen have real work on their hands, which they do not always cope with themselves, especially if there are no backups.

Editing the last 2 bytes of MBR (signature 55h AAh)


Findings:

Working with utilities is no more difficult than insulating contacts. It is not difficult for an attacker to edit the MBR and block access to user data. But no matter how simple this method may seem, editing the master boot record can lead to complete loss of data (partitions and the folders in them).


Level «Sad fox»

At this level, the shaggy ones will need skills in working with the command line (Windows, Linux, Mac), with a HEX editor (WinHex, Hex Editor Neo, HxD, etc.) and with the Bootice utility, plus a hot-air soldering station.
Any modification of the drive’s PCB (controller) may lead to partial or complete loss of data and of the drive’s overall performance! Do not try to repeat the cases described on your valuable storage devices!

TOSHIBA MQ01ABD050V with unsoldered SMD elements

With a complete break in the data receive channel (5pin/B- and 6pin/B+): any operation over the SATA interface fails. In this case the drive motor is running. (pictured)
When one line of the data receive channel (5pin/B-) is broken: the drive returns its passport and reads the modules, but cannot edit them. Reading/writing the user area is possible. The drive motor is running.
When one line of the data channel (3pin/A-) is broken: the drive returns its passport and reads the modules, but cannot edit them. Reading the user area is possible. The drive motor is running.
When the SMD fuse of the power circuit is unsoldered: the drive’s PCB (controller) does not initialize. The drive motor does not run.


ST2000LM007-1R8174 with unsoldered smd elements

When one line of the data receive channel (5pin/B-) is broken: any operation over the SATA interface fails. In this case the drive motor is running. (pictured)
When one line of the data channel (3pin/A-) is broken: the drive returns its passport, but reading the modules or editing sectors is impossible. The drive motor is running.
When the SMD fuse of the power circuit is unsoldered: the drive’s PCB (controller) does not initialize. The drive motor does not run.


Modification of the PCB (controller)


One of the favorite methods of “offended” technicians is removal of the SMD capacitors of one of the data exchange channels, or of all of them at once. Do not confuse this with the method of accessing the SATA controller while bypassing the USB bridge (that method is used in case of damage to the service area or in the presence of bad sectors, when working via the USB interface is impossible: the drive hangs constantly or starts clicking).
This led to loss of access to user data and service modules. Combined with real malfunctions, it created difficulties in diagnostics, since the drive could be ready and behave as if nothing had happened (UNC errors on reading are inevitable).


WD20SPZX-22CRAT0 with unsoldered smd elements

When one line of the data receive channel (5pin/B-) is broken: any operation over the SATA interface fails (the drive hangs in BSY). In this case the drive motor is running.
When one line of the data channel (3pin/A-) is broken: the drive is ready, but reading the service area is not possible. Reading the user area is possible, writing is not. The drive motor is running.
When the SMD fuse of the power circuit is unsoldered: the drive’s PCB (controller) does not initialize. The drive motor does not run. (pictured)


OCZ Vertex 460 with unsoldered smd elements

If there is at least one break in any of the lines of the data transmit/receive channels: any operation over the SATA interface fails.
In the photo, the SMD capacitor (3pin/A-) is unsoldered.


Findings:

With a soldering station and steady hands, such a modification can be done without any signs of interference. Services and laboratories providing data recovery, in case of such trouble with the electronics board (controller), simply replace the “buggy” board while the data is read. When working with solid-state drives, an inspection has to be made.
In any case, such a modification of the controller will not lead to anything good. Due to the large number of UNC errors that will certainly appear after modification of the electronics board, the read information will be partially or completely damaged. And if the specialist does not notice the damage to the controller in time, there is a chance of ruining the service area.

The advent of TRIM on SSDs put an end to data recovery after accidental deletion, formatting or re-partitioning. Recently, a TRIM-like function can also be seen on new hard drives with shingled recording (SMR). So any rash change to the file system can lead to a complete loss of the information on the disk! Do not try to repeat the cases described on your valuable storage devices!

Hide folders or files

The easiest trick, and one still in use. The name of the original folder is changed to an arbitrary one, and the attributes of the directory and of the files themselves are set to "hidden" or "system", depending on the operating system. Viruses do the same: replacing the original folders with shortcuts to the program that runs the malicious code.


Change security rights (directory/disk)

Another extremely rare and ineffective way. The new owner is visible and can be changed back without much effort (through an audit). But simple as it is, an inexperienced user can be confused.

In the photo, the user "ALL" is replaced by "UDMA", which leads to the error "No access to H:\" when the drive is connected to a computer under another user.

Administration Elements and Utilities


Every IT employee has heard about user rights and hidden directories since school. But not everyone thought that these skills could be used to defraud an innocent user. Nevertheless, it happens! Blocking access to folders or a disk by changing access rights; hiding directories and partitions by adding the “$” character (in Windows environments) or “.” (in Unix environments) before the name. These were the most popular methods of the viruses and ransomware of the past.
Also in the arsenal of repairmen from the high road there are various utilities with which it is possible not only to treat, but also to cripple.
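An added example (my own Python, not from the article) for the “hidden folders” and “$”/“.” prefix tricks above: it lists hidden directories under a root and flags those that have a same-named .lnk shortcut sitting beside them. The sample tree it builds in a temporary directory is constructed; on Windows the hidden/system attributes are checked as well, on other systems only the name prefix.

```python
import os
import stat
import tempfile
from pathlib import Path


def is_hidden(path: Path) -> bool:
    """True if the entry is hidden by naming convention ('$' or '.' prefix)
    or, on Windows, by the hidden/system file attributes."""
    if path.name.startswith(("$", ".")):
        return True
    attrs = getattr(path.stat(), "st_file_attributes", 0)  # Windows only
    return bool(attrs & (stat.FILE_ATTRIBUTE_HIDDEN | stat.FILE_ATTRIBUTE_SYSTEM))


def audit_tree(root: Path):
    """Walk root and return (hidden, shadowed): all hidden directories, and
    the subset that has a .lnk shortcut of the same base name beside it,
    the trace left when a folder is hidden and a shortcut put in its place."""
    hidden, shadowed = [], []
    for dirpath, dirnames, filenames in os.walk(root):
        lnk_stems = {Path(f).stem.lower() for f in filenames
                     if f.lower().endswith(".lnk")}
        for name in dirnames:
            folder = Path(dirpath) / name
            if not is_hidden(folder):
                continue
            rel = str(folder.relative_to(root))
            hidden.append(rel)
            # compare without the hiding prefix so '.Photos' matches Photos.lnk
            if name.lower().lstrip("$.") in lnk_stems:
                shadowed.append(rel)
    return sorted(hidden), sorted(shadowed)


def demo():
    """Constructed sample tree (not from the article): 'Docs' is normal,
    '$Work' is hidden by prefix, '.Photos' is hidden and shadowed by
    'Photos.lnk'. Returns audit_tree's result for it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for d in ("Docs", "$Work", ".Photos"):
            (root / d).mkdir()
        (root / "Photos.lnk").write_bytes(b"")  # placeholder shortcut file
        return audit_tree(root)


if __name__ == "__main__":
    print(demo())  # (['$Work', '.Photos'], ['.Photos'])
```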

Editing LBA maximum disk size

This trick was made possible thanks to the WDMarvel utility. Even in the free version you can find useful “buttons”. After the maximum LBA value is changed, the drive after a reboot no longer shows the actual size of its space and partitions. Such pranks can lead to very sad consequences, since the owner may simply format the disk. And with the new realities (TRIM), this will lead to partial or complete loss of data.

In the photo, the maximum LBA is reduced from 976773168 to 13773168. As a result, the size of the disk’s working space has decreased, and the partition is not displayed correctly.
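An added example (my own Python, not the article’s or any of the utilities named above) covering both the MBR tricks described earlier and the maximum-LBA trick from a diagnostic angle: it checks the 55h AAh signature, scans the first sectors for an MBR that was moved off sector 0, and flags partitions that extend beyond the capacity the drive currently reports. The disk image and the 976773168/13773168 sector counts are constructed to match the figures quoted above.

```python
import struct

SECTOR = 512
MBR_SIGNATURE = b"\x55\xAA"  # the last two bytes of a valid sector 0


def parse_mbr(sector: bytes):
    """Return (signature_ok, partitions) for one 512-byte sector.
    Each partition is a dict with type, start LBA and sector count;
    empty table entries (type 0x00) are skipped."""
    if len(sector) != SECTOR:
        raise ValueError("an MBR is exactly one 512-byte sector")
    signature_ok = sector[510:512] == MBR_SIGNATURE
    partitions = []
    for i in range(4):
        entry = sector[446 + 16 * i: 446 + 16 * (i + 1)]
        ptype = entry[4]
        start, count = struct.unpack_from("<II", entry, 8)
        if ptype != 0:
            partitions.append({"type": ptype, "start": start, "count": count})
    return signature_ok, partitions


def find_displaced_mbr(image: bytes, max_sectors: int = 64):
    """Scan the first sectors of a disk image for one that carries the
    55h AAh signature and at least one non-empty partition entry.
    Returns the sector index, or None if nothing is found."""
    for idx in range(min(max_sectors, len(image) // SECTOR)):
        ok, parts = parse_mbr(image[idx * SECTOR:(idx + 1) * SECTOR])
        if ok and parts:
            return idx
    return None


def check_capacity(partitions, reported_sectors: int):
    """Flag partitions whose end lies beyond the capacity the drive now
    advertises: a sign that the maximum LBA was reduced after the
    partitions were created. Returns (start, end, reported) tuples."""
    findings = []
    for p in partitions:
        end = p["start"] + p["count"]  # first LBA after the partition
        if end > reported_sectors:
            findings.append((p["start"], end, reported_sectors))
    return findings


def build_sample_mbr(last_two: bytes = MBR_SIGNATURE) -> bytes:
    """Constructed sample (not from the article): one NTFS-type (0x07)
    partition from LBA 2048 to the end of a 976773168-sector drive.
    Pass other bytes as last_two to model a clobbered signature."""
    entry = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", 2048, 976773168 - 2048)
    return bytes(446) + entry + bytes(48) + last_two


if __name__ == "__main__":
    image = bytes(SECTOR) + build_sample_mbr()  # sector 0 zeroed, MBR moved to sector 1
    print("MBR found at sector", find_displaced_mbr(image))
    print("clipped capacity:", check_capacity(parse_mbr(build_sample_mbr())[1], 13773168))
```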

Findings:

To the great fortune of the victims, the above examples are reversible! The main task of these “methods” is to frighten the victim, and then see how it goes. The main thing here is not to panic, but to try to figure out what happened. Consult an IT professional you know. Perhaps your situation really is like that, or, conversely, someone decided to deceive you.


Level «Greedy owl»

This level implies that the feathered one possesses or has access to ACELAB or MRTLab complexes with the ability to edit service modules, as well as a hot-air soldering station.

Micro-JOG editing

Micro-JOG is the parameter responsible for the offset of the slider (the distance between the read and write elements of the head) relative to the track. Since a donor head stack has its own values, “fitting” these parameters is simply necessary. If you change the factory settings on a working drive, this will lead to read/write errors or to the drive completely losing the ability to become ready!

In the photo, the micro-JOG values for head 0 were changed, which caused the drive to freeze when accessing the partition table located on it.


Editing a head map in ROM

Another hard disk diagnostic method for the case of a head malfunction, which has been turned into a way to impose one’s own terms. What happens if we take a perfectly working drive and “disconnect” a head on it? That’s right: it will no longer be detected correctly in the system, and in the PC3000 complex we will see read errors when accessing the paired head.

The photo shows a map with heads 1 and 2 paired. As a result, we observe an incorrect display in Windows Explorer and, in the PC3000 complex, read errors when reading head 1.


Modification of the service area


Unfortunately, even among doctors there are “dishonest” ones, and so in our sphere too there are those who can behave dishonestly. And given that even at the initial level of training, a data recovery specialist or disk repairman has enough knowledge about working with and improving the service area, for the “experienced” this action is done automatically, during diagnosis. So we will consider the most common cases that we have encountered in practice: modification of the service modules of the drive’s “firmware”. Most of the cases described are part of diagnostics or of adapting donor spare parts, which, however, is used by beginners for quicker and easier profit!

Translator Modification

Editing the translator or the defect lists is a fairly common phenomenon among “new/old artists”, and a deadly unpleasant moment for new families of hard drives based on shingled magnetic recording. It took on a more characteristic look at the height of the cult of the “fly”, when every sneeze of a Seagate hard drive was considered a firmware problem and nothing else! Since that time, drives with a characteristic problem went rampant: a broken translator (the module responsible for the location of user data), when in fact no “flies” were crawling around any more. But cunning “specialists” could always hide behind such a concept, and so that the client did not go far, this unfortunate module was “corrected” and the drive fell into a stupor or issued a distorted version of the information located on it. So the next specialist who was able to diagnose this hard drive issued the same diagnosis, but it was not always possible to repair this module, which led to sending the client back where he came from.

In the photo, after adding 1 record (with the starting address of the folder, 2268) to the defect list, the folder stopped opening in Windows Explorer, and in the PC3000 complex it is displayed partially, accompanied by a large number of read errors.

P.S.: Nowadays such cases are practically no longer brought in, due to the difficulties that arise when working with a dynamic translator.

Findings:

Without an original copy of the ROM or of the service area, it will not be so easy to restore functionality, but the chances of successful recovery of the information still remain. True, with the amendment that on modern drives these chances tend to zero.