Blog: SANS Digital Forensics and Incident Response Blog

Blog: SANS Digital Forensics and Incident Response Blog

Spin-Stand Microscopy of Hard Disk Data

I shall be posting a series detailing the additional data not included in the paper [1] on recovering overwritten data in the following weeks.

My thanks to Dave Kleiman (one of the original papers co-author's with myself) for reviewing and adding some details to this post series.

Due to the limitations of peer reviewed papers, much of the detail of a process is commonly lost. This series of posts will endeavor to fill out the areas that are not covered in the paper in any detail and also add some further level of knowledge.

The recovery of data from damaged hard drives has come a long way over the years. Various techniques have been developed using both optical and electron microscopes and leading to the use of Magnetic force microscopy (MFM). MFM is a category of Scanning Probe Microscopy (SPM) and perhaps is the most widely used of these techniques. Of the techniques that can be commonly found, the primary ones are:

  • The Bitter technique where the platter is coated with a thin film of ferro-fluid. This fluid contains ferro-particles which associated most strongly with the field vectors on the drive providing a magnetization pattern. This is known as a "Bitter patterns" and maps to the magnetic field vectors. Depending on the track density, either a high powered optical microscope or a scanning electron microscope (SEM) is used to observe the platters. This technique has become far less effective in recent times due to the increasing drive density. It can be used in the imaging of floppy drives. The technique is invasive and will result in the destruction of the drive platter.
  • Lorentz microscopy uses an electron beam that is fired at the drive platter. Magnetic fields produce an effect known as the Lorentz force. This force deflects the electron beam. These deflections can be measured using a Scanning Electron Microscope (SEM). The SEM will then return the deflection pattern which can be used to "map" the encoded drive image. More recently, Transmission Electron Microscopes (TEM) have been used for this process. This is a slow process that is economically infeasible for use on most modern hard drives.
  • Magnetic Force Microscopy is a variety of imaging techniques known as Scanning Probe Microscopy (SPM). This techniques uses an enormously fine (and expensive to replace) point that is mounted on a flexible cantilever. This tip "raster-scans" the drive platter following the magnetic force vectors. As the reader is coated with a ferromagnetic material, the field interactions attract or repel the tip. These movements are measured through the cantilever allowing an accurate map of the magnetization-induced field to be produced. Magnetic Force scanning Tunnelling Microscopy (MFSTM) is one form of MFM. This method uses the tunnelling currents that are created through the movement of the probe to produce a two-dimensional spatial map of the magnetic field coordinates. This map is used to decode the "bits" on the drive.
Electrostatic Force Microscope (EFM) works in an equivalent manner as the MFM. However, the EFM uses electrically charged probes and samples with a electrostatic structure, like ferroelectrics. Probe and sample form some kind of capacitor. What is really nice is that the EFM tip can write charge structures into the sample. The EFM cantilevers have to be conducting. It is not so easy to make them yourself but the EFM cantilevers can be bought from specialist companies just like the AFM probes.

MFM has many advantages over the other aforementioned techniques in the recovery of hard drive data. As referenced in my


Posted January 28, 2009 at 6:19 PM | Permalink | Reply


Great posting, Craig. Thanks for this followup!

Posted August 17, 2010 at 8:06 PM | Permalink | Reply


Absolutely fascinating!! I always knew we'd get to this level one day!

Hope to see more soon.

Post a Comment

* Indicates a required field.