SANS Digital Forensics and Incident Response Blog

Starting a Drive Repair/Recovery Lab

by Craig Wright

I have been writing about drive wiping and recovery for a while now. So I thought it about time that I started to go over the basic tools. There are a large number of tools that should be held at the ready if you are doing drive imaging and recovery on a regular basis. I will not get into SEMs and Spin Disk stands in this post, but I will cover the basic tools that are necessary to take a drive apart and do the basics (such as changing a head and manually adjusting a gradient angle of a head stack axis in a drive.

First there are all of the tools such as screw drivers and the connectors.

I will not go into detail here other than to state that you should collect every tool available to human kind. You never know when you will need a pentagonal star security driver. You will need other tools as well (such as soldering irons). The best thing is to use this as an excuse to the spouse as to why you need to purchase everything in the electrical and hardware stores.

Any connectors (IDE, SATA, ...) that you will work with — you will need. Also, raiding a dental supply store comes in handy for mirrors and utensils to grab stuff with.

Next, vision and the look.

Next you are going to have to look at small components. For the smaller budget we have the magnifying glasses on the left above. These can give up to 35 x magnifications and have a handy light to illuminate your work. For really fine work and as the ultimate in geek-chic there are the XGA display glasses. These act as a second (or third) display to a computer. By attaching a camera for the larger work or a digital microscope for the fine work you can look at what you are doing in real detail. This is essential (as well as a steady hand) when working with flash chips).

The image below is a scan of a CD with some of the embedded data from the manufacturer displayed next to the start of the data tracks.

An optical microscope does not have the resolution to display what is on the tracks, but it is more than sufficient to provide the resolution needed to work on a flash chip (such as with USB keys).

Next a set of multi-meters and oscilloscopes comes in handy. You cannot go past the small digital hand-held oscilloscopes if your budget allows. EPROM reader/writers and a flasher also come in handy. These are particularly useful when working on mobile phones and other such devices. As can be seen below, a set of course books from SANS is also essential.

And of course the other thing you will need, copious volumes of Hard Drives. Scouring online auctions is always good for the older models and for the most part newer drives can be ordered as needed.

Craig Wright is a Director with Information Defense in Australia. He holds both the GSE-Malware and GSE-Compliance certifications from GIAC. He is a perpetual student with numerous post graduate degrees including an LLM specializing in international commercial law and ecommerce law as well as working on his 4th IT focused Masters degree (Masters in System Development) from Charles Stuart University where he is helping to launch a Masters degree in digital forensics. He is starting his second doctorate, a PhD on the quantification of information system risk at CSU in April this year.

Sign up for the NEW forensic course SEC408 Computer Forensic and E-Discovery Essentials debuting at SANSFIRE 2009.


Posted July 2, 2009 at 7:54 AM | Permalink | Reply

Computer Repair

Thanks for sharing this info post.

Posted July 6, 2009 at 11:23 AM | Permalink | Reply

computer Tech Support

Thanks for this post.