SANS Digital Forensics and Incident Response Blog

Let's Talk About Data Recovery

A recent spate of messages on a listserv triggered this rather verbose article, so my apologies for its length. Even so, it barely scratches the surface of the technology. Obviously I can't get into every facet of data recovery, but my goal is to hit the main points, explain some of the things that can go wrong, dispel some of the rumors that fly around the Internet, and, when I am done with my reasoning, let you the reader decide how effective freezing a drive, or putting fluid into a hard drive, will be.

We have been doing lab-level data recovery for about 18 or so years now. We don't just dabble in it and throw old wives' tales at the problem. Our success rate is in the high 80% to low 90% range (as any good lab's should be), although this means nothing if your drive is in the other 10%!

The Equipment

Among many tools like rework stations, heat guns, soldering irons, oscilloscopes, microscopes, clean stations, finger cots, toolsets, and a boatload of patience, we use extremely specialized tools like head combs, platter removal tools, spindle motor tools, laser measuring tools, etc. Many can be seen at www.hddsurgery.com.

We also use PC-3000, PC-3000 Flash, and Data Extractor (which runs with PC-3000), all from www.acelaboratory.com, and the DeepSpar Disk Imager, www.deepspar.com.

These toolsets all together will set you back in the vicinity of 40-50 thousand dollars. Then there is our hard drive parts inventory. We have over 3000 hard drives in our inventory, and yet probably 30-40% of the time we will not have the right one for a recovery and have to order one specifically for a job. As soon as you start asking a company that sells these drives about the revision number and firmware number, they know you are a data recovery company, and that 320 GB hard drive that you need to buy (worth 50 bucks or less) just became $300.00. Why do we have so many? Because, unlike what most people think, a drive is NOT a drive is NOT a drive. It is like cell phone forensics: we know it is stupid to say that a cell phone is a cell phone and forensics is the same on all of them. Same with hard drives.

Did I mention that any REPUTABLE data recovery company will provide FREE estimates (except on RUSH jobs), and will have a No Data, No Pay policy for the vast majority of jobs (usually only excluding accidental deletion recovery)? If they don't, they are not a very reputable or successful shop. More on that later. CBL, 360, DriveSavers, and many you haven't heard of, like me, absolutely do NOT charge if we don't get your data.

So let's look for a moment at why the cost seems so extreme. Is data recovery costly? Absolutely. Why? Well the equipment, training, parts, and policies should speak to that already. Why don't you do forensics for 25 bucks an hour? Same reason. Also supply and demand. There are about 100 or so clean room equipped data recovery labs in all of North America.

Now a bit of a primer on drive construction. This does not get into everything that goes into a drive, but here are a couple of very important things to know about a hard drive.

Negative sectors/cylinders

Most people think that hard drive data storage starts at sector 0, and technically it does: the ADDRESSABLE data storage starts at sector 0. But hard drives have something called negative sectors/cylinders. They are counted backward with a minus sign, so -1, -2, -3, you get the idea. What the heck is here? Quite simply, the operating system of the hard drive. In the industry it is referred to variously as the firmware area, service area, and negative space, among other names. This area can be gigabytes in size and contain hundreds of files, although we don't call them files. They are typically referred to as modules.

The next important thing to note is the data that can be found on a ROM chip on the PCB. This is typically an 8-pin chip (but can be 40+ pin and tied in with the motor controller), and will usually contain data singularly unique to the hard drive it is on. This started around the 750 GB drive size territory. For many technical reasons that I won't go into, drive manufacturers had to address the vagaries of platter construction on a PER PLATTER basis. As a result, when the drive is built, one of the last functions involves laying the tracks and other geometry onto the platters. This geometry layout, as well as the translators it may create, is unique to that one hard drive in the whole world. This data is now written to the ROM chip I have indicated. Damage or destroy that type of ROM chip, and NOBODY will get your data back. In most data recovery cases nowadays where the PCB is the problem, we must transplant the ROM chip, or where possible write the data in the ROM chip from the patient drive to the donor drive, in order for data recovery to be possible. Armed with this information, let's apply it.

What Can Go Wrong With Drives - Rotating Media

Corrupted Service Area - Just like Windows, the drive OS (modules) can get damaged or corrupted. Because they control that drive, it would be catastrophic to lose them, so most drives even have 2 separate copies written under 2 different heads, in case one gets corrupted. If you don't repair the modules causing the problem, you can't get at your data.

Corrupted ROM data - Depending on the age, make, and model of the drive, if this goes bad, you are hooped. In other, less frequent, cases you can rewrite the ROM data from a donor drive.

Blown TVS - Basically, this is a fuse-like protection component (a transient voltage suppressor) that commonly blows on a PCB. It is caused almost exclusively by cheap power supplies in computers, and it works backwards from a normal fuse. You can't bridge the points with tin foil to make it work again; you have to remove the blown TVS to get the drive working again. This is pretty easy to diagnose: the drive won't spin, and it will smell very burnt. You may even see the component all burnt up on the board, but not always. By the way, this does not look like a common glass fuse.

Bad Motor Controller - Just as the name suggests. Get one that goes bad, and you have to replace it. Or you can "hot swap" a board, or transplant the ROM chip to a donor board. The key is that this is very brand and version specific! You can't just swap a board, as so many people believe.

Seized Motor - Bearings can seize up, stopping the motor from turning. VERY uncommon, and it can usually be fixed using specialized tools and HEAT, not cold. Statements on the Internet say that if you drip liquid into the screw hole at the top of a drive, it will get it running again. What it WILL do is splatter all over the platters when the drive spins up. Considering that the distance between today's heads and the platter surface is only marginally thicker than a strand of DNA, this will not work. A fingerprint is thicker than this space. Don't squirt stuff into the drive. There is nothing to be gained.

Stuck Heads - This is most commonly seen on external drives, where you unplug the USB without properly ejecting the drive first. On most hard drives today, the heads move off the platters to a parking ramp before the drive powers down. If you unplug the drive without properly ejecting it, sometimes the heads won't get over to the parking area before the platters spin down (it is the air moved by this spinning that the heads ride up on). If this happens, they fall directly onto the platter and stick there, because both surfaces are polished so perfectly that you can't pull them apart without proper measures. The sticking (NOT the same as stiction) is strong enough to not allow the motor to spin up, and is commonly misconstrued as a dead motor. It can sometimes be indicated by faint beeping from the drive and no spinning noise.

Blown Heads - Simply, heads that have died and no longer read or write. In most cases they will have to be changed before you can recover the data. Yes, I said most, and not all, but that is far beyond the purview of this article. Suffice to say that data doesn't always live on every platter, not every head is turned on at the factory, and not every platter holds data. A lab can actually turn heads on and off one at a time.

Degrading Platter Surface - If the platter surface degrades or gets dirty, this is the worst, because this is where the data lives. If the sector can no longer be read, that is the end of the game. Having said that, a data recovery lab reads the platter surface much differently than a Windows operating system does. Operating systems need the sector's ECC checksum to match before they will return data. A data recovery lab can read the sector without requiring the ECC to match first. With our equipment, we can keep failing heads alive far longer than you can with a normal computer.

What Can Go Wrong With Drives - Solid State Media

No moving parts here, but the controllers can still get corrupted. When this happens, there is basically nothing the end user can do about it. What we used to do is remove all the memory chips, dump the data from them raw, then use algorithms to rebuild the interleaving of the data across the different chips. Imagine rebuilding a 16 disk RAID manually. Nowadays, the expensive hardware will allow us to emulate the controller on the drive without removing the chips (but not in all cases). That is the easy SSD problem. The harder one is data leakage (not the kind infosec people deal with!); some labs call it data evaporation, and there are other names. The premise is that if the drive is not powered for long periods of time, the charge in the cells (the zeros and ones) will reset itself, or drift back to zero. Now your data is GONE, never to be recovered, like shaking an Etch A Sketch. But you don't see it that way. You just plug your drive in and it doesn't work anymore. A data recovery lab can usually recover partial data.

In both cases, spinning or SSD, a lab can tell you (in the case of partial recoveries) which files they can recover and which ones they can't.
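Two of the points above, that a normal operating system refuses a sector whose ECC does not check out while a lab imager keeps the raw bytes and records the failures, and that a lab can then say which files come back whole and which do not, modelled in Python as an added example. This is not the article's code and not how PC-3000, Data Extractor or DeepSpar work internally; CRC32 stands in for the drive's ECC, and the sector size, disk contents, damage and the file-to-sector allocation map are all constructed for the demonstration:

```python
"""Toy model: strict (OS-style) sector reads versus tolerant (lab-imager-style)
imaging, followed by mapping unreadable sectors back to the files that occupy them.
Added example; CRC32 stands in for real ECC, and all disk contents are constructed."""
import zlib
from dataclasses import dataclass

SECTOR_SIZE = 16  # constructed: tiny sectors keep the sample readable


@dataclass
class Sector:
    data: bytes
    ecc: int  # check value stored when the sector was last written


class SectorReadError(Exception):
    """Raised by the strict (OS-style) read on an ECC mismatch."""


def make_sector(payload: bytes) -> Sector:
    assert len(payload) == SECTOR_SIZE
    return Sector(payload, zlib.crc32(payload))


def ecc_ok(sector: Sector) -> bool:
    return zlib.crc32(sector.data) == sector.ecc


def os_read(disk: list, lba: int) -> bytes:
    """Strict read: hand back data only when the stored ECC matches,
    which is how a normal operating system behaves."""
    sector = disk[lba]
    if not ecc_ok(sector):
        raise SectorReadError(f"LBA {lba}: ECC mismatch, read aborted")
    return sector.data


def lab_image(disk: list) -> tuple:
    """Tolerant imaging: copy every sector's raw bytes regardless of ECC,
    and keep a list of the LBAs that failed instead of stopping."""
    image = bytearray()
    bad_lbas = []
    for lba, sector in enumerate(disk):
        if not ecc_ok(sector):
            bad_lbas.append(lba)
        image += sector.data  # raw bytes kept even on failure; may be partly right
    return bytes(image), bad_lbas


def files_affected(file_map: dict, bad_lbas: list) -> dict:
    """file_map maps file name -> list of LBAs it occupies (a constructed stand-in
    for what a file system's allocation structures would give). Returns, per file,
    the subset of its LBAs that could not be read cleanly."""
    bad = set(bad_lbas)
    return {name: sorted(bad & set(lbas)) for name, lbas in file_map.items()}


def build_sample_disk() -> list:
    """Eight good sectors, then constructed damage: flip a byte in LBA 3 and
    LBA 6 without touching the stored ECC, as a degrading surface would."""
    disk = [make_sector(bytes([i]) * SECTOR_SIZE) for i in range(8)]
    for lba in (3, 6):
        corrupted = bytearray(disk[lba].data)
        corrupted[0] ^= 0xFF
        disk[lba] = Sector(bytes(corrupted), disk[lba].ecc)
    return disk


# Constructed allocation map: which LBAs each sample file occupies.
SAMPLE_FILES = {
    "baby_photo.jpg": [0, 1, 2],
    "report.docx": [3, 4],
    "notes.txt": [5],
    "budget.xlsx": [6, 7],
}


def triage() -> dict:
    """Image the sample disk tolerantly and report which files come back
    whole and which ones contain unreadable sectors."""
    disk = build_sample_disk()
    _image, bad_lbas = lab_image(disk)
    per_file = files_affected(SAMPLE_FILES, bad_lbas)
    return {
        "bad_lbas": bad_lbas,
        "recoverable": [n for n, b in per_file.items() if not b],
        "damaged": {n: b for n, b in per_file.items() if b},
    }


if __name__ == "__main__":
    print(triage())
```

Running it reports LBAs 3 and 6 as unreadable, which makes baby_photo.jpg and notes.txt fully recoverable while report.docx and budget.xlsx each have one damaged sector; os_read() on LBA 3 raises instead, which is the behaviour the article attributes to a normal operating system.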

Common Misperceptions and Oft Repeated Untruths

Swap out PCB - Lots of people talk about just swapping out the card with one from another drive of the same make and model. Most of these stories come from drives back in the era of 10 GB and smaller. With the drives of today, that simply will not work in 99.9% of cases. If you are not flashing over the ROM data, for example, you can swap every card on eBay with ZERO success. Another issue is power. You could take a PCB from a seemingly identical donor drive and try to swap it onto your bad drive. Because of a revision in the code of the PCB, the voltage to a head or some other component has been upped just a smidge. You don't know that, because you didn't design the board, or even know it was possible. You swap the card, and that donor card blows out your headstack when you put power to it. And you will never know. There are no blinky lights or warning sirens. Just pffft. Done.

Fluid on spindle? - Again, I am straight up saying this is not couched in fact. The fluid and bearing area of the motor are sealed at the factory. Without a drill or Dremel tool, you are not getting at that area of the motor. And the sad fact is that most hard drives of the 2.5" variety don't have a screw in the cover over the spindle.

Remove Platters - An often stated, but not tenable, idea. There are very few, and very specific, incidents where you would remove platters. In fact, in the data recovery world, that is the last of all possible resorts, for many reasons. The biggest reason is that data is written to the platter surfaces in cylinders, and not linearly, as many would think. Loosen the platters and rotate one against another even a hair's width, and your data is lost forever. The proper approach is to change everything around the platters. The only reasons to remove platters are to change a motor or because the housing is damaged.

Freezer Trick - This idea is not without merit, but you need to understand where it came from, why, and how it worked. Back many years ago (think back to very small drives of 10 GB and under), there was a common problem with a certain brand of drives, whereby when they heated up from use, the PCB would expand and, paradoxically, STOP making contact on a certain bus (the little wire paths on a circuit board). Freezing the drive kept it cold enough for long enough to pull data before the components heated up again and expanded. Another situation had to do with flawed material used in the headstack armature that holds the read/write heads. The flaw caused the heads to ride too close to the platters when the assembly got hot, so freezing caused the arm to flex just enough to create the necessary space again to read data. These were the only two documented issues solvable by freezing a drive that I am aware of.

And the conditions of the freezing have to be properly performed. Put the drive in a Ziploc bag with as little air as possible. Then put that in another Ziploc bag and seal it. Now freeze the drive; 4 hours is plenty. Pull it out of the freezer and push the connectors onto it THROUGH the plastic. Do NOT open the bags. This holds off the condensation inside the bag for as long as possible. Better yet, once plugged in, keep everything wrapped with a freezer pack.

Now to the comments you read where people suggest the baggie is unnecessary because the freezer is very dry air. To those that would think this: you have clearly never been in a Canadian winter with glasses on. Outside is so dry we have to humidify our houses; I mean much dryer than the inside of a freezer. Go outside and shovel your driveway at -20 degrees for 15 minutes, and then walk into the house. Your glasses fog up instantly. Why? Condensation. Put a hard drive in the freezer (one you don't want) for even a couple of hours. Take it out and put it on your counter, and I guarantee it "fogs" over like a mirror after a hot shower. To think otherwise is to not understand the phase states of matter.

Condensation inside the drive will destroy it every single time. What happens when the condensation dries? It can leave a deposit. That deposit will trash your heads and your platter surface. We are not dealing with a little bit of piston slap from a 1972 Chevy 350 here. This is precision equipment built to incredibly tight tolerances.

So let's recap. Outside of those two situations I just mentioned (which are widely known in any data recovery company that has been around more than 15 years, and which won't apply to today's drives), how will freezing the drive make it work on any of the other, far more common hard drive failures outlined earlier? How does freezing the drive fix corrupted sectors? Or a bad platter surface? Or blown heads? Or a corrupted translator? Or a seized motor? Or voltage fluctuation?

It won't. And throwing this at the drive as an attempt is a reckless thing to recommend unless you have tried absolutely everything, and understand why you would freeze the drive and what you hope to accomplish.

Then there are those that say, "Well, I have done it, so I know it works." I submit that many times it is talking a big game rather than actually having it work. I will also add that if your drive doesn't work, just unplugging it and plugging it back in a few times can have the same effect. In many cases, getting the drive to live again long enough to pull data is luck of the draw, and you don't know why it happened. So I would also suggest that if someone really did put their drive in the freezer, and really did get it to come to life again afterwards for a short period, they got lucky, and the two had nothing to do with each other.

Guidelines

Here are some guidelines to consider when trying to decide what might be wrong and what to do about it. These are not hard and fast, and do not hold 100% of the time. That is why they are "guidelines".

If the drive is making a knocking noise, what kind of knocking noise is it? (By the way, the "click of death" is the sound of the headstack armature hitting a park post, not the heads actually hitting anything.) Is it a cyclic, nonstop knocking that starts immediately when the drive spins up and never changes in tempo? Most likely headstack failure. The only thing that will get your data is a head swap. Freezing it will only ensure that a later head swap will be unsuccessful.

If it clicks intermittently, that may be a sign of failing heads, may be a sign of a degrading platter surface, may be a sign of a corrupted service area module, could be a corrupted G-List, etc. The point being, there is nothing an end user is going to do about this.

Don't leave a bad hard drive running. Some people are told to do this "because you may never get it to come alive again". If you have failing heads or platter degradation, continuing to run it and throwing a freely downloaded program, or EnCase, or anything else at it will not work; it will just hasten the demise of the heads and/or destroy the data to a point of non-recovery. If it is clicking, shut it off and get help.

I realize that nobody wants to pay for data recovery, and many think it is a rip-off. My thought is this. I am shocked that a user will take their most valued things (baby pictures, corporate data, etc.) and not keep them safe (backups). I have a company that makes money in an industry that should not even exist, quite frankly.

And the fly-by-nights that advertise recovery for 500 bucks? Uh-uh. They are hoping the problem is logical, low-hanging-fruit stuff. They do not use "big boy" tools because they can't afford them, and they think a head swap is something that happens in the next Frankenstein movie. You simply cannot change heads for 500 bucks and make a living.

At the end of the day, the point here is to know what you are doing and why you are doing it, because otherwise you can destroy your drive irretrievably, and never know it.

If you must have the data, don't mess with it. The most well-meaning efforts can cause the data to never again be retrievable.

If the data is expendable and/or you don't want to spend the money, then you can experiment, but since your experiments will most likely destroy things along the way, have a reasoned plan and expectations, and apply sound methods that have been thought out. Cold plates get used frequently. Freezers do not. Nor do we pour liquid into our drives.

Some great extracurricular reading can be had here:

https://en.wikipedia.org/wiki/Flying_height
www.myharddrivedied.com
www.hddguru.com
www.prodatarecovery.ca/faq/
http://www.recover.co.il/SA-cover/SA-cover.pdf

7 Comments

Posted May 23, 2016 at 12:24 PM

Data Recovery

A well written article. One clarification. The freezer trick actually originates much earlier on in hard drive history. Early models of drives encountered issues where the friction of the heads in their parked position was stronger than the motor's ability to spin. Techs discovered that by cooling the drive, it was able to break stiction and spin the platters.

Posted May 24, 2016 at 11:10 AM

Paul Andrew

So is data wiping useless? For example, the 0 pass overwrite method and others like DoD.

Posted May 24, 2016 at 1:21 PM

Jared Palmer

The problem is that many people are still attempting to do this on modern drives, sometimes with catastrophic results. I think that most people who subscribe to the freezer trick just had a case of what I call an "occasional starter" hard drive. I've seen dozens of cases of drives that from a room temperature start will go ready just once, but after a few minutes or a power cycle will start acting up. Going colder than room temp doesn't really make any difference (at least not from my experiments). We just finished up work on a triple head swap 4TB case which on its third set of heads would read the SA and go ready exactly once per day for about a week before the heads finally died. Got back around 95% of the data in the end. I'm guessing that someone who tried putting this drive in the freezer overnight would think that the trick actually worked, but the reality is it just needed a rest overnight, as the heads were reading best for the first couple of minutes after a cold start.

Posted May 24, 2016 at 3:36 PM

Kevin Ripa

Thank you for this clarification. I will add this third reason to my explanations. I was not aware of this one!

Posted May 24, 2016 at 4:57 PM

Kevin Ripa

I am not sure how your comment ties into the article, but for areas of the hard drive at sector 0 and above, the normal wiping scheme would suffice. I say that a single 0 wipe is sufficient for most everything. The government has their own ideas on things, but for all practical purposes, the notion that anyone is going to extract data from a hard drive that has been wiped once is beyond the pale. As far as negative sectors where the OS of the drive sits (the modules), no wiping scheme can reach that part of the drive. And if it could, the drive would cease to be a drive and would become a doorstop. In fact, you can hide data in these negative areas, but it is not as easy as it sounds, and gets quite expensive to do.

Posted May 28, 2016 at 1:52 PM

Lazza

Very nice blog post, thank you.
"I have a company that makes money in an industry that should not even exist, quite frankly."
LOL, this is awesome! I am giving a presentation about NTFS reconstruction to a local Linux Users Group in a week, and I am definitely going to put this quote in the slides with a link to this post.

Posted June 13, 2016 at 5:12 AM

DavidPestonus

At first I would like to comment that this post is really informative.
According to my personal experience, data recovery is the process of recovering data from a damaged or corrupted storage medium when it becomes impossible to access it using the regular procedures. Data recovery also involves salvaging deleted files from a storage medium.
Data recovery services are usually provided by highly specialized concerns, which have the expertise and know-how to perform this complicated task. Highly skilled data recovery technicians use an array of software and hardware tools that are at their disposal to retrieve the lost data.
Hope my information is right.
The post above is really huge, with all the details that one must be aware of before hiring the experts.
Thanks for the share!!