Data Clinic Ltd specialise in Forensic Data Recovery from unresponsive, damaged and broken mobile phones, tablets, hard disks, CCTV and complex RAID systems.
Most Digital Forensics teams have the capability to perform software based imaging and software based data recovery on media devices; however, if the device’s hardware is damaged, broken or unresponsive, it is unlikely that they will be able to recover the evidence required leading to the device being unnecessarily discounted from an investigation.
Data Clinic Ltd have been providing advanced hardware and software data recovery services since 2002 and consequently have a vast range of knowledge, expertise and available technologies that are not in the public domain. Our methods and techniques for extracting data from phones, hard drives, CCTV equipment and legacy digital storage media are exceptional. We provide data recovery services for the Metropolitan Police, Greater Manchester Police, East Midlands Special Operations Unit, Lancashire, Hertfordshire, West Yorkshire, Northamptonshire and Northumberland police forces.
Data Clinic not only provide the highest level of data recovery for Digital Forensic Investigators, but also fully support forces through excellent customer service. For example,
• Provide a fast track service for serious or time critical investigations, with a dedicated point of contact available 24/7 to initiate and manage emergency data recovery cases and provide regular progress updates.
• Develop and provide tailored processes to suit the individual requirements of a police force, and even tailor responses to individual case requirements.
• Provide a single point of contact for Digital Forensic Investigators.
• Inclusion of security cleared courier services, or collect and return hardware personally.
• Manage a ‘Data Return’ process from seized hardware, where a company or individual makes a request for data unconnected to a case that is held on a device that may be kept as evidence for years.
These comprehensive services are provided with reliability, integrity and security, evidential chain compliance, ISO 17025 compliance (in progress), effective communication, regular updates on case progression, timely reports, statements and invoicing.
Mobile Phones & Tablets
Data Clinic have invested significant research into the repair of handsets and diagnostic techniques to analyse faults and regain access to phone data. With encryption and security on mobile devices becoming ever more complex, this is an area of continuous learning and development.
Data Clinic has specialist equipment to remove eMMC (embedded Multi Media Controller) flash storage chips in the safest possible way. Instead of the conventional method of blasting the chip with heat and lifting it, which frequently causes significant damage, the chip is removed by “digging” it out from the underside of the board thus allowing the chip to be released safely. This method carries a far reduced risk of damage to the chip, so often caused by heat. The chip is then”re-balled’ and cleansed with specialist micro soldering applications. The data can then be extracted using a specialist chip reader and the raw data decoded.
A common issue with mobile devices is a short circuit, and a short circuit to ground on any line of a logic board can render the device useless. We have identified numerous methods for determining whether a line has been shorted and where the source is. A common diagnostic tool used is schematic software specifically designed for this type of analysis. We can determine which of the hundreds of components on the board have been affected. When the appropriate schematics aren’t available, we have the capability, gained through experience, to identify the source of the fault through analysis of certain patterns and traits, for example, using Microscopic inspection, observing power consumption and testing for any other factors such as necessary cleaning.
Data Clinic use micro soldering techniques for a variety of purposes, for example, replacing the FPC (Flexible Printed Cable) connectors of logic boards, replacing failed BGA chips, the chips that deal with power, display, USB connectivity and charging. For these types of recovery, it is essential to use a special type of flux to bring down the melting point of the solder and have an incredibly steady hand with a heat gun.
Physical damage is the number one problem we see with mobile phone recoveries, for example, a broken line, where the connection should travel between the two points; but, due to wear and tear has become disconnected. We use hair-thin jumper wire to re-establish and where necessary, strengthen broken connections. A process of UV curing is then added, a solder mask is applied to our created joint and then solidified beneath a UV lamp, thus ensuring a sturdy connection that shouldn’t break again.
Water Damaged phones are also dealt with as above. Water damage can ‘set in’ and leave serious corrosion that spreads. Putting a phone in rice always makes a board a lot harder to clean properly. We use industry standard ultrasonic baths that are designed with specialist PCB cleaner fluid to remove any traces of contamination.
Imaging drives with media degradation
The most common type of case that we work on involves hard drive media degradation, and because obtaining the best possible image of a drive is critical for evidence retrieval, this has become an area in which we provide unparalleled results. We have a vast array of imaging equipment which serves the majority of cases that we deal with, however, if necessary, we have the capability to ‘custom build’ a technique that ensures that the best possible clone is attained.
If a sector or track is badly degraded then it is not necessarily lost, and we are able to manipulate firmware, replace heads, create custom imaging configurations such as head mapping and in some cases even increase head temperature to read previously damaged or unreadable sectors.
Interface Conversion and Bypass
Many modern hard drives have USB interfaces that are directly attached to their PCB (Printed Circuit Board); whilst this is great for consumers, it is unhelpful for data recovery, imaging and firmware manipulation. We have vast experience in using conversion boards for these models and are able to tap into a hard drive’s SATA data channels before the USB conversion is completed, therefore allowing us to manipulate the service area, clone the drive efficiently and bypass any potential interface issue.
Modern hard drives are equipped with complex service areas that contain hundreds and in some cases thousands, of firmware modules dedicated to controlling all aspects of a hard drive. These modules range from simple SMART modules that report operational parameters, to complex, critical modules such as P and G-Lists, translators and control areas. Sometimes these modules become corrupted, damaged or can overflow with unreadable sectors, causing a variety of issues which may prevent user data access. Our expertise, equipment and skills facilitate communication with these non-user accessible service areas and allow us to diagnose, repair and in some cases replace damaged modules to regain access to allow imaging. These procedures include:
• ATA password unlocking
• WD composite module read and module re-location
• Removal of WD SED lock
• WD Slow responding fixes
• Seagate Rosewood Media Cache repair
• Advanced Seagate translator diagnosis, repair and rebuild
• Bypass Seagate ROM locks
• Full read/writing for almost all models
• Defect list diagnosis, reading, writing and repair
• WD kernel access
CO2 snow cleaning is a powerful technique that involves the formation and acceleration of small dry ice crystals onto the hard drive’s platter surface. The resulting physical and chemical interactions lead to particle and organic contamination removal. Snow cleaning is a residue-free and non-destructive cleaning method, and particle removal has been observed for sizes ranging from visible to less than 40 nanometers.
Because hard drive read/write heads are too delicate for snow cleaning, we use ultra-high magnification stereo microscope and acetone medical grade cleaning swabs to remove particles from hard drive heads. Sometimes hard drives with the classic symptoms of head failure (the familiar ‘click click click’ noise when the drive is powered on) are actually heavily contaminated with particle debris that can be removed through this process.
Many popular external hard drives and NAS (Network Attached Storage) solutions sold by Western Digital are hardware encrypted, including the USB attached hard drives that have been converted to SATA as mentioned above. Our imagining equipment is able to read the encryption modules and then decrypt sectors to bypass such encryption and produce an image for forensic analysis.
Working with the Head Stack Assembly
Imaging a hard drive relies on the read/write heads being functional, if these have become defective through misuse or degradation then the forensic examiner or recovery technician has no option but to replace the head stack assembly. This is a complex task and relies on sourcing the correct compatible parts, the experience of the technician, and in some cases the manipulation of the hard drive’s ROM and Service Area modules to complete successfully.
For example, it isn’t possible to match a donor hard drive simply using the label information on a modern WD hard drive. Specific values associated with each head need to be obtained from the ROM and a compatible donor hard drive found. The donor drive will need to match the values of a pre-researched range for each head: too high or too low a value will cause significant read errors or prevent reading from the disk surface or drive altogether. Data Clinic maintain a large library of donor hard drives and can quickly match head parameters accurately. These rules also apply to Seagate hard drives; head map and pre-amp values have to ‘match’ before a drive is compatible. This information isn’t readily available and specialist tools and analysis are required to gain such information. Sometimes even these processes aren’t sufficient to provide a drive reading, and additional ROM and firmware manipulation may be necessary.
RAID and Complex Multiple Disk Systems
Multi disk systems such as home and business servers running RAID configurations can present complex and unique problems to digital forensic examiners. We can help piece the data back together from across multiple sources – you can read more on our RAID data recovery page.
In summary, where Digital Investigators are unable to obtain evidential data from any digital device, Data Clinic will support them comprehensively and effectively, and provide the key for successfully accessing the device and retrieving the data. We are constantly updating and evolving our capabilities and are keen to widen our expertise and services to support digital forensic investigations requirements.
To discuss any forensic data recovery requirements please contact us.