- Training
- Training Live Events
- Training Without Travel
- Security Courses
- Security Curricula
- Certified Instructors
- Training Calendars
- SANS vLive! / SANS @Home
- SANS OnDemand
- Community SANS
- SANS Mentor Program
- Coins
- SANS Onsite
- SANS SelfStudy
- SANS Summit Series
- SANS Partnership Series
- Webcasts
- Work Study
- Events Archive
- DoD 8570
- Voucher Credit Program
- group discounts
- Certification
- Resources
- List of Resources
- Top 20 List
- Top 25 Programming Errors
- 20 Coolest Jobs
- Application Security Procurement Language
- Top 10 Security Trends
- Top 5 Essential Log Reports
- Reading Room
- Webcasts
- AudioCasts
- WhatWorks
- Newsletters
- RSS Feeds
- Calendar Feeds
- Security Thought Leaders
- Security Policy Project
- Security+ Study Guide
- SANS Buyers Guide
- Security Tool Demos
- 2008 Salary Survey
- Vendor
- Portal
- Storm Center
- College
- Developer
- About
The most trusted source for computer security training, certification and research.
select a course
San Diego, CA - May 7 - 15, 2010
- Vendor Events
- Special Events
- SANS @Night
- Brochure (PDF)
I think this course changed my life.
-James Welcher, LBNL
Security 606
Evening Bootcamp Session
Evening hands-on session that allows students to utilize the knowledge gained throughout the course in an instructor-led environment.
5pm - 6pmCourse days 1, 2, 4
5pm - 7pm
Course day 3
Course PDF
Drive and Data Recovery Forensics
Saturday, May 8, 2010 - Wednesday, May 12, 2010Scott Moulton, SANS Instructor
39 CPE Credits
The data recovery world and the forensics world are very close in relation. This class discusses topics valuable to both forensic and data recovery professionals alike and touches on data recovery topics relating to forensics topics where they can be applied.
Our primary goal is clear:
To produce valid disk images and recover the data from marginally operative or defective media for use in data recovery or forensics.
The processes and methodologies taught in this class will train you to collect an image on damaged evidence where standard forensic imaging would have failed. You will learn to understand what kinds of problems hard drives have and what your options are to recover the contents. Specialized data recovery trade secrets that are used in these processes specifically will be discussed so we can acquire data from damaged disks. We will perform some exciting labs, where you will format a hard drive, put data on the drive, disassemble the drive down to the bare metal, and then "successfully" reassemble the drive and recover your data from it.
You will learn things about GMR Heads, sectors and how data is stored by the heads physically on the platters. In addition you will learn about passwords on hard drives and what it takes to clear them, and you will find out what the G-list and the P-list are, what can happen when a disk is wiped, and what data is left behind when they are not taken into consideration. You will also find out how the locations of partition structures affect the speed of your system and its relationship to zone tables.
This class will highlight the tools that work well with corrupted file systems, both in demonstration and in the lab exercises, and students will learn the basics of file systems and logical recoveries. There will be information regarding FAT, NTFS, Mac OSX HFS+ hard drive formats, as well as EXT3 and Reiser recoveries and what to do when there is damage, and there will be examples of each in labs. Students will also perform logical recoveries where we will use software and specialized data recovery equipment to image memory sticks, hard drives, and image files.
After we are done with our basic understanding of file system recovery, we will move on to dealing in depth with the methods of reviving RAID 0 / RAID 5 / JBOD configurations. There will be lab exercises that will be used to demonstrate how to reconstruct RAID 0 and RAID 5 Arrays. The final portion of the class will discuss solid-state drives, the direction of storage in the future, and what challenges they propose when introducing evidence into court.
If you would like five bootcamp days of training and learning about trade secrets of the data recovery profession, this is the class for you. It will consist of lecture and labs with mentoring on disassembly and reassembly of the hard drives. Usually by the second day, the majority of students are able to rebuild a hard drive and recover data from it. However, this class is about process and methodologies, teaching the techniques used in data recovery labs so that you can understand and build on those skills.
- A Sampling of Topics
- Going over the basics and parts of a hard drive
- Data Recovery With Forensic Drives
- Clean Room Basics
- Data Recovery Equipment Basics
- Tools and Software for Data Recovery
- Sounds that Damaged Drives Make with Examples
- What problems you can tell by listening to the drive
- Basics on success rates and possibility of repair
- Opening a Drive and Disassembling it
- Reassembling and rebuilding a Damaged Drive
- Mechanical Operations on Drives
- What is the System Area stored on the hard drive
- What a Sector Actually Looks Like Encoded on the Drive
- PCB Board Issues and Live Board Swaps
- Forensic Logical Recoveries
- Rebuilding forensic drives maintaining the state
- FAT/NTFS/Ext2/Ext3/Mac OSX File System Recovery
- Imaging Damaged Hard Drives
- Data Recovery using File Headers
- We will also cover the basics of tools like:
- Deepspar Disk Imager
- Ace Recovery PC3000 (basic introduction)
- Salvation Data HPE Platter Tool Kit
- Example of Other Platter Tool Kits
- Head Combs and how to make your own
- In Addition we will have HANDS ON LABS that cover:
- Repairing a Damaged Drive
- Imaging a Damaged Hard Drive
- Five Hard Drives YOU Rebuild!
- Hard Drives Mechanical Operations
- Operations Rebuilding a Hard Drive Physically
- Mounting a Damaged Drive on PC
- What an encoded Sector actually looks like
- PCB Board Matching Issues and Review
- RAID 0 Rebuilds
- RAID 5 Rebuilds
- Fat/Ntfs Logical Rebuilds
- Mac Osx Rebuilds
- Linux Ext/Reiser Rebuilds
- Pre-Requisites:
- SANS encourages you to attend SEC508 (Computer Forensics, Investigation, and Response) prior to attending this class.
- Extra Items Needed:
- Digital Camera is helpful for the students to have during disassembly of the Hard Drive. A camera is helpful for documenting the process and knowing how the parts fit together after they are disassembled.
- Who Should Attend
- Anyone that has ever tried to image a hard drive with bad blocks only to have it fail and never be able to get a good image of the drive. This class teaches you what your options are and how to avoid that situation as well as training for the tools.
- Corporations that hand large amounts of data and hard drives.
- Corporation that have a mobile force that uses laptops that have had damaged drives that needed to recovery data from.
- Sensitive locations where a drive might not be able to be sent out to a recovery firm and you are required to recover the data from the damaged or corrupt drive.
- System administrators and incident handling personnel who are looking for an understanding of how a hard drive actually works and are interested in reassembling one from the ground up. This will help strengthen your forensic knowledge and give you a fundamental knowledge about how hard drives work and how to fix one.
- Anyone who wants to understand the technical side of hard drives and the data existing on the drive and how to rebuild or put one back together again.
- Anyone who wants to learn how to do data recovery on a damaged hard drive and to collect best evidence.
- To learn the basic tools and functions of data recovery to analyze Windows, Mac OSX and Linux systems with damaged hard drives or corrupt data.
- Anyone who wants to learn how files systems are structured and store their data so that they can understand where evidence exists on any type of hard drive.
- © 2000-2009 The SANS™ Institute
- Web Privacy Policy | Web Contact |
- Press Room | Trademark Usage Policy