Many poor quality hard disk drives manage to get to market. This is especially true with "bleeding edge" models. These drives often suffer failures. For the average individual or corporation, this is problematic enough (and worse when a backup has not been made). For the forensic analyst, this can be devastating, at least if you do not know what must be done.
A common problem is a preamplifier failure. This failure will generally result in the drive creating a clicking or hissing noise. Another cause of this sound can come from a head stack failure. In this post I will detail some of the issues and steps associated with the replacement of a drive head or preamplifier.
The first thing is to access the drive internals. This will invalidate your warranty, but when conducting a forensic examination, the ability to have the drive replaced is of small concern. First, ensure that you have a clean work area.
A clean room is not necessary. Dust will cause long term damage to the drive, but this is long term. As long as the level of dust is low (such as in a standard computer room), the issue will not impact the forensic process (contrary to popular belief). You will require a set of Hex drivers or other security drivers (you can see what type is required by looking at the screws on the top of the drive).
Several of the screws will be covered (see figure 1) with the manufacturers label. Do not force the lid off the case, but rather ensure that you have removed all of the screws (and the case will then come off easily). The drive I have used in this post has four hidden screws, some drives have more or less. Rubbing the top of the case with your fingertips will help you locate these.
These will not be the usual screws such as a Phillips or chisel head screwdriver. You will require a selection of screw driver heads (see figure 2). These are readily available from any good electronics or tool store.
Once you have opened the case, you will see the drive internals. Figure 3 (below) has the location of the preamplifier (figure 4) circled in yellow and the head stack (figure 5) circled in green.
The preamplifier is a small integrated circuit chip. This will be attached to the head stack on a small PCB (printer circuit board). To remove this you will most likely need to remove the main PCB. This may require removing the screws on the opposite site of the drive holding the PCB on (more generally in older models). This step will not be required in most cases, but this has been removed in figure 6. The drive used in this example does not require this step, but I find this easier as removing the small metal plates makes removing the magnet (and hence the head) far easier. Like many new drives, the platter is held in place using a strong magnet. This magnet is on the left in figure 7 below.
Take Care: The magnets will pull towards each other and if you slip you can damage the drive.
Ensure that you have a good sized clear and open space to place the components (an anti-static mat is a good idea). Start placing the components and the screws associated with them from the left and work towards the right. This will ensure that you do not miss anything when you reassemble the drive.
Note: Do Not touch the platter and ensure that you use an anti-static band.
Slowly extract the head stack. Take care. If you touch the platters you will damage the data. I have a specialized vice for this these days, but it is possible to do this without one.
I suggest that you buy 20 or 30 old drives (these can be sourced for as little as $5 each). Practice on these until you can remove the head stack without touching the platter or damaging anything. When you have done this, you will be ready to work on a real drive.
Note in figure 5 the location of the preamplifier on the head stack (circled in yellow).
Older hard drives commonly have a pinned chip. Newer drives (such this the example) attach the preamplifier with either conductive adhesive to the contact areas or less commonly by soldering this on. My fingers are far too large and I will personally replace the entire preamp PCB rather than resoldering a preamp. And it is also easier to just do this for a glued chip.
Where do you get the replacement?
Well this is simple (at least in reasoning). Replacement parts are best and most easily obtained from old (but working) drives. Remember, we do not care about the long term. The issue is not getting another year from the drive, but just long enough to image the drive.
The difficulty comes when you can not locate an exact match to the drive, but there is something to repair. In figure 8, a lifted head is displayed.
Head damage is problematic
When a drive head has lifted or broken off, anywhere on the platter that it has touched will lose data (so you will need to image the drive skipping errors).
What if there are no replacement drives is to be found?
Sometimes there will not be an exact match for the damaged drive. This means that you will not be able to replace the head unit as a whole. In this case, similar drives can be cannibalized. I will not include a lesson on soldering here, but this is another skill that requires practice to do well.
The best way to analyze a preamplifier is using a COM-Terminal program. This part is simple (as even hyperterm satisfies this). Finding the pin-out can be difficult (these exist but are not always easy to find). For instance, iHDD.ru has several of these (in Russian). For instance see the link regarding the Seagate (BARRACUDA 7200.7 160G ST3160021A ).
You can also learn the click sequences for selected drives (more on this in a later post). For instance the following preamp failures will result in the following:
- Western Digital: 2 loud clicks and the spindle will stop.
- Maxtor: Continuous clicks for 30 seconds
- Quantum: 2 loud clicks, the spindle will speed up and 4 clicks.
Find the problem and you can fix it.
The final step is to reassemble the entire drive unit and proceed to imaging. The secret to doing this is practice. Old drives are inexpensive, all you need is time (oh and some basic tools).
For additional training on hard drive repair and it's role in digital investigations, check out SANS SEC 606 with Scott Moulton.
Craig Wright is a Director with Information Defense in Australia. He holds both the GSE-Malware and GSE-Compliance certifications from GIAC. He is a perpetual student with numerous post graduate degrees including an LLM specializing in international commercial law and ecommerce law as well as working on his 4th IT focused Masters degree (Masters in System Development) from Charles Stuart University where he is helping to launch a Masters degree in digital forensics. He is engaged in his second doctorate, a PhD on the quantification of information system risk at CSU.