data recovery engineer

IamA data recovery engineer. I get files from busted hard drives, SSDs, iPhones, whatever else you’ve got. AMAA!

Hey, guys. I am an engineer at datarecovery.com, one of the world’s leading data recovery companies. Ask me just about anything you want about getting data off of hard drives, solid-state drives, and just about any other device that stores information. We’ve recovered drives that have been damaged by fire, airplane crashes, floods, and other huge disasters, although the majority of cases are simple crashes.
The one thing I can’t do is recommend a specific hard drive brand publicly. Sorry, it’s a business thing.
This came about due to this post on /r/techsupportgore, which has some awesome pictures of cases we handled.

One of our employees answered some questions in that thread, but he’s not an engineer and he doesn’t know any of the really cool stuff. If you’ve got questions, ask away — I’ll try to get to everyone!

How much of your work is recovering bitcoins or other virtual currency wallets that have been lost?

We have had one case so far, and it was recoverable. The talk at the time was this wallet was worth about $30,000 in Bitcoin, or about 50 bitcoins. We charged $800 for this case, so I think data recovery was a good investment.

Why does it cost so damn much to recover hard drive data?

Big barriers of entry. Any one of the machines in our laboratory would set you back at least $9-10K, and that’s not to mention the clean room, research and development, specialized firmware tools, etc. We also have to source parts for certain hard drives, but that’s a drop in the bucket compared to the other stuff.
It’s also a really specialized service, and while there are a lot of companies that do it, there’s only a handful with the capabilities to treat any type of device.

What can I do to my hard drive so that you (or anybody else) are unable to salvage any information from it?

It’s a fun question. On the physical side, you can open up your hard drive and scratch the magnetic material off of the platters. Drill holes through it, hit it with a blowtorch, or shatter the platters (if they’re made of glass). Don’t just rip off the electronics, that does nothing.
If you don’t want to go that far, you can do a DOD (stands for the Department of Defense’s standards) wipe. There are tons of utilities that do this. It overwrites the data on your drive with various patterns of 1s and 0s. Realistically, any data recovery provider won’t be able to get anything after one full wipe with a random pattern. The random pattern will guard against future technologies that could amplify the magnetic signal to figure out what used to be a 1 and what used to be a 0.
Technically, you don’t need multiple passes, but the biggest issue with secure deletion tools is that software isn’t perfect. With that in mind, I’d advise doing at least three passes.

How’s your work place? I imagine you work in some kind of sterile room to prevent dust from ruining the hardware or something like that…

Yes, there’s a Class 100 clean room. I can’t get a picture of that right now, but we probably have one around here from the last time we tested. I’ll look for it.
It prevents contamination when we’re replacing parts of hard drives. It’s really strictly controlled and we have to wear special clothing when we’re in there.
Outside of the cleanroom, it’s a pretty typical office, except there are tons of workstations everywhere for different types of cases.

What’s the weirdest thing you have ever had to recover, or recovered by accident?

Recovered on accident? Geez, we’re always doing it on purpose. 🙂
Weirdest, we’ve worked on answering machines. You probably mean weirdest in terms of content; people ask us to recover just about anything you can think of. Adult videos, stolen movies, you name it. It’s always weird to me that people don’t just re-download publicly available stuff, but time is money I guess.

I formatted a HDD by accident (right click on drive, click format). What software can I use to get it back?

I’ve got a conflict of interest here, since we currently sell software. Because of that, I’m going to respectfully avoid recommending a specific tool, although I’m sure someone else in this thread will give you a recommendation and I’ll be happy to confirm or deny whether the program’s capable of this type of recovery.
Honestly, most commercial data recovery programs will work, but make sure the program’s designed for your file system. Read the reviews, too.
This should be obvious, but we see it all the time — don’t install the program to the drive with the deleted data. You’ll need to access it with another computer, and you’ll want to recover the data to another drive. Your software should only be accessing the formatted drive, not writing anything to it.
This is probably a very simple recovery, though, depending on your drive’s file system.

I have a clicking hard drive, it has very important stuff that I need to recover. I’ve read that sticking the HD in the freezer for several hours may cause it to work long enough to get some files off of it.
Should I try this?

I would strongly discourage it. I guarantee that someone will post a reply saying that “it works,” but the science doesn’t back it up for modern hard drives.
On older drives (think up to the 2000s) it was actually a technique. The reasoning was that it would shrink the drive slightly and allow a stuck spindle to “unfreeze” (ironically). Newer drives are far too precise for that.
If you stick a drive in a freezer and it works afterwards, it probably would have worked if you’d left it sitting on your counter. Some drives with minor physical issues will work, say, every 5th time you try them, and they might be more likely to work after a long rest, so there’s a correlation =/= causation issue with this myth.
My problem with this technique is that it could cause lasting damage to the drive. If the heads are failed, you’re potentially looking at platter damage, and if you’re not careful, you might even end up with some crystallized moisture from your freezer.

I do one pass of zeroing my hard drive. I give it to you. What are the odds of recovery? Imagine that price is no factor.

If you’re sure you actually zeroed it out? We wouldn’t have a chance, and neither would any other company regardless of what they say.
In order to recover the data, you’d need to magnify the signal to an extraordinary degree, and that technology doesn’t really exist. That’s not to say that it won’t exist in the future, though.
EDIT: But OK, just to play the game, how would I go about it? I would recommend to the CEO that we get a $2 million dollar deposit with no guarantee of recovery. Then we would hire a team of geologists to use an electron microscope to determine the previous state of each bit. 10 years later, we’ll have your data copied to your virtual block chain drive (bitcoin-based technology that will be invented by then).

If you examine a drive for recovery and determine you are able to get data off of it, do you get the data off immediately and then inform the customer? Or do you tell them you can get data off and then wait for their approval before getting it?

Now this is a sensitive question in the industry. My answer’s sort of in between the extremes. No, we wouldn’t fully recover a drive, because that would be dishonest in my opinion and it would lead to a weird haggling war with the customer. It feels dirty to me.
However, we also wouldn’t just look the drive over and send out an eval. We have to definitively diagnose the problem, and while performing that diagnosis we will see a clear path to a recovery. So yes, you could say that we’re committed to the process of recovery before we send out an eval, but that doesn’t mean that we’ve got the case done.
That means that we occasionally have to tell a customer that their stuff’s unrecoverable after they’ve agreed to the recovery, which sucks, but it’s better than the alternative.
Now, what if we plug in a drive and it starts right up? It’s happened before. In that case, we’ll explain it to the client, and they’ll go tell their friends about it. Free advertising and they’ll usually still ask us to transfer the data to another drive, so we don’t lose money or anything.

What is the hardest, most time-consuming method of data recovery that you regularly have to do?

I once opened a large RAID unit and it had swarms of cockroaches crawling inside. This is the only time I screamed like a girl in our lab. The failure was due to electronics shorted from the cockroach dung.

What are the most exciting innovations in your field in the last few years?

Most exciting innovations are SSDs. Upcoming technology will allow us to recover SSDs that have been completely overwritten with zeros, or wiped. Also innovations to make virtual machine recovery easier have been developed by our programming team. EDIT: I made a mistake regarding software being developed to recover from zeroed SSD - we are not working on this, it was rather only the subject of a coffee break argument, my apologies.
Most time consuming can be a RAID that we have not seen yet. Most of these are from large enterprise SANs containing multiple LUNs. They are almost always recoverable but sometimes take months of hard work and custom programming. Drobo RAID, while recoverable, can take a long time for us to determine recoverability.

What was your most challenging recovery?

Physically, any of the fire-damaged cases. It’s very difficult to prevent platter contamination, even when you’re working in a clean room. On the software side, larger RAID 5 arrays can get very complex very quickly.

What was your most memorable recovery?

I remember the failures more than the successful ones, but one that’s been on my mind recently is a drive we recovered for the family of a missing person. It was pulled from a lake. The person in question disappeared and is probably alive, and the family is looking for any clues as to where he went. It’s heartbreaking. Out of respect for the family, I won’t give any more details, but we recovered that case for free and I really hope that they find him soon.
On a lighter note, we’ve recovered cases for science research institutions and NASA, and those are always fun because they’re really cool people and they’re doing really amazing work.

What is the most common type of failure?

Most common failure: read/write head crashes by far. If you hear a clicking sound, that’s probably what it is. It’s pretty remarkable that they don’t fail more often when you consider how precise heads are. They’re incredible.

What are the costs involved in a typical recovery?

It ranges from $600-1900 on average. That’s a huge range, but lots of stuff can happen to a hard drive. We try to keep costs down because a happy customer will always talk about your business, especially in this industry. With that said, it’s not a cheap service.

Is an iPhone an easy device to recover from when it’s in recovery mode?

Yes, iPhone recoveries are generally very successful. However, on a related note, if you delete a text message on the newest iOS, it’s gone for good.

How effective is the cipher command in DOS in terms of preventing recovery of previously deleted data?

To my knowledge, we have never had any data recovery scenarios where customers have requested that we recover deleted data after it has been overwritten using the cipher command, so we have not performed any research into the recovery possibilities.
I can say that if the data is truly overwritten with at least one pass, then recovery would be impossible; however, the cipher command does not appear to address slack space or data stored in temporary files that may be related to the content you are attempting to destroy. We would probably start here if we were to start a research project on the recoverability of encrypted data that was wiped using the cipher command.
Do you have any specific examples that include the switches you would use and on what type of data and its encryption state? If so, I’d be interested in looking into it for you. I primarily work with hardware, but I’ll get our software guys on it.

How did you get started in your career? What about education requirements?

This is a really specialized industry, and there’s no clear path in terms of education. I have a bachelor of science in computer management and information systems, but it doesn’t really play a huge role in my job; I was hired here for another position and learned data recovery over the course of several years.
That’s not typical. We also have employees with degrees in nuclear engineering, electronics engineering, and programming. It’s a good mix, because if one of us can’t figure out a problem, chances are good that someone else can.
If you’re interested in working in data recovery, I’d recommend either an electronics engineering degree or a programming degree if you want to work on the software side. You will probably learn most of the actual craft on the job.
We also do computer forensics and electronic discovery. Those specialists have certifications, but I don’t know too much about that, it’s out of my area of expertise — even so, a certification in computer forensics will almost certainly get your foot in the door.

What do you think of The Great Zero challenge: recovering data from a hard drive that has been overwritten with zeros once with the dd command?

I may be living under a rock, but I just heard of it. Here’s my problem with it, from what I can find, and excuse me if this info is old.
The prize is $500. It would take hundreds of thousands of dollars or even millions of dollars in research to come close to developing that technology. Who would take that challenge? It’s nuts.
I highly doubt that we’ll ever be able to recover a drive that’s been intentionally zeroed out. There’s a pretty massive technical barrier there.

What’s the weirdest personal data you came across?

Nothing comes to mind. Sorry to bore you, but we don’t go snooping through people’s stuff unless they ask us to. The cases I remember are the ones where we get to work on something really exciting or important. We recovered stuff for rescue personnel after September 11th, so that’s a really powerful memory, but that’s definitely not super-personal data.

How often do you save the porn/nude pics you find on people’s hard drives or cell phones?

Haha, never. We couldn’t if we wanted to (and believe me, with our day-to-day case loads, we’re more interested in returning your files as quickly as possible than ogling your pictures, I don’t care if you’re the most attractive guy/girl on Reddit).
We’re not allowed any removable media in the laboratory. We even debated allowing the smartphone camera in for the verification pictures. The devices we use to store recovered data aren’t accessible through the Internet, and all recovered data is securely wiped with three passes after we transfer it and send it back to the client.
Security’s a huge issue around here, and we don’t really look at data except for verification purposes.
On a related note, we have had people ask us to recover adult content, in which case we’ve had to open the requested files, but believe me, it’s less tantalizing than you think.

Would you rather have an SSD failing or a magnetic drive failing? What lifetime are we seeing with SSDs?

Most SSDs that we receive actually fail due to electronic issues, not memory wear. Memory wear would be a more severe issue, but SSDs are still new enough that we haven’t received a ton of drives with this problem to my knowledge. Hard drives usually fail due to mechanical wear, firmware issues, and electronic problems.
As a data recovery engineer, I’d rather see a hard drive case than an SSD case, but the recovery rates are high for both. As a consumer, I’d rather use an SSD for a plethora of reasons.
The jury’s out on SSD failure rates, but it’s really important to note that they’re not all equal. Some are much better than others in terms of the quality of their memory, their memory wear leveling processes, etc. If you want to buy an SSD, do your research! Don’t go for the cheapest option. It’s a better return on your investment in the long run.
I can’t recommend a specific brand, but it’s not hard at all to figure out the best ones.

Is it possible to recover data from any phone and not just smart phones?

Yep. They all store data. An older phone might actually be more difficult than a newer phone, since we know what data structures look like on smartphones; with some rarer older phones, we might need a little more time, but it can certainly be done.

What has been the best example of data recovery in TV or Movies?

Probably that episode in Star Trek where they almost lost Data in the transporter.

Do you work with law enforcement or do they tend to have in-house recovery? Have you ever had a client that insisted on being present during recovery?

Yes, we work with law enforcement, especially with cell phone cases. We have had people ask to be present during the recovery. At an off-site recovery at Fort Bragg NC military base, I was escorted everywhere - even to the bathroom.

What is the most morally questionable material you have been asked to recover? Did you recover it?

We will recover anything and keep all data completely confidential unless it’s extremely illegal. And by “extremely illegal,” I mean that we don’t care about your pirated movies.
My job isn’t to make moral judgments, and it’s something we’re really careful about here given the sensitive nature of our work. Sorry if that’s a cop-out answer.

Why is data recovery so expensive? What are the things behind the scenes that elevate the cost? Can we expect a lower price point in the near future?

I think we’re rapidly moving towards a lower price point, but that’s just my opinion.
The technology is improving to the point where internal component repairs are less and less common. We work with firmware a lot now, so our costs are going down.
With that being said, it’s still a really specialized industry, which is why you still see high prices. We have to pay a ton of money for the hardware we use, the credentials we get, advertising, and all of the normal costs of running a business. The barrier for entry is huge right now.
If you see a company offering data recovery for $300-500 right now, they’re probably not equipped to handle the process. However, I think we’re moving towards that, and I wouldn’t be surprised if we (or another major company) offered a lower price point in the near future.