Secure Computing: Sec-C

My friend, Xenon, recently pointed me to an article on digitial forensics.

According to the report, the conviction of an accused rapist was dependent on the recorded testimony of one of the victims. Unfortunately, the recording was saved on a DVD, and the disk was damaged. As a result, the prosecution was unable to provide the testimony.

The judge had his hands tied. The court could not allow the victim to testify in person. The rational was that her testimony was disputed and she might change her story. The only option for the prosecution: recover the data from the disk!

After many failed recovery efforts, the prosecution eventually went to i365 -- Seagate's data recovery division. Seagate Recovery Services (SRS) successfully recovered the data.

Following the testimony in court, the defense plead "guilty", and not "no contest".

Forensics Matters

It is easy enough to say that critical data should be backed up. But in reality, mistakes happen. And they usually happen at the most inopportune times.

The DC3's Jim Christy once told me about a case with a damaged floppy disk. Basically, some guy went into the interrogation room and was waving around a floppy disk saying that it contained everything needed to lock the suspect away for a very long time. Then the investigator left the room... The suspect pulled out some scissors and cut up the disk! "Uh oh!" Yes: they really left the suspect alone with the only evidence. Jim came up with a method for taping the disk back together and recovering the data.

Occasionally there are cases where data from damaged media must be recovered in order to proceed with a case. This happens with floppy disks.. and DVDs. Data recovery is one of the fun parts of computer forensics. Unlike other experimental sciences where you may not be 100% certain, when you successfully recover data from damaged media, you know that you really did it.

An Alternate Solution

The solution for this damaged DVD was to find the right outfit that could carefully recover the data. However, that isn't necessarily the only solution.

The DC3 Forensic Challenge provides real-world problems for contestants to solve. In 2006 and 2007, the challenges included damaged media. In fact, the 2007 challenge included DVDs and CDs with scratches. The challenge: get the data off. The challenge's toy problems were actually harder than the reported DVD-testimony problem. Knowing that, I think I have an easier solution than going to i365 -- and it only requires a screwdriver.

According to the report, the inner ring of the DVD was corrupted. This was probably due to a scratch or crack. CDs and DVDs are recorded on a long spiral from the inside-out. This is very similar to those old-fashioned record players that played from the outside-in. There is just one long consecutive stream of data.

With CD and DVD media, the inside ring is the single most important part. It includes things like the type of media and disk's geometry. The report actually says, "damaged lead-in portion of the DVD" -- that's the inside of the disk. With this kind of damage, no DVD player will recognize the media... which is why you need a screwdriver.

Here's an easy way to recover data from a CD or DVD that has a damaged inner ring:

1. Open the computer, pull out the DVD drive, and remove the cover from the drive. (Hence the screwdriver.) Be aware: doing this will invalidate your drive's warranty.
   
   At this point, the drive should be powered on, connected to the computer, and open and accessible to you.
   
   
2. Find another copy of the same media. For example, if the DVD is a "Verbatim 4x DVD-R DL", then get another "Verbatim 4x DVD-R DL". This new disk can be blank or used -- it really does not matter. The only thing that matters is that the disk works.
   
   As an aside, you may be able to use any kind of similar media. For example, a DVD for a DVD, or a CD-ROM for a CD-ROM. However, I have had some failures with "similar" disks, but the exact same type of media seems to always work.
   
   
3. Place the working disk in the DVD drive. The drive's firmware will read the disk's media type and geometry.
   
   
4. Now for the fun part: without ejecting the disk or pressing the "open" button on the drive, remove the working DVD and replace it with the broken one. This also requires a screwdriver. The catch is to remove the disk -- either through the top or by popping the drive door -- without triggering the door-open sensor.
   
   With my DVD drive, I can actually remove the drive's front and simply slide the disk out the opening. With other drives, you may need to remove the mechanics and pull the disk out of the top of the drive. And some drives may only need you to block the optics of the door-close sensor. It all depends on the model of drive you are using.
   
   Oh, and wait for the drive to stop spinning first.
   
   
5. Now you have the damaged disk in the drive, but the drive thinks it is the good disk. The type of media and geometry is already loaded into the firmware. You should be able to recover the data using 'dd'. However, sectors that cross the damaged portions of the disk may be corrupted, so use 'dd conv=noerror,sync bs=2048" to recover the entire disk.
   
   
6. The recovered image may still be corrupted, but you should be able to repair the damaged image. In the case of this rape trial evidence, the data was all good -- only the very beginning of the disk was corrupted and it was repairable.

By understanding how the media works, most innocent mistakes are recoverable.