Hello,

This is Claire here. Would just like to start out by saying that I am not involved in the recovery business in any way, and so I apologise if this is the wrong place for a layperson like me to be posting. I see that most posts here and from and for technically knowledgable folks from within the highly intricate world of data recovery, but I am at a loss in a particular situation and my lack of knowledge is the very reason I am here, so would greatly appreciate someone helping me out. I am describing my current conundrum below.

I am a photographer who had data lost in an external Hard Disc due to water damage in my office in May of 2020. I did have a backup, but unfortunately, made the cardinal sin of keeping it in the same physical room, and hence both copies were damaged - one more than the other. While one HD was completely beyond help since it was in a low storage unit, the other was kept on a desk and was only partially in water. Both were external Hard Discs.

MODEL NAME - Western Digital 4TB My Passport Portable External Hard Drive, Blue - with Automatic Backup, 256Bit AES Hardware Encryption & Software Protection purchased in FEBRUARY of 2020 (attaching a screenshot of image of HD)

I immediately contacted a recovery team which asked me to send over the disc, which I did. They took a few days to run tests etc, then gave me a two month timeline for recovery. It has now been nearly a year and all I have received from then on have been more timelines saying that the data is all secure and there, just that there is an issue with the decryption. I have left the disc with them since I know one thing about such situations - the more hands it goes into, the more chances of something going wrong. I don't want to take it to a team to tinker with something, then say they can't help, then go back to the original guys and for them to say "well the other team has done something we can't fix now". This is where the matter rests.

I apologize for the long post but I will try and get to the point
All I want is for someone with technical knowledge in the field to help me, by just deciphering the technical jargon and PLEASE just letting me know - am I being led on or is there any legitimacy to what these guys are saying?

Without making this any longer, I will try and attach as much informational stuff as and quote their emails to me below.

_________

Mail sent on MAY 16th 2020

Dear Madam,
The submitted hard disk has undergone a lab testing process for data recovery.

Lab Test Results:
1) HDD had small noise from the disk without detection in any computer & data recovery equipment.
2) Hard Disk is analyzed for head defects which will read & write data from the magnetic platters. Head assembly is defective.
3) Data recovery to be processed on the drive by replacing working head assembly from similar donor / spare hard disk with firmware, re-alignment & data extraction by using disk imaging technology.

Estimated Recovery %: Undetermined

Recoverable Data: All Available Data

Estimated Time for Recovery: 20 Business days

We require an email approval from your end to go ahead with data recovery. We shall start the process by purchasing spares required for recovery.

Drive condition after recovery: Tampered and non usable.

Require a backup hard drive after completion of data recovery for data backup purposes.
Payment Terms: During submission of data backup.

_______________________________________________________________________________

Since a lot more time passed, I asked them for an update.

____________________________________________________________________________

Mail sent on July 25th 2020

Dear Sir,
The current hard drive had issues with readable heads, we have already shifted the reading heads on the hard drive. The Lab work is successful, we have the complete drive online with capacity and parameters. We are facing the issue with the firmware codes of the hard drive. Since the disk is manufactured in Sep 2019, the codes of these drives are Locked by manufacture ie. Western digital. Hence no sectors are readable from the entire drive.

We are working with our tool manufacturer and the Western digital team (as Western digital will never provide any support for data recovery) to get the codes to unlock the drive and access data.
Since it is a very complicated process to reverse engineer the drive locking mechanism, it is taking time. We shall update the final status in 10 days of time.

_______________________________________________________________________________

Then a follow up

Mail sent on August 11th 2020

Dear Team,
All above mentioned issues are resolved and disk imaging is completed. The current drive sector readings are completely accessible, and we have taken the complete disk image of the drive with starting to ending sectors.
We are only facing one final issue with Decryption, the original PCB board has WD Hardware encryption on the fly, for this new 2019 model of the drive called "Spyglass 2" the solution for decryption is not yet released. Expected to get the updated release in coming 2 months. The data recovery is possible once the decryption parameters are provided by the tool manufacturer.

We are closing the case currently, as soon as the decryption is available we will be able to get the data from the drive.

____________________________________________________________________________________

This is where the matter rests. I try and get in touch every month or so to get updates and get told the same thing - "the tool manufacturer has yet to release the update which would have your solution" or something very similar. They claim there worldwide, there is no solution available, but it SURELY will come out. Whether its a week from now, or 6 months from now, they can't say.

I really don't know what to make of the situation and whether these are just random terms being thrown at me to make me believe there's still a chance, or whether there is actual hope.

I would be really grateful to anyone who could get some real information from the above mails, and give me an opinion on whether the recovery team seems to know what they're talking about and is there such a situation with this particular Hard Disc.

In case it's relevant, they haven't charged me anything so far, which is all the more reason I can't imagine they would be making all this up instead of just saying "we can't do this, sorry".

Thank you for your time.

Best,
Clare.

There's enough which tracks in the reply to confirm you're not being conned, if that was your concern. They are all legitimate issues and problems they now face having cloned the drive without an encryption key.

Whether or not they should be facing them I couldn't comment on.

They should be able to return the original drive with it's original PCB as they have a clone of your drive to work with. You can then send this to someone else to try a recovery.

_________________
Data Recovery Services in the UK.
https://www.usbrecovery.co.uk/

Thank you so much for the reply. It helps me greatly to know that it appears their efforts and issues are legitimate. I also could not find the exact model number at the time of posting, which I have found now, so attaching the same below :

Model Number - WDBPKJ0040BBL

Is there any way for me, or others in the data recovery field to simply find out if these decryption keys have legitimately not been released? Wouldn't they be common for all Hard Disks of this model, and if they are all encrypted in the same key, it seems quite impossible that none of them, worldwide have been decrypted after recovery in the past 1 and a half years or so.

Just wondering.

Each device has unique keys, which is why your original hardware is important the keys are in it, the encryption is there to stop exactly what you're trying to do.

Google will tell you how many possible combinations AES 256bit has and how much time it would take to brute force. The answer being a lot for both

_________________
Data Recovery Services in the UK.
https://www.usbrecovery.co.uk/

Oh ok. I was somehow given the impression that the particular model has one "key" which has to be released by the manufacturer or provided by a "tool manufacturer", because the recovery team has been saying that "there is no solution worldwide". Hence I assumed that this HD Model doesn't have a decryption key and anyone trying to decrypt it is waiting for it to be released.

Thank you for clarifying that. So basically, whoever this team is dependent on are trying to decrypt each HD separately, using brute force, and it's just a matter of how long it takes? Also, there is a fair chance that once that DOES happen, the data should be there? Because they've been saying "each and every sector is readable".

One last question. Isn't there any way for me to get in touch with WD and tell them that I need this to be done, since I'm the legitimate owner of the device, not like I'm trying to "hack" into it or steal data. Basically, if they want, can WD solve this for me, or would they also be unable to?

Thank you for your time, once again.

Hell will freeze first. They provide no help at all, because if they did, they would have to stop selling them, as they would be known to have a design flaw backdoor.

_________________
BTC Wallet - 3AoQPTBsz9PbfoanCx44Lw76Y2TwtKa1x5
Instagram https://www.instagram.com/datarecovery_morde.pt/

Your recovery company is waiting for the recovery software provider (probably Ace Labs) to find an exploit, brute forcing modern encryption isn't practical.



That's impossible to judge, reading a sector without errors and reading the correct data from the sector aren't always the same thing. Example of a similar drive https://forum.hddguru.com/viewtopic.php?f=1&t=41032 as soon as SED is involved things get complicated very quickly.

_________________
Data Recovery Services in the UK.
https://www.usbrecovery.co.uk/

Translation:
Ace hasn't released SED v.2 decryption solution, so they aren't able to work with your drive.

As others said, this is a legit problem nowadays for most DR labs, however there is a solution to get your data back. As Lardman said, since they've imaged your drive, there is no real reason for them to keep it, is there?

As I see it, you have two options:
a) Wait for Ace to release the v.2 solution (it should be out sometime) and then they will hand you your data
b) Get the drive back in a decent condition and send it over to someone who knows how to tackle the encryption.

It's all a matter of how urgent your job is. If it's not urgent, i'd go for option a) to be honest.

_________________
http://www.northwind.gr
SandForce SSD Recovery
Ransomware Reverse Engineering - NoMoreRansom! partners

So there is a copy of the MCU key somewhere in the SA?


Will this "someone" transfer the MCU to a donor PCB, or are there people who can recover the key and use it to decrypt the data?

_________________
A backup a day keeps DR away.

If the drive's original board is good, then there are some other things to attempt.

_________________
Hard Disk Drive, SSD, USB Drive and RAID Data Recovery Specialist in Massachusetts

That's the right answer.

_________________
http://www.northwind.gr
SandForce SSD Recovery
Ransomware Reverse Engineering - NoMoreRansom! partners