All times are UTC - 5 hours [ DST ]




Post new topic Reply to topic  [ 9 posts ] 
Author Message
 Post subject: Mirroring drive gives different data
PostPosted: January 7th, 2018, 7:53 
Offline

Joined: October 20th, 2014, 5:25
Posts: 138
Location: Sweden
A customer came to me saying that her external 1TB drive stopped working, after her laptop upgraded itself to Windows 10 recently. I did some quick diagnostic, and can confirm the drive is working (SMART reports no errors, no bad blocks, etc).

When attaching the drive to a SATA-controller, this pops up:
Quote:
Jan 5 22:32:32 dr kernel: [177845.764146] ata5: SATA link up 3.0 Gbps (SStatus 123 SControl 300)
Jan 5 22:32:32 dr kernel: [177845.778246] ata5.00: ATA-8: WDC WD10EADS-11M2B1, 01.00A01, max UDMA/133
Jan 5 22:32:32 dr kernel: [177845.778250] ata5.00: 1953525168 sectors, multi 0: LBA48 NCQ (depth 31/32), AA
Jan 5 22:32:32 dr kernel: [177845.780439] ata5.00: configured for UDMA/133
Jan 5 22:32:32 dr kernel: [177845.780447] ata5: EH complete
Jan 5 22:32:32 dr kernel: [177845.780587] scsi 4:0:0:0: Direct-Access ATA WDC WD10EADS-11M 01.0 PQ: 0 ANSI: 5
Jan 5 22:32:32 dr kernel: [177845.780871] sd 4:0:0:0: [sdc] 1953525168 512-byte logical blocks: (1.00 TB/931 GiB)
Jan 5 22:32:32 dr kernel: [177845.780874] sd 4:0:0:0: [sdc] 4096-byte physical blocks
Jan 5 22:32:32 dr kernel: [177845.780882] sd 4:0:0:0: Attached scsi generic sg2 type 0
Jan 5 22:32:32 dr kernel: [177845.780934] sd 4:0:0:0: [sdc] Write Protect is off
Jan 5 22:32:32 dr kernel: [177845.780965] sd 4:0:0:0: [sdc] Write cache: enabled, read cache: enabled, doesn't support DPO or FUA
Jan 5 22:32:32 dr kernel: [177845.789330] sdc: unknown partition table
Jan 5 22:32:32 dr kernel: [177845.789687] sd 4:0:0:0: [sdc] Attached SCSI disk


"unknown partition table" matches her problem description; Windows said and asked "Drive in unreadable, do you want to format it?".

I cloned the drive with ddrescue and investigated the data. Neither I or DMDE found any valid data, no signatures or anything useful. In fact, the data seems to be completely random, and the first X blocks were zeroed.

So I reattached the drive and re-cloned it, just for the sake of it, and now the first X blocks were non-zero, but still random. Using dd, I copied the first 80MB data from both images and ran md5sum on them. This is the result:

Quote:
$ md5sum chunk*
ad29d704fc0956887d753c0e1ffaa8c1 chunk1
ea26b91aecfb10821c63d30270638e77 chunk2


Can anyone tell me what's going on? I am completely puzzled here as I have not seen this error before.


Top
 Profile  
 
 Post subject: Re: Mirroring drive gives different data
PostPosted: January 7th, 2018, 9:55 
Offline

Joined: October 16th, 2013, 13:21
Posts: 713
Location: Brazil
What happens and what information is read when you access the drive through the original usb enclosure ? Are the sectors in the start zeroed ?


Top
 Profile  
 
 Post subject: Re: Mirroring drive gives different data
PostPosted: January 7th, 2018, 14:01 
Offline

Joined: October 20th, 2014, 5:25
Posts: 138
Location: Sweden
Byte 0-1023:

Code:
$ hexdump -n 1024 -C chunk2
00000000  31 3e 35 5f 55 16 87 a6  2d 76 e6 f6 68 c5 c7 c3  |1>5_U...-v..h...|
00000010  60 c2 eb 76 d4 8e 92 b1  02 c9 fe c6 1e 96 a2 8f  |`..v............|
00000020  bf 7c f7 cf 39 02 99 a1  6e bd f9 63 cb 97 ec 63  |.|..9...n..c...c|
00000030  c4 c5 a4 7a e6 a6 92 23  75 a8 14 9a f8 b0 b9 5d  |...z...#u......]|
00000040  b1 0c de 98 5f 96 94 7c  ea 75 e8 c2 ab c4 eb e5  |...._..|.u......|
00000050  4b 53 3c 6b 48 47 84 4e  5f 98 72 cc f4 15 81 36  |KS<kHG.N_.r....6|
00000060  e9 5c d6 14 80 95 10 82  aa 43 4d dd 68 74 32 08  |.\.......CM.ht2.|
00000070  44 80 a0 66 93 98 30 22  83 4c 9d 58 35 b5 46 77  |D..f..0".L.X5.Fw|
00000080  b1 12 70 0c 79 af a5 41  db ca 09 e3 d5 3a 13 88  |..p.y..A.....:..|
00000090  a8 c4 cc 51 cb ac 01 b5  9a aa d4 8d 44 e8 ed 1f  |...Q........D...|
000000a0  57 00 10 fa 39 af 16 6f  fe 35 63 d9 1c bc 1c 2a  |W...9..o.5c....*|
000000b0  72 ce bf 75 3a 33 41 76  0e ef 2f 3c 27 72 01 45  |r..u:3Av../<'r.E|
000000c0  2d 26 a1 f7 12 6e ae f5  00 cc 2d 63 6f 86 37 8f  |-&...n....-co.7.|
000000d0  e0 bc bb 16 a0 6c 5a f4  3e 36 f4 ec 23 e7 ba 12  |.....lZ.>6..#...|
000000e0  e6 69 42 38 34 db b5 cf  36 13 32 0c a8 30 a5 24  |.iB84...6.2..0.$|
000000f0  26 74 27 62 a7 c9 a9 9f  d8 cf 38 6d af 33 19 7a  |&t'b......8m.3.z|
00000100  a2 5d 59 4d 8b 98 23 f1  70 e1 18 51 bd 6f 41 26  |.]YM..#.p..Q.oA&|
00000110  5c c9 d7 24 ca 38 00 7a  5b fd 0f ef cb 99 13 ac  |\..$.8.z[.......|
00000120  b9 38 3d bc 98 0b f9 13  e2 c6 a6 ee 72 fe e3 28  |.8=.........r..(|
00000130  ff ae 76 2a 04 77 0b 2d  31 67 14 3e 4f 01 c0 e4  |..v*.w.-1g.>O...|
00000140  64 aa 82 ab 83 e4 70 9a  a6 b0 22 e0 00 96 78 a7  |d.....p..."...x.|
00000150  49 b4 f6 fe ef de 11 2b  87 95 87 eb 1a 62 81 ba  |I......+.....b..|
00000160  1c 16 39 1c 0c 8f 88 1d  49 68 bc 47 ac df 96 a2  |..9.....Ih.G....|
00000170  c6 31 22 73 26 5c 0a ce  9b 80 93 74 7b d3 0d 3b  |.1"s&\.....t{..;|
00000180  de 45 a2 9c 0d 2e 77 56  18 74 87 79 06 27 35 9a  |.E....wV.t.y.'5.|
*
000001b0  c2 a5 ee c7 b6 09 d3 dc  ea 3a fd 17 5e d1 b2 44  |.........:..^..D|
000001c0  99 40 2f b8 a3 f7 41 7f  55 06 03 2b 0d dd 4b 82  |.@/...A.U..+..K.|
000001d0  de 45 a2 9c 0d 2e 77 56  18 74 87 79 06 27 35 9a  |.E....wV.t.y.'5.|
*
000001f0  ed 0b b7 f3 b3 8d 98 43  94 8c 4c 38 06 bf ec 50  |.......C..L8...P|
00000200  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000400


rogfanther wrote:
What happens and what information is read when you access the drive through the original usb enclosure ? Are the sectors in the start zeroed ?

I tried to run the drive using the enclosure, but it won't even start-up properly. The drive chugs and is on the verge spinning up but doesn't manage to do it properly, and repeats ad infinitum. I will try another drive with the enclosure and see if the behaviour is the same, or changed. The enclosure PCB looks undamaged, so does the drive PCB.

My systems are all clean, and the customer is still using her laptop (which she used with this drive) and it works without any hassle. I can ofcourse not rule out any encrypting malware since I haven't investigated the laptop, but other than that I don't know.


Top
 Profile  
 
 Post subject: Re: Mirroring drive gives different data
PostPosted: January 7th, 2018, 15:12 
Offline

Joined: October 20th, 2014, 5:25
Posts: 138
Location: Sweden
Now I tried the enclosure with another power supply, and the disk is magically detected as if nothing happened:

Quote:
Jan 7 20:09:40 storage kernel: [37364249.440248] usb 1-2: new high-speed USB device number 92 using ehci_hcd
Jan 7 20:09:40 storage kernel: [37364249.573939] usb 1-2: New USB device found, idVendor=1058, idProduct=1110
Jan 7 20:09:40 storage kernel: [37364249.573952] usb 1-2: New USB device strings: Mfr=1, Product=2, SerialNumber=3
Jan 7 20:09:40 storage kernel: [37364249.573962] usb 1-2: Product: My Book 1110
Jan 7 20:09:40 storage kernel: [37364249.573969] usb 1-2: Manufacturer: Western Digital
Jan 7 20:09:40 storage kernel: [37364249.573976] usb 1-2: SerialNumber: 574341563533343231343130
Jan 7 20:09:40 storage kernel: [37364249.575470] scsi95 : usb-storage 1-2:1.0
Jan 7 20:09:41 storage kernel: [37364250.574489] scsi 95:0:0:0: Direct-Access WD My Book 1110 1030 PQ: 0 ANSI: 4
Jan 7 20:09:41 storage kernel: [37364250.575610] scsi 95:0:0:1: CD-ROM WD Virtual CD 1110 1030 PQ: 0 ANSI: 4
Jan 7 20:09:41 storage kernel: [37364250.576596] scsi 95:0:0:2: Enclosure WD SES Device 1030 PQ: 0 ANSI: 4
Jan 7 20:09:41 storage kernel: [37364250.578751] sd 95:0:0:0: Attached scsi generic sg5 type 0
Jan 7 20:09:41 storage kernel: [37364250.582244] sd 95:0:0:0: [sdf] 1952151552 512-byte logical blocks: (999 GB/930 GiB)
Jan 7 20:09:41 storage kernel: [37364250.585253] sd 95:0:0:0: [sdf] Write Protect is off
Jan 7 20:09:41 storage kernel: [37364250.586868] sr0: scsi3-mmc drive: 51x/51x caddy
Jan 7 20:09:41 storage kernel: [37364250.588239] sr 95:0:0:1: Attached scsi generic sg6 type 5
Jan 7 20:09:41 storage kernel: [37364250.588584] scsi 95:0:0:2: Attached scsi generic sg7 type 13
Jan 7 20:09:41 storage kernel: [37364250.668128] sdf: sdf1
Jan 7 20:09:41 storage kernel: [37364250.687378] sd 95:0:0:0: [sdf] Attached SCSI disk
Jan 7 20:09:41 storage kernel: [37364250.691025] ses 95:0:0:2: Attached Enclosure device

$ fdisk -l /dev/sdf

Disk /dev/sdf: 999.5 GB, 999501594624 bytes
255 heads, 63 sectors/track, 121515 cylinders, total 1952151552 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x0002ae3f

Device Boot Start End Blocks Id System
/dev/sdf1 2048 1952151551 976074752 7 HPFS/NTFS/exFAT


Interesting.

So the enclosure PCB/firmware does something fishy with the actual data.


Top
 Profile  
 
 Post subject: Re: Mirroring drive gives different data
PostPosted: January 7th, 2018, 15:41 
Offline

Joined: October 20th, 2014, 5:25
Posts: 138
Location: Sweden
I'm rage-cloning the drive at this very moment! ;)


Top
 Profile  
 
 Post subject: Re: Mirroring drive gives different data
PostPosted: January 7th, 2018, 16:38 
Offline
User avatar

Joined: September 8th, 2009, 18:21
Posts: 15461
Location: Australia
These lines look like encrypted zeros:

Code:
00000180  de 45 a2 9c 0d 2e 77 56  18 74 87 79 06 27 35 9a  |.E....wV.t.y.'5.|
*
000001d0  de 45 a2 9c 0d 2e 77 56  18 74 87 79 06 27 35 9a  |.E....wV.t.y.'5.|
*

_________________
A backup a day keeps DR away.


Top
 Profile  
 
 Post subject: Re: Mirroring drive gives different data
PostPosted: January 7th, 2018, 17:48 
Offline

Joined: October 20th, 2014, 5:25
Posts: 138
Location: Sweden
Why would any manufacturer make such a solution that encrypts the drive?

If someone steals the whole enclosure there won't be any problems reading the contents, since it decrypts on the fly.

And, if the controller burns, you (the owner) are toasted since you obviously can't read the data using a hdd-dock.

So, again; /why/ would anyone make such a solution?


Top
 Profile  
 
 Post subject: Re: Mirroring drive gives different data
PostPosted: January 7th, 2018, 18:02 
Offline
User avatar

Joined: September 8th, 2009, 18:21
Posts: 15461
Location: Australia
bos wrote:
So, again; /why/ would anyone make such a solution?

http://www.hddoracle.com/viewtopic.php?f=3&t=1974&p=12048#p12048

_________________
A backup a day keeps DR away.


Top
 Profile  
 
 Post subject: Re: Mirroring drive gives different data
PostPosted: January 7th, 2018, 18:09 
Offline

Joined: October 20th, 2014, 5:25
Posts: 138
Location: Sweden
That made sense. Thanks.


Top
 Profile  
 
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 9 posts ] 

All times are UTC - 5 hours [ DST ]


Who is online

Users browsing this forum: No registered users and 69 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB © 2000, 2002, 2005, 2007 phpBB Group