Steve, that is a great point. I had sent the guy asking the question an email directly with the info he asked for. However, I will post the information here. In addition to this, on the SANS page here there are 5 pages written up on what the seated class entails. The links are on the right of this page:
http://www.sans.org/info/37599

The seated class evolves and continues to add new material and tools each class. The Distance Learning class is a class in a box, the only difference being that in the distance learning there is a hard drive with all of the days videotaped as well as videos of the labs. $1000 of tools are included in the package so that you can do your own platter swaps, rebuilds, head stack swaps, etc. The primary tool being the platter replacement kit (HPE) from Salvation Data.
These are the basic details from the class covering a very broad set of topics.
Data Recovery Forensics
We perform labs repairing damaged drives, recovering corrupted information from operating systems, and using affordable Windows software tools so you can perform jobs successfully yourself when you leave this class. You will recover information in the lab from RAID 0/5 arrays, NTFS, Mac OSX, and Linux file systems EXT 2/3 and Reiser. Everything will be provided for you in this class including laptops. Every forensics or data recovery specialist needs to know the information that is taught in this class!
Day One
On day one we will introduce you to the basic hardware equipment used by data recovery professionals. We will discuss each tool, its purpose, as well as the pros and cons of each tool. This will begin to give you the vocabulary and basic knowledge, the groundwork needed to be able to continue discussions of what is possible in the lecture over the next few days. Some of the tools we will be looking at will be head combs, the PC3000, the Deepspar Forensic Disk Imager, Salvation Data's Data Compass, the HPE Platter Extractor tools as well as a few others like the PSI Cyclone and Hammers.
We will break down the four main phases of data recovery. We will then discuss the myths surrounding hard drives and dispel some of the existing beliefs so that we can start to understand the truth versus marketing or false information.
We will then start with the anatomy of the drive and begin to break down what each item is, what it is called, and what its function is. A hard drive has an extremely large amount of planning involved with each part and function in it. There is nothing in a hard drive that is extra and that does not have a purpose. We will review each of the physical attributes and how they affect your ability to recover the data from the drive. Items discussed will include the Actuator Assembly, the Voice Coil, the locking pins, the Pre-Amp, the circuit boards, the motor and spindle, as well as the platters themselves that contain your data. We will even discuss the landing zone and the purpose and locations of the parking locations and why they were chosen.
We will review the goals of the labs and display examples of what you will be performing during the lab and what order it will be executed in. There will also be a process for building your own head replacement tools from foil and foam that is better than most head combs that exist.
During the labs you will mount hard drives using USB connectors, format the drive and put data on the drive that you will attempt to recover after you completely break the hard drive down to bare metal. You are going to very carefully disassemble two hard drives during the lab and extract all the parts including the head stack assembly, the printed circuit board, the IC circuit board, and finally the platters themselves. You will then reassemble each piece and attempt to get the drive working again. You will most likely not be successful on the first attempt so over the next two days we will do a total of five drives. At this point you will start to get a better grasp on the puzzle pieces like the locking pin assembly and the spacer for the heads.
While this lab is progressing, I will be walking around helping and mentoring people doing this function. Many times I will give advice to all students and may call people over to look at a particular hard drive, as each drive is different. You will get an assortment of drives so you will get the advantage of seeing variety and the different way each drive is manufactured. This will increase your skills at recognizing processes and parts as you learn this process.
After you have experience with the internals of the drive and now have a better grasp of the basics, I will show you a few videos and pictures of drives I have disassembled and repaired and recovered data from.
We will close the day with a display of how to match hard drives for donor drives. This is where you will learn what you need to acquire your parts to rebuild your damaged hard drives.
Day Two
Now that you have a basic understanding of the physical attributes of the drive, we will move to the more logical functions controlled by the drive and the internals of initialization processes done by the drive at the power on cycle.
As we move into the heads and cover those functions, we can discuss the content in each of those items read by the heads. Primarily this is addressed by the contents of the System Area, referred to as the SA area. This will lead us into the UBA blocks, P-Lists, G-Lists, ECC, Zone Tables, and Password tables. As we cross over into the platters we will start with a breakdown of the cylinder structure vs. zone tables. The servo arcs and geographical information surrounding the platters will be affected since we have switched to voice coils over stepping motors.
Now that we know how the data arrives at the heads as it passes through the preamp, we will look at the content that is encoded and built around randomization patterns to be written to the platters as a sector. We cover the content encoded in that sector and each location and what it looks like. This is the introduction to error codes that you will get tied back to the data recovery hardware and software covered in lecture on the first day. We will have in-depth information about the servo data, the addresses on the drive and locations in respect to the head, sector, and cylinder boundaries.
As we discuss this content and introduce each type of error, I will break the errors down logically so they can be understood based on the data recovery equipment and software used. This will include the error codes and status flags.
Now that you have an even better understanding of the sensitivity of the hard drive and how everything affects the heads, platters and alignment and how even a small amount of change can affect the drive, you will be given three more drives today. We will do the same functions we did on day one while being much more careful. We will format the drives, copy files to the drive for us to recover, then break the drives down to bare metal. Following that we will reassemble and attempt to recover the data we wrote earlier.
Day Three
Beginning on Day three we will put away all the physical rebuild components and begin to focus on the imaging and logical corruption and repair. We now have the skills to physically repair drives and get them working again; now we need to deal with the content and acquire the data and repair any corruption that might have occurred. We begin the day looking at standard ways of imaging content.
We will also have carefully crafted USB Memory Sticks that contain NTFS file systems (usually FAT is used on small drives) and are corrupted exactly like you will see on drives in your lab. We then begin by using tools like FTK Imager, DriveImage XML and Media Tools Pro, all of which have special advantages and disadvantages. After you have a clear understanding of the way software imaging looks, I will demonstrate a high-end data recovery tool like the Deepspar Forensics Disk Imager and show you the capabilities and what all the functions do. I will educate you on how to do a repair on sectors and copy a damaged drive using this tool on a sample damaged hard drive. This will be followed by an example of Salvation Data’s Data Compass and the functions it supplies on the fly and the protection it offers for damaged hard drives.
We will close out the second phase of data recovery, drive imaging, and move into the third phase, which involves file systems and corruption after the image is made. Again we will use a carefully crafted USB memory stick, which will not properly mount NTFS, and we will step through how you can recover or repair and see the content in the MFT using tools and find the location of the files you wish to recover. The major part of this will include discussions of file systems and labs in which I will explain the advantages and disadvantages of each tool and show you all the items that are special about the tools.
We will have several labs that you will do that demonstrate how you can see and recover data from corrupt drives. That includes reviewing partition structures including the GUID Partition Structure, recovering from NTFS when it won’t mount. The labs will include the use of Disk Explorer for NTFS and its special qualities that make it a superb data recovery tool when used in parallel with GetDataBack for NTFS. We will also review an NTFS drive using Testdisk.
Day Four
On day four we will spend the first half of the day finishing up logical structures of the top three operating systems followed by lecture and lab on assembling RAID 0 and RAID 5 arrays. We start the day finishing up Windows and NTFS with the unusual differences between Vista and XP with regards to data recovery. This includes options like Shadow Copy file recovery, changes to the structure of files in the recycle bin as well as info2 files.
We then move on to Mac OSX HFS+ partitions when Mac OS X can’t repair or recover from them. During these sections we will use reference material and discuss the nature of each operating system touching on its basic format and file structure. Labs during this day will include HFSExplorer where we can see the B* Tree structure stored in the Mac OSX Catalog. We will then move on to examining the basic functions and software available to recover Linux EXT 2/3 and Reiser partitions. There are additional tools used to recover and rebuild Linux that will include tools like R-Studio and Disk Explorer for Linux.
In the afternoon we will begin with an examination of the HPA’s (host protected area) effect on JBOD, how to review custom arrays created by different manufacturers and then cross over into RAID 0/5 arrays. We are only addressing the functions necessary to recreate the RAID arrays to be able to retrieve data from them, not to rebuild them to be able to put the array back in place. We are only interested in the ability to acquire data from the drives and be able to deliver that content back to whomever needs it.
The labs for RAID 0 and RAID 5 will include several premade images, which we will process. Rebuilding these arrays can be done several ways and will require a lot of time. I will show you what happens when you have the settings for RAID wrong, quick and easy ways to identify the problems and how to find the correct settings by doing entropy by sight or sound and correcting the issues so you can do a successful recovery. I will also demonstrate how you can do some of these functions faster using other tools like X-Ways Forensics, R-Studio and RAID Reconstructor.
Day Five
On day five we view information about Solid State Drives. We focus on what happens over time to data on solid state drives, and how solid state drives function. We will cover the lower level functions that are different than a physical hard drive and why that is important to data recovery and forensics. I will display some screen shots of some research I have done capturing dd images of solid state drives at different times and what has happened to the data. You will be amazed to find out the effect on unallocated and file slack space and defragmentation. This will lead us to discussions about the impact solid state will have on the future of forensics and data recovery and possible issues we may have getting recovered content admitted into court. This will also include a discussion about a newer FAT file system, FAT64, and the purpose that it was developed to solve.
I will have some new information about the future of storage and changes to hard drives, as well as flash media and introductory information about new technology called Domain Walls or RaceTrack Memory under development by the same designer of the current head technology on the hard drive. The lifespan of current media and shelf life of flash media as long term storage will be reviewed, and we will discuss alternative methods of keeping data safe or how to refresh the content so that it will remain intact if you have to store forensic data for years to come.
In addition, during a recovery, there are some issues with security on drives that do not involve encryption, such as GUID/SID folder protection. These items will keep you from knowing the data is on the drive, and since it is “invisible” during the data recovery phase it is possible you might miss extracting important content. We will discuss ways to get around this “file protection” in the different operating systems.
As we wind down to close the fifth day we will cover a few of the unique items that are functions of the drive that might affect your ability to get an image, such as TPM, hard drive passwords, flash updates to the drive, translator tables, and secure erase wiping tools built into the motherboard and drive for high speed wiping. We will also cover how the HPA can be used for many other functions such as Lo-Jack for laptops, or resizing a drive to limit software recovery.
Scott A. Moulton
SANS Instructor for SEC606
Forensic Data Recovery
http://www.sans.org/info/37599
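The day-four RAID lab above describes finding the correct array settings by checking whether content is continuous across stripe boundaries ("entropy by sight"). The script below is an added example, not part of the post or the SEC606 course material, that automates that check for RAID 0: it constructs three member images from sequentially numbered sample records (the constructed records stand in for the log or text data a recovery analyst would inspect by eye), then brute-forces stripe size and member order, scoring each candidate by how many records continue unbroken. All record formats, sizes and the scoring heuristic are assumptions of this example; RAID 5 would additionally need a search over parity rotation, which is not shown.

```python
import itertools
import re
from typing import Dict, Sequence, Tuple

# Constructed marker format: each record is 39 bytes, a length that divides none
# of the candidate stripe sizes, so records straddle stripe boundaries and a
# wrong layout shows up as a torn record or a broken numeric sequence.
RECORD_RE = re.compile(rb"^entry (\d{6}) constructed sample record$")


def make_sample_data(total_bytes: int) -> bytes:
    """Build constructed, sequentially numbered records (stand-in for log data)."""
    out = bytearray()
    i = 0
    while len(out) < total_bytes:
        out += b"entry %06d constructed sample record\n" % i
        i += 1
    return bytes(out[:total_bytes])


def stripe_raid0(data: bytes, stripe_size: int, logical_order: Sequence[int]) -> Dict[int, bytes]:
    """Simulate a RAID 0 controller: deal fixed-size stripes round-robin to members."""
    members = {d: bytearray() for d in logical_order}
    for stripe_no, off in enumerate(range(0, len(data), stripe_size)):
        member = logical_order[stripe_no % len(logical_order)]
        members[member] += data[off:off + stripe_size]
    return {d: bytes(v) for d, v in members.items()}


def reassemble_raid0(members: Dict[int, bytes], stripe_size: int, order: Sequence[int]) -> bytes:
    """Interleave member images under a candidate stripe size and member order."""
    stripes_per_member = len(members[order[0]]) // stripe_size  # assumes equal-size members
    out = bytearray()
    for s in range(stripes_per_member):
        for d in order:
            out += members[d][s * stripe_size:(s + 1) * stripe_size]
    return bytes(out)


def continuity_score(blob: bytes) -> int:
    """Count record-to-record continuations. A wrong layout tears a record at
    every stripe boundary and breaks the numbering, so the true layout scores highest."""
    score, prev = 0, None
    for line in blob.split(b"\n"):
        m = RECORD_RE.match(line)
        if not m:
            prev = None  # a torn record ends the current run
            continue
        n = int(m.group(1))
        if prev is not None and n == prev + 1:
            score += 1
        prev = n
    return score


def recover_raid0_layout(members: Dict[int, bytes],
                         stripe_sizes=(512, 1024, 2048, 4096, 8192)) -> Tuple[int, int, Tuple[int, ...]]:
    """Brute-force stripe size and member order; return (score, stripe_size, order)."""
    best = None
    for size in stripe_sizes:
        for order in itertools.permutations(sorted(members)):
            score = continuity_score(reassemble_raid0(members, size, order))
            if best is None or score > best[0]:
                best = (score, size, order)
    return best


if __name__ == "__main__":
    # Constructed scenario: three members, 4 KiB stripes, logical order 1 -> 2 -> 0.
    original = make_sample_data(3 * 4 * 4096)
    members = stripe_raid0(original, 4096, (1, 2, 0))
    score, size, order = recover_raid0_layout(members)
    print(f"best guess: stripe={size} order={order} score={score}")
    print("matches original:", reassemble_raid0(members, size, order) == original)
```

On real member images the numbered-record marker would be replaced by whatever continuity signal the data offers (text lines, file system structures, or the entropy profile the post mentions); the search loop and the "highest continuity wins" rule stay the same, and a tie between candidates is the cue to widen the stripe-size list or look at a different region of the images.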