Hi everyone.

I've been lurking this forum (and I must confess HDD oracle) for a while now, and finally I've grown courage to register.

Here's my story.

I've been working on IT for 5 years now, the last 2 the company that I work for started doing some *data recovery* services for our clients.

This was my idea, but we still outsource tons of works. Why ?

a) I'm the only person working in this service.
b) We can't afford the hardware and specially the training needed for harder recoveries. - I'm kinda limited to MHDD(wich allows me to pre-diagnose and give a price range to the client before starting the outsourcing process) Testdisk, DDRESCUE and some other windows tools that basically are never used unless the client has 0 background in IT.
c) I just don't have enough experience and I don't feel well trying new stuff in clients drives.

However we are starting to get WAY more flash drives / ssd's every month then regular hdd's and I really believe, that I could be doing more recoveries if I can persuade my boss to invest in ssd/flash hardware and training.

I'm not looking for a easy DIY solution, I'm looking for guidance on where to start, where to focus before moving on to harder subjects and what backgrounds would be usefull (e.g: soldering skills, electronics, et cetera...)

If it's not asking to much, if HaQue and Sasha could give me their 5 cent's I would be very happy since I've been reading many stuff / work from them.


Sorry for this wall of text, thanks

edit: and Spildit, I've also looked previously at your firmware research for the Quantum drives, I would never knew there was such dr-god in my country, :p

To start, read Rusolut website "cover to cover". from here there will be a metric tonne of stuff that you will need to research further, and the stuff you are not sure about, plug into google and familiarise yourself with it.

Flash is a unique beast in that it look REAL simple.. a < 30cent controller chip, basic circuit board with a dozen or less components and a memory chip or 2. Memory chip *should* be simple as we have ONFI, and protocol is fairly straightforward. But in reality, I have over 500 drives and I would barely have 10 pairs that are alike in every way.

- memory chip personalities that make it interesting to read different chips.
- a huge amount of page structures. many different brands with similar ideas in implementation, but subtle differences.
- the black box of never really knowing what is wrong, just striving for the best result based on experience (there are few manuals)
- 3 players in the tool market, each with their own attributes, support for devices.
- monoliths which can be exactly the same recovery as a flash drive, or much different.
-SSD's, new technology coming out like Modern chips, VNAND, 3d... etc etc.
- different encryption stuff, ecc, BCH, XOR etc
- very crappy TLC NAND chips

So don't be fooled by its simplicity. You will be spending quite a bit of time learning, and you never know what is going to come through the door.

First mistake is to decide to do flash and start collecting data, researching the web looking for flash tutorials, or other help, going through forums etc. Don't waste too much time thinking you will collect all this info, and some time in the future you will be prepared and then can start.

what you can do without tools:
learn FAT32, exFAT, NTFS filesystems, get familiar with HEX and knowing how to parse a Filesystem. Grab DMDE and image a few drives. learn how to navigate the image and extract files from a drive that just have a logical issue.
grab some NAND Datasheets and familiarize your self with the applicable parts of it - pinouts, page/block/plane/LUN meanings and structures.

Tools:
stereo microscope (required)
good soldering and SMD rework station a plus/hot air station/infrared...whatever you feel comfortable with.
flash Tools: VNR from rusolut, ACE Lab PC3K, Soft Center flash extractor. most serious labs have all 3 tools, and if you enjoy dusting and wasting money, get the Salvation Data flash Doctor..
I am biased towards VNR as I know how much work is going into it to support modern chips, so I wont go into the which tool debate.

Time: Flash recovery on any decent scale takes a LOT of time.

you basically just have to start doing in and follow your nose. the 2 VNR books are extremely good in bringing together all the main concepts of flash recovery, with examples. everytime something new or unknow presents itself - learn about it, but don't try to go out looking for the bible on Flash.. it doesn't exist..

HTH

Thank you so much for your reply.

When I did this post I had the feeling that I was looking for a answer with the wrong question , but I have something to put my hands on now.

I already have a soldering / SMD rework station with a hot air gun.

I've been reading about mostly TSOP48, and the tools, I'm breathing VNR at the moment, + they are going to add new adapters soon.

I know the basics about those filesystems, but I'm not good at HEX, however I believe I can find enough info to change that.

Thank you again for the input, it's really sad you are on the other side of the world, would be awesome to outsource some jobs to you.

Being on the other side of the world didn't stop people from US, Netherlands, UK, etc.
also if you have a reader and can read dumps of NANDS, transferring files over has never been easier

for HEX, once you start to "get it" it is not so bad. main points is that you have to use the base number system in the right place.. sometimes it is easier to use dec, sometimes hex.
Example page 21C0, Block 21C000, plane 21C000000, might be easier than 8640, 2211840, 9059696640

when we are talking about pages relating to chips we often say 4k or 8k but in the software, most times it entered in as page size: 2112, 9216, 17664 or whatever.

Examples:

good things to know offhand, seems trivial but knowing without thinking about it is a plus and helps you recognise data structures or to quickly see when there is problems in things you are working on:
0x800 doubled is x1000
0x8000 doubled is 0x10000 etc..
512 bytes(sector) is 0x200
counting sectors: 512,1024,1536,2048 or 0x200,0x400,0x600,0x800 etc
common sizes: 1024,2048,4096,8192 or 0x400,0x800,0x1000,0x2000

Windows calculator: enter any hex value with calc options set on "Programmer" and "hex" click dec radio button for instant conversion.

WARNING: when in programmer mode, if multiplying and dividing numbers, they are rounded off. so all of the following produce the same answer:

2048 / 512 = 4
2056 / 512 = 4
2559 / 512 = 4
0x800 / 0x200 = 0x4
0x8E1 / 0x200 = 0x4

get in the habit of hex notation. I try and stick to at least 0x in front of all hex numbers. All offsets of files use 8 digits:

0x0000001
0x0004000
etc

Data structures recognition and knowing when to disregard the ASCII as text and recognise it is a hex number of significance, for instance FAT32 table, you see a, b, c, d etc repeated, but it has nothing to do with "a" or "b".. the significance is that it is the numbers

knowing hex well is powerful

BTW, what does "breathing VNR" mean?

Regards

Breathing VNR means it will be my first choice.

I've really enjoyed the sample cases solution, their support is awesome and well the prices are fair. Even though it seems disturbing at first to spend so much cash in a tool, I clearly understand that the research time and the skills of the team who created the device must be rewarded in order to keep evolving...

thanks!

_________________
BTC Wallet - 3AoQPTBsz9PbfoanCx44Lw76Y2TwtKa1x5
Instagram https://www.instagram.com/datarecovery_morde.pt/

Just to say hi and thanks for your comment

I'm more intro doing research and learning from experimentations but unfortunatly I'm doing all of my work on "classic" hard drives only (not flash and not SSD) as my skills with soldering and messing with components are not that great .... And my experimentations are mainly aimed at firmware (not replacing head stacks of the drives for recovery).

I do have some other R&D topics that you might want to take a look like the HItachi - IBM drives experiments - http://www.hddoracle.com/viewtopic.php?f=59&t=1236 - but then again i'm not working on data recovery as a professional, i'm doing this just as an "hobby" !!!

Best regards and once again thanks for your comment

_________________
1Q9xrDTzTddUXeJAFRn37aqh1Yr6buDCdw - (Bitcoin Donations)
paypal.me/Spildit - (PayPal Donations)
The HDD Oracle - Platform for OPEN research on Data Recovery.

Spildit when are you going to move to the future and work on SSDs? we need someone insanely inquisitive busting open these.. Maxtors? cmon let them join winXP and RIP

lol

_________________
1Q9xrDTzTddUXeJAFRn37aqh1Yr6buDCdw - (Bitcoin Donations)
paypal.me/Spildit - (PayPal Donations)
The HDD Oracle - Platform for OPEN research on Data Recovery.

Not that easy without advanced tools to work on SSD, as SSDs are more like HDDs in certain ways.

_________________
Hard Disk Drive, SSD, USB Drive and RAID Data Recovery Specialist in Massachusetts

If you buy the MRT Pro you can buy the card for $360 and you get 1 months access to the software. After this it is $150 every time you top up the software. Usually this lasts 1 month, but if you don't top up you can top up within 90 days to keep the card active. Obviously after 1 month the software stops working, but it is a cheap way to get into recovery.

I think more companies should offer this type of pricing for their products.

Rusolut's VNR is also pretty cheap for what you're getting.

I think both of those products should be within your companie's budget.

I don't work on HDDs often, that's interesting. I was looking at SSDs as just Flash Drives with a superiority Complex. can you elaborate in some of the things that SSD are more like HDDs?


I agree to some extent, but I think a decent toolkit is probably already 1/2 way there in the labs of most people here.. maybe the following:

- Decent logic analyser.
- Microscope.
- JTAG tools and software.
- IDA Pro.
- Docs of relevant specs such as SATA, NAND Chips, Algorithms or other IP used that you can Identify
- Any open source code used in the firmware
- Any research already done by other Hardware Hackers.
- Lots and lots and lots (and lots) of time <-- most important
- Determination/obsession. <-- second most important

Looking through the first SSD Firmware, there is quite a few string where the coder has put things like the before mentioned "Very Bad!", there is debug info, even full paths of the programmers toolchain, compiler strings, use of open source compression libraries for "encrypting" the firmware. I don't think the stuff is any more advanced than anything else.

This may sound silly, and again, escuse me ignorance, but I'm trying to make my way in without financial suport from my company.

I've read this: https://www.blackhat.com/docs/us-14/materials/us-14-Oh-Reverse-Engineering-Flash-Memory-For-Fun-And-Benefit-WP.pdf

And I've ordered the board and some adapters out of ebay to do some experimenting...

I don't really know if anyone here "wasted" time looking into this, but I'll input feedback once i get my hands on the tsop48 adapter.

_________________
BTC Wallet - 3AoQPTBsz9PbfoanCx44Lw76Y2TwtKa1x5
Instagram https://www.instagram.com/datarecovery_morde.pt/

Many of the tools you suggested are for work at NAND level.
I was referring more to firmware type of problems. In such cases there are no issues with NAND.

As far as the SSD being similar to HDD comment, again, in relation to architecture, ATA command set protocols.

Tools? One example is PC3K SSD.

_________________
Hard Disk Drive, SSD, USB Drive and RAID Data Recovery Specialist in Massachusetts