
When Your Backup Fails


Data recovery | Data management | Electronic Evidence

Data recovery presentation
• Impact of data loss
• HDD
• SSD
• Logical puzzle
• What can you do yourself

Impact of Data Loss

Cost of Downtime
[Charts: Enterprise – Average Cost of Downtime; Cost-per-hour of critical servers being down (USD); Percentage of server backups tested when testing for recoverability (%)]

Costs of Downtime and Data Loss
• Impact - Why should you care?
• IT downtime costs North American companies $26.5 billion per year
• Companies with an outage lasting for more than 10 days
  • Will never fully recover financially
  • 50% out of business within 5 years

HDD Recovery

Overview – HDD Recovery
PHYSICAL DAMAGE
• Types: Head crashes, failed motors
• Indicators: Clicking, beeping or scratching
• Recovery technique: Repair damaged part in a Class 100 cleanroom
LOGICAL DAMAGE
• Types: Corrupted partitions, file system or media errors, overwritten data
• Indicators: Damaged logical structures
• Recovery technique: Repair logical structures via data recovery software
Proprietary | Kroll Ontrack

Data Loss Situations
• Hardware failure 44%
• Human error 32%
• Natural Disasters 3%
• Virus 7%
• Software malfunctions 14%
Source: Ontrack Data International

Hard Drive Internals
[Figure: Microscope view of magnetized bits on a platter]
• Spinning hard drives look like a record player with one or more disks (platters) and a read/write head on each side of each platter.
• Hard drives store data by magnetizing parts of the disks and store data sequentially.
• A cleanroom environment is necessary in the majority of recoveries.

Anatomy of a Hard Drive
[Figure labels: Voice coil, Magnet, Actuator Arm, Spindle Motor, Flex strip, Preamplifier, Magnetic Disks, RW heads]
[Figure labels: Track 0, Track 1, numbered sectors, ECC, Data, Header, Sector, Cyl 0, Cyl 1, Carriage, Head number 0 to 5, Spindle]

Physical tolerances
[Figure labels: Read / Write Head, Human hair, Dust particle, Smoke particle, Finger print]

Physical tolerances
• 3 TB Hard Disk
  • Areal density 444 Gb/Sqin
  • Track density 270.000 TPI
  • Linear density 1.383.000 BPI
  • Flight distance 5 to 10 nm
  • Self-calibration procedure
• Environmental characteristics

Physical damage, statistics
• Electronics 16 %
• Water/Fire 3 %
• Mechanics 17 %
• Shock 8 %
• Crash 56 %

HDD Roadmap – HDD GAP
Performance Increase:
• CPU 8-10x
• DRAM 7-9x
• Network 100x
• Bus 20x
Capacity Roadmap:
• Heat Assisted Magnetic Recording (HAMR)
• Bit Patterned Media (BPM)
• Shingled Magnetic Recording (SMR)
Performance GAP: Disk Drive 1.2x

HDD vs SSD

Manufacturers: HDD
[Graphic. Source: Chris Ritter, Buzzfeed.com]

SSD Findings

Data Recovery from SSDs
PHYSICAL DAMAGE
• Types: Electronics failure
• Indicators: Typically no signs of impending failure
• Recovery technique: This can include decoding complex SSD data structures or specialised controller chips
LOGICAL DAMAGE
• Types: Human error (deletion, formatting, virus), corrupted system area, file system, firmware
• Indicators: No main signs of impending failure
• Recovery technique: Dynamic storage means that recovery can take much longer in some cases. With system area corruption, this needs to be repaired before recovery is possible.

Types of Flash/SSD Failures
• User Error/Environmental Influences
  • Fire/Water Damage
  • Broken Connector/Physical Damage
  • Deleted Data
  • Virus
• Electronics Component Failure
  • Flash Controller
  • Flash NAND Memory Chip
  • Voltage Regulator
• System Area Corruption
  • Erased/Corrupted Mapping Table
  • Erased/Corrupted Firmware

Solid State Drive - SSD

Solid State Drive Internals
[Figure labels: Controller Chip, Memory Chips Removed, Connector, Memory Chips]
• Solid State Drives have no moving parts.
• The data is not stored sequentially on the chips so the engineer must re-assemble the data, similar to a RAID recovery.

SSD Recovery
• Challenge of Flash/SSD Storage Devices
  • Flash Translation Layer (FTL); Proprietary to OEM
  • Usable blocks are mapped in controller NVRAM
  • Wear levelling
  • Blocks marked for erasure not immediate – garbage collection delay
  • Corrupt block mapping prevents normal erasure process – leaves data intact and vulnerable

Memory Chips - Blocks - Pages
• Page [smallest Unit]: 4 KB or 8 KB
• Block [128 Pages = 1 Block]
  • Possible status: free, filled with data, marked for deletion, bad
  • Smallest Unit to delete!
• Memory-Chip [ n Blocks = 1 Chip ]

NAND-Flash Type
Source: SAMSUNG
• SLC = Single Level Cell: Highest endurance; Highest performance; Most expensive
• MLC = Multi Level Cell: Moderate cost; Read intense apps; Web server
• eMLC = Enterprise MLC: Higher security at moderate cost; Database apps
• TLC = Triple Level Cell: Low cost; High density; Consumer Electronics

Endurance SSD – Example Server Database
Endurance of flash chips is device related but predictable:
(Capacity x Write Capacity) / Write Bandwidth
• SLC: (1TB*100.000/500MBps) = 6,3 years
• eMLC: (1TB*30.000/500MBps) ~ 2 years
• MLC: (1TB*3.000/500MBps) < 1 year
Source: Kurt Gercke, IBM Storage
A normal office user with their PC writes 20 – 60 GB/day, i.e. a 1 TB SSD lasts, purely in terms of capacity/arithmetic, 400 years.

SSD in a Server Environment
Not Ideal
• High transactions
• Massive write processes: transaction server, database server
• > 1000 GB/day
OK
• Application server
• Delivery server: Web-Server, FileServer, Media Server
• Some 100 GB/day
Good
• System storage
• VM Hosts, Small Business Server
• < 100 GB/day

Deliveries HDD vs. SSD in millions
[Chart. Source: Objective Analysis Data 2012, Coughlin and Associates 2012]

Development SSD / HDD Data Recovery Jobs 2008-2012
[Chart]

Comparison Media Type vs. Data Recoveries
• Conclusion: If you compare the delivered hard disks (HDD vs. SSD) with the amount of data recoveries between 2009 and 2012, no advantage of the SSD technology can be seen.

SSD Manufacturers
• Six Chip Manufacturers but > 200 SSD Manufacturers
• SSD is easy to build: Controller, Chip, Firmware,…

SSD Recovery Challenges
• What? Software/Hardware Proprietary Tools
  Why? Most people don’t happen to have these tools lying around
• What? Time Consuming
  Why? Need to research the algorithms used to originally store the data
• What? Wear leveling (balances usage evenly across all disk sectors)
  Why? Creates a complication to piece the data back together – we see a lot of file duplicates
• What? RAID-like configuration
  Why? Individual memory chips on devices make data less contiguous and difficult to piece back together
• What? Lack of standardized configurations
  Why? Many recovery jobs bring new challenges and new algorithms

The Challenges of Encryption
• Type of Encryption: Encryption done by encryption software, e.g. TrueCrypt
  Risks and Opportunities: The master key is in your hands – even when a data recovery from a physically damaged hard disk is necessary, the use of the key guarantees access to your stored data.
• Type of Encryption: Encryption by SSD controller when saving data on SSD (Self-encrypted drive (SED); AES hardware encryption)
  Risks and Opportunities: Data is stored encrypted but the master key is only known by the manufacturer – this means when the storage device is damaged there is no way of recovering the data.

Logical analysis

Logical damage, statistics
• Virus 4 %
• (Partly) Overwritten 22 %
• Deleted 7 %
• Consequences of Physical damages 44 %
• Filesystem 23 %

Brief intro to logical structure
• Partitions
• FAT file system
• NTFS file system
• Unallocated space
• Cluster
• File Reference
• Fragmented files

Partitions
• Primary Partition
• Extended partition
• Logical Partition
[Diagram labels: MBR, File System, PT, File System, PT, File System]

FAT
[Layout diagrams: FAT12 / FAT16: Boot Record, FAT 1, FAT 2, ROOT, DATA; FAT32: Boot Record, FAT 1, FAT 2, ROOT, DATA]

File systems (FAT)
• Partition table
• Boot record
• FAT tables
• Root Directory
• Data area

NTFS
[Layout diagram: Boot Record, DATA, NTLDR, MFT]

Unallocated space
[Diagram labels: Data Area, New Installation, User Data / Files, Old file system, Unallocated Space, Empty Space, Unallocated Space]

Cluster
[Diagram: a cluster made up of blocks]
• Blocks are usually 512 bytes
• Clusters can be from 1 to 64 blocks

File Reference
• A directory is a list of files and other directories
• File Reference contains
  • File name, File attribute, Creation time/date, Last access date, Last modified time/date, First cluster, File size

Fragmented files
[Diagram: File 1, File 5, File 2, File 3, File 5, File 4, File 5]

At Kroll Ontrack we recover data with optimal result at minimal risk!

Data Recovery Process
Free Consultation
1. Always go through the data recovery tips checklist
2. Free telephone consultation
Evaluation/analysis
3. Send in the storage medium or set up a remote data recovery
4. Determine the problem and the severity of the damage. Clear report (VeriFile Report) and price quote
Data Recovery
5. After approval, the actual recovery of the data
6. Your recovered data returned on an external data carrier

Remote Data Recovery Connection
• 128-bit RSA encryption
• Proprietary network protocol wrapped in firewall-friendly HTTP packets
• Only screenshots and keystrokes are sent across the connection
• The tools are run on the client’s side

Data Recovery
• Physical recovery
  • Recover as much raw data as possible from defective drive
  • Recovered raw data stored on two copies, for security reasons
• Logical recovery
  • Manual inspection and repair of file system
  • Recover as much user data as possible
  • Perform sampling tests / quality check of recovered data
  • Virus scan
• Copy to agreed delivery medium

Verifile
After the analysis you can see exactly what can be recovered.

DR Service levels
Premium service (5 working days)
• Price for analysis in euros excl. VAT is €90,= per disk
Express service (24/7 service on working days Mon-Fri)
• The price for the analysis of a single hard disk is €490,=.
• For multi-disk systems the analysis price is €190,= per disk.
For express service and emergency service at weekends and during holidays, call us directly on 0235673030

What can you do?
• First go over the data recovery tips checklist!
• Always work on a bit for bit copy
• Always stay with disk in case it crashes

Easy recovery software
http://www.ontrackdatarecovery.nl/easy-recovery/

Contact
Jaap Jan Visser
Kroll Ontrack Netherlands
Holland Office Center | Kruisweg 825c | 2132 NG Hoofddorp | The Netherlands
+31 23 567 3030 | Fax: +31 23 567 3031 | Mobile: +31 6 38925560
[email protected] | www.krollontrack.nl
http://www.linkedin.com/pub/jaap-janvisser/16/741/556

Temperature tolerances
700C Cobalt/Chrome, Cobalt/Nickel; 300C Iron oxide; Soldering; 150C Plastic

Water & Fire Damages
1. Handling, Logistics and Routines
2. Incident scene, drawings of premises etc
3. Documentation and labelling
4. Decide priority list
5. Time factor
6. Handling, packaging and shipment
7. Ibas personnel on site

Physical tolerances
• 270000 tracks per inch, 10639 tracks per mm
• 1383000 bits per inch, 54448 bits per mm
• One A4 page filled with “m” formatted with Calibri size 11
• This gives 2295 characters – one letter is 8 bits
• This gives a total of 18360 bits per A4 side
• If you cut the media in pieces of 5 x 5 mm:
  • One data track from this piece will contain 14,8 A4 pages
  • The whole piece will contain 787286 A4 pages
• One A4 sheet is approx. 0.1 mm
• If we stack these sheets on top of each other we get a pile that is approx. 80 meters high

Head with MEMS
• The microactuator is a MEMS (micromachined electromechanical system) device fabricated using semiconductor-like batch processes. The smallest features in this device are four microns in thickness but over 40 microns in height.

Longitudinal vs. perpendicular
• LMR places bits lying flat in the plane of the disk
• PMR configuration uses new heads and disks that record bits perpendicular to the plane of the disk

MFM Images
[Figure labels: MO bits, Servo pattern, Partly Overwritten Track]

Operating
• Ambient temperature: 5° to 55° C
• Relative humidity (non-condensing): 5% to 90%
• Max. wet bulb (non-condensing): 29° C
• Shock (half sine wave, 2ms): 15G (11 ms)
• Vibration (random (RMS)): 1.0 G, all axis
Non-operating
• Ambient temperature: -40° to 70° C
• Relative humidity (non-condensing): 5% to 90%
• Max. wet bulb (non-condensing): 29° C
• Shock (half sine wave, 2ms): 250G (2 ms) / 75G (11ms)
• Vibration (random (RMS)): 5.0 G, all axis