Conference Acelab 2019 Prague - Innovation from the Data Recovery Leader Workshop

Acelab conference Prague 2019

Introducing new technologies and procedures for data recovery from spinning hard drives, SSDs, memory cards and mobile phones. 27 years of development and already 17th conference. Acelab is the industry leader and we couldn't miss the conference.

Tuesday 26 April was in the Cubex Palace at Prague Pankrác marked by innovations in the area of ​​data recovery from memory media. 17th Acelab Conference, which focused on technologies in data recovery from modern HDDs, mobile phones, SSDs, NAND flash memory or from the APFS and encrypted partitions, began at 10 am, when the last conference participants arrived and conference hall was almost full.

At the beginning, the moderator mentioned the history of Acelab, which dates back to 1992 and the first PC-2000 Tester, which in 1994 was replaced by the PC-3000 series. This is how Acelab products have been labeled until today and include the latest PC-3000 PORTABLE III or PC-3000 MOBILE products, which were presented at this year's conference.

New version of PC-3000 Portable

The first of the three parts of the conference was dedicated to the PC-3000 Portable III. As the product name implies, it is a solution especially suitable for resolving data recovery cases directly onsite with clients. The ability to connect up to 3 SATA III drives makes this powerful device the ideal addition to the PC-3000 Express, which will be appreciated by data recovery professionals as well as forensic specialists.Some features of the device and Data Extractor software were presented.

An example of how to recover data from new lines of hard drives has been presented. The brand Western Digital and its family of discs called Palmer is one of the PC-3000 HDD (Express, UDMA, Portable) product updates. A common problem of WD drives with their ROM can be solved by resoldering the ROM to a donor’s drive PCB, which increases the chance that the recovery will not be successful due to the destruction of the ROM during soldering. However, current Acelab products allow you to read Palmer drives ROM directly from the drives service area, and then access the user data with "special PCB".

In the second half of the first part of the conference, a frequent problem with Seagate drives and their MediaCache and new extensions to work with MediaCache included in the latest PC-3000 HDD (Express, UDMA, Portable) update were presented. The update is available to Acelab clients from today.

News from Acelab workshop - PC-3000 MOBILE

An interesting new product is the PC-3000 MOBILE, which was presented to visitors in the second part of the conference. Roman Morozov took the floor and the presentation focused on Android devices with eMMC (includes controller + NAND) and eMCP (includes controller + NAND + RAM) chips, which can be used, among other things, with one universal adapter to which reductions are made for a specific chip. This eliminates the need for a variety of adapters.

The indisputable advantage of the PC-3000 MOBILE, however, is the possibility (in some cases) of working with a damaged mobile device without the need to use the so-called "Chip-off" method. The PC-3000 mobile operates in the following modes:

  • Using a standard device interface, ie USB
  • JTAG for partially damaged devices
  • Chip-off, ie direct reading from a memory chip

The mobile device file system is different from file systems, as is known for example from flash drives. Some data is stored in the database (contacts, SMS, phone log ...), other as files. Here comes the PC-3000 MOBILE software, which, using advanced features, can analyze data and save it as a preview, export format, or directly as files known to any smartphone user, as well as in a format designed for further forensic investigation.

UFS chips currently used in higher class Android devices, will be used by other devices in the future, according to Aclab. Their indisputable advantage is significantly higher speed than eMMC and eMCP chips can offer and it is possible to use higher chip capacities.

EZ NAND chips used in older Apple mobile devices (v. 6 and older) and NVMe chips used in newer Apple mobile devices (v. 6S and later) were mentioned only marginally. On the Acelab site, we can read that Apple device support is still in preparation, so we will probably learn more about these devices at some other Acelab’s conference. Similarly, it will most likely be with UFS chips. PC-3000 MOBILE after all, is still under development, and Acelab presented its first mention of the solution at the conference in 2017. We can only hope that the engineers from Acelab will be able to release the product to the production version in a short term.

NAND Flash Media

Another part of the conference included SSDs. In the introduction, Alexander Leonenko mentioned the complex issue of Marvell controllers, specifically talked about SanDisk SSDs that have different technological commands, de facto for each model, and Acelab engineers spent more than 18 months developing and integrating Sandisk support in Acelab products. The issue of SanDisk SSD data recovery was also mentioned when it is necessary to read the NAND chip directly and then reconstruct the data. This process is very time-consuming, and a small block size of modern disks contributes to this. It can take up to tens of hours to read common capacity SSDs and require a powerful computer. The same controller and similar technology commands are currently being used on some WD drives, specifically the WD Blue series.

In connection with the complex recovery of data from the SanDisk SSDs, the SLC cache was also mentioned. This technology uses algorithm in which approximately 10% of the currently used data is stored at the time of SSD failure in SLC cache. The SLC cache is similar to the MEDIA cache on Seagate magnetic disks.

After demonstrating how to work with classic SSDs, the NVMe SSDs came up. In terms of data recovery, it is not only a different interface but also other communication protocols and technological commands, ie de facto development and integration of support for these drives into the current PC-3000 SSD solution.

APPLE HFS +, APFS, Fusion Dive, Virtual Drives Reconstruction

After a short break for lunch, the conference continued with other interesting topics. The presentation was taken by Alexander Leonenko. The third and final part of the conference focused on APFS (Apple File System) and Apple Fusion Drive with HFS + and newly also with APFS. These topics are closely related to encryption methods and methods of recovering data from corrupted encrypted file systems from Apple. In addition, new methods for recovering data from deleted virtual drives and recovering data from corrupted Windows Bitlocker-encrypted file systems were explained.

APFS is a new file system developed by Apple and is primarily optimized for Flash storage media and SSDs. It also comes with a new way of data encryption and thus new challenges for data recovery techniques.

The method used so far for Apple devices, when an additional layer is added to the existing HFS+ file system - Filevault 2 - has been replaced, or better said, supplemented by data encryption at the APFS file system level.

On the day of the conference, new updates are released by Acelab, where APFS support is already included. The APFS partition can now be found in the Data Extractor software. APFS support has also been added to existing encryption support with Filevault, Bitlocker and Truecrypt.

Fusion Drive is a two-drive hybrid (SSD and classic HDD) logical volume that has both drives capacity. The user's view is a single drive. The main advantage of this solution is the significant acceleration of access to frequently used data that is automatically moved to the SSD part of the volume. The first version of Fusion Drive was introduced by Apple in 2012.

With the advent of APFS, changes are also being made to the use of Fusion Drive drives. As mentioned above, APFS is optimized primarily for use with SSDs, since macOS 10.14 Mojave, APFS can also be used within Fusion Drive, a combination of SSD + HDD. APFS Fusion Drive works in a different way with metadata on both filesystem drives and files content, which means that changes are needed in the area of data recovery.

APFS Fusion Drive support is also included in the release of the Data Extractor software update today. However, you must own a license Data Extractor Raid Edition.

Reconstruction of deleted virtual drives when the virtual drive data is fragmented

In the area of data recovery from the storage media useful news, an interesting one is that new version of Data Extractor has implemented the process of reconstruction of the deleted / lost virtual drives.

The standard method of recovering a virtual disk (if virtual disk position metadata is lost) is to use RAW. But the problem is when the virtual drives data is fragmented. For these cases, Acelab has implemented additional procedures, that can significantly save the work of data recovery professionals. The newly added procedures will allow you to automatically find and use unambiguous RAW results and reconstruct the virtual disk map by using them. The new feature uses the detection of jpg, jpeg, png, rar, zip, doc, docx, xls and xlsx files.

As Alexander Leonenko mentioned at the conference, this method may not always be applicable. For example, if a virtual disk contains specific and less common files, the method will not work because it uses for detection the files mentioned above.

New way to recover data from Bitlocker-encrypted partitions

The final part of the conference was dedicated to recovering data from unavailable partitions that are encrypted with Bitlocker. Bitlocker stores meta information at the beginning of the partition in unencrypted form and can be used to identify the partition and find it using RAW. This feature has also been implemented into Data Extractor software and is available on the conference day in released updates. In addition to the partition lookup itself, the AES-XTS decryption feature has been added directly within Data Extractor. Of course, this feature is not absolutely necessary, but in some cases, for example, if a customer is in a hurry, it may be helpful.

At the end of the conference - a raffle

After the conference, there was a little variegation awaiting for the participants - in the form of a raffle. The main prize was an electronic microscope.

The conference was certainly, not only for us, a very beneficial source of new information and new business contacts. Thanks to all of Acelab who participated in the conference and we are looking forward to seeing you again in 2020!

 

 

Author: Frantisek Fridrich, Exalab Luxembourg