Fw: Atlanta Data Recovery Class
Mike McC (GM)
You know how much I enjoyed your class, I would attend another in a second. If you could somehow arrange training on the PC3000, I would be there tonight!
D
Subject: Atlanta Data Recovery Class
Date: Fri, 4 Jun 2010 16:31:17 -0400
From: SMou...@nicservices.com
To: datarecovery...@googlegroups.com
I know most of you already attended a class of mine, however you never know when someone else might be interested, so I am forwarding this to the list for my Atlanta Data Recovery class next month.
If you are interested in the Data Recovery Forensics topic maybe you would be interested in learning more about repairing damaged hard drives, recovering data for your cases or for a business?
There will be an Atlanta class NEXT month. It is a 5 day boot camp class. It is a very intense class and runs very long days, however, when you walk out you will feel confident that you can recover from even some of the most complex data recovery jobs. We start from the very beginning so that even people that have never attempted anything with recovery will feel comfortable, but it will be advanced enough from the start for even those of us that already have been doing it!
This class will be held on July 12th to 16th. It will be held by the Atlanta Airport at the Drury Inn & Suites Airport Hotel. The class is already 50% Full! SO if you want a seat, you need to act now!! If you sign up and pay BEFORE JUNE 17th you will receive a $300 EARLY BIRD Discount. After June 17th the price will be $3500 per a seat and after July 4th the price will be raised $3700 for having to expedite the material. Sign up now by contacting us by phone or faxing your signed registration in! Fax 770-926-7089 http://www.myharddrivedied.com/seated-class-cc-form.pdf
NEW! There are some new items covered in the class and some special items that can only be covered in the Atlanta class especially since it is my hometown and I can drive equipment to the location. Each table will have a DeepSpar Disk Imager between each pair of students that will be live and able to be used all during the classes and rebuilds. In addition there will also be a soldering lab that will include Air Desoldering and Rework stations. This is essential for PCB board repair and the new SOLID STATE DISKS. Soldering will become a mainstay of data recovery and this is the class where you can learn how to solder and replace chips! There will be three types of Desoldering Stations you can use!
---------------------------------------------------------
To reserve and register, please complete this form and
Return it to me Email: smou...@nicservices.com
Or Fax: 770-926-7089:
http://www.myharddrivedied.com/seated-class-cc-form.pdf
---------------------------------------------------------
The Atlanta Class Hotel:
Drury Inn & Suites Airport - Atlanta, GA
1270 Virginia Avenue - Atlanta, GA, 30344
P: 404-761-4900
https://wwwc.druryhotels.com/PropertyOverview.aspx?Property=0070
$91/night
Ask for “Data Recovery Group” to get the $91 rate.
---------------------------------------------------------
The Daily Schedule:
9:00am Start - Training as below by day
10:30 AM - 20 min Break
12:15PM Break for Lunch for 1 Hour Resume at 1:15
3:15 PM - 20 min Break
5:00 – 15 minute Break
6:00-7:00 PM – End somewhere here depending on when we finish material during day.
The Last Day will end class at 3pm: I have to pack the class room equipment to exit hotel by 5pm
---------------------------------------------------------
NOTE: Bring with you when you come to class, please bring a digital camera so that you can take picture while in the class and hard drive rebuilds. You will understand what I mean when you are doing it.
---------------------------------------------------------
Day One
On day one we introduce you to the basic hardware equipment used by data recovery professionals. We will discuss each tool's purpose, as well as pros and cons of each. This will begin to give you the vocabulary, basic knowledge, and groundwork needed to be able to continue discussions of what is possible in the lecture over the next few days. Some of the tools we will be looking at will be head combs, PC3000, Deepspar Forensic Disk Imager, Atola, and SalvationDATA's Data Compass & Platter Extractor tools.
We will break down the four main phases of data recovery. This will be followed by a discussion of the Myths surrounding hard drives and dispelling some of the existing beliefs, which will help you understand the truth verse marketing or false information.
We will then start with the anatomy of the drive and begin to break down what each item is, what it is called, and its function. A hard drive has an extremely large amount of planning involved with each part and function, and everything in the drive has a purpose. We will review each of the physical attributes and how they affect your ability to recover the data from the drive. Items discussed will include the Actuator Assembly, the Voice Coil, the locking pins, and the Pre-Amp, the circuit boards, the motor and spindle, as well as the platters themselves, which contain your data. Also examined will be the landing zone and the purpose and parking locations and why they were chosen.
Newer methods of recording to the hard drive, including perpendicular instead of longitudinal recording, will be discussed, and we will address what affect it has on your data and your ability to recover data. You'll hear actual recordings of sounds T sounds that hard drives make and see pictures and examples of the types of damage that has occurred. These steps will help you experience some of the types of problems you can learn about from the drives just by listening to them, feeling them, or examining them.
We will review the goals of the labs and display examples of what you will be performing during the lab and in what order it will be executed. There will also be a process for building your own head replacement tools from foil and foam that is better than almost any head combs that exist.
During the labs you will mount hard drives using USB connectors, format the drive, and put on the drive data that you will attempt to recover after you completely break the hard drive down to bare metal. You are going to very carefully disassemble two hard drives during the lab and extract all the parts, and then reassemble each piece and attempt to get the drive working again. Over the next two days we will do a total of five drives in order to ensure your success.
You will get an assortment of drives, giving you the advantage of seeing a variety of drives and the different way each is manufactured, increasing your skills at recognizing processes and parts. To help cement your understanding, we'll examine photos and videos of actual disassembled and repaired drives from which data has been recovered.
We will close the day with a display of how to match hard drives for donor drives. This is where you will learn what you need in order to acquire your parts to rebuild your damaged hard drives.
Day Two
We have enhanced the class to include more details about the Deepspar Disk Imager and Forensic Disk Imager and will be using these items for diagnostics. Now that you have a basic understanding of the physical attributes of the drive, we will move to the more logical functions controlled by the drive and the internals of initialization processes done by the drive at the power on cycle.
Finally having reached the heads themselves, we can cover the basic types of heads, followed by the content in read by the heads and the way data is actually stored. For this to happen we will need to learn about the contents of the System Area and its tables such as P-Lists, G-Lists, Zone Tables, and Password tables.
Now that you know how the data arrives at the heads as it passes though the preamp, you will look at the content that is encoded in that sector and what each sector actually contains. You'll learn in-depth information about the servo data, the addresses on the drive and locations in respect to the head, sector, and cylinder boundaries.
As we discuss this content and introduce each type of error, I will break down the errors logically so they can be understood based on the data recovery equipment and software used. This will help you understand the types of problems that can cause the "Click of Death" often heard in hard drives, and what exactly the parts are that failed. We will then discuss the possible steps though which one might repair the drives. These will include methods such as live board swaps and SA repairs. We will also cover the ability to repair sectors using reverse imaging.
You now have a better understanding of the sensitivity of the hard drive and how everything affects the heads and alignment, which will help you in your quest to rebuild three more drives. We will format the drives, copy files to the drive for recovery, and then break the drives down to bare metal. Following that we will reassemble and attempt to recover the data we wrote earlier.
Day Three
Beginning on Day three we will put away all the physical rebuild components and begin to focus on the imaging and logical corruption and repair. We now have the skills to physically repair drives and get them working again and need to deal with the content, acquire the data, and repair any corruption that might have occurred. We begin the day looking at standard ways of imaging content.
We will also have carefully crafted USB Memory Sticks that contain NTFS file systems and are corrupted exactly like you will see on drives in your lab. We then begin by using tools like FTK Imager, DriveImage XML and Medial Tools Pro, all of which have special advantages and disadvantages. After you have a clear understanding of the way software imaging looks, I will demonstrate a high-end data recovery tool like the Deepspar Forensics Disk Imager and show you the capabilities and what all the functions do. You'll learn how to do a repair on sectors and copy a damaged drive using this tool on a sample damaged hard drive. This will be followed by an example of Salvation Data's Data Compass and the functions it supplies on the fly, as well as the protection it offers for damaged hard drives.
We will close out the second phase of data recovery, drive imaging, and move into the third phase, which involves file systems and corruption after the image is made. Again we will use a carefully crafted USB memory stick, which will not properly mount NTFS, and we will step though how you can recover or repair and see the content in the MFT using tools and find the files you wish to recover. This will be accomplished through a combination of discussion and labs in which you will learn the advantages and disadvantages of each tool and what is special about them.
You'll engage in several labs that demonstrate how you can see and recover data from corrupt drives, which includes reviewing partition structures, including the GUID Partition Structure, recovering from NTFS when it won't mount. The labs will include the use of Disk Explorer for NTFS and its special qualities that make it a superb data recovery tool when used in parallel with GetDataBack for NTFS. We will also review a NTFS drive using Testdisk.
Day Four
On day four we will spend the first half of the day finishing up logical structures of the top three operating systems, followed by lecture and lab on assembling RAID 0 and RAID 5 arrays. We start the day finishing up Windows and NTFS with the unusual differences between Vista and XP with regards to data recovery. You'll look at options like Shadow Copy file recovery, changes to the structure of files in the recycle bin as well as info2 files.
Mac OSX HFS+ partitions when Mac OS X can't repair or recover from them. During these sections we will use reference material and discuss the nature of each operating system, touching on its basic format and file structure. Labs during this day will include HFSExplorer where we can see the B* Tree structure stored in the Mac OSX Catalog. We will then move on to examining the basic functions and software available to recover Linux EXT 2/3 and Reiser partitions. There are additional tools used to recover and rebuild Linux that will include tools like R-Studios, Disk Explorer for Linux.
In the afternoon we will begin with an examination of the HPA's (host protected area) effect on JBOD, how to review custom arrays created by different manufacturers, and RAID 0/5 arrays. At this point, our only interest is in addressing the functions necessary to recreate the RAID arrays to be able to retrieve data, not to rebuild them to put the array back in place. With this, you'll be able to deliver that retrieved content back to whomever needs it.
The labs for RAID 0 and RAID 5 will include several premade images, which we will process. I will show you what happens when you have the settings for RAID wrong, quick and easy ways to identify the problems and how to find the correct settings by doing entropy by sight or sound and correcting the issues so you can do a successful recovery. I will also demonstrate how you can do some of these functions faster using other tools like X-Ways Forensics and R-Studios and Raid Reconstructor.
Day Five
On day five we view information about Solid State Drives. We focus on what happens over time to data on solid state drives, and how the solid state drives function. We will cover the lower level functions that are different than a physical hard drive and why that is important to data recovery and forensics. You'll learn about research I have done capturing dd images of solid state drives at different times and what has happened to the data, and you'll be amazed to find out the effect on unallocated and file slack space and defragmentation. This will lead us to discussions about the impact solid state will have on the future of forensics and data recovery and possible issues we may have getting recovered content admitted into court. This will also include a discussion about a newer FAT file system, FAT64, and the purpose that it was developed to solve.
You'll learn new information about the future of storage and changes to hard drives, as well as flash media and introductory information about new technology called Domain Walls or RaceTrack Memory under development by the same designer of the current head technology on the hard drive. The lifespan of current media and shelf life of flash media as a long term storage will be reviewed, and we will discuss alternative methods of keeping data safe and how to refresh the content so it will remain intact if you have to store forensic data for years to come.
During a recovery, there are some issues with security on drives that does not involve encryption such as GUID/SID folder protection. These items will keep you from knowing the data is on the drive, and since it is "invisible" it is possible you might miss extracting important content during data recovery. In this class, you'll learn how to get around this "file protection" in the different operating systems.
We'll wind down by covering a few of the unique functions of the drive that may affect your ability to get an image such as TPM, hard drive passwords, flash updates to the drive, translator tables, and secure erase wiping tools built into the motherboard and drive for high speed wiping. We'll also cover how the HPA can be used for many other functions such as Lo-Jack for laptops, or resizing a drive to limit software recovery. You will also get to see a demo of other tools such as MHDD and Victoria and look at how you can recondition a drive and purge or kill bad or slow sectors, making the drive faster and more useful. Finally, we will cover some software items such as zone tables and tools for testing the speed of drives or RAID arrays.
The data recovery world and the forensics world are very close in relation. This class discusses topics valuable to both forensic and data recovery professionals alike and touches on data recovery topics relating to forensics topics where they can be applied.
Our primary goal is clear:
To produce valid disk images and recover the data from marginally operative or defective media for use in data recovery or forensics.
The processes and methodologies taught in this class will train you to collect an image on damaged evidence where standard forensic imaging would have failed. You will learn to understand what kinds of problems hard drives have and what your options are to recover the contents. Specialized data recovery trade secrets that are used in these processes specifically will be discussed so we can acquire data from damaged disks. We will perform some exciting labs, where you will format a hard drive, put data on the drive, disassemble the drive down to the bare metal, and then "successfully" reassemble the drive and recover your data from it.
You will learn things about GMR Heads, sectors and how data is stored by the heads physically on the platters. In addition you will learn about passwords on hard drives and what it takes to clear them, and you will find out what the G-list and the P-list are, what can happen when a disk is wiped, and what data is left behind when they are not taken into consideration. You will also find out how the locations of partition structures affect the speed of your system and its relationship to zone tables.
This class will highlight the tools that work well with corrupted file systems, both in demonstration and in the lab exercises, and students will learn the basics of file systems and logical recoveries. There will be information regarding FAT, NTFS, Mac OSX HFS+ hard drive formats, as well as EXT3 and Reiser recoveries and what to do when there is damage, and there will be examples of each in labs. Students will also perform logical recoveries where we will use software and specialized data recovery equipment to image memory sticks, hard drives, and image files.
After we are done with our basic understanding of file system recovery, we will move on to dealing in depth with the methods of reviving RAID 0 / RAID 5 / JBOD configurations. There will be lab exercises that will be used to demonstrate how to reconstruct RAID 0 and RAID 5 Arrays. The final portion of the class will discuss solid-state drives, the direction of storage in the future, and what challenges they propose when introducing evidence into court.
If you would like five bootcamp days of training and learning about trade secrets of the data recovery profession, this is the class for you. It will consist of lecture and labs with mentoring on disassembly and reassembly of the hard drives. Usually by the second day, the majority of students are able to rebuild a hard drive and recover data from it. However, this class is about process and methodologies, teaching the techniques used in data recovery labs so that you can understand and build on those skills.
---------------------------------------------------------
To reserve and register, please complete this form and
Return it to me Email: smou...@nicservices.com
Or Fax: 770-926-7089:
http://www.myharddrivedied.com/seated-class-cc-form.pdf
---------------------------------------------------------
Thank you,
----------------------------------------------------------
Scott A. Moulton / CCFS CCFT CDRP DREC
Certified Computer Forensic Specialist
Certified Computer Forensic Technician
Certified Data Recovery Professional
Data Recovery Expert Certification Instructor
http://www.myharddrivedied.com/presentations_classes/
----------------------------------------------------------
Forensic Strategy Services, LLC &
My Hard Drive Died, DBA
----------------------------------------------------------
601b Industrial Court, Woodstock, Ga 30189
Phone: 770-926-5588 Fax: 770-926-7089
DATA RECOVERY UPDATES VIA TWITTER: @scottamoulton
DATA RECOVERY Videos on YouTube:
http://www.youtube.com/user/SuperFlyFlippingA#p/p
Google Groups on Data Recovery
http://groups.google.com/group/datarecoverycertification
----------------------------------------------------------
--
You received this message because you are subscribed to the Google Groups "DataRecoveryCertification" group.
To post to this group, send email to datarecovery...@googlegroups.com.
To unsubscribe from this group, send email to datarecoverycertif...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/datarecoverycertification?hl=en.
The New Busy think 9 to 5 is a cute idea. Combine multiple calendars with Hotmail. Get busy. --
You received this message because you are subscribed to the Google Groups "DataRecoveryCertification" group.
To post to this group, send email to datarecovery...@googlegroups.com.
To unsubscribe from this group, send email to datarecoverycertif...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/datarecoverycertification?hl=en.