A Northern California man being pursued by police smashes his own smartphone and throws it into the ocean. The evidence is gone, right? But wait: The police retrieve the phone. Where it goes next, and what happens to it there, is like the geekiest possible CSI episode you’ve ever seen—and a window into the everyday tedium and triumph at DriveSavers, the biggest name in data recovery.
Behind this mild-mannered facade
In a plain beige building in a Novato, California, office park hides a government-grade clean room, multiple layers of security, and a signed photograph from George Lucas. It overlooks a small pond alongside a quiet stretch of road, and most people drive right past without a second glance.
That’s how the folks who work there prefer it. A typical day at DriveSavers Data Recovery can involve resurrecting busted hard drives from Skywalker Ranch or salvaging data from smartphones that went through the wash, but sometimes a special order comes in to recover data from a device that might be used in a criminal investigation. It’s part of a process known as data forensics, and it requires many of the same skills that data recovery engineers employ to salvage pictures of your cats from a broken camera.
How engineers become forensic analysts
DriveSavers’ forensic analysis work isn’t widely publicized. You’re more likely to know the company as a service that can salvage your family photos when you accidentally wipe the wrong hard drive or drop your laptop down a storm drain.
And that’s what the folks at DriveSavers want you to think. Data recovery is a profitable business, after all, and the company was established in 1985 to help external hard drive owners safely recover data from storage mishaps. But that business gradually expanded to include banks, hospitals, and government offices, to the point that DriveSavers now recovers a wide variety of sensitive— and often encrypted—information. Usually it’s hospital patient records or corporate finance reports, but sometimes it’s a hacker’s hard drive.
To that end, DriveSavers engineers run through training programs for Symantec’s PGP and GuardianEdge, Sophos’ Ultimaco, and other encryption systems to understand how data encryption works. They take that training a step further by messing around with encrypted drives to identify exactly which sectors of the drive hold encrypted info. DriveSavers engineers encrypt a test drive with a given encryption protocol—say, PGP—and take a look at the drive before and after to see exactly which sectors are storing the data.
Even with this level of training, no secret keys or back doors actually allow data recovery engineers to split an encrypted drive open like an overripe melon. The best they can do is verify whether or not an encrypted drive is damaged enough to render the data unrecoverable; if it’s not, the engineers simply recover the encrypted data using special techniques (more on those later) and deliver that encrypted data to the customer on a new drive—or hand it off to law enforcement and let them try to crack the encryption.
To maintain its various accreditations and security clearances, DriveSavers employees work under rigorous security policies and submit to annual risk-assessment analysis, penetration tests, and a third-party security audit. A selection of these annual security reports are posted on the company’s website; you can check them out yourself. Every employee also goes through an annual background check, presumably to assuage client concerns that DriveSavers engineers—who regularly handle our most private data—aren’t committing identity fraud on the side. “There’s no better day job for an identity thief than at a data recovery service,” says DriveSavers Chief Information Security Officer Michael Hall. “That’s why we have to run regular background checks on everyone in the building.”
Making dead drives talk
Whether it’s a burnt hard drive or a busted smartphone recovered from a crime scene, every device that gets sent to DriveSavers goes through the same revivification process. The first stop is a designated “triage area,” where every device is subjected to a preliminary examination by data engineers. The lion’s share of storage devices then get sent to the clean room to be disassembled in a dust-free environment. Well, nearly dust-free: The DriveSavers clean room is certified ISO 5, meaning that every cubic foot of filtered air inside the room is guaranteed to contain fewer than 100 particles larger than 0.5 micrometers. For comparison’s sake, a cubic foot of air in your average city contains more than a million particles of that size.
Once a drive is disassembled, engineers do whatever it takes to copy the data to a working computer. Sometimes that’s as simple as replacing the spindle motor in an old Western Digital hard drive to get the platter spinning again. Other times, a certified engineer has to play Dr. Frankenstein and whip out a tiny soldering iron to reattach or rebuild 15 almost-microscopic leads, so a smashed flash drive can be hooked up to a DriveSavers recovery PC. All the data on the busted drive is copied over to a spare from the DriveSavers facility, after which the engineers (gingerly) set aside the original to focus on the copy.
Next, the data is duplicated from the copy onto the DriveSavers network, which sports multiple redundant backups and is safeguarded by a Secure Cisco Self-Defending Network environment that’s verified by an annual third-party security audit. It’s a level of security that poses a real challenge for any hacker trying to trawl through the DriveSavers servers, though most data is wiped from the network on a regular basis.
Once the raw data is safely ensconced in the DriveSavers network, the engineers get to work reassembling it into a machine-readable format. Since the engineers are often tasked with restoring data that’s been deleted—accidentally or otherwise—there’s a certain amount of careful detective work involved as fragments of data scattered across the drive are reassembled into working files. If the data is encrypted, DriveSavers engineers can reassemble it without breaking encryption by rebuilding the original storage volume block by block.
According to DriveSavers Director of Engineering Mike Cobb, most engineers develop unique specialties over time. Some workers are firmware wizards, while others are better suited for the delicate physical work of extracting broken storage media from destroyed smartphones. Some are even more esoteric: Michael Hall claims the enterprise production lead, while Joseph (last name withheld for security reasons) has an innate talent for visualizing how the RAID structure of a storage array ought to look. It’s sort of like how Neo visualizes the Matrix, except instead of seeing computer code he’s seeing stripes of data spreading across 12 different hard drives.
It’s a talent that’s more useful than you’d think. A few years back, when a 12-drive RAID 0 array carrying mission-critical flight readiness reports and inspection records suffered catastrophic failure at Shaw Air Force Base in North Carolina, these data engineers were able to rebuild it and save a bunch of Air Force recruits from having to repeat their training.
Digital forensics works pretty much the same way. A Northern California man being pursued by police smashed his own smartphone and threw it into the ocean. The phone—what was left of it—was given over to DriveSavers engineers as part of a criminal investigation.
Salvaged smartphone sings
Oh, and that smashed smartphone? The engineers rebuilt the phone in the cleanroom using basically the same process outlined above. They salvaged all data from the onboard memory, including photos that implicated the phone’s owner in a brazen robbery. The data was later entered as evidence in a court of law and used to to prosecute the phone-bashing robber. It’s a nice story that elucidates the slightly scary side of data recovery: Skilled engineers can often salvage data we work very hard to destroy.
If there’s one thing to take away from my time at DriveSavers, it’s that our data is a lot more permanent than we think it is. So don’t worry so much about whether your mobile security is up to snuff or if your Snapchat photos are really private. If someone lays hands on a piece of storage media containing your private data (encrypted, deleted, or otherwise), there’s a decent chance they can salvage it if they’re willing to work hard enough. So take logical precautions, encrypt your data, and use a secure backup strategy to avoid having to shell out for an expensive data recovery service.