After a hack: The process of restoring once-lost data

Brandon Butler | Aug. 23, 2012
Mat Honan, a reporter with Wired magazine, thought almost his entire digital life had been lost, but a team of recovery engineers was able to restore most of it by diving deep into his compromised laptop. Here's how they did it.

On the first Friday in August, Mat Honan, a tech reporter with Wired magazine, got home after work and realized that almost his entire personal digital life had been hacked.

His laptop, phone and tablet had been wiped and his Google, Amazon, Apple and Twitter accounts had been compromised. His pictures, videos and other memories, including photos of his newborn daughter and of relatives who had since passed away, were feared gone forever because he had failed to back them up.

But it wasn't so. Honan brought his MacBook Air to DriveSavers, which specializes in data recovery, and after a 24-hour process of engineers diving deep into Honan's laptop, an estimated 75% of the data on his computer that he thought he had lost was recovered.

Here's how DriveSavers did it.

DriveSavers has been around for 25 years and has recovered data in a broad range of situations, anything from an iPhone that was dropped in a toilet to a failing hospital server holding 20,000 confidential patient records. Getting a personal device that a customer believes has been completely wiped is nothing new for DriveSavers and its team of engineers. Each case is different, though, and it's tough to tell how much information, if any, can be recovered until engineers get their hands dirty examining the device, says Chris Bross, senior enterprise recovery engineer with the company.

A few days after the hack, Honan brought the device into DriveSavers. The first step is a detailed discussion with the customer, in this case Honan, of exactly what happened, along with a prioritized list of what workers should focus on recovering, which in Honan's case were photos and videos that he had not previously backed up. "He basically asked us to recover all the data that we could possibly recover," Bross says.

Engineers began by disassembling Honan's MacBook to get to the heart of where they would do their work: the 250GB Samsung-manufactured solid-state drive (SSD) inside the laptop. They extracted the disk and immediately made a clone of the SSD, along with a backup, so that they wouldn't be working directly on the tampered disk.

When making the copy, DriveSavers workers transferred data at the physical layer of the disk, which Bross describes as the lowest layer that includes everything on the disk, both files that have been formatted as well as any empty space that was on the disk. This proved critical later in the recovery process.

The hackers had used a feature in Apple products called "Find My," which is meant to allow users to remotely wipe their Apple devices if they are lost. Using a social engineering attack, they called the customer service departments of Amazon and Apple posing as Honan, eventually getting his password changed, which gave them access to wipe his devices.

 
