Savings on matches or data recovery from the grating HDD Seagate ST3000NC002-1DY166
State-owned medical institutions are constantly lacking funding from the budget. Therefore, the plan for the purchase of expensive medical equipment is drawn up in such a way as to eliminate all possible additional costs. But in pursuit of economy, things that are obvious to any system administrator are missed.
It happened in one of the hospitals where the X-ray room is equipped with modern equipment, and the cost of the X-ray unit alone exceeded $ 100,000. The important point is that during the cabinet's reconstruction, only the purchase of the equipment itself was taken into account. Any “excesses” in the form of the PC of the radiologist and the implementation of the patient data storage system were not included in this calculation, and the hospital was asked to purchase all the rest necessary for the operation of the office using its own funds.
rice one
')
The hospital’s own funds were only enough to purchase a PC for a radiologist with a single Seagate Constellation CS ST3000NC002-1DY166 hard disk with a capacity of 3 TB. Initially it was planned to use this as a temporary solution, and then, when there is “free money”, implement plans for creating a backup system.
But the plans did not come true. There was still a catastrophic shortage of money for the hospital, and there were a lot of higher priorities. As a result, the temporary solution has become permanent. Days went by, patient data was accumulating on the hard disk, and in some cases human life could depend on it.
Three and a half years later, thunder struck. In the afternoon, the doctor noticed that the computer began to “think”, and the usual operations (viewing and saving X-ray images) began to take much longer than usual, and every hour the situation worsened until the moment when the work was impossible, and interrupt patient admission.
Hospital technicians, represented by a single system administrator working at ½ rate, could only state that the drive is faulty. After several unsuccessful attempts to launch automatic recovery programs, the drive began to tap, and therefore the administrator decided to stop and inform the head physician that he could not recover the data.
With such symptoms, the drive was delivered to our data recovery lab. Seagate Constellation CS ST3000NC002-1DY166 of the Grenada family. The hard drives of this family were sold very widely, and due to the high prevalence they were able to see them in many data recovery laboratories. Not only by us, but also by many other laboratories, the fact was recorded that upon failure of the family of this family, they often end up with severely damaged BMG and washed down plates.
rice 2
In fig. Figure 2 shows a typical case of destruction of plate surfaces, and pollution in hard-to-reach places is also shown. No matter how difficult it is, it is strongly recommended to remove this dust before opening the drive, since at the opening part of it must fall into the HDA.
The causes of this phenomenon worried many. Numerous versions were put forward, some sounded quite convincingly. For example, one of the most common versions, published on Habrahabr " If Seagate was dusty ... ", said that the main reason for the onset of degradation processes was the ingress of dust due to an unsuitable seal between the terminal block and the BMG housing.
This version has flaws. When examining a considerable number of drives of this family with damage at different stages, a loose seal of the seal between the contact block and the hard disk case is not confirmed. In situations where the destruction has just begun, an incomplete failure of one or several heads has occurred, but the final destruction of the plates (gash) has not yet occurred, there are no signs of dust under this compactor, which makes the version questionable. Also, the fact that the destruction does not always start from the zero head does not fit in with this version, although it would be logical for the zero head and the surface of the plate to be degraded in the first place if dust gets from the bottom of the drive. More precisely, the degradation processes on the zero head begin no more often than the degradation processes on the remaining heads.
Modern drives are able to control the height of the flight of the sliders above the surface of the plates by means of a heating element and Seagate Grenada is no exception.
rice 3 (drawing borrowed from a public document)
Analysis of the system of dynamic flight altitude change (DFH) shows that under certain conditions it is possible to obtain a contact of the slider with the surface, which ultimately provokes the onset of degradation processes.
Based on this analysis, it is also possible to give a recommendation in no way to change the boards between the drives of this family without transferring the ROM, since attempts to start with another board (with other adaptive parameters in the ROM) can lead to the contact of the sliders with the surface of the plates. Especially in Seagate F3 architecture drives, attempts to start with a foreign ROM are doomed to failure.
When we see that Seagate Grenada arrives to us, who, according to the client, started tapping, we begin the diagnostic measures with dust removal of the drive and opening in a laminar box. Remove the BMG filter air recycling and carefully examine under the microscope.
In our case, there was no pronounced damage to the plates, the air recirculation filter did not contain signs of metal particles, the problem was produced by barely noticeable scratches on the slider No. 2. The rest of the sliders did not have any visible damage even at a high magnification. Unfortunately, the capabilities of a microscope camera inserted in place of one of the eyepieces are not enough to show subtle damage to the slider.
Knowing the risks of lavion-like destruction of the plate surface when attempting to read the surface over which a damaged slider is detected, we decide to physically remove the damaged slider and suspension from the BMG. An attempt to use the original BMG is undertaken with the aim of reading the remaining zones with serviceable original heads, since the adaptive parameters of the drive are ideal for them. Obtaining sustained reading by donor heads is not always possible.
We perform the procedure for collecting the drive with one physically removed slider and suspension. Since in the physical absence of one of the heads, the drive will not be able to undergo the calibration procedure, it is necessary to modify the head map in the ROM in order to bypass the calibration step on the head No. 2. To do this, we change the head map in ROM 0, 1, 2, 3, 4, 5 to 0, 1, 1.3, 4, 5. Before writing the modified ROM, we will create several backup copies of the original one with a mandatory comparison of the reading results previous.
With a modified ROM, this drive went into readiness without unnecessary disturbing sounds.
rice four
We make changes to the settings of the drive in RAM: disable all procedures for offline scanning and auto reallocation when reading and writing. We check the ability of these heads to record on a module that is not used by the drive during operation. Making sure that this procedure worked without any complaints, we modify the parameters module so that with further restarts of the drive, unwanted procedures do not start.
We read the contents of sector 0 and find someone's omission there. On a 3 TB disk with a sector emulation of 512 bytes, the classic partition table was used instead of the GPT . There are three sections on the disk.
rice 5 - Partition table
The first NTFS partition (0x07) has an active status and starts from 0x00000800 (2048) sectors, size 0x00032000 (204,800) sectors.
The second NTFS partition (0x07) starts with 0x00032800 (206,848) sectors, size 0x06175800 (102,193,152) sectors.
The third NTFS partition (0x07) begins with 0x061A8000 (102,400,000) sectors, size 0xF9E58000 (4,192,567,296) sectors.
Let's look in the sector 0x100000000 (4,294,967,296). It is completely filled with zeros, there are no signs of the partition table or the boot sector of the partition.
It can be preliminarily concluded that this disk was used only within the boundaries of the first 2TB, the remaining 794.52 GB were not used during the operation.
We create the task of sector-by-sector copying in Data Extractor, build the zone distribution map without taking into account the zones of head 2, since there is no head itself, and instead there is a snag in the map.
rice 6 - Mini Zone Map
The reading process goes without any difficulties, and within several passes we get 4,846 xxx xxx sectors from 5,860,533,160. Unread on 0, 1, 3, 4, 5 heads after 72 readings, 72 sectors are left (36Kb), and all they are concentrated on the surface readable head â„–5. Given that the reading was stable, all zones after the 4,294,967,296 sectors were read. The assumption that the disk was partially not used was confirmed.
Based on the analysis of fragments of the read file systems in the second and third sections, their roles were established. The second section played the role of the system disk, and user data was missing there. In the third section, on the contrary, there were only user data in the form of a file database of patient images.
For a full reading, we need to transplant donor BMH. Considering that this is a Seagate Grenada, we are selecting a donor among similar drives belonging to this family, with the same revision of the switch preamplifier and close adaptive parameters. ST3000NC002, ST3000DM001 are members of the same family. Having picked up the suitable donor, we will execute transplantation of BMG.
rice 7
We write in the winchester patient ROM with the original card heads back. When powering, we hear a little uncertain passing of the calibration test, but, nevertheless, the firmware is loaded and the translation system is initialized. We test the ability to read the head number 2 in areas of different density. Making sure that the reading is present in different zones, proceed to the reading of user data.
View the contents of the boot sector of the third section.
rice 8 - NTFS boot sector
At offset 0x0B is located WORD 0x0200, which means that the sector size is 512 bytes.
BYTE 0x08 is located at offset 0x0D, which means that in one cluster there are 8 sectors, the cluster size is calculated by multiplying the sector size by the number of sectors in the cluster, that is, 0x0200 * 0x08 = 0x1000 (4096) bytes.
At offset 0x30 is located QWORD 0x00000000000C0000 (786 432) it indicates the number of the first MFT cluster.
Analyze the first MFT record, build the MFT chain map of the third section and read the missing fragments. The MFT was read successfully, which allows you to send the drive to sleep mode and conduct a full analysis of the file system on the copy in order to be able to build a map of the location of the necessary data. Reading everything in a similar situation is too much luxury, as there are risks that further degradation will continue when reading the damaged surface.
Based on the analysis data, we build chains of the location of the necessary files on the head No. 2 and combine their chains, which are located within the boundaries of one mini-zone. After this action a little extra data will be added, the reading of which is not specified in the technical task. But this approach will allow to skip the entire mini-zone in case of detection of unstable behavior, which increases the chances of successfully subtracting more data.
This is followed by the stages of localization of large defects on the surface readable by head number 2, and reading with the omission of the most problematic areas. Zones with a large content of defects are read in the last place, since their reading is associated with the risks of the final degradation of the drive without further possibility of reading data.
For two days with constant changes in the reading scenarios, it is possible to complete the subtraction by more than 99.9% of the necessary chains, and this is where the positive dynamics stops, and a gash appears on the defective areas, similar to that in fig. 2
rice 9 - View washed down under a microscope
Unfortunately, there were no other reading options, it was the last chance to read at least one of the damaged areas. When generating a report on files located in problem areas, we see a relatively good picture: out of more than 198,000 files, a little less than 2,000 remain unread. But, moving away from dry numbers, which report about 98.9% of the result, comes the realization that these fewer than 2,000 files cost several hundred living people, whose results of a visit to the x-ray room have faded into oblivion due to petty savings. I'd like to believe that the lost results were not critically important, and their loss did not affect someone’s life.
When issuing this information, the system administrator was consulted on how to monitor the status of hard drives. Drives like this do not degrade in an instant. If you regularly check SMART readings, monitor at least the required minimum of attributes , and not wait for the drive to report “SMART status - BAD” to the command 0xB0 0xDA, then in most cases you will notice an impending threat and take timely action. Of course, there are other problems that are developing much more rapidly, and regular monitoring of SMART indicators will not help. Given the likelihood of adverse events, it is worthwhile to think carefully about the backup system, and control of its work should not be carried out only by a single system administrator.
I would like to hope that after this incident in this hospital, at least something will change in the policy of storing patient data, and such situations will not happen again.
Previous publication: Administrator's Sin or Data Recovery from Knocking Western Digital WD5000AAKX HDD
It happened in one of the hospitals where the X-ray room is equipped with modern equipment, and the cost of the X-ray unit alone exceeded $ 100,000. The important point is that during the cabinet's reconstruction, only the purchase of the equipment itself was taken into account. Any “excesses” in the form of the PC of the radiologist and the implementation of the patient data storage system were not included in this calculation, and the hospital was asked to purchase all the rest necessary for the operation of the office using its own funds.
rice one
')
The hospital’s own funds were only enough to purchase a PC for a radiologist with a single Seagate Constellation CS ST3000NC002-1DY166 hard disk with a capacity of 3 TB. Initially it was planned to use this as a temporary solution, and then, when there is “free money”, implement plans for creating a backup system.
But the plans did not come true. There was still a catastrophic shortage of money for the hospital, and there were a lot of higher priorities. As a result, the temporary solution has become permanent. Days went by, patient data was accumulating on the hard disk, and in some cases human life could depend on it.
Three and a half years later, thunder struck. In the afternoon, the doctor noticed that the computer began to “think”, and the usual operations (viewing and saving X-ray images) began to take much longer than usual, and every hour the situation worsened until the moment when the work was impossible, and interrupt patient admission.
Hospital technicians, represented by a single system administrator working at ½ rate, could only state that the drive is faulty. After several unsuccessful attempts to launch automatic recovery programs, the drive began to tap, and therefore the administrator decided to stop and inform the head physician that he could not recover the data.
With such symptoms, the drive was delivered to our data recovery lab. Seagate Constellation CS ST3000NC002-1DY166 of the Grenada family. The hard drives of this family were sold very widely, and due to the high prevalence they were able to see them in many data recovery laboratories. Not only by us, but also by many other laboratories, the fact was recorded that upon failure of the family of this family, they often end up with severely damaged BMG and washed down plates.
rice 2
In fig. Figure 2 shows a typical case of destruction of plate surfaces, and pollution in hard-to-reach places is also shown. No matter how difficult it is, it is strongly recommended to remove this dust before opening the drive, since at the opening part of it must fall into the HDA.
The causes of this phenomenon worried many. Numerous versions were put forward, some sounded quite convincingly. For example, one of the most common versions, published on Habrahabr " If Seagate was dusty ... ", said that the main reason for the onset of degradation processes was the ingress of dust due to an unsuitable seal between the terminal block and the BMG housing.
This version has flaws. When examining a considerable number of drives of this family with damage at different stages, a loose seal of the seal between the contact block and the hard disk case is not confirmed. In situations where the destruction has just begun, an incomplete failure of one or several heads has occurred, but the final destruction of the plates (gash) has not yet occurred, there are no signs of dust under this compactor, which makes the version questionable. Also, the fact that the destruction does not always start from the zero head does not fit in with this version, although it would be logical for the zero head and the surface of the plate to be degraded in the first place if dust gets from the bottom of the drive. More precisely, the degradation processes on the zero head begin no more often than the degradation processes on the remaining heads.
Modern drives are able to control the height of the flight of the sliders above the surface of the plates by means of a heating element and Seagate Grenada is no exception.
rice 3 (drawing borrowed from a public document)
Analysis of the system of dynamic flight altitude change (DFH) shows that under certain conditions it is possible to obtain a contact of the slider with the surface, which ultimately provokes the onset of degradation processes.
Based on this analysis, it is also possible to give a recommendation in no way to change the boards between the drives of this family without transferring the ROM, since attempts to start with another board (with other adaptive parameters in the ROM) can lead to the contact of the sliders with the surface of the plates. Especially in Seagate F3 architecture drives, attempts to start with a foreign ROM are doomed to failure.
When we see that Seagate Grenada arrives to us, who, according to the client, started tapping, we begin the diagnostic measures with dust removal of the drive and opening in a laminar box. Remove the BMG filter air recycling and carefully examine under the microscope.
In our case, there was no pronounced damage to the plates, the air recirculation filter did not contain signs of metal particles, the problem was produced by barely noticeable scratches on the slider No. 2. The rest of the sliders did not have any visible damage even at a high magnification. Unfortunately, the capabilities of a microscope camera inserted in place of one of the eyepieces are not enough to show subtle damage to the slider.
Knowing the risks of lavion-like destruction of the plate surface when attempting to read the surface over which a damaged slider is detected, we decide to physically remove the damaged slider and suspension from the BMG. An attempt to use the original BMG is undertaken with the aim of reading the remaining zones with serviceable original heads, since the adaptive parameters of the drive are ideal for them. Obtaining sustained reading by donor heads is not always possible.
We perform the procedure for collecting the drive with one physically removed slider and suspension. Since in the physical absence of one of the heads, the drive will not be able to undergo the calibration procedure, it is necessary to modify the head map in the ROM in order to bypass the calibration step on the head No. 2. To do this, we change the head map in ROM 0, 1, 2, 3, 4, 5 to 0, 1, 1.3, 4, 5. Before writing the modified ROM, we will create several backup copies of the original one with a mandatory comparison of the reading results previous.
With a modified ROM, this drive went into readiness without unnecessary disturbing sounds.
rice four
We make changes to the settings of the drive in RAM: disable all procedures for offline scanning and auto reallocation when reading and writing. We check the ability of these heads to record on a module that is not used by the drive during operation. Making sure that this procedure worked without any complaints, we modify the parameters module so that with further restarts of the drive, unwanted procedures do not start.
We read the contents of sector 0 and find someone's omission there. On a 3 TB disk with a sector emulation of 512 bytes, the classic partition table was used instead of the GPT . There are three sections on the disk.
rice 5 - Partition table
The first NTFS partition (0x07) has an active status and starts from 0x00000800 (2048) sectors, size 0x00032000 (204,800) sectors.
The second NTFS partition (0x07) starts with 0x00032800 (206,848) sectors, size 0x06175800 (102,193,152) sectors.
The third NTFS partition (0x07) begins with 0x061A8000 (102,400,000) sectors, size 0xF9E58000 (4,192,567,296) sectors.
Let's look in the sector 0x100000000 (4,294,967,296). It is completely filled with zeros, there are no signs of the partition table or the boot sector of the partition.
It can be preliminarily concluded that this disk was used only within the boundaries of the first 2TB, the remaining 794.52 GB were not used during the operation.
We create the task of sector-by-sector copying in Data Extractor, build the zone distribution map without taking into account the zones of head 2, since there is no head itself, and instead there is a snag in the map.
rice 6 - Mini Zone Map
The reading process goes without any difficulties, and within several passes we get 4,846 xxx xxx sectors from 5,860,533,160. Unread on 0, 1, 3, 4, 5 heads after 72 readings, 72 sectors are left (36Kb), and all they are concentrated on the surface readable head â„–5. Given that the reading was stable, all zones after the 4,294,967,296 sectors were read. The assumption that the disk was partially not used was confirmed.
Based on the analysis of fragments of the read file systems in the second and third sections, their roles were established. The second section played the role of the system disk, and user data was missing there. In the third section, on the contrary, there were only user data in the form of a file database of patient images.
For a full reading, we need to transplant donor BMH. Considering that this is a Seagate Grenada, we are selecting a donor among similar drives belonging to this family, with the same revision of the switch preamplifier and close adaptive parameters. ST3000NC002, ST3000DM001 are members of the same family. Having picked up the suitable donor, we will execute transplantation of BMG.
rice 7
We write in the winchester patient ROM with the original card heads back. When powering, we hear a little uncertain passing of the calibration test, but, nevertheless, the firmware is loaded and the translation system is initialized. We test the ability to read the head number 2 in areas of different density. Making sure that the reading is present in different zones, proceed to the reading of user data.
View the contents of the boot sector of the third section.
rice 8 - NTFS boot sector
At offset 0x0B is located WORD 0x0200, which means that the sector size is 512 bytes.
BYTE 0x08 is located at offset 0x0D, which means that in one cluster there are 8 sectors, the cluster size is calculated by multiplying the sector size by the number of sectors in the cluster, that is, 0x0200 * 0x08 = 0x1000 (4096) bytes.
At offset 0x30 is located QWORD 0x00000000000C0000 (786 432) it indicates the number of the first MFT cluster.
Analyze the first MFT record, build the MFT chain map of the third section and read the missing fragments. The MFT was read successfully, which allows you to send the drive to sleep mode and conduct a full analysis of the file system on the copy in order to be able to build a map of the location of the necessary data. Reading everything in a similar situation is too much luxury, as there are risks that further degradation will continue when reading the damaged surface.
Based on the analysis data, we build chains of the location of the necessary files on the head No. 2 and combine their chains, which are located within the boundaries of one mini-zone. After this action a little extra data will be added, the reading of which is not specified in the technical task. But this approach will allow to skip the entire mini-zone in case of detection of unstable behavior, which increases the chances of successfully subtracting more data.
This is followed by the stages of localization of large defects on the surface readable by head number 2, and reading with the omission of the most problematic areas. Zones with a large content of defects are read in the last place, since their reading is associated with the risks of the final degradation of the drive without further possibility of reading data.
For two days with constant changes in the reading scenarios, it is possible to complete the subtraction by more than 99.9% of the necessary chains, and this is where the positive dynamics stops, and a gash appears on the defective areas, similar to that in fig. 2
rice 9 - View washed down under a microscope
Unfortunately, there were no other reading options, it was the last chance to read at least one of the damaged areas. When generating a report on files located in problem areas, we see a relatively good picture: out of more than 198,000 files, a little less than 2,000 remain unread. But, moving away from dry numbers, which report about 98.9% of the result, comes the realization that these fewer than 2,000 files cost several hundred living people, whose results of a visit to the x-ray room have faded into oblivion due to petty savings. I'd like to believe that the lost results were not critically important, and their loss did not affect someone’s life.
When issuing this information, the system administrator was consulted on how to monitor the status of hard drives. Drives like this do not degrade in an instant. If you regularly check SMART readings, monitor at least the required minimum of attributes , and not wait for the drive to report “SMART status - BAD” to the command 0xB0 0xDA, then in most cases you will notice an impending threat and take timely action. Of course, there are other problems that are developing much more rapidly, and regular monitoring of SMART indicators will not help. Given the likelihood of adverse events, it is worthwhile to think carefully about the backup system, and control of its work should not be carried out only by a single system administrator.
I would like to hope that after this incident in this hospital, at least something will change in the policy of storing patient data, and such situations will not happen again.
Previous publication: Administrator's Sin or Data Recovery from Knocking Western Digital WD5000AAKX HDD
Source: https://habr.com/ru/post/332004/
All Articles