Device triage

From datarecoverywiki.com

Data Recovery Resources

Background information

Device triage is critical to ensure that you, as a data recovery technician, know exactly what you are working with, and that the device is not further damaged by your actions (whether through accident or incompetence).
If you are aware of the phrase "measure twice, cut once" then you are aware of the importance of triage. If you are not: it is better to spend more time looking at a problem than to rush in and make it worse. Because I am in the UK, the following is based on the UK Forensic Science Regulator (FSR).
Key sections of the FSR's Code of Practice (March 2023, Version 1) are:

  • FSA – DIG 100 - Data capture, processing and analysis from digital storage devices
  • Section 32.1.3 - Risk assessment of control over data
  • 108.1.1 - Technical records


Other relevant frameworks include:

  • ACPO Good practice guide section 2 - ACPO principles
  • ISO/IEC 17025:2017 - Testing and calibration laboratories
  • ISO/IEC 27001:2022 - Information security management

Triage steps

  • 1. Get Device
    • 1.1 Log it
    • 1.2 Photograph device condition/any damage
    • 1.3 Record make/model/serial info
    • 1.4 Tag device with internal tracking ID
  • 2. Damage Assessment
    • 2.1 Visual inspection
    • 2.2 Identify damage type: casing, port, power, water, etc.
    • 2.3 Is it safe to handle/turn on?
    • 2.4 What level of damage?
      • Minor/cosmetic – note and image drive
      • Unstable drive – note and use a drive stabiliser (e.g. Atola), image the important parts first (e.g. the files the client requested)
      • Storage inaccessible – note and try alternative methods (ISP, JTAG, external connector, chip off)
      • Severe damage (internal damage) – note and assess further in a clean environment (laminar flow hood, clean room)
  • 3. Risk Assessment
    • 3.1 Will powering on cause further damage?
      • 3.1.1 Yes – note and avoid powering on until repaired
      • 3.1.2 No – note and proceed to disk imaging
  • 4. Repair Disk (start with the simplest fixes first)
    • 4.1 PCB/connector repair
    • 4.2 JTAG, ISP, chip off
    • 4.3 Internal repairs (head swap, platter swap, spindle motor swap)
  • 5. Image Disk (if possible)
    • 5.1 Image the areas with critical data first (user data, not OS settings)
    • 5.2 Verify the data was extracted correctly (checksums)
    • 5.3 Note what was recovered (if anything)
  • 6. Verification and Report Writing
    • 6.1 Verify the correct data was extracted
    • 6.2 Write a report on the process (what the issue was, techniques used, what data (if any) was recovered)
  • 7. Packaging and Shipping
    • 7.1 Photograph and document the disk/data prior to shipping
    • 7.2 Photograph how it is packaged
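The steps above can be recorded and partly automated. The following Python script is an added example, not tooling from datarecoverywiki.com: it builds a technical record for a received device (steps 1.1 to 1.4 and 2.2 to 2.4), derives the power-on decision of step 3.1 from the damage level, and verifies an image against the checksum recorded at capture (step 5.2). The damage levels and next actions mirror the page; the record layout, function names and sample values are assumptions made for the example.

```python
"""Triage record and image verification helper.

Added example for the triage steps on this page; not tooling from
datarecoverywiki.com. Damage levels and next actions follow steps 2.4
and 3.1; the record layout, function names and sample values are
assumptions made for the example.
"""
import hashlib
import json
from dataclasses import dataclass, field, asdict
from datetime import datetime, timezone

# damage level -> (safe to power on, next action), following steps 2.4 and 3.1
DAMAGE_ACTIONS = {
    "minor": (True, "note and image drive"),
    "unstable": (True, "note, use a drive stabiliser and image the client-requested files first"),
    "inaccessible": (False, "note and try alternative methods (ISP, JTAG, external connector, chip off)"),
    "severe": (False, "note and assess further in a clean environment"),
}


@dataclass
class TriageRecord:
    """Steps 1.1 to 1.4 and 2.x: what was received and what damage was found."""
    tracking_id: str                 # internal tracking ID (step 1.4)
    make: str
    model: str
    serial: str
    damage_types: list               # e.g. ["casing", "port"] (step 2.2)
    damage_level: str                # key of DAMAGE_ACTIONS (step 2.4)
    photos: list = field(default_factory=list)  # condition photo filenames (step 1.2)
    logged_at: str = field(
        default_factory=lambda: datetime.now(timezone.utc).isoformat())

    def __post_init__(self):
        if self.damage_level not in DAMAGE_ACTIONS:
            raise ValueError(f"unknown damage level: {self.damage_level!r}")

    def power_on_allowed(self) -> bool:
        """Step 3.1: power on only when the damage level says it is safe."""
        return DAMAGE_ACTIONS[self.damage_level][0]

    def next_action(self) -> str:
        """Steps 3.1.1/3.1.2: the recommended next step for this record."""
        safe, action = DAMAGE_ACTIONS[self.damage_level]
        if safe:
            return action
        return "avoid powering on until repaired; " + action

    def to_json(self) -> str:
        """Technical record for the report (step 6.2), as JSON."""
        record = asdict(self)
        record["power_on_allowed"] = self.power_on_allowed()
        record["next_action"] = self.next_action()
        return json.dumps(record, indent=2, sort_keys=True)


def sha256_bytes(data: bytes) -> str:
    """Hash an in-memory image (used for the constructed sample below)."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hash an image file in chunks so multi-GB images do not need to fit in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_image(image: bytes, recorded_hash: str) -> bool:
    """Step 5.2: recompute the image hash and compare it with the hash recorded at capture."""
    return sha256_bytes(image) == recorded_hash.strip().lower()


if __name__ == "__main__":
    # constructed sample values, not a real device or image
    rec = TriageRecord("DR-0001", "ExampleMake", "ExampleModel", "SN-CONSTRUCTED",
                       damage_types=["port"], damage_level="unstable",
                       photos=["DR-0001_front.jpg"])
    print(rec.to_json())
    sample_image = b"\x00" * 4096 + b"client-data"
    recorded = sha256_bytes(sample_image)   # value stored when the image was taken
    print("image verifies:", verify_image(sample_image, recorded))
    print("tampered verifies:", verify_image(sample_image + b"!", recorded))
```

The record refuses unknown damage levels rather than guessing, so a technician has to classify the device before any power-on decision is derived from it; the hash recorded at capture time is what later verification compares against, so store it with the record, not only next to the image.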

What tools you will need

Items are not listed in any particular order

Required

  • Test

Optional but useful

  • Test

Step-by-step guide with images

Insert step-by-step walkthrough with images and summary text here

Flow chart of order of operations

Insert a flow chart of steps and actions for each task (create using diagram)

Troubleshooting/tips and tricks

Fixes to any common issues that were encountered or could be easily encountered

Related Topics

Topics such as desoldering for chip off or firmware dumping for disk PCB repairs

Further reading

External references in wiki references can just be cited through the keyword link