WEBVTT

00:00:00.400 --> 00:00:07.359
you'd never know it from the outside but in there through those doors is one of

00:00:04.560 --> 00:00:12.240
the world's oldest and most advanced data recovery companies drive savers

00:00:09.679 --> 00:00:18.160
headquarters here in novato california features almost a hundred employees

00:00:15.040 --> 00:00:19.920
almost that many security certifications

00:00:18.160 --> 00:00:26.480
and a 2 million iso 5 clean room

00:00:24.080 --> 00:00:31.519
and they sponsored us down here to have a close look at how it is they take

00:00:29.679 --> 00:00:37.559
this and turn it into this

00:00:34.079 --> 00:00:37.559
so let's go inside

00:00:46.079 --> 00:00:52.800
we're gonna kick things off in the museum uh

00:00:50.000 --> 00:00:57.520
as long as our escort says that that's okay

00:00:53.840 --> 00:00:59.199
security is a huge deal at drive savers

00:00:57.520 --> 00:01:04.559
not just on the outside of the building but also throughout it so guests get

00:01:01.920 --> 00:01:09.680
these incredible badges that actually change color over time eventually

00:01:06.960 --> 00:01:15.520
turning red so that anyone who sees it will know to kick me out or call the

00:01:12.080 --> 00:01:18.560
cops and everything in here is on a need

00:01:15.520 --> 00:01:21.119
to access basis with biometric security

00:01:18.560 --> 00:01:26.240
on secure spots and annual background checks for all staff members so these

00:01:23.759 --> 00:01:32.960
guys have recovered data from pretty much everything that you would normally

00:01:29.200 --> 00:01:35.280
think of hard drives phones laptops ssds

00:01:32.960 --> 00:01:39.840
and from a lot of things that you probably wouldn't think of

00:01:37.159 --> 00:01:45.360
defibrillators photocopy machines and even a tivo so the museum here contains

00:01:43.040 --> 00:01:49.600
many of their biggest success stories both in terms of the importance of the

00:01:47.520 --> 00:01:54.159
data that was recovered uh they once saved twisted sister's christmas album

00:01:51.759 --> 00:01:58.640
and 12 episodes of the simpsons including the conclusion of the who shot

00:01:56.000 --> 00:02:04.320
mr burns cliffhanger during a national contest to guess who did it

00:02:00.799 --> 00:02:07.280
and in terms of the difficulty so

00:02:04.320 --> 00:02:12.720
run over by an 18-wheeler check lit on fire check buried in a mudslide check

00:02:10.560 --> 00:02:17.200
that too this one that you're looking at right now was actually pulled from a

00:02:14.879 --> 00:02:22.720
sunken cruise ship after sitting underwater for two days it had the

00:02:19.840 --> 00:02:28.560
owner's memoirs successfully recovered from it now let's talk about how they do

00:02:25.599 --> 00:02:33.680
it consultation and in some cases even diagnosis with an analysis of what data

00:02:30.959 --> 00:02:37.519
they expect to get back is free so you send in your drive where shipping

00:02:35.440 --> 00:02:43.200
sorts it into a colored bin according to the priority of the job and the uh

00:02:40.239 --> 00:02:48.480
cleanliness of the drive or device and you might think to yourself oh come on

00:02:45.440 --> 00:02:50.800
it's a hard drive how dirty could it be

00:02:48.480 --> 00:02:55.440
but they've actually had to obtain a geiger counter to evaluate the

00:02:52.920 --> 00:03:00.239
radioactivity of drives coming out of nuclear disasters and through some of

00:02:57.920 --> 00:03:05.440
their forensics work they've even seen devices come through here that were

00:03:02.319 --> 00:03:08.239
found on murder victims one phone

00:03:05.440 --> 00:03:13.200
apparently had the camera element gouged out before being placed back on the

00:03:10.800 --> 00:03:18.159
victim's body in an apparent attempt to get rid of the photos

00:03:15.200 --> 00:03:22.319
so yeah drive savers got that back good work idiot hope prison's treating

00:03:20.000 --> 00:03:26.159
you well from shipping your bin travels to one of a few different places and

00:03:24.080 --> 00:03:31.440
we'll go through those in a minute but everything will eventually get the

00:03:28.480 --> 00:03:34.959
cloning treatment and that starts here drive savers keeps a huge inventory of

00:03:33.920 --> 00:03:38.720
spare wiped donor drives because you

00:03:36.959 --> 00:03:43.680
dramatically improve your chances of recovery if you're working with a bit

00:03:40.640 --> 00:03:46.239
for bit digital copy of your data set it

00:03:43.680 --> 00:03:49.680
gives you the time to analyze more than just

00:03:47.040 --> 00:03:54.480
what files were there and then dig into who accessed them when what did they do

00:03:53.280 --> 00:03:57.840
these kinds of things can be particularly important in cases of

00:03:56.480 --> 00:04:02.159
corporate intellectual property protection for example where there might

00:03:59.760 --> 00:04:06.720
have been some attempt to destroy data or cover up a data access

00:04:04.640 --> 00:04:11.280
the folks in this room also do the initial analysis of raid arrays using

00:04:09.360 --> 00:04:15.840
software tools like the one you're looking at here to rebuild the array

00:04:13.360 --> 00:04:20.880
logically and determine which drives are probably working fine versus which ones

00:04:18.160 --> 00:04:24.880
will likely need physical repairs before making a cloning attempt and they've got

00:04:22.800 --> 00:04:30.720
the hardware for everything from reconstructing a four drive home nas

00:04:27.759 --> 00:04:36.800
array to this over here this is a 45 drive jbod that's on standby waiting for

00:04:34.240 --> 00:04:40.560
i don't know maybe another 96 drive server that got gallons of water dumped

00:04:39.120 --> 00:04:44.560
on it due to a sprinkler system malfunction because yeah

00:04:42.800 --> 00:04:48.639
that was a thing that happened but as you saw in the museum a lot of the hard

00:04:46.960 --> 00:04:52.639
drives that come through here need a lot more than a little bit of software

00:04:50.479 --> 00:04:58.160
reconjiggering so welcome to

00:04:54.240 --> 00:05:00.080
the clean room or strictly speaking this

00:04:58.160 --> 00:05:04.000
is the inventory room and the clean room is on the other side of the glass but

00:05:01.600 --> 00:05:08.800
but this stuff's cool too in here they've got basically every hard drive

00:05:06.160 --> 00:05:13.600
you could imagine they've got two and a half inch they've got three and a half

00:05:10.960 --> 00:05:18.880
inch they've got uh the latest helium sealed drives and all the way from the

00:05:16.000 --> 00:05:23.520
latest to look at these clunkers i mean look at this this is called a

00:05:21.680 --> 00:05:30.240
miniscribe i guess you know relative to this guy

00:05:27.680 --> 00:05:33.759
it is pretty mini but basically the point is

00:05:31.520 --> 00:05:39.720
whatever the techs on the other side of the glass inside that iso 5 clean room

00:05:37.039 --> 00:05:45.280
so that is less than 100,000 0.1 micron particles per cubic meter

00:05:43.120 --> 00:05:48.880
10 000 times cleaner than a normal room whatever they need

00:05:46.960 --> 00:05:52.960
they put a request onto this little card it comes out here we load it up we fire

00:05:50.960 --> 00:05:58.080
it back in there and whether it's a brand new drive or an ancient one they

00:05:54.960 --> 00:06:01.280
start the process of rebuilding one

00:05:58.080 --> 00:06:03.600
working drive from the donor and the

00:06:01.280 --> 00:06:08.560
recipient now they did put away some of the proprietary equipment that they use

00:06:06.160 --> 00:06:14.080
for example they found a way to work on helium sealed drives which won't function

00:06:11.199 --> 00:06:16.960
at all in regular air that's seven times more dense and so they wouldn't show us

00:06:16.160 --> 00:06:21.600
like i don't know how they either reseal them

00:06:19.520 --> 00:06:27.919
or put them in a helium chamber or something but this place is still

00:06:24.240 --> 00:06:31.120
incredible so thanks to the 34 filtered

00:06:27.919 --> 00:06:33.680
fans air is circulated in here so

00:06:31.120 --> 00:06:39.039
quickly that it's not only clean but they can actually do soldering work

00:06:36.240 --> 00:06:42.080
anywhere in this room without disrupting anyone else's sensitive recovery

00:06:41.039 --> 00:06:47.520
operation incredible and

00:06:44.319 --> 00:06:50.720
an operation it is they actually agreed

00:06:47.520 --> 00:06:52.639
to let us do an actuator swap so stay

00:06:50.720 --> 00:06:56.720
tuned for that video because i'm super stoked for you guys to see it anyway for

00:06:54.560 --> 00:07:01.599
now let's continue our journey so then with the drive physically working

00:06:59.039 --> 00:07:05.039
i mean it's copying data they can just send it back to you right

00:07:04.000 --> 00:07:11.919
wrong so this guy right here is working but it

00:07:08.720 --> 00:07:14.160
is not reliable drive savers wouldn't be

00:07:11.919 --> 00:07:18.479
able to keep their warranty approved service status with every major hard

00:07:16.479 --> 00:07:22.960
drive vendor for very long if they pulled that kind of a stunt

00:07:20.560 --> 00:07:28.800
so the next step then is logical recovery where maybe not all but some of

00:07:26.319 --> 00:07:33.599
the data should be recoverable even in cases of severe physical damage like we

00:07:31.440 --> 00:07:38.160
saw downstairs in the museum and we're going to head over there but first we

00:07:35.680 --> 00:07:42.720
need to make a quick stopover in flash memory town now hard drive recovery is

00:07:41.360 --> 00:07:47.440
complicated flash memory

00:07:44.960 --> 00:07:52.880
well that's a whole other ball game son so what you're looking at here is raw

00:07:50.000 --> 00:07:57.919
ones and zeros off a flash chip so you can think of it kind of like a qr code

00:07:55.599 --> 00:08:03.360
except that there is no app for your phone to read it and making matters even

00:08:00.479 --> 00:08:07.440
more difficult this middle spare area part right here well that contains

00:08:05.680 --> 00:08:12.800
information about where the block numbers are where your ecc belongs etc

00:08:10.319 --> 00:08:18.479
really good stuff except oh wait that gets intentionally scrambled in many

00:08:15.120 --> 00:08:21.039
cases as a security measure so figuring

00:08:18.479 --> 00:08:25.520
out which bytes are bad and getting the whole thing to turn green takes a lot of

00:08:23.520 --> 00:08:30.319
knowledge and then to do it quickly takes years of experience and even

00:08:28.400 --> 00:08:35.760
getting it to that point isn't trivial in many cases flash memory chips require

00:08:33.120 --> 00:08:40.959
proprietary not to mention expensive readers and they come from devices that

00:08:39.039 --> 00:08:48.480
don't always want to give them up easily including everything from standard apple

00:08:43.839 --> 00:08:50.800
or m.2 ssds and computers to camcorders

00:08:48.480 --> 00:08:56.399
mp3 players like what year is it i know right and even bare flash chips that are

00:08:54.000 --> 00:08:59.680
soldered onto the motherboard like in some of the latest macbooks thank you

00:08:58.800 --> 00:09:05.440
apple and the craziest part is coming back to

00:09:02.399 --> 00:09:08.240
device security again on a device with a

00:09:05.440 --> 00:09:12.720
security module like an iphone for example so you can see in this footage

00:09:10.160 --> 00:09:17.760
they're taking apart an iphone 10 for us that might later be used as a known good

00:09:15.600 --> 00:09:24.000
for a customer recovery attempt you could actually need at least

00:09:21.200 --> 00:09:28.560
four components to even hope to pull data off of it the nand flash itself

00:09:26.800 --> 00:09:34.720
which needs to be desoldered from the board and the baseband ic the controller

00:09:32.720 --> 00:09:40.320
which you can actually see from this disassembled a8 chip actually sits under

00:09:37.839 --> 00:09:44.399
the RAM with contacts on the top and bottom

00:09:41.200 --> 00:09:46.320
and the rom so four parts which means

00:09:44.399 --> 00:09:52.640
that if you were to hope to pull data from a badly damaged one of these you

00:09:49.360 --> 00:09:55.760
would need to desolder clean re-ball and

00:09:52.640 --> 00:09:58.959
re-solder all of these four components

00:09:55.760 --> 00:10:00.640
successfully to a donor phone and did i

00:09:58.959 --> 00:10:07.120
mention by the way that even the couple generations old a8 processor already had

00:10:03.440 --> 00:10:09.040
1100 contact points so they apparently

00:10:07.120 --> 00:10:15.920
haven't attempted an operation like this with the 10 yet but they think that it

00:10:12.160 --> 00:10:15.920
might be possible

00:10:17.200 --> 00:10:25.839
finally we're in logical land now stuff without any physical damage to the hard

00:10:23.120 --> 00:10:29.360
drive itself may end up coming straight here like

00:10:27.040 --> 00:10:34.480
let's say for example you plug the wrong power supply into your external drive

00:10:31.760 --> 00:10:37.360
enclosure like this and it released all of its magic blue smoke

00:10:36.320 --> 00:10:43.360
pella he actually sent this drive to drive savers four years ago but ended up

00:10:41.680 --> 00:10:47.839
opting not to go forward with the recovery service so as you can see from

00:10:45.760 --> 00:10:52.560
what we pulled off of this drive it's clear that for some people it's not

00:10:50.720 --> 00:10:57.760
necessarily going to make sense necessarily to pay for data recovery if

00:10:56.000 --> 00:11:03.839
all you've got that's not backed up somewhere is clips from a

00:11:00.800 --> 00:11:05.920
chichen chang live concert with that

00:11:03.839 --> 00:11:10.959
said even around here at drive savers where their bread and butter is failed

00:11:08.480 --> 00:11:17.440
or corrupted devices they still absolutely preach

00:11:13.200 --> 00:11:20.800
the principles of data backup because

00:11:17.440 --> 00:11:23.519
the cold hard truth is even if you are

00:11:20.800 --> 00:11:29.760
an extremely skilled data recovery engineer there are still things that can

00:11:26.720 --> 00:11:31.839
take out your storage permanently so i

00:11:29.760 --> 00:11:36.720
think a perfect example of that is our host today mike ended up losing

00:11:34.720 --> 00:11:42.480
pretty much all of his data in the santa rosa fires so even though he's an

00:11:39.600 --> 00:11:47.680
executive here at drive savers there was nothing he would have been able to do

00:11:43.839 --> 00:11:48.880
about that if he hadn't had an off-site

00:11:47.680 --> 00:11:55.600
backup so at the end of the day that's the takeaway guys

00:11:52.720 --> 00:12:01.200
make backups of your data the 3-2-1 principle should never be ignored but in

00:11:58.240 --> 00:12:05.680
the event that something goes terribly wrong drive savers has got your back i

00:12:04.000 --> 00:12:08.720
want to thank them for making this video possible i want to thank you guys for

00:12:07.200 --> 00:12:14.399
watching and you can check out the link to drive savers in the video description

00:12:12.639 --> 00:12:20.240
yeah no no no i think i can i think i can do it no problem okay you get better

00:12:16.480 --> 00:12:20.240
angles okay
