FAQ
General
What is the advantage of using Atola Insight Forensic compared to other forensic imagers?
We produce the only solution that is specifically designed to support damaged media.
Our users usually start with automatic diagnostics of an evidence drive. It takes a couple of minutes yet saves a lot of time and energy. It detects drive issues such as PCB instability, problems with the motor, a short circuit, firmware errors, degraded or even non-working heads, and physical media surface damage. Afterward, you can decide what to do next with the evidence drive.
Even if you work with a severely damaged source device, the imaging engine enables you to:
- disable damaged heads
- automatically overcome much more serious problems than the so-called ‘software bad sectors’
- track drive state before, during and after imaging
- have every imaging event logged in a forensically sound manner
Atola Insight has file recovery integrated with imaging. By browsing the target image directory tree, you can always see which source file sectors are bad sectors or even were read with the ReadLong ATA command (without ECC).
Last but not least, Atola Insight Forensic can clear any unknown ATA password from the hard disk drive in just a minute.
What are the advantages of Atola Insight Forensic compared to software data recovery tools?
There is a range of advantages. Let’s take ddrescue for example. Here are some of the functions that Atola Insight Forensic provides and that ddrescue lacks:
- For Insight, we have developed a functionality that specifically helps image freezing damaged drives.
- Insight’s diagnostics function identifies damaged heads, while advanced imaging settings allow head selection to perform imaging in a fast and, most importantly, cautious manner to avoid causing further damage to the evidence drive.
- Insight can image to multiple targets at the same time, both hard drives and files.
- Forensic procedures require hash calculation to be a part of the acquisition process. Insight has a very flexible hash calculation functionality: it can simultaneously calculate MD5 and SHA hashes of the source before, during or after imaging, and the target drive’s hash can be calculated in conjunction with imaging or as a separate action. Additionally, Insight has the segmented hashing feature, which can verify an image of a damaged drive, which is impossible with a standard linear hashing.
- Built-in write protection.
- Insight’s in-depth diagnostics helps identify the drive status and, based on that, the right way to handle the drive for successful data acquisition.
- Insight’s overcurrent protection detects when the hard drive draws an abnormal current and stops the hard drive to prevent any further damage to the system and the drive.
- Insight’s automatic password removal function can extract an unknown ATA password and unlock the drive in under 2 minutes with just a few mouse clicks.
- Locate Sectors finds the exact location of specific sectors and detects which files and partitions they belong to. On top of that, it gives you a list of files that were impacted by bad sectors.
These are just some of the key features that Insight has to offer. For more details, see the full product overview.
What are the PC requirements for Atola Insight Forensic?
Atola Insight Forensic software requires a Windows PC. More details are available in the Atola Insight Forensic Manual
Does Insight utilize BIOS and/or Operating System functions in the hardware unit to image data?
Insight's hardware runs a Linux OS with a highly-customized and fine-tuned kernel that allows blocking all BIOS and standard Linux I/O operations for the lowest-level control for SATA, USB and IDE ports.
Does Insight image mobile phones, tablets, IoT devices, etc.?
Atola products are designed to handle HDDs, SSDs and other detachable media. We never developed our systems to support mobile devices like phones or tablets. This approach allows us to be the best at handling the media we focus on and progress fast in developing high-performance imaging and innovative features for our customers.
Does Insight repair damaged drives?
Insight can handle damaged drives with varying degrees of success depending on the severity and type of damage, namely:
- Degraded or damaged head
- Drive freeze after reading attempt
- Scratches on the media surface
- Firmware issues
- Magnetic layer wear-out
- Bad sectors (ECC)
Insight is equipped with various functionality for damaged media:
- Automatic checkup to identify the damage
- Complex multipass imaging algorithms
- Disabling damaged heads for faster and safer imaging
- Control of read look-ahead and other device features
- Calculation of segmented hashes for image verification
- Reset and power cycle commands for imaging of freezing drives
- Overcurrent and short-curcuit protection
- Bad sector recovery for sectors with damaged ECC field
However, the system does not perform drive repair. We advise that a drive's hardware-related problems are forwarded to data recovery labs.
Is Atola planning to discontinue the support of DiskSense units (manufactured between 2014 and 2021)?
Both Atola TaskForce and Atola Insight Forensic are in high demand and have strong user bases. We are not planning to discontinue either of these imaging systems. We have a few years’ worth of new exciting features planned for both systems.
DiskSense hardware units (the first generation of hardware for Atola Insight Forensic imager) will continue to be supported in the foreseeable future and will include the same features as the new, higher-capacity DiskSense 2 hardware units.
We at Atola stand by our products. Remember that your system is covered by a lifetime warranty for as long as you keep your subscription active. The subscription’s other benefits include software updates and fast and effective support from our team of engineers who develop the software and know all the ins and outs of the product.
Imaging and performance
Does write protection work for SATA source drives only?
Write protection works for all source ports: SATA, IDE, USB & extensions.
How do I image an NVMe drive?
Use the M.2 extension module.
How do I image a drive soldered into a laptop?
Insight supports imaging of specific models of MacBooks Pro and Air released in 2016-2017. Here is an article in the manual explaining how to image them using a Thunderbolt extension.
Other than that, Insight does not support remote imaging from a laptop. The product is based on a low-level native IO, which requires that the source drive is plugged into it. The easiest way to image a laptop's soldered-in SSD is to create a boot drive with a forensic boot image with a tool available in the market.
How do I image to split (segmented) raw files?
Segmented imaging into RAW files is supported. You can split the image into segments (chunks) at the home page of the target image port. Follow these step-by-step instructions:
- In the sidebar, click Imaging.
- Click Create New Session.
- In the Target device selection window, click Create image file.
- Click the Select button.
- On the top port panel, select the Image file port.
- Click Edit file options.
- Change Chunk size to a preferred value in the combobox.
- On the top port panel, select the Source port.
- Click the Start Imaging button.
What is the difference between a standard IMG and a preallocated IMGP image file created?
IMGP file contents are identical to those of an IMG file: it is the same raw bit-to-bit source copy. The only difference is that Insight preallocates space within an IMGP file filling it with zeros until the last LBA so that the IMGP file is the same size as the source even before the imaging has begun.
IMGP file is the way to claim the space on a target media. Our customers use it when they have a remote server storing all image files of organization. When image file grows to its final size, it is guaranteed that there will not be a lack of space.
To mount it to any other forensic software, one can just change IMGP target file image extension to .img, .dd, .raw or any other file extensions they want.
To continue working with an IMGP file in Insight after changing extension, one must edit the image file extension back to .imgp.
When should I use All sectors with data and All sectors with metadata imaging options?
These options define the scope of imaging.
All sectors with data is used to image only the sectors belonging to files of all detected partitions. The exception is partitions that Insight cannot parse (rare types, e.g. UFS, ReiserFS), which will be imaged in their entirety.
All sectors with metadata results in a complete directory tree with files without the file data. Partitions store metadata in specific structures (e.g. $MFT for NTFS). Metadata includes file name, access/modification timestamps, attributes and the exact sector numbers of the corresponding file data.
This screencast explains how to make use of metadata imaging.
How do I create or format an NTFS partition on a target drive?
Insight supports creating exFAT partitions (including encrypted ones) on target drives for subsequent imaging to files stored on it. However, we have not supported the creation or formatting of NTFS partitions.
How do I make sure Target HEX Viewer does not save any data on persistent storage?
Here is how Target HEX Viewer internals work. It has two modes:
1. Automatic refresh is performed when Freeze checkbox is inactive. Every time a block of data is imaged, one sector of this block is sent to Windows software via Ethernet. Insight's software receives the sector and shows it in Target HEX Viewer wiping the previous one. So it executes an automatic refresh on-the-fly and does not save any data on persistent storage, i.e. hard drive.
2. Manual Read Sectors can only be run by clicking on the Read Sector... button. It will initiate reading a specified sector from one of target devices. Then the read sector resides only in RAM for a time interval while it is being shown in the Target HEX Viewer. Similarly to the Automatic refresh, no data is saved on any persistent storage during manual read sectors.
How do I decrypt a BitLocker volume in Insight?
For the time being, Insight supports only decryption of APFS partitions with a known password or recovery key.
As for BitLocker partitions, Insight detects BitLocker volumes and displays its GUID and type during imaging and diagnostics. While imaging, Insight immediately adds a log record with the start LBA of a BitLocker volume when encounters it.
How much variation is there in data transfer speed during imaging?
Insight can reach speeds up to 500 MB/sec, but the speed may be as slow as 50 MB/sec (3 GB per minute) when working with older or slower HDD models.
Does Insight always image at the max speeds listed on this website?
The max speeds have been lab-tested for accuracy on modern storage devices.
The speed of imaging always depends on the native speed of the individual devices used in the process. During the drive-to-drive imaging, the slower device will determine the actual data transfer rate because one drive can only receive data as fast as the other can send it, and vice versa. When imaging to or from the network, another potential bottleneck is the bandwidth.
How do I achieve the best performance when imaging to the network?
To avoid potential bottlenecks, make sure of the following:
- The network switch supports 10Gbit Ethernet and is configured correctly (if Insight is not connected to a PC directly).
- All the network cables are 5e category or higher.
- For maximum performance, connect Insight to PC's Ethernet adapter without intermediate network switches.
Other things that could affect transfer speeds are network adapter drivers, motherboard drivers, antivirus software and so on. However, complying with the rules above is enough for most cases.
How do I verify the data transfer rate from Insight to the network?
Follow these steps:
- Launch Atola Insight Forensic software.
- Connect a fast SSD (e.g. Samsung 860 PRO/EVO or any other that can image at 500+ MB/sec) to SATA Source port of the DiskSense unit.
- Go to Imaging and select the Imaging to File option.
- In the file selection dialog, enter null file name. This special file name will make Insight read the source at the highest possible speed and skip writing, so that target write speed does not affect the measurement, while data is still transferred through Ethernet.
- Start imaging.
If everything is working properly, the speeds will be between 50 MB/s and up to 500 MB/sec depending on the native speed of the source drive.
Damaged media & File recovery
You claim that Atola Insight Forensic is capable of imaging even bad drives. What does a bad drive mean?
By bad drives, we imply various types of drive issues, namely:
- Scratches on the media surface
- Magnetic layer wear-out
- Degraded or even non-working head
- Drive freeze after reading attempt
- Firmware issues
- Bad sectors
- Short circuit on PCB
How exactly does the Atola Insight imaging process cope with damaged drives?
We have two goals here when dealing with severely damaged source drives:
- Get as much data as possible.
- Decrease the number of failed read attempts to finish imaging with a still-alive evidence drive.
Atola Insight Forensic uses a fast imaging map, thereby enabling us to run the whole process in multiple passes. The tool uses large blocks with short time-outs on the first few passes and then smaller blocks with longer time-outs on the last pass to image the tough areas. This provides the best possible results in the shortest amount of time.
Atola Insight’s ability to disable damaged heads can save your evidence! Other imagers cause further damage to the media during such imaging.
Imagine having seven of eight good heads. You can image data with all of them except the damaged one. Afterward, you can begin analysis of 87% of the acquired data and at the same time try to replace the damaged head. A physical head swap is always a risky endeavor.
The imaging engine contains many automatic rules. For example, it resets or power-cycles the device when a source drive freezes. It can apply a reverse imaging direction in particular cases. Here is something useful when dealing with damaged evidence: Two imaging reports are created before and after the process. Both include not only the imaging information but also SMART tables, thus enabling you to see what happened to the source drive during the process.
Learn more in these articles:
- Multipass imaging of damaged drives
- Imaging drives with damaged heads
- Imaging freezing damaged drives
- Imaging a shorted drive
Does Insight support damaged SSD drives?
Atola Insight Forensic does support damaged SSDs. It can automatically diagnose SSDs very well, creating a nicely designed and well-thought report. Surely Insight's imaging will get any data that is readable from solid-state drives using multipass and read error recovery subsystems. It's fair to say you receive pretty much the same functionality as with standard HDDs. The only exception: unknown password removal and firmware recovery are not supported for SSDs.
In addition to that, Insight Forensic allows working with the custom PCIe SSDs from Apple MacBooks. It works fast via proprietary Atola extension.
Can Atola imagers acquire evidence from damaged SSDs?
As is true with any type of media, the degree of damage will inform how we can help with data recovery from a specific device. SSD failures fall into three major categories: logical errors, hardware issues, and firmware failure.
Atola imagers may be able to image data from an SSD with logical errors or hardware issues (e.g. NAND flash wear-out) using our multipass imaging system. A good predictor of success can be the Media Scan stage of the diagnostics process.
What is the success rate of File recovery?
You can recover up to 100% of files imaged with Insight only if the internal file system structure has been successfully imaged. Follow these steps:
- Select an acquired image on the Target port.
- Go to File Recovery.
- Try to open all the imaged partitions.
- If partitions do not open, use special DR software to recover the files (e.g. R-Studio).
- If the partitions do open, you have two options:
- Select and recover all files. Then use the Create file list button to generate a list of partially imaged files.
- Alternatively, manually select all files with 100% values in Copied column. Some hints for you:
- By sorting the files in Copied column you can group 100% of imaged files from a specific directory.
- Selection of multiple objects is available.
Can you recover data from a deleted file?
Even if a user deletes a file from a computer or even the Recycle Bin, it does not mean that all file data has been erased from the drive. While the record of the file in the filesystem has been removed, the data from the file remain in the sectors to which it had been recorded.
However, over time, the old data may be overwritten with new files and their data. Therefore the more the drive is being used, the less probability there is that data from a deleted file remains intact.
Here is how Insight can help you in retrieving this data:
If you know any details from the file contents, search for the keywords or other artifacts in Insight’s Artifact Finder. Unlike most other forensic analysis tools, Insight’s Artifact Finder parses data not on the file system level but on the sector level. This gives you the advantage of finding data from deleted files.
The File Recovery module includes the capability to recover deleted files in these file systems: NTFS (all versions), FAT16, FAT32, HFS, HFS+, HFSX.
Modern SSDs wipe the sectors belonging to the deleted files at the command of an operating system (Windows, Linux, MacOS) shortly after the files have been deleted:
- The operating system sends the Trim command to the sectors belonging to the deleted files.
- The SSD controller decides when to wipe them.
- The trimmed sectors are replaced by new ones from the over-provisioning zone.
- Trimmed sectors are then shortly used for new data.
This means that SSDs provide a much lesser chance of recovering such data from deleted files.
How do I identify which of the imaged files contain bad sectors?
- Select the target device or image file. Alternatively, on the Imaging results screen, click Analyze target image button.
- Go to File Recovery and open the partition.
- Click Create file list and select All files.
- Select Files that were partially imaged and click Create for the list to be saved in .CSV file.
NB If the imaging session was interrupted or the range of sectors scheduled for the session did not cover the whole partition (and therefore some of the files), the list of partially imaged files may contain both files with bad sectors and those not covered by the imaging session.
How do I find where the bad sectors are located within a file?
When imaging, Insight automatically creates a Media Map that reflects the status of all sectors imaged during a given session, namely:
- imaged sectors
- unimaged sectors (with errors or those beyond the imaged range)
- sectors imaged without ECC
To look up the Media Map:
- In the Imaging results screen, click Analyze target image button. Or select the target device or file.
- Go to File Recovery and open the partition.
- By clicking the individual files, look up an individual File Map and see which of the sectors have or have not been successfully imaged.
When coming across bad sectors on the source drive in the course of imaging, how does Insight deal with the corresponding sectors on the target drive?
Such sectors can be either left alone (skipped) or filled with a pattern. The default pattern that is used to fill the sectors that are not readable is 00. However, it is possible to enter any other pattern or even load the pattern (of any length) from a file. To use this option:
- Go to Imaging > Create New Session.
- Select your target device.
- On the imaging settings screen, in the Preset section, click the Show settings link.
- On the Error handling tab, select the Fill unreadable sectors with the following pattern (HEX) option.
- Leave the default pattern as it is or enter/upload a new one.
- To make this new pattern the default one, click the Save settings button. Or, should it not be the case, simply click the Start imaging button.
Does Insight support mounting of a damaged APFS partition?
Partition search in Insight is quite advanced; it is more than just looking into MBR/GPT records and involves our unique heuristic algorithm.
It means that Insight should be able to find a partition, and the partition should not be damaged. For cases of damaged partitions, our customers use forensic software that performs file carving or DR software (e.g. R-Studio).
The only File Recovery functionality that works when there is data missing, is finding deleted files in several partition types including NTFS, HFS, FAT.
How do I compare the files on a source and a target using their hashes?
To compare the files on the two devices:
- Select the Source device.
- In the sidebar, go to File Recovery.
- Click Hash all files.
- If the hash column is missing, it can be enabled in Preferences > File Recovery.
- Select all the files.
- Click Create file list and select All files.
- Select Show file hash option.
- Repeat steps 1-5 for the target drive.
In the end, you get two complete file lists and can compare them using third-party software, for example Compare++.
How do I use black and white hash lists to filter data?
Watch this screencast about using hash lists in Insight.
For the full step-by-step guidance, see Hash lists to filter good & bad files.
Also, you can find two use cases in White/Black hash lists section in our blog.
When should I use reverse imaging option and is there a downside to it?
Normally, reverse imaging is beneficial when there is a spot/scratch resulting in a number of bad sectors on the surface area. Reverse imaging (from the inner to the outer tracks) on one of the imaging passes helps you narrow down the bad area faster. It also allows getting more data from the good areas of the drive before entering the damaged zone and digging into it to retrieve data.
As for the downsides, reverse imaging leads to a speed decrease because HDD's heads have to make additional moves to perform it, and caching is impossible.
How do I change timeout in the imaging settings on-the-fly?
Changing timeout is only possible when you are creating a new session. Here is how to go around it:
- Pause the current imaging session by clicking the Pause button.
- Click the Add New Session link.
- Open imaging settings and change timeout of the following pass(es).
NB The new imaging session will complement the previous one and will only attempt retrieving data from the sectors that have not yet been copied.
Some of the imaging pass settings can be adjusted on the fly: e.g. enabling reverse imaging on the following pass.
How do I look up a drive's G-List with Insight?
Firmware recovery has not been our focus for many years now; therefore Insight has a limited firmware recovery functionality. While some models may give out information about the G-List (see 3. Full firmware access), G-List is not a kind of information you automatically see on the screen. You would need to manually find G-List among firmware modules, which requires a certain level of data recovery knowledge.
Diagnostics
How does diagnostics work and how accurate is it?
The automatic diagnostic function applies a sophisticated system that analyzes electrical currents as they enter and leave the hard drive, examines the hard drive’s responsiveness to low-level commands and incorporates firmware information (if it is accessible). Our studies had shown that this approach is accurate in pinpointing malfunctions in at least 95% cases.
How do I analyze electrical currents from the oscilloscope if I received no training?
Some data from the oscilloscope is straightforward to understand (for example, when HDD power fails, the lines go flat). Users can learn to understand more complex oscilloscope information by seeking advice from other data recovery technicians, seeking professional training, or simply through gaining experience in the field.
While current monitoring technology plays an important role in the Insight’s operation, no specific skills are required because the system performs current analysis automatically.
How does Insight detect the capacity of hybrid drives?
There are two types of hybrid drives.
- Dual-drive hybrid systems. In this case, Insight shows the total capacity, which is a sum of the volumes of both drives. All sectors are addressable and readable.
- Solid-state hybrid drive (SSHD). For such drives, Insight detects and displays only the capacity of the HDD because the internal SSD is designed to be inaccessible without SSD chip off. Hybrid drives of this type use NAND memory (small SSD) for cache. The cached data resides in both the HDD and the NAND chip. What is cached and how it is cached depends on the drive model and its firmware's algorithms.
Can RAID arrays be diagnosed as a single HDD?
Insight can diagnose only the drives that are directly connected to the hardware unit. Hard drives from RAID arrays must be diagnosed and recovered individually.
Atola TaskForce is capable of automated assembly RAID drives in a single virtual device even when RAID configuration is unknown.
Why is there a difference in the quantity of errors and performance between Media Scan and Imaging?
The short explanation: Imaging uses different commands and level of reading thoroughness rather than Media Scan.
Imaging reads data and sends it over data cable (SATA, PATA, USB). At the same time, Media Scan utilizes low-level Verify command that checks a block of sectors for an error with no data transfer involved.
The two operations are not equally thorough. Media Scan verifies drive surface block by block (2048 sectors per block). It does not dig in searching for specific bad sectors in a 2048-sector error block.
As opposed to that, the imaging engine has a goal to image as much data as possible. The multipass system is used during imaging.
However, if linear hashing is enabled, imaging switches to one pass with a 4096-sector block size by default using this algorithm:
- Read 4096 sectors.
- If a read error occurs, re-read the sector range using 256-sector block.
- Read the first 256 of 4096 sectors.
- If there is a read error, re-read 256-sector range sector by sector.
- Read the first sector of 256 (of 4096).
Hashing
How do I calculate hash during imaging and do I need to use both linear and segmented hashing
Hashing is disabled in the default settings. Select the Hash source during imaging option in the Default (5 passes) preset.
Here are the guides about calculating linear hash during imaging and segmented hashing.
Segmented hashing is the only tried and proven way to verify an image of a damaged source drive. Segmented hash can be calculated during a multipass imaging, which allows getting more data while covering all imaged intervals with a set of hashes, and this ability has proven crucial for our customers in courts.
Besides, with segmented hashing, image remains usable even if some of the data gets corrupt over time (due to people, other buggy software, hardware, power losses etc.): it allows you to identify the segment of data that got corrupt and continue using the good parts of the image.
Do courts of law accept segmented hashing as a proper way of verifying data?
Yes, segmented hashing has been a principle forensic examiners successfully follow in their work. This principle is well laid out in academic works and is also widely used in cryptography and secure data modification. Meanwhile, in digital forensics, several vendors who support AFF4 image files have adopted the same principle. Among them X-Ways, Magnet Axiom, GetData Forensic Explorer, Encase Forensic, etc.
Most importantly, with the forensic examiner’s proper understanding of the concept and ability to demonstrate it to the court, segmented hashing is as good a verification method as any.
How does hashing work in parallel with imaging?
When Insight images and calculates hash in parallel, here is how our imaging engine works:
- Read block A from source to RAM.
- Hash block A + Write block A to target + Read block B from source - all these three actions execute in parallel.
- Hash block B + Write block B to target + Read block C from source...
- and so on
Two important rules:
- If read block fails with error/timeout, the block is replaced by unreadable pattern (it can be set by the user).
- If write block fails, Insight stops imaging and reverts hash state one block backwards.
Fill/Erase
Why do I need to wipe/erase target before imaging data onto it?
Certain forensic evidence acquisition or data recovery scenarios require the target hard drive to be wiped/erased prior to imaging. It ensures that the software being used to recover files won’t extract old data that was previously on the destination HDD.
How does write verification work in Fill/Erase?
Here is how the algorithm used during the wiping process in Insight:
- 100 individual sectors selected evenly across the range are filled with verification pattern Atola Insight.
- The whole drive or a selected range of sectors on it are wiped applying the method selected by user (erase with pattern by default).
- the 100 sectors filled with Atola Insight during the first step are read to ensure that none of them contains the pattern.
How does SSD Trim work and does it wipe a drive completely?
SSD Trim doesn't instantly wipe sectors (NAND memory cells) of a drive. It instructs SSD's firmware which sectors can be wiped by marking them as 'dirty'.
Time of erasure of 'dirty' sectors depends on the SSD manufacturer and firmware. For instance, recent Samsung SSDs have a so-called foreground garbage collection. It wipes any erased file almost immediately thanks to a TRIM command proactively executed by the operating system. In older SSDs, trimmed sectors can remain intact for minutes or even hours.
The most secure way to erase an SSD entirely is using one of the following methods:
- Secure Erase - for SATA drives
- Format NVM - for NVMe drives
Case Management
How do I copy Insight database to another PC?
Yes, it is possible: Go to Cases > Export and select All cases. A single file will be generated, which can later be imported via Cases > Import.
How can I tell who worked with the drive if I am working on a previously created case?
You can open any operation performed with a hard drive by clicking on the corresponding link in the case history. In the report header, you can see which computer was used, and thus you can deduce which user worked on this phase of the case.
How do I add notes to the case history after a case was closed?
The quickest and easiest way is to open case history Cases > Search/Open and click Add note.
Can 2 hard drives share the same case number if they are related?
Yes, it is possible to assign the same case number to multiple hard drives. It helps keep track of hard drives related to the same investigation.
Device Recovery
Password Removal. How do hard drives become locked with ATA passwords?
ATA passwords can be set through computer’s BIOS or by using special products like the Insight.
Password Removal. Which hard drives is password removal supported for?
Automatic password removal works for most hard drives available on the market. For more details, see Supported drives.
Can Atola imagers retrieve data from water-damaged hard drives?
Depending on many factors, the impact on the drive can vary considerably. The kind of contact (it can range from sprinkles to complete submergence) and the duration of such impact and even the composition of the water (if there is residue in the form of salts). Additionally, the disk might have been damaged before the drowning, so water could not be the only problem.
Therefore, we recommend that you bring such drives to a cleanroom. At the cleanroom, engineers will perform drying, the initial damage assessment, repair, and cleaning. When drying, it's better to keep the temperature at a reasonable level, such as 100-200 Celsius. Do not heat the PCB to the point where the solder or plastic starts to melt.
Firmware Recovery. Which hard drive models does the Insight support firmware recovery for?
There are two ways in which Insight provides firmware recovery: by automatically repairing firmware and providing direct access to firmware files for manual repair.
Different sets of hard drive models are supported for each of these approaches due to differences in firmware design by the hard drive manufacturers. For a complete and up to date list of supported hard drive models for firmware recovery, see Supported drives.
Firmware Recovery. How commonly do modern hard dives experience firmware corruption?
Less than 10% of data recovery cases with modern hard drives involve firmware corruption. Occasionally, a manufacturer will release a hard drive with flawed firmware and data recovery labs will see a spike in firmware recovery jobs for a period of time.
Firmware Recovery. What is the difference between firmware files stored on the HDD platter and ROM/EEPROM/NVRAM?
This depends on the HDD manufacturer and hard drive model. Each hard drive has its own preferences for where firmware data is stored.