Sunday, April 8, 2007

When things go wrong

I previously mentioned something about drives failing while in the possession of the examiner. I mentioned it not only as a theoretical warning, but as one brought about from experience.

While working on one incident last year I was acquiring some disk images, putting multiple images on one target disk - which is not an uncommon practice. After a couple of successful images were acquired and the originals were picked up, I was powering down my workstation and all of a sudden I started smelling burning electronics, followed quickly by a metallic chemical smell. If you don't know this smell, it's what happens when a capacitor explodes.

I took pictures of this occurrence for various reasons: one was to cover my butt and prove my procedure, the other was to eventually share the information. The time has come to share it.

First, a look at patient X - note the burned metal tray from my external case:

And a nice shot of the blown cap:

Like most normal people, I was a little annoyed that this had happened, let alone during an incident and with the only copies of the images on an unusable hard drive. However, all was not lost. I ordered a next-day replacement for the drive, a 500GB Seagate 7200.9 IDE from ZipZoomFly.

The first thing I did when the new drive arrived was make sure the date codes for the two drives were close.
06345 - the new drive
06257 - the dead drive

Those dates look pretty close, but what does that actually mean?

Date Code : YYWWD
* YY: fiscal year, beginning on the 1st Saturday of July YY-1
* WW: fiscal weeks from 1st Saturday of July YY-1
* D: days from the beginning of week WW (weeks run from Saturday to Friday)

The new drive was dated as 2006, wk 34, day 5.
The old drive was dated 2006, wk 25, day 7.
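
The date-code arithmetic above, as an added Python example (not from the original post): it converts a YYWWD code to a calendar date and reports how many days apart two drives were built. It assumes week 1 and day 1 are the first week and first day of the fiscal year (1-based counting) and that YY falls in the 2000s; the function names are illustrative.

```python
from datetime import date, timedelta


def fiscal_year_start(yy: int) -> date:
    """First Saturday of July in calendar year YY-1 (assumes 20YY)."""
    july1 = date(2000 + yy - 1, 7, 1)
    # date.weekday(): Monday=0 ... Saturday=5
    return july1 + timedelta(days=(5 - july1.weekday()) % 7)


def decode_date_code(code: str) -> date:
    """Convert a YYWWD date code to a calendar date.

    Assumption: WW and D are 1-based, so week 01 / day 1 is the
    first Saturday of July YY-1.
    """
    code = code.strip()
    if len(code) != 5 or not code.isdigit():
        raise ValueError(f"expected 5 digits (YYWWD), got {code!r}")
    yy, ww, d = int(code[:2]), int(code[2:4]), int(code[4])
    if not 1 <= ww <= 53:
        raise ValueError(f"week out of range in {code!r}")
    if not 1 <= d <= 7:
        raise ValueError(f"day out of range in {code!r}")
    return fiscal_year_start(yy) + timedelta(weeks=ww - 1, days=d - 1)


def days_apart(code_a: str, code_b: str) -> int:
    """Absolute number of days between two date codes."""
    return abs((decode_date_code(code_a) - decode_date_code(code_b)).days)


if __name__ == "__main__":
    # The two codes quoted in the post.
    for label, code in (("new drive", "06345"), ("dead drive", "06257")):
        print(f"{label}: {code} -> {decode_date_code(code).isoformat()}")
    print("days apart:", days_apart("06345", "06257"))
```

The gap between two codes does not depend on the 1-based assumption, only the absolute calendar dates do.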

Those dates were pretty close, so I went ahead with the PCB replacement. Generally speaking, PCB replacement doesn't always work because the manufacturers like to change code pretty regularly.

The drives shown side by side:

The reverse side, with the bad PCB removed from the dead drive:

After this, it's just a simple matter of pulling the PCB off of the new drive, and placing it on the old one. Just a few screws later I was back in business and promptly made an extra copy of the images.

Some people will look at this and say oh how...fundamental. Well, yes it is, but the people I was turning the disk over to for the examination didn't even know how this was done.

Lesson learned?

Be prepared for the worst, and know how to handle it.