Skip Links

After a hack: The process of restoring once-lost data

Reporter Mat Honan was the victim of a hacking incident that he thought wiped his laptop, but data recovery engineers were able to restore many of his files

By , Network World
August 22, 2012 11:15 AM ET

Network World - Mat Honan


On the first Friday in August Mat Honan, a tech reporter with Wired magazine, got home after work and realized that almost his entire personal digital life had been hacked.

His laptop, phone and tablet had been wiped and his Google, Amazon, Apple and Twitter accounts had been compromised. His pictures, videos and other memories, including photos of his newborn daughter and of relatives that had since passed way, were feared gone forever because he had failed to back them up.

But it wasn't so. Honan brought his MacBook Air to DriveSavers, which specializes in data recovery, and after a 24-hour process of engineers diving deep into Honan's laptop, an estimated 75% of the data on his computer that he thought he lost ended up being recovered.

Here's how DriveSavers did it.

IS THE CLOUD SAFE? Recent cloud critics, including Wozniak, intensify debate

DriveSavers has been around for 25 years and has recovered data from a broad range of situations, anything from an iPhone that was dropped in a toilet to a hospital server that has 20,000 confidential patient records on it failing. Getting a personal device that a customer believes has been completely wiped is nothing new for DriveSavers and its team of engineers. Each case is different though, and it's tough to tell how much, if any, information can be recovered from each unique case until engineers get their hands dirty in examining the device, says Chris Bross, senior enterprise recovery engineer with the company.

A few days after Honan's hacking, he brought the device into DriveSavers. The first step is a detailed discussion with the customer, in this case Honan, of exactly what happened and a prioritized list of what workers should focus on recovering, which in Honan's case were photos and videos that he had not previously backed up. "He basically asked us to recover all the data that we could possibly recover," Bross says.

Engineers began by disassembling Honan's MacBook and getting to the heart of where the engineers would do their work: the 250GB Samsung-manufactured solid-state drive (SSD) inside the laptop. Engineers extracted the disk and immediately made a clone of the SSD, along with a backup, so that engineers wouldn't be working directly on the tampered disk.

When making the copy, DriveSavers workers transferred data at the physical layer of the disk, which Bross describes as the lowest layer that includes everything on the disk, both files that have been formatted as well as any empty space that was on the disk. This proved critical later in the recovery process.

The hackers had used a feature in Apple products called "Find My," which is meant to allow users to remotely wipe their Apple devices if they are lost. Using a social engineering attack, they called into the customer service departments of Amazon and Apple posing as Honan, eventually getting his password changed and giving them access to wipe his devices.

The wipe began by deleting index data and installing a new operating system but, luckily for Honan, it didn't get all the way through the wipe before it was stopped. Upon Honan realizing his accounts were being compromised, he turned off his home router, disconnecting his laptop from the Internet, a move that Bross believes may have ultimately saved his data. Still, when Honan later turned his laptop back on after the attack, none of his files were there. Even the recovery experts initially were worried the data may be lost. "We saw a lot of zeros when we first started scanning the drive," Bross says.

Our Commenting Policies
Latest News
rssRss Feed
View more Latest News