Data recovery on a cheap SSD laptop
The journey of extracting data from a damaged cheap laptop with memory embedded on the motherboard. Diagnostic, chip-off and reading.
A laptop came in for data recovery : a Thomson THN14B. The laptop do not start and plugging in the charger makes no reaction. Let’s see what’s inside.
The motherboard looks really small for the size of the laptop, more or less like a Raspberry Pi, but it does look ok. First thing, testing for shortcut on the power line. There is one, that explains why it is not booting. Shortcuts can come from many causes (wrong charger, over power, oxydation, component failure). Inspecting with eyes, we do not detect any damage. Let’s have a thermal imaging when plugging in the power:
The thermal image is a not exactly overlayed on the standard one. After readjusting, the Power Micro Integrated Circuit (PMIC) seems to rise really high in temperature (yellow square on middle picture that should be 1cm upper). It is probably damaged. By pure sense of saving the computer, we tried to remove and test some capacitors on the power line, but without success.
As we do not want to change the PMIC and aim for a faster solution, we look at the memory chip. It is a SANDISK SDINADF4–32G, a standard FBGA 153 — ie a pattern with 153 balls to communicate with — eMMC memory. Moreover we do not detect any underfill between the chip and the motherboard. Underfill is quite a blocker. It is used to glue the chip to the PCB (Printed Circuit Board) in order to better dissipate the heat and prevent corrosion. Therefore it is resistant to heat removal (ie. desoldering).
Our memory chip should be therefore easy to chip-off. We protect the surrounding components with heat resistant Kapton. Using our hot air gun and a temperature of 370°C we can remove it properly in few minutes.
Then, we have to clean the contacts using a desoldering wire and some flux, so every pad is flat and uniform.
This is required by our socket reader which has pogo pins to make appropriate eMMC contacts. This socket connects standard eMMC chip pinout to a standard SD card slot. Indeed, they use a similar and compatible protocol — a SD card reader is meant to read any SD or eMMC card/chip.
However, we need to be precautious about connecting our socket to the computer. We do not want it to be mounted by default as a mass storage as we do not want it to be altered in any way. We want to block any mount.
MacOS is not a forensic station by default, as any other system. In order to prevent automatic mount, we use Disk Arbitrator. We can then connect our socket without triggering any write on the medium. The software correctly detects many partitions on the chip which is an excellent sign of good read and functional chip.
Next step is to make a forensic image so we can work on the data without interacting with the chip any more. To save some space we choose to use the forensic sound compressed E01 format. On MacOS we need to install libEWF
brew install libewfThen, using ewfacquire command, we can make a physical (ie sector per sector copy) of the chip.
ewfacquire -t myimage /dev/disk2An interactive command-line will ask for options (compression, encryption, metadata, …). When the acquisition is finished, we have a full copy of all the data present on the chip. But they can be encrypted. Autopsy is an open-source suite for digital forensics and can load E01 digital images to inspect their content. We use this software to dig into the data of our image and can recover several Windows partitions, including user’s one in plain text.
Now the recovery of all the data is complete. We can give it back to the user, or copy them on a new computer.
Stay tuned for other short stories on data recovery, micro-electronic and forensics !
