No method is applied blindly: it's the diagnosis that names the layer at fault and the order of interventions. All share one invariant: we act on an image of the device, never on the device itself, except for the physical actions strictly needed to make the original readable — and even those precede immediate imaging.
We distinguish three layers: physical (the device won't read), firmware (the device reads but lies to itself), logical (the device reads, but the data's organization is lost).
1 · Physical methods
When the device can't be read as is, we repair it at the hardware level, in an ISO 5 cleanroom when platters or chips are exposed.
Head transplant (HDD)
Replacing the head stack with one from a strictly compatible donor drive. The reference action after a head crash or tired heads — detailed in part I.
PCB swap & ROM transfer
Replacing the circuit board, transferring the original ROM (which holds the drive's unique parameters). Without this transfer, the drive stays inaccessible.
Micro-soldering & desoxidation
Repairing traces and components under a microscope (connectors, PMIC, blown circuits); ultrasonic cleaning of water-oxidized boards. The heart of mobile and drive/card recovery.
Chip-off & CPU swap
Desoldering the memory chip (NAND, eMMC) for a raw read; transplanting the processor and its bound memory onto a donor board, when the original board is unrecoverable. Extreme actions, reserved for cases where no other route exists.
2 · Firmware methods
The device powers on and responds, but its internal tables are corrupt. We then dialogue with its firmware.
Service Area access (HDD)
Repairing the firmware modules in the platters' reserved zone: Translator reconstruction, defect lists, unlocking a drive stuck in "Busy".
Reverse FTL (SSD, drive, card)
Software reconstruction of the translation table linking logical addresses to NAND pages. Without the original firmware, we rebuild this mapping from residual metadata — an essential step to make sense of the data read by chip-off.
3 · Logical methods
The device reads perfectly; what's missing is the organization of the data. Everything then happens on the image.
File-system reconstruction
Repairing NTFS, APFS, ext4, Btrfs, ZFS, exFAT structures: allocation tables, metadata trees, journals. When it succeeds, files and folder tree come back intact, with names and dates.
RAID de-striping (XOR operation)
Logical reconstruction of an array by identifying stripe size, disk order, parity rotation and offset. RAID 5/6 parity follows an XOR operation: knowing n-1 blocks of a stripe, we recompute the n-th, virtually reconstructing a missing disk. Method developed in context in the RAID & NAS chapter of the Guide.
Snapshot exploitation
On Btrfs/ZFS, read-only snapshots allow rolling back to an earlier state — including before a ransomware attack, without paying a ransom.
Signature-based data carving
When the metadata is entirely gone, we recover files by recognizing their binary signatures (JPEG, RAW, MP4, MOV headers, documents). The original names are lost, but the content is saved — including 4K video rebuilt from fragments.
4 · The inviolable principle
Whatever the method, one rule allows no exception: the original is never the working device. We image, verify the hash, work on the copy. This is what lets us retry an approach after a failure, preserve evidence, and never turn a chance into permanent loss.