Data Recovery from a Zero-Filled Drive

britechguy

I know that we have a number of regulars who are in the business of data recovery. I also believe that the answer to the question that follows will be, "No."

Is it possible to recover any of the data formerly contained on a drive that has been subject to a "clean all" under diskpart or formatted using the /P:0 switch via command line?

It has been said that certain "state actors" have technologies that allow recovery of drives so treated, but even these may not be anywhere near to entirely successful. Although I'd be curious to hear about what the experts have to say about that, what I'm really thinking about is whether any random person who may be handed a zero-filled-in-a-single-pass drive that was previously used has any chance whatsoever of getting anything back that might have been on it.
 
It's possible but there are many factors to consider.

I emphasize first that I appreciate the response.

But I'll revise to: is it even kinda-sorta probable that someone, including a data recovery lab, could recover data that was on a drive prior to having been completely zero-filled? I am of the same belief as the authors of the study quoted in that article:

"This study has demonstrated that correctly wiped data cannot reasonably be retrieved even if it is of a small size or found only over small parts of the hard drive. Not even with the use of a MFM or other known methods. The belief that a tool can be developed to retrieve gigabytes or terabytes of information from a wiped drive is in error."

Even their proviso regarding the small system reserved areas that might not be zero filled doesn't worry me as far as realistic recovery of anything of real use in most real world situations.

This is one of those times where I'm concerned about even kinda reasonable probability, not the remotest of possibility.
 
Are you concerned that someone may recover data from a drive you've zeroed or a client's?
To be absolutely 100% certain that NO data could ever be retrieved, take a heavy hammer to it, break it into pieces, burn/melt the resulting scrap, then bury the pieces separately in undisclosed locations.

Massive overkill, but you'd sleep soundly.
 
No, this isn't about a client, it's a general question.

Over the years I have never understood why so many use the "take a sledge to it" technique (and, yes, I have, too) on perfectly useful drives that have what I believe, based on all available evidence, to be a near zero probability of anything, at all, being recoverable if appropriate wiping has been done.

One of the members on one of the blind-centric forums wants to give a number of his HDDs to his brother, but also doesn't want there to be any chance of anything he had on it being recoverable. It's my opinion that low-level formatting with a zero-fill pass more than satisfies that need.

I'm just looking for confirmation, or refutation, of that position from others, particularly those here who are in the data recovery business.
 
The short answer is no, not gonna happen. Long-winded answer: we can delve into how many times it has been overwritten by other files in the past prior to the zeros, is it a platter or SSD, etc. etc. etc.
 
One of the members on one of the blind-centric forums wants to give a number of his HDDs to his brother, but also doesn't want there to be any chance of anything he had on it being recoverable. It's my opinion that low-level formatting with a zero-fill pass more than satisfies that need.
Unless said brother is an HDD data recovery professional and you do a bad job of the wipe, there's no chance of data recovery. Even the US military has disavowed the previous multiple pass requirements. ATA secure erase is fine.
 
As I understand it...

Once upon a time, when hard disks were crap the head would sway a bit as it moved around. This would record magnetic signatures in more of a wave form than a line on the platter. So when you did a secure erase, the new file would be written near to, but never quite on top of the original content. As such there was very expensive equipment that could at times use this residual magnetic signature to rebuild data.

That being said, somewhere along the line HDDs got dense... real dense. And we're now in a place where the amount of data per square inch is so high, that residual signature is effectively not there because that space was used to store another file. Heck data is STACKED VERTICALLY on platters now, via a process that makes my head hurt.

So if you delete a file, and then fill the space it occupied with other data it's just gone. SSDs will page data around as a part of wear leveling, so empty space on those gets overwritten all the time as a matter of use so even normally deleted files on SSDs will get overwritten at some point. That some point varies based on how much of the drive is full, but that means SSDs have a secure erase of sorts baked in.

All of the above comes back to LCoughy's no. If you erase a file, and fill the space it occupies with any new data at all, it's gone.
 
I emphasize first that I appreciate the response.

But I'll revise to: is it even kinda-sorta probable that someone, including a data recovery lab, could recover data that was on a drive prior to having been completely zero-filled? I am of the same belief as the authors of the study quoted in that article:

"This study has demonstrated that correctly wiped data cannot reasonably be retrieved even if it is of a small size or found only over small parts of the hard drive. Not even with the use of a MFM or other known methods. The belief that a tool can be developed to retrieve gigabytes or terabytes of information from a wiped drive is in error."

Even their proviso regarding the small system reserved areas that might not be zero filled doesn't worry me as far as realistic recovery of anything of real use in most real world situations.

This is one of those times where I'm concerned about even kinda reasonable probability, not the remotest of possibility.

The study is from 2008, so they may not have considered these substantial spaces that cannot be LBA addressed. Agreed, 60 GB compared to 8 TB is not a lot, but it isn't nothing either. For a forensic investigator it's too much to skip and ignore.

But AFAIK, and apart from the article I mention I found some additional articles that support the conclusion after writing the blog, there are no documented cases of recovering from zero-filled (in effect overwritten) data areas from modern hard drives.

But I did feel I needed to add that bit about hidden areas, and also one should consider that it is not theoretically impossible for future (or perhaps even current) firmware of drives that dynamically translate LBA addresses to physical addresses (SMR or flash-based drives) to detect zero-filled sectors being written and assign dummy or some sort of sparse, virtual sectors and never actually write the zeros. In effect the data you intend to overwrite with zeros is never actually overwritten in that scenario.

Different matter and scenario, but already today one should not assume that a seemingly zero-filled storage device does not actually contain data and that recovery of that data requires the resources of a three-letter agency. Also already true today: never assume a 'securely deleted' file cannot be recovered if you're using an SSD. So one has to be very specific and not generalize: I wrote zeros to it and so it's gone.

Today the most certain way to get rid of all data from a drive is using the secure erase feature built into the drive itself.
 
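A way to check the "seemingly zero-filled" point above, as an added example that is not part of the original post: the script scans every LBA-addressable sector of an image or device opened read-only and reports the ranges that are not all zero. The function names, the 512-byte sector size and the sample image are assumptions made for this example, and areas that cannot be LBA addressed stay invisible to this kind of scan.

```python
import os
import tempfile

SECTOR = 512  # logical sector size assumed for this example


def nonzero_ranges(path, sector=SECTOR, chunk_sectors=2048):
    """Return (total_sectors, [(first_lba, last_lba), ...]) for non-zero sectors."""
    zero = bytes(sector)
    ranges, lba = [], 0
    with open(path, "rb") as dev:  # read-only: the scan never writes
        while chunk := dev.read(sector * chunk_sectors):
            for off in range(0, len(chunk), sector):
                block = chunk[off:off + sector]
                if block != zero[:len(block)]:
                    if ranges and ranges[-1][1] == lba - 1:
                        ranges[-1] = (ranges[-1][0], lba)  # extend current run
                    else:
                        ranges.append((lba, lba))          # start a new run
                lba += 1
    return lba, ranges


def build_sample_image(path, sectors=4096):
    """Constructed sample: a 'wiped' image in which two regions were missed."""
    with open(path, "wb") as f:
        f.write(bytes(sectors * SECTOR))            # the zero-fill pass
        f.seek(100 * SECTOR)                        # three leftover sectors
        f.write(b"leftover file content".ljust(3 * SECTOR, b"\xaa"))
        f.seek(4095 * SECTOR + 17)                  # one stray byte in the last sector
        f.write(b"\x01")


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "wiped.img")
        build_sample_image(image)
        return nonzero_ranges(image)


if __name__ == "__main__":
    total, found = demo()
    print(f"scanned {total} sectors")
    for first, last in found:
        print(f"non-zero data at LBA {first}-{last}")
    print("verified zero-filled" if not found else "wipe incomplete")
```

The same function can be pointed at a raw device path instead of an image file, which normally requires administrator rights.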
Over the years I have never understood why so many use the "take a sledge to it" technique

It's so much faster. Writing the complete drive to erase takes hours and hours....... Drives are pretty sturdy really especially the 3.5". Even using a hammer takes quite a bit of effort to be sure the platters break. When tasked with a box of 100+ old/obsolete drives I tend to use a drill press with a large drill bit through the platters. Effortless and quick.
 
Over the years I have never understood why so many use the "take a sledge to it" technique
To add to @Diggs' answer, not only is it much faster, but if your customer wants proof, what better proof than handing them back a smashed-up HDD a few seconds later.
Because I used to take old equipment for recycling I would get many customers worrying about their data. Some would keep the HDD themselves, others would be fine when I said all data gets securely wiped, and others would want proof, so I'd either charge them for doing it and provide a certificate of destruction or offer a free service of smashing up the HDD. I had a concrete floor in one of my work areas so smashing was pretty effortless; a couple of hits with a hammer and it sounded like sand inside!
Is it wasteful to smash up a perfectly fine HDD? Yes.
Am I ever going to put that HDD in another machine? No, probably not.
 