17

I have "zero filled" (completely wiped) an external hard disk using dd, and from what I have heard, people said you should "zero fill" at least 3 times to be sure that the data are really wiped and no one can recover anything.

So I decided to scan the disk once again after I've zero filled the disk. I was expecting the disk to still have some random binary left. It turned out that it has only a few sequential bytes in the very beginning. This is probably the file structure type and other headers stuff. Other than that, it's all zeros and nothing else.

So if we have to recover any file from a zero filled disk, ...how? From what I've heard, even if you zero fill the disk, you should still have some data left. ...or could dd really completely annihilate all data?

Karl
  • 621

4 Answers

16

As you can read here, it is impossible to recover data after you "zero filled" it.

There can be a chance of 56% to recover a single bit correctly, but since you had to recover 8 bits to get only one byte, it is very unlikely to recover any data.

Laogeodritt
  • 103
  • 4
david
  • 2,430
11

Be very careful with this information. I work in the HDD industry and I CAN confirm that off-track reads can recover over-written data.

Some recovery methods use this trick to set the head +/-10% off-track, then read, move it off-track a little more, then read. At some point you will be able to recover what was laid down before the zero fill.

Use random when possible. Zero is okay for meta-data and MBR erasure. I recommend several random passes to obliterate the original data.

Also, zero does not mean cleared recorded bits on an HDD. Zero has a bit pattern just like any other number.

Octavian Helm
  • 14,355
Derek
  • 111
  • 2
    This was especially true for HDD technology last century; in fact, a single pass of zeros is considered good enough now that "vertical write/read" methods are used. The Gutmann method can't hurt though. At the nano level, shaving the disk and scanning the platter for traces are still possible, depending upon how much you are willing to spend. Bill Clinton's erased emails were recovered in this way, but this was some time ago in terms of HDD technology. – mckenzm Jan 27 '17 at 03:01
4

Yeah... But it depends how paranoid you are.

A professional could probably still read some of the data. Government/military standards for "completely wiping" entail several passes including writing random data over the entire drive several times, interspersed with 0-fills and 1-fills. This is because there is magnetic ghosting that sophisticated hardware can analyse and pull out. This is expensive kit that most people won't have access to and therefore just hiring somebody to do the extraction is also prohibitively expensive for most people.

But there's no reason dd alone can't do these multiple passes. You can tell it where to source the raw data it writes so alternating between /dev/random and zero- and one- passes would, I think, qualify it to do pretty substantial damage to data.

Oli
  • 293,335
  • What software could a simple user like me use to recover a zero-filled file? – Jack Sep 04 '14 at 02:23
  • 1
    Extremely expensive hardware and experienced personnel are required to recover zero-filled data; there is no such thing as software for it, as you have to modify how the drive works. You might be able to modify the firmware if you were sophisticated at reverse engineering firmware, but modifying the hardware is probably easier. – rollsch Aug 01 '16 at 07:19
  • @rolls So it is possible? How exactly does this hardware method work? – Hashim Aziz Oct 28 '18 at 23:27
  • 1
    Do you have a source for the "magnetic ghosting" claim? How do you know of it? It seems spurious, and this answer and a comment on it are the only evidence I've seen in years of research to even mention it. – Hashim Aziz Oct 28 '18 at 23:30
  • 3
    Here is a link to some discussion which links some papers and concludes it is quite likely it is not possible, or only possible in a very small subset of cases http://www.nber.org/sys-admin/overwritten-data-guttman.html – rollsch Oct 29 '18 at 04:31
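
The multi-pass dd overwrite described in Oli's answer, followed by the kind of rescan the question performed, as an added example that is not part of the original answers. It runs against a constructed temporary file rather than a disk and uses /dev/urandom in place of /dev/random so the random pass does not block; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original answers: three overwrite passes
# with dd on a constructed scratch image, then a scan for non-zero bytes.
export LC_ALL=C    # make tr treat input as raw bytes
BS=1048576         # 1 MiB block size, spelled numerically for portability

# overwrite_pass TARGET MIB KIND: one full pass; KIND is random|ones|zero.
overwrite_pass() {
    case $3 in random|ones|zero) ;; *) echo "bad pass: $3" >&2; return 2 ;; esac
    target=$1; bytes=$(( $2 * BS ))
    case $3 in
        random) head -c "$bytes" /dev/urandom ;;   # non-blocking random source
        ones)   head -c "$bytes" /dev/zero | tr '\0' '\377' ;;   # 0xFF fill
        zero)   head -c "$bytes" /dev/zero ;;
    esac | dd of="$target" bs="$BS" conv=notrunc 2>/dev/null
}

# wipe TARGET MIB: random, one-fill, then zero-fill, flushed to storage.
wipe() {
    for kind in random ones zero; do
        overwrite_pass "$1" "$2" "$kind" || return 1
    done
    sync
}

# nonzero_bytes FILE: how many bytes differ from 0x00 (0 means all zeros).
nonzero_bytes() { tr -d '\0' < "$1" | wc -c | tr -d ' '; }

# demo: fill a 2 MiB temp file with a constructed marker, wipe it, rescan.
demo() {
    img=$(mktemp) || return 1
    yes 'SECRET-RECORD-constructed-sample' | head -c $(( 2 * BS )) > "$img"
    before=$(nonzero_bytes "$img")
    wipe "$img" 2
    after=$(nonzero_bytes "$img")
    size=$(wc -c < "$img" | tr -d ' ')
    rm -f "$img"
    echo "before=$before after=$after size=$size"
}
demo
```

The rescan only shows what the drive returns through its normal read path, which is what the question checked. It cannot confirm or rule out the off-track or residual-magnetism reads debated in the answers.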
2

Update

According to the paper linked to by david, recovering overwritten data was possible with floppy disks but near enough impossible with modern hard drives, so the recovery idea is probably best considered a myth.

I'm leaving my original answer as representing the myth.

NOTE: The "myth" is about recovering data that were physically overwritten. Recovering data that were merely deleted (not overwritten) is a different discussion altogether.


To the best of my knowledge:

When you overwrite data on the disk, the old data are lost to normal system tools. (If they weren't, a read would return a mix of the bits belonging to the old and new data, so your data would be corrupt and you would need a new disk.)

But it may be possible to recover overwritten data using special equipment. The reason is the way a bit is recorded on a magnetic platter: A "bit" is a magnetized area on the disk. The area representing a single bit contains a few hundred magnetic "grains", and reading a bit will return a 1 if enough of those individual grains have the correct orientation.

The trick is that writing is never 100% - overwriting might change the magnetic orientation of perhaps 90% of those grains, which is plenty for reliable reading of the new data. But there is some residual magnetism left in the grains that didn't change orientation. This residue can be read if you have the proper equipment for it, so you could get a (somewhat noisy) representation of the old, overwritten data. Combined with statistical analysis, it is often possible to reconstruct a fair amount of the original material.

But this kind of recovery requires specialized hardware, and as Oli mentioned is prohibitively expensive for most individuals.

j-g-faustus
  • 5,538