Data recovery after a zero fill

[marianafelix]

Hi everyone,

Due to a HUGE misundesrtanding, my dad erased my external HD!! But not only that... he cleaned it and made a zero fill!!!

Is there any way I can recover my information? Is there maybe any way I can undo the zero fill?

If someone knows, PLEASE PLEASE let me know. I'm desperate.

 

[Consultant]

Nope. You just have to download your pron again. =p

 

[Insulin Junkie]

Ouch dude. I'd go ballistic if someone erased my external HD.
I suppose I'm fortunate to have parents so hopeless at computers, they wouldn't even know how to erase a HD

 

[GimmeSlack12]

The point of a zero fill is so you cannot recover any data. Sorry man.

 

[RandomKamikaze]

Wirelessly posted (Mozilla/5.0 (iPhone; U; CPU iPhone OS 2_2_1 like Mac OS X; en-us) AppleWebKit/525.18.1 (KHTML, like Gecko) Version/3.1.1 Mobile/5H11 Safari/525.20)

Personally I'd get my dad to download it.

"here's a list of film names. Google and download them. Ask no questions"

 

[marianafelix]

is any of this software available for mac?

 

[Guiyon]

is any of this software available for mac?

What software? If you're referring to data recovery software, forget about it. If a zero all data was done when reformatting it's permanently gone, not even professional recovery services can get data from the drive.

 

[marianafelix]

so there's absolutely nothing I can do??

 

[GimmeSlack12]

so there's absolutely nothing I can do??

Correct. You are totally and completely out of luck. I am really really sorry.

 

[Jethryn Freyman]

There's nothing you can do, unless you have a magnetic force microscope.

 

[DeusInvictus7]

There's nothing you can do, unless you have a magnetic force microscope.

Nah, that won't even work. He's gonna need a Time Machine to get his stuff back.

 

[Makosuke]

There's nothing you can do, unless you have a magnetic force microscope.

And even that, it has been argued by a recent paper, wouldn't work on a modern drive. Almost certainly not on bulk data.

Either way that's spy agency stuff, so nothing to do but mourn. Take it as a hard-earned lesson to ALWAYS have a backup of anything important enough to feel sad about losing.

 

[Bobbi Flekman]

so there's absolutely nothing I can do??

You can restore a backup... That's what they're there for...

 

[arjen92]

why would there be an option to write 20x times the same zero. Because if you really want to, you can get some information from, even if zero's are written one time.

I would knock on FBI's door. Maybe they can help

 

[yg17]

why would there be an option to write 20x times the same zero. Because if you really want to, you can get some information from, even if zero's are written one time.

I would knock on FBI's door. Maybe they can help

No, you can't. The 20 pass zero write is to appease the paranoid types in the CIA and FBI who like big numbers and think writing zeros 20 times is more secure than writing zeros one time. One pass zero write is enough to completely wipe the drive clean without any chance of recovery.

 

[angelwatt]

No, you can't. The 20 pass zero write is to appease the paranoid types in the CIA and FBI who like big numbers and think writing zeros 20 times is more secure than writing zeros one time. One pass zero write is enough to completely wipe the drive clean without any chance of recovery.

Actually, it is possible to recover data from a zeroed out disk. See this paper from a very smart guy to see some of the details. A zero out will be more than efficient for most people, as most commercial recovery software isn't sophisticated enough to do the recovery. Though, for people in work areas that deal with highly sensitive or classified material, a 7-pass should really be used. The 35-pass isn't needed really because of the advancements made in HD construction, but wasn't always the case.

 

[InvalidUserID]

My company has sent out emails to Mac users to use the 7-pass on work related material.

<---corporate finance.

 

[mkrishnan]

Actually, it is possible to recover data from a zeroed out disk.

As I understand it, isn't it generally possible to recover small chunks of data here and there from a single pass overwrite, but not the vast majority of the disk contents? Recovering the small chunks would be dangerous if the drive had sensitive material on it, and one might make something of the small chunks, but in this case, it would be generally useless, since it wouldn't typically amount to usable files.

 

[old-wiz]

It's kind of moot discussing theoretical ways to recover from an erase if it's not available to the OP.

The disk might have been wiped multiple pass as well.

 

[angelwatt]

As I understand it, isn't it generally possible to recover small chunks of data here and there from a single pass overwrite, but not the vast majority of the disk contents? Recovering the small chunks would be dangerous if the drive had sensitive material on it, and one might make something of the small chunks, but in this case, it would be generally useless, since it wouldn't typically amount to usable files.

Right, that's why I made sure to phrase it as recovering data, and not recovering files, as it's likely harder to get a completely recovered file. I'm not expert on this, I just read about it some times as I enjoy the topic of computer security.

 

[Makosuke]

See this paper from a very smart guy to see some of the details.

A paper written in 1996, when hard drives had at least two orders of magnitude less density. Yes, I understand your point that it is theoretically possible to recover some organized bits from a wiped drive, but even that paper itself includes the following in the two more recent epilogues:

In the time since this paper was published, some people have treated the 35-pass overwrite technique described in it more as a kind of voodoo incantation to banish evil spirits than the result of a technical analysis of drive encoding techniques. As a result, they advocate applying the voodoo to PRML and EPRML drives even though it will have no more effect than a simple scrubbing with random data. In fact performing the full 35-pass overwrite is pointless for any drive since it targets a blend of scenarios involving all types of (normally-used) encoding technology, which covers everything back to 30+-year-old MFM methods (if you don't understand that statement, re-read the paper). If you're using a drive which uses encoding technology X, you only need to perform the passes specific to X, and you never need to perform all 35 passes. For any modern PRML/EPRML drive, a few passes of random scrubbing is the best you can do. As the paper says, "A good scrubbing with random data will do about as well as can be expected". This was true in 1996, and is still true now.

Looking at this from the other point of view, with the ever-increasing data density on disk platters and a corresponding reduction in feature size and use of exotic techniques to record data on the medium, it's unlikely that anything can be recovered from any recent drive except perhaps a single level via basic error-cancelling techniques. In particular the drives in use at the time that this paper was originally written have mostly fallen out of use, so the methods that applied specifically to the older, lower-density technology don't apply any more. Conversely, with modern high-density drives, even if you've got 10KB of sensitive data on a drive and can't erase it with 100% certainty, the chances of an adversary being able to find the erased traces of that 10KB in 80GB of other erased traces are close to zero.

...and even more recently:

Any modern drive will most likely be a hopeless task, what with ultra-high densities and use of perpendicular recording I don't see how MFM would even get a usable image, and then the use of EPRML will mean that even if you could magically transfer some sort of image into a file, the ability to decode that to recover the original data would be quite challenging.

The point here isn't that it's not hypothetically possible to recover a few KB of data from a one-pass zeroed drive if you have exotic spy agency technology--it may well be. It's that from anything resembling a realistic perspective, it's just not going to happen.

More importantly, someone wrote a theoretical paper in 1996 that was then used directly as the basis for some US government wipe methods (angelwatt's referenced paper is what everything has been based on for about 13 years now). The construction and realities of hard drives have changed drastically since then, but the "voodoo" has stuck, and it's a little sad.

Note, by the way, that a 7-pass erase involves seven passes of random data, whereas the MacOS single-pass just writes zeros. This no doubt hypothetically increases the chances of recovery if you've got a multi-million dollar spy agency disk recoverer on hand vs. a single-pass random data write, but the fact of the matter here is any substantial recovery of bulk data from even a single-pass zeroed modern drive is functionally nil.

I'm not arguing that it's not interesting from a technical and security standpoint, I just wish people wouldn't continue to hold the no-longer-true belief that if you don't 7-pass wipe a disk it's recoverable in any real-world scenario.

 

[mkrishnan]

Right, I think everyone agrees that the OP is SOL.

 

[angelwatt]

The point here isn't that it's not hypothetically possible to recover a few KB of data from a one-pass zeroed drive if you have exotic spy agency technology--it may well be. It's that from anything resembling a realistic perspective, it's just not going to happen.

Right, that's why I stated earlier that a zero wipe would be more than sufficient for most people. My job requires otherwise though.

Right, I think everyone agrees that the OP is SOL.

Yes indeed.

 

[Jethryn Freyman]

Data can be recovered after a zero fill. The largest intact file recovered so far was 4KB in size after a single pass. 7 passes is recommended if you actually have something to hide and someone is looking for it.