Possibility of recovering files from a dd zero-filled hard disk

I have "zero filled" (completely wiped) an external hard disk using dd, and from what I have heard, people said you should at least "zero fill" 3 times to be sure that the data are really wiped and no one can recover anything.

So I decided to scan the disk once again after I've zero filled the disk. I was expecting the disk to still have some random binary left. It turned out that it has only a few sequential bytes at the very beginning. This is probably the file structure type and other header stuff. Other than that, it's all zeros and nothing else.

So if we have to recover any file from a zero filled disk, ...how? From what I've heard, even if you zero fill the disk, you should still have some data left. ...or could dd really completely annihilate all data?


As you can read here, it is impossible to recover data after you "zero filled" it.

There can be a chance of 56% to recover a single bit correctly, but since you have to recover 8 bits to get only one byte, it is very unlikely to recover any data.


Be very careful with this information. I work in the HDD industry and I CAN confirm that off-track reads can recover over-written data.

Some recovery methods use this trick to set the head +/-10% off-track, then read, move it off-track a little more, then read. At some point you will be able to recover what was laid down before the zero fill.

Use random when possible. Zero is okay for meta-data and MBR erasure. I recommend several random passes to obliterate the original data.

Also, zero does not mean cleared recorded bits on an HDD. Zero has a bit pattern just like any other number.


Yeah... But it depends how paranoid you are.

A professional could probably still read some of the data. Government/military standards for "completely wiping" entail several passes including writing random data over the entire drive several times, interspersed with 0-fills and 1-fills. This is because there is magnetic ghosting that sophisticated hardware can analyse and pull out. This is expensive kit that most people won't have access to and therefore just hiring somebody to do the extraction is also prohibitively expensive for most people.

But there's no reason dd alone can't do these multiple passes. You can tell it where to source the raw data it writes so alternating between /dev/random and zero- and one- passes would, I think, qualify it to do pretty substantial damage to data.



Update

According to the paper linked to by david, recovering overwritten data was possible with floppy disks but near enough impossible with modern hard drives, so the recovery idea is probably best considered a myth.

I'm leaving my original answer as representing the myth.

NOTE: The "myth" is about recovering data that were physically overwritten. Recovering data that were merely deleted (not overwritten) is a different discussion altogether.
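
The multi-pass overwrite this answer describes, followed by the scan for leftover non-zero bytes from the question, as an added example that is not part of the original posts. The function names and pass order are assumptions, and /dev/urandom stands in for /dev/random; the demo runs on a constructed scratch image, not a real disk.

```sh
#!/bin/sh
# Added example: every pass destroys the contents of the target it is given.

# Size in bytes: blockdev for a block device, wc for a regular file.
target_size() {
    if [ -b "$1" ]; then blockdev --getsize64 "$1"
    else wc -c < "$1" | tr -d ' '; fi
}

# Write exactly $2 bytes of pattern $3 (random | ones | zeros) over $1.
# conv=notrunc stops dd from truncating a regular-file target first.
overwrite_pass() {
    case $3 in random|ones|zeros) ;; *) return 2 ;; esac
    case $3 in
        random) head -c "$2" /dev/urandom ;;   # assumption: urandom, not /dev/random
        ones)   head -c "$2" /dev/zero | LC_ALL=C tr '\000' '\377' ;;
        zeros)  head -c "$2" /dev/zero ;;
    esac | dd of="$1" bs=64k conv=notrunc 2>/dev/null
}

# Count bytes that are not 0x00 (the scan the question describes).
nonzero_bytes() {
    LC_ALL=C tr -d '\000' < "$1" | wc -c | tr -d ' '
}

# Random, one-fill, random, then a final zero-fill; succeed only if the
# target reads back as all zeros and its size is unchanged.
wipe_and_verify() {
    size=$(target_size "$1") || return 1
    for pass in random ones random zeros; do
        overwrite_pass "$1" "$size" "$pass" || return 1
    done
    sync
    [ "$(nonzero_bytes "$1")" -eq 0 ] && [ "$(target_size "$1")" -eq "$size" ]
}

# Constructed demo: a 1 MiB scratch image stands in for the disk.
img=$(mktemp)
head -c 1048576 /dev/urandom > "$img"
echo "non-zero bytes before: $(nonzero_bytes "$img")"
wipe_and_verify "$img" && echo "non-zero bytes after: $(nonzero_bytes "$img")"
rm -f "$img"
```
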


To the best of my knowledge:

When you overwrite data on the disk, the old data are lost to normal system tools. (If they weren't, a read would return a mix of the bits belonging to the old and new data, so your data would be corrupt and you would need a new disk.)

But it may be possible to recover overwritten data using special equipment. The reason is the way a bit is recorded on a magnetic platter: A "bit" is a magnetized area on the disk. The area representing a single bit contains a few hundred magnetic "grains", and reading a bit will return a 1 if enough of those individual grains have the correct orientation.

The trick is that writing is never 100% - overwriting might change the magnetic orientation of perhaps 90% of those grains, which is plenty for reliable reading of the new data. But there is some residual magnetism left in the grains that didn't change orientation. This residue can be read if you have the proper equipment for it, so you could get a (somewhat noisy) representation of the old, overwritten data. Combined with statistical analysis, it is often possible to reconstruct a fair amount of the original material.

But this kind of recovery requires specialized hardware, and as Oli mentioned is prohibitively expensive for most individuals.