“Is it possible to retrieve data from an HDD that’s been zeroed out?”

(Answer requested by Shane Zimmerman)

Actually, yes! (And I’m not talking about recovering a long, useless string of zeros!)

Zeroing (or One-ing) out a drive — filling it with all Zeros or all Ones — will make it unrecoverable to consumer gear, but maybe not to specialized equipment.

Here’s why: A One laid on top of a Zero has a very slightly different overall magnetic charge than a One laid atop another One, or a Zero laid over another Zero.

It’s below the level that the drive can detect, obviously, but sensitive equipment can measure the difference and reconstruct what was likely to have been each magnetic domain’s previous data — especially if all you have to do is mathematically cancel out the top “layer” of all-Ones or all-Zeros.

It’s more secure to overwrite a drive with random Ones and Zeros, which really does make it extremely difficult — next to impossible — to recover previous data from the drive.

A couple passes of random ones and zeros, and no one will be able to sort out any faint traces of the original data from the blizzard of false, random data.

Permalink: https://langa.com/?p=3055
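
One way to carry out the random-overwrite passes described above and confirm that the final pass actually landed (an added example, not part of the original post). The function names, the 1 MiB chunk size and the temporary file standing in for a drive are assumptions made for illustration.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # write 1 MiB at a time

def overwrite_pass(fd, size, random_fill):
    """Fill the target once; return SHA-256 of the bytes written."""
    digest = hashlib.sha256()
    os.lseek(fd, 0, os.SEEK_SET)
    remaining = size
    while remaining:
        n = min(CHUNK, remaining)
        buf = os.urandom(n) if random_fill else bytes(n)
        written = os.write(fd, buf)  # a write may be short
        digest.update(buf[:written])
        remaining -= written
    os.fsync(fd)  # push the pass out of the OS cache
    return digest.hexdigest()

def read_back_digest(fd, size):
    """SHA-256 of the target as it reads back now."""
    digest = hashlib.sha256()
    os.lseek(fd, 0, os.SEEK_SET)
    remaining = size
    while remaining and (data := os.read(fd, min(CHUNK, remaining))):
        digest.update(data)
        remaining -= len(data)
    return digest.hexdigest()

def sanitize(path, passes=2, random_fill=True):
    """Overwrite `passes` times, then verify the last pass by read-back."""
    if passes < 1:
        raise ValueError("need at least one pass")
    fd = os.open(path, os.O_RDWR)
    try:
        size = os.lseek(fd, 0, os.SEEK_END)  # works for files and block devices
        for _ in range(passes):
            expected = overwrite_pass(fd, size, random_fill)
        return expected == read_back_digest(fd, size)
    finally:
        os.close(fd)

if __name__ == "__main__":
    with tempfile.NamedTemporaryFile(delete=False) as f:  # constructed stand-in
        f.write(b"SECRET-RECORD " * 1000)
    print("verified:", sanitize(f.name))
    os.unlink(f.name)
```

Overwriting a file inside a file system does not guarantee that the same physical sectors are rewritten, so whole-drive sanitization targets the raw device rather than individual files. The read-back here can also be served from the operating system's cache rather than from the platters.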


4 Replies to ““Is it possible to retrieve data from an HDD that’s been zeroed out?””

  1. Hi Fred,

    This is a topic that has interested me for some time:

    Is it possible to recover data from a drive overwritten with zeros once?
    https://tinyapps.org/blog/201107170700_once_is_enough.html

    The wide consensus is no, even for three letter agencies armed with magnetic force microscopes.

    As for the origin of the theory that such recovery might be possible (Gutmann’s 1996 paper “Secure Deletion of Data from Magnetic and Solid-State Memory”) Daniel Feenberg concludes that “Gutmann’s claim belongs in the category of urban legend.”

    A later comment attributed to Gutmann on the Bugtraq mailing list stated “even if you’ve got 10KB of sensitive data on a drive and can’t erase it with 100% certainty, the chances of an adversary being able to find the erased traces of that 10KB in 80GB of other erased traces are close to zero.”

    I can say this for certain: I tried hiring all three Western Digital Platinum Data Recovery Partners in the Americas (namely, Datarecovery.com, DriveSavers Data Recovery, and Ontrack) to recover data from a hard drive following a single pass of zeroes:

    Can data be recovered from a zero-filled hard drive?
    https://tinyapps.org/docs/recovering_data_from_zero_filled_hard_drive.html

    It was not possible.

    Aloha,

    Miles

  2. Sorry to be so chatty – forgot the two most important citations:

    Guidelines for Media Sanitization, NIST Special Publication 800-88, September 2006
    https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-88.pdf
    “[F]or ATA disk drives manufactured after 2001 (over 15 GB) clearing by overwriting the media once is adequate to protect the media from both keyboard and laboratory attack.”

    Guidelines for Media Sanitization, NIST Special Publication 800-88, Revision 1, December 2014
    https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-88r1.pdf
    “For storage devices containing magnetic media, a single overwrite pass with a fixed pattern such as binary zeros typically hinders recovery of data even if state of the art laboratory techniques are applied to attempt to retrieve the data.”
