tinyapps.org / docs / Can data be recovered from a zero-filled hard drive?

(A followup to Is it possible to recover data from a drive overwritten with zeros once?)

The Great Zero Challenge of 2008 may have been inconclusive, but there is significant support for its central claim that a single pass of zeros is sufficient to render data on a hard disk irrecoverable:

• Guidelines for Media Sanitization, NIST Special Publication 800-88, September 2006 - "[F]or ATA disk drives manufactured after 2001 (over 15 GB) clearing by overwriting the media once is adequate to protect the media from both keyboard and laboratory attack."

• Guidelines for Media Sanitization, NIST Special Publication 800-88, Revision 1, Decemeber 2014 - "For storage devices containing magnetic media, a single overwrite pass with a fixed pattern such as binary zeros typically hinders recovery of data even if state of the art laboratory techniques are applied to attempt to retrieve the data."

• Can Intelligence Agencies Read Overwritten Data? - "The references Gutmann provides suggest that his piece is much overwrought. None of the references lead to examples of sensitive information being disclosed. Rather, they refer to experiments where STM microscopy was used to examine individual bits, and some evidence of previously written bits was found."

• Overwriting Hard Drive Data - "Although there is a good chance of recovery for any individual bit from a drive, the chances of recovery of any amount of data from a drive using an electron microscope are negligible. Even speculating on the possible recovery of an old drive, there is no likelihood that any data would be recoverable from the drive. The forensic recovery of data using electron microscopy is infeasible. This was true both on old drives and has become more difficult over time."

However, having stumbled onto claims of recovering overwritten data (here and here) by individuals professing to be in the industry, I emailed Western Digital's Platinum Data Recovery Partners in the Americas (namely, Datarecovery.com, DriveSavers Data Recovery, and Ontrack):

Dear Company,

Is it possible to recover data from a drive that has been completely filled with zeros by dd?

Aloha,

Miles

All three responded the next business day (it was a holiday), ignoring the question and instead either asking me to send in my drive (Datarecovery.com) or offering to set up a case (DriveSavers and Ontrack).

Ontrack set up the case quickly by email.

DriveSavers initially asked me to reply via email or to call, but in their subsequent response requested that I call, which I did, reaching a data recovery advisor within minutes. I asked him whether data could be salvaged from a zero-filled hard drive; after briefly consulting with an engineer he advised me that it could not.

I prepared two identical, used WD Blue 1TB (WD10EZRZ-00HTKB0) hard drives like so:

1. Executed ATA Enhanced Security Erase command via hdparm --security-erase-enhanced

2. Executed ATA Security Erase command via hdparm --security-erase

3. Verified zeros via hexdump /dev/sdx

4. Created a primary partition consisting of the entire available space, formatting as FAT32

5. Mounted the partition, created a directory ("DCIM"), and wrote 1,000 copies of a photo I took (JPG, ≈2.2MB each) into it: for i in {1..1000} ; do cp photo.jpg /path/to/DCIM/photo$i.jpg ; done

6. Unmounted the partition and wrote a single pass of zeros to the drive via dd if=/dev/zero of=/dev/sdx bs=8192

7. Calculated the drive hash (which matched for both drives): sha256sum /dev/sdx fbcafc0be05c4ee1ba0e3b52a3adb0f3795916deb9d4f3f4b93f9fde63fee955

8. Rather than running hexdump again, checked the SHA-256 hash with epAllZeroHashCalculator to confirm that it represented a complete zero fill of the drive:
   
   (LBA48 user addressable sectors: 1953525168 * Logical Sector size: 512 bytes = 1,000,204,886,016 bytes)

I shipped the first disk to Ontrack. While preparing to ship the second to Datarecovery.com as instructed, they replied to my original inquiry: "The answer to your question would be no."

A few days later, I received this news from Ontrack: "This drive has been low-level formatted. All sectors zeroed. Unfortunately no data can be recovered."

Insofar as top professional data recovery services are concerned, one pass of zeros is enough to render data unrecoverable.

created: 2018.06.04