3

I need to recover some old data which were stored on a drive. The data were deleted and the hard drive was formatted twice and filled twice with random data intentionally.

First the drive had a Windows 7 installed.

Then it was formatted twice with windows installer. After each format the space was filled with random video files.

Considering that when we delete something from a drive, only the index is deleted, the actual data is removed when new information is overwritten in that section of the drive.

The drive is an SSD.

Is there any possibility to find the old data?

forest
  • 64,616
  • 20
  • 206
  • 257
Vini7
  • 659
  • 6
  • 15

4 Answers4

6

Given the information that you have rewritten all ssd contents twice with true random data to the brim I'd say

No, you cannot recover any data from that disk.

This is the sane answer to give to people who lost data and e. g. show up in a data recovery shop.

If you want an academic answer weather or not it's possible at all then we're entering the hypothetical sphere of "given unlimited money and will - is it then possible?". There are a lot of contributing factors (e. g. SSD Controller, state of dead cells, random data source, partition alignment, …). But since you asked folks on the internet instead of physically shredding that disk I assume the disk holds no valuable information for any world power.

Please notice that the "Loose all data" option at your operating system installer does not perform a complete wipe of the disk.

BlueWizard
  • 327
  • 1
  • 10
  • -1 **This is wrong.** Overprovisioning space makes it such that even full overwrites of an SSD will not actually wipe everything, as previous data will survive in regions that are not accessible to the OS. – forest Dec 13 '18 at 00:51
  • 4
    @forest , it may have a few percent of a few percent of the original disk’s image remaining in some of the blocks that were cycled through the wear leveling process, and some original data may still be occupying a bad block. But the chances of recovering a specific file intact are minuscule, especially if the desired file was larger than a single block. – John Deters Dec 13 '18 at 04:09
  • @JohnDeters You're thinking of wear leveling. Overprovisioning space actually holds a significant fraction of all storage, not just a single block. I recall one seminal paper showed a non-negligible chance of recovery of multiple blocks even after more than 10 complete wipes of the block device. – forest Dec 13 '18 at 04:29
  • 1
    This is the hypothetical sphere we're entering. Having a "recall one seminal paper" doesn't directly translate to "there's a tool that makes data recovery possible for OP". – BlueWizard Dec 13 '18 at 09:15
  • @BlueWizard You don't use a software tool, you bypass the FTL to get to the NAND directly, which lets you access all the overprovisioning space. That space is what [this answer](https://security.stackexchange.com/a/5665/165253) explains. – forest Dec 13 '18 at 09:16
  • 1
    @BlueWizard There are reasons to give an incomplete or abstract answer. The reason "because you asked people on the internet" is not one of them - especially not on a Q&A site on the *internet*. – Tom K. Dec 13 '18 at 09:20
  • There are a lot of things that can be discussed but probably won't help OP in their quest of getting files from two write cycles ago. See the middle section of my answer on academic solutions and their practicality towards the stated question. – BlueWizard Dec 13 '18 at 09:20
  • @BlueWizard Your middle section is largely commenting on the common myth about recovery of overwritten NAND cells, which has nothing to do with my scenario. And the tools you can use are practical, though it takes a little more expertise than "run this free program". You do have to open the SSD, but you can very easily bypass the FTL with very cheap logic interfaces, dump the contents, and run a filesystem scraper on the image to recover fragments of deleted files. – forest Dec 13 '18 at 09:21
  • 1
    Everybody dissatisifed with my answer is free to write their own answer. This comment section is not for extended discussions on alternative means of data revovery (not mentioned in my answer at all). I will not substantially rewrite an answer that has already received multiple positive responses: it would be unfair towards those people. – BlueWizard Dec 13 '18 at 09:27
  • @BlueWizard The comment system is, however, for pointing out inaccurate answers. I will not be writing my own answer as the question is already a duplicate of an answered question. – forest Dec 13 '18 at 09:28
  • 1
    @forest fair point – BlueWizard Dec 13 '18 at 09:33
  • @forest, the overprovisioned space exists for the wear-leveling logic in the controller to cycle through (it can also serve as the bad block reserve.) "Filling" the drive is not guaranteed to wipe any specific block, but the controller will distribute the new blocks evenly over all the available blocks. Assuming a reserve of 5%, the first overwrite will leave up to 5% of the original data behind. A second overwrite will then destroy 95% of the previously reserved space, leaving ~0.25% of the original blocks. The chance that all blocks of the desired file are intact? Less than 1 in 500. – John Deters Dec 13 '18 at 14:52
  • @JohnDeters You're right that the chance that the entire file remains intact is low, but a significant portion of blocks will remain accessible. This is because the reserve is often far greater than 5%. A terabyte drive will often have, at minimum, nearly a hundred gigabytes of overprovisioning space (it would be _at least_ 1024 GiB - 1000 GB of space). Many drives, especially enterprise ones, have even more. – forest Dec 14 '18 at 02:36
  • 2
    @forest, There are two ways to look at it. If you are a forensic investigator, you might be looking for anything that is evidence, and may be satisfied with finding a single frame of incriminating video. If you are a person looking to recover a treasured photo from an accidental overwrite, you need a very specific set of blocks to have survived. The investigator is in a strong position to find something of value, but the person is not. Yes, if you are looking for a way to thoroughly clean a drive overwriting is insufficient, but that doesn’t mean data is likely recoverable after an overwrite. – John Deters Dec 14 '18 at 15:57
  • 2
    @JohnDeters You're right. I'm looking at it from the forensics perspective. – forest Dec 15 '18 at 00:43
1

Is Data Remanence a Myth?

This is great coverage of the underlying question -- is data recoverable after a wipe. And while the preponderance of answers agree to be "no", the source documentation does also asert this but acquieses that bits of information are potentially recoverable.

So the answer to your question is "no", you cannot recover whole video files after a byte-by-byte overwrite. However, if the drive is known to contain text based data of significant interest where fragments may be enough to piece together a provactive picture, the answer becomes less definite. But, in those cases, you'd be talking in the realm of corporate espionage by the biggest companies in the world and/or nation-states.

thepip3r
  • 633
  • 3
  • 8
0

It depends on what you mean when you say “filled with random video files”.

If the drive was completely filled to capacity with new data, it is highly unlikely to be retrievable.

If the drive was filled to 50% of capacity with new data, the chances are better, but not great.

Don Simon
  • 165
  • 1
  • 9
  • Filled completely ☹ – Vini7 Dec 12 '18 at 21:08
  • 1
    Video files usually have compression. Thus it's unlikely that the SSD controller compressed it before writing it. Some people try to "zero out" their SSDs and then are astonished at the speed on which the SSD is able to do so. – BlueWizard Dec 12 '18 at 21:18
0

You said the hard drive is SSD. This is enough information to answer with a resounding no - even with a single pass write. Let me explain why ...

With an SSD when you delete a file the operating system sends a TRIM command to the SSD and the SSD will delete said file completely. This happens immediately. Why? Because it's faster for the SSD/OS to work this way.

You can read more about it here. Provided the OS issues the TRIM command and the SSD acts upon it then a 1 pass write is enough.

Any more than that and you're just going to burn your SSD out quicker.

BugHunterUK
  • 287
  • 2
  • 11