Help recovering disk erased with Mac OS Disk Utility
Posted: 09 May 2013, 01:18
I needed quick temporary storage for a 40 GB file, so a friend and houseguest lent me his 1 TB WD My Passport, which was only about half full. We miscommunicated regarding his travel schedule. As he rushed to get out the door on time, my file—a VirtualBox virtual disk image, which I've occasionally used in sensitive work for myself and others—was still on his drive. I could live without the file; I don't store data on the virtual machine and can create a new one. But what if, say, someone stole my friend's bag? I thought of one particular password a creative, determined, tech-savvy thief might be able to extract from my virtual disk image and how much damage he might do with it. I had to erase my virtual disk image from my friend's drive before letting it go out my front door.
I'd copied the .vdi file from my Kubuntu Linux laptop, but I plugged the external drive into my Mac (OS X Snow Leopard, 10.6.8), figuring Disk Utility would be more intuitive and quick than whatever tools Kubuntu comes with. My friend was rushing around and talking at me, and I couldn't immediately find the option to securely erase a single file. I did see the button to erase the whole disk. He reluctantly said to just do that. I clicked "Erase...", which I think reformats the disk. The erase operation finished within a minute or two, which seemed far too fast to have securely overwritten a half-full 1 TB disk. He told me to keep the drive, and then he left.
Pretty quickly I noticed the "Erase Free Space..." and "Security Options..." buttons and figured out that these would let me securely overwrite part or all of the disk. Since I'd erased the disk before clicking either of these buttons, and the only thing I've done with the disk since clicking "Erase..." is look at it with TestDisk, I assume the data is all, or almost all, still intact. Ideally I'd like to recover the WD My Passport to its state just before I clicked "Erase...", copy the .vdi file back to my laptop (which has a freshly reinstalled OS and filesystem) and securely erase the .vdi file from the WD My Passport. Then I can ship the WD My Passport back to my friend. If a full recovery is not possible, then the priority, other than securely wiping my .vdi file, would be to recover personal business documents. The drive also contained media files, which would be nice to recover, but only if I can do so without risking the documents.
Until recently I was a full-time web producer/developer, using a variety of open-source technologies, tools and systems. So I pick up stuff like this quickly. But aside from rescuing a few GB of accidentally deleted images last year, I have no data recovery experience, and I've always let operating system installers handle partitioning. I've of course referred to the TestDisk documentation and found more via Google, but I've yet to find anything that clearly speaks to my case.
I've spent maybe five or six hours since Sunday trying the TestDisk Analyse and Geometry options. I've had the WD My Passport hooked up to both my Kubuntu laptop and my Mac and am attaching the logs from both. Analyse shows only the newly reformatted partition. I see the warnings about head and sector numbers, but trying different geometry numbers just produces another warning and doesn't reveal anything I can recognize as useful. Yesterday morning I started a partition (deep) search, which took more than a day to complete and produced a long list (looks like hundreds) of partitions TestDisk says can't be recovered. Here's one page of it from the Mac terminal:
Code:
TestDisk 6.14-WIP, Data Recovery Utility, April 2013
Christophe GRENIER <grenier@cgsecurity.org>
http://www.cgsecurity.org
Disk /dev/disk1 - 1000 GB / 931 GiB - 1953458176 sectors (RO)
The harddisk (1000 GB / 931 GiB) seems too small! (< 17809682 TB / 16197811 TiB)
Check the harddisk size: HD jumpers settings, BIOS detection...
The following partitions can't be recovered:
Partition Start End Size in sectors
FAT12 3271300196 5073011548 1801711353
FAT16 >32M 3274532107 3303515318 28983212
FAT12 3274793881 5641943165 2367149285
HPFS - NTFS 3277618874 5930156408 2652537535
FAT32 LBA 3279998443 4360450574 1080452132
FAT16 >32M 3281084637 4229281061 948196425
FAT16 LBA 3284006141 7069190451 3785184311
FAT16 LBA 3287576359 4853374483 1565798125
FAT12 3288567529 6266759656 2978192128
> FAT16 LBA 3290329087 5994227067 2703897981
[ Continue ]
1384 GB / 1289 GiB
If someone with TestDisk experience could suggest what to try next, I'd very much appreciate it. I know the files must still be there. If I can't find any help, then my next move probably will be to try to recover only my friend's documents with PhotoRec, upload them to secure file-sharing space so he can download them, securely erase the WD My Passport and ship it back to him. But if I could restore the whole drive, including his media files, that'd be much better.
And for what it's worth: My own documents and media files are all backed up. Most of them are encrypted too. Though encryption creates a whole other set of issues and more work. What I'll take from this episode is probably to be even more reluctant than I already am to have unencrypted sensitive data on someone else's storage, whoever "someone else" may be, and for however short a time.
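Added example, not part of the original post and not TestDisk code: a short Python check that parses the deep-search page quoted in the post and compares each candidate's start and end sector with the sector count reported on the "Disk" line. The function names are illustrative assumptions; the listing is copied from the post with its banner lines trimmed.

```python
import re

# Terminal page quoted in the post (banner and warning lines trimmed).
TESTDISK_PAGE = """\
Disk /dev/disk1 - 1000 GB / 931 GiB - 1953458176 sectors (RO)
Partition Start End Size in sectors
FAT12 3271300196 5073011548 1801711353
FAT16 >32M 3274532107 3303515318 28983212
FAT12 3274793881 5641943165 2367149285
HPFS - NTFS 3277618874 5930156408 2652537535
FAT32 LBA 3279998443 4360450574 1080452132
FAT16 >32M 3281084637 4229281061 948196425
FAT16 LBA 3284006141 7069190451 3785184311
FAT16 LBA 3287576359 4853374483 1565798125
FAT12 3288567529 6266759656 2978192128
> FAT16 LBA 3290329087 5994227067 2703897981
"""

DISK_RE = re.compile(r"^Disk \S+ - .* - (\d+) sectors")
# Optional '>' cursor marker, a type name that may contain spaces, three integers.
ROW_RE = re.compile(r"^>?\s*(.+?)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")


def parse_page(text):
    """Return (total_sectors, [(type, start, end, size), ...])."""
    total, rows = None, []
    for line in text.splitlines():
        if (m := DISK_RE.match(line)):
            total = int(m.group(1))
        elif (m := ROW_RE.match(line)):
            rows.append((m.group(1), *map(int, m.groups()[1:])))
    if total is None:
        raise ValueError("no 'Disk ... sectors' line found")
    return total, rows


def check_candidate(total, row):
    """List the reasons a candidate cannot exist on a disk of `total` sectors."""
    _type, start, end, size = row
    problems = []
    if end - start + 1 != size:
        problems.append("size does not match start/end")
    if start >= total:  # valid sector numbers are 0 .. total-1
        problems.append("starts past the last sector")
    elif end >= total:
        problems.append("ends past the last sector")
    return problems


if __name__ == "__main__":
    total, rows = parse_page(TESTDISK_PAGE)
    for row in rows:
        print(f"{row[0]:<12} {row[1]:>11}  {', '.join(check_candidate(total, row)) or 'fits'}")
```

Every candidate on the quoted page starts beyond sector 1953458175, the last sector of the disk, so none of them can describe a filesystem that was actually on this drive.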