Page 1 of 1

Help recovering disk erased with Mac OS Disk Utility

Posted: 09 May 2013, 01:18
by jchriswilliamson
I needed quick temporary storage for a 40 GB file, so a friend and houseguest lent me his 1 TB WD My Passport, which was only about half full. We miscommunicated regarding his travel schedule. As he rushed to get out the door on time, my file—a VirtualBox virtual disk image, which I've occasionally used in sensitive work for myself and others—was still on his drive. I could live without the file; I don't store data on the virtual machine and can create a new one. But what if, say, someone stole my friend's bag? I thought of one particular password a creative, determined, tech-savvy thief might be able to extract from my virtual disk image and how much damage he might do with it. I had to erase my virtual disk image from my friend's drive before letting it go out my front door.

I'd copied the .vdi file from my Kubuntu Linux laptop, but I plugged the external drive into my Mac (OS X Snow Leopard, 10.6.8), figuring Disk Utility would be more intuitive and quick than whatever tools Kubuntu comes with. My friend was rushing around and talking at me, and I couldn't immediately find the option to securely erase a single file. I did see the button to erase the whole disk. He reluctantly said to just do that. I clicked "Erase...", which I think reformats the disk. The erase operation finished within a minute or two, which seemed far too fast to have securely overwritten a half-full 1 TB disk. He told me to keep the drive, and then he left.

Pretty quickly I noticed the "Erase Free Space..." and "Security Options..." buttons and figured out that these would let me securely overwrite part or all of the disk. Since I'd erased the disk before clicking either of these buttons, and the only thing I've done with the disk since clicking "Erase..." is look at it with TestDisk, I assume the data is all, or almost all, still intact. Ideally I'd like to recover the WD My Passport to its state just before I clicked "Erase...", copy the .vdi file back to my laptop (which has a freshly reinstalled OS and filesystem) and securely erase the .vdi file from the WD My Passport. Then I can ship the WD My Passport back to my friend. If a full recovery is not possible, then the priority, other than securely wiping my .vdi file, would be to recover personal business documents. The drive also contained media files, which would be nice to recover, but only if I can do so without risking the documents.

Until recently I was a full-time web producer/developer, using a variety open-source technologies, tools and systems. So I pick up stuff like this quickly. But aside from rescuing a few GB of accidentally deleted images last year, I have no data recovery experience, and I've always let operating system installers handle partitioning. I've of course referred to the TestDisk documentation and found more via Google, but I've yet to find anything that clearly speaks to my case.

I've spent maybe five or six hours since Sunday trying the TestDisk Analyse and Geometry options. I've had the WD My Passport hooked up to both my Kubuntu laptop and my Mac and am attaching the logs from both. Analyse shows only the newly reformatted partition. I see the warnings about head and sector numbers, but trying different geometry numbers just produces another warning and doesn't reveal anything I can recognize as useful. Yesterday morning I started a partition (deep) search, which took more than a day to complete and produced a long list (looks like hundreds) of partitions TestDisk says can't be recovered. Here's one page of it from the Mac terminal:

Code: Select all

TestDisk 6.14-WIP, Data Recovery Utility, April 2013                            
Christophe GRENIER <grenier@cgsecurity.org>                                     
http://www.cgsecurity.org                                                       
                                                                                
Disk /dev/disk1 - 1000 GB / 931 GiB - 1953458176 sectors (RO)                   
                                                                                
The harddisk (1000 GB / 931 GiB) seems too small! (< 17809682 TB / 16197811 TiB)
Check the harddisk size: HD jumpers settings, BIOS detection...                 
                                                                                
The following partitions can't be recovered:                                    
     Partition               Start        End    Size in sectors                
   FAT12                 3271300196 5073011548 1801711353                       
   FAT16 >32M            3274532107 3303515318   28983212                       
   FAT12                 3274793881 5641943165 2367149285                       
   HPFS - NTFS           3277618874 5930156408 2652537535                       
   FAT32 LBA             3279998443 4360450574 1080452132                       
   FAT16 >32M            3281084637 4229281061  948196425                       
   FAT16 LBA             3284006141 7069190451 3785184311                       
   FAT16 LBA             3287576359 4853374483 1565798125                       
   FAT12                 3288567529 6266759656 2978192128                       
>  FAT16 LBA             3290329087 5994227067 2703897981                       
                                                                                
[ Continue ]                                                                    
1384 GB / 1289 GiB
If someone with TestDisk experience could suggest what to try next, I'd very much appreciate it. I know the files must still be there. If I can't find any help, then my next move probably will be to try to recover only my friend's documents with PhotoRec, upload them to secure file-sharing space so he can download them, securely erase the WD My Passport and ship it back to him. But if I could restore the whole drive, including his media files, that'd be much better.

And for what it's worth: My own documents and media files are all backed up. Most of them are encrypted too. Though encryption creates a whole other set of issues and more work. What I'll take from this episode is probably to be even more reluctant than I already am to have unencrypted sensitive data on someone else's storage, whoever "someone else" may be, and for however short a time.