All times are UTC - 5 hours [ DST ]




Post subject: EaseUS Data Recovery oddities...
Posted: January 23rd, 2020, 8:28

Joined: January 23rd, 2020, 7:43
Posts: 3
Location: Connecticut
First post, please be gentle...

I have a couple of HDDs that required wiping prior to recycling them; the drives are connected externally via a USB port on a Windows 10 Pro, 64-bit desktop. The software for this purpose is Hardwipe, version 5.2.1, and I used DOD 5220.22-M to erase the content of the drive. After the erase, the raw drives were scanned via EaseUS Data Recovery version 13 for verification purposes. That's where things got confusing...

EaseUS Data Recovery advanced scan of the raw drive found 30 files (712.23 GB) on a 120 GB drive, yes, on a 120 GB drive. All of the found files are Shockwave Flash files, extension SWF. Erasing the drive again didn't help; EaseUS advanced scanning showed the same results.

I created a simple partition for the 120 GB drive and formatted the drive with NTFS file system. After the format had completed, the drive had been encrypted with Windows 10's Bitlocker for external drive. Once the drive had been fully encrypted, the partition was deleted and re-scanned with EaseUS Data Recovery. The advanced scan results were better than before, but it still found 26 files (44.68 GB) with SWF extension.

The drives probably never had that many shockwave files and the chances are, that the scan results are incorrect.

Is it "normal" for data recovery software to have that many "incorrect" files identified?

TIA...


Post subject: Re: EaseUS Data Recovery oddities...
Posted: January 23rd, 2020, 17:58

Joined: July 27th, 2019, 17:40
Posts: 113
Location: Vienna
Can be - I don't use EaseUS but I would suggest trying it with a more professional tool like R-Studio (https://www.r-studio.com/Buy-Data-Recov ... tware.html) or UFS Explorer (https://www.ufsexplorer.com/ufs-explore ... covery.php).

Basically those tools search for the start of a file based on the "magic number" - e.g. a JPG file starts with 0xFF followed by 0xD8. If a block starts with those two hex values, a RAW-recovery tool will assume that all data between the starting point and some other values which mark the end of the file is a picture.

In case you don't mean 712MB then the software gets confused by the pattern the erasing method creates. You can also try to recover some of the files and you will see if that file has some useful content or not.

You can also try testdisk in case you don't want to buy a licence.

Further, you can fill the whole drive with 0x00 just for test purposes, and after that the programs should not find anything anymore.


Post subject: Re: EaseUS Data Recovery oddities...
Posted: January 23rd, 2020, 18:58

Joined: January 23rd, 2020, 7:43
Posts: 3
Location: Connecticut
Thanks maddin...

I did mean 712 GB data discovered on the 120 GB drive. Here's the initial interface in EaseUS, only the drive in question visible:

Attachment: lost partition 120 GB.jpg


Below is the end result of the scan:

Attachment: Raw drive 120 GB.jpg


The discovered files are too large for EaseUS to open; it seemingly has a 100 MB maximum size for any of the files. Either that, or the file is corrupted. After the Bitlocker partition was deleted and I did another disk wipe, EaseUS shows this error:

Attachment: Raw drive 120 GB with Bitlocker.jpg


I did try the UFS Explorer, that found a file with the "GZ" file extension, about 40 GB in size that may, or may not open. The trial version limits opening a file to 250 MB, if I recall correctly. At this point, I am cautious to try another trialware with its limitation.

Initially, I've used KillDisk to write a single pass of zeros, believing that it should be sufficient for the purpose. After checking the results with EaseUS, I switched to Hardwipe with 2 x 0s and 1 x random characters, but EaseUS still showed 30 - 40 shockwave flash files each being 2 - 10 GB. Bitlocker encryption and just deleting the partition didn't help either, hence my confusion about the EaseUS results. Once a drive is fully encrypted, not just the data, none of the data recovery software should find anything useful.

I actually returned to my previous HDD sanitization method to be certain, removed all the platters from the drive and use them as spacers. It's not a long term solution, but it certainly works. :cool:

I'd still like to know why this odd behavior with this variation of the software used...


Post subject: Re: EaseUS Data Recovery oddities...
Posted: January 24th, 2020, 12:27

Joined: May 13th, 2019, 7:50
Posts: 907
Location: Nederland
You can check with a disk editor to see what's going on. HxD includes one. Search for the SWF signature manually. The signature must be 46, 57, 53 hex ("FWS") for uncompressed, or 43, 57, 53 hex ("CWS") for compressed data.

_________________
Joep - http://www.disktuna.com - video & photo repair & recovery service


Post subject: Re: EaseUS Data Recovery oddities...
Posted: January 25th, 2020, 2:34

Joined: November 22nd, 2017, 21:47
Posts: 309
Location: France
Or, for peace-of-mind's sake, you could re-do the wiping with a simple zero-fill pattern, and be done with the O.C.D.-ness... :) (I should take a taste of my own medicine sometimes.)

Quote:
Initially, I've used KillDisk to write a single pass of zeros, believing that it should be sufficient for the purpose. After checking the results with EaseUS

Did you run EaseUS after the “single pass of zeros”? It would be very odd if it reported finding something out of literally nothing. Or was it “encrypted nothing”? In which case it could still contain false positives, i.e. random strings matching the beginning of a known file type.


Quote:
You can check with a disk editor to see what's going on.

What's going on, as already explained above, is that the drive was most likely (as in, almost certainly) wiped with a fancy pseudo-random pattern, and a data recovery software with a “raw” search mode will detect as a “file” any chunk of data with a “signature” matching one of its known file signatures, and in 120GB of random data there's a good chance that it will find “something”. Heck, sometimes a fake JPG or MP3 signature can be found inside of a legitimate video file... I've had a situation once where, using Photorec with a variety of common file types enabled, including MP3, it truncated several video files which were not fragmented on the scanned drive, because it encountered what it interpreted as MP3 headers (hundreds of them), each time extracting a dummy 3KB MP3 file, then resuming the extraction of the video file, minus the 3KB, resulting of course in the extracted video files being unreadable beyond the first “hole”. When it found a fake JPG header it stopped extracting the video file altogether, and attempted to extract the (non-existent) JPG file. So I had to run the extraction again, this time only enabling the detection of the expected video file types. Photorec is reputed to be excellent at what it does (it's been favorably compared with highly expensive “carving” utilities), but this is a major drawback.
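
Added example, not part of any post in this thread: a small Python sketch of the signature-only matching described in the replies above, using the "FWS"/"CWS" bytes quoted earlier and the SWF header layout (3-byte signature, 1-byte version, 4-byte little-endian declared length). The 512-byte search stride, 120 GB taken as 120 * 10**9 bytes and a uniformly random wipe pattern are assumptions, and the sample buffers are constructed.

```python
import random
import struct

SECTOR = 512                    # assumed carving stride: only sector starts are tested
SIGNATURES = (b"FWS", b"CWS")   # SWF magic numbers quoted in the thread

def expected_false_hits(capacity_bytes, stride=SECTOR, signatures=SIGNATURES):
    """Expected number of signature matches in uniformly random data."""
    positions = capacity_bytes // stride
    return positions * sum(256.0 ** -len(sig) for sig in signatures)

def scan(data, stride=SECTOR):
    """Return sorted (offset, signature, version, declared_length) matches."""
    hits = []
    for sig in SIGNATURES:
        pos = data.find(sig)
        while pos != -1:
            if pos % stride == 0 and pos + 8 <= len(data):
                # SWF header: 3-byte signature, 1-byte version, uint32 LE length
                version, length = struct.unpack_from("<BI", data, pos + 3)
                hits.append((pos, sig.decode(), version, length))
            pos = data.find(sig, pos + 1)
    return sorted(hits)

def is_zero_filled(data):
    """True when every byte is 0x00, i.e. there is nothing for a carver to match."""
    return data.count(0) == len(data)

if __name__ == "__main__":
    # Assumption: "120 GB" means 120 * 10**9 bytes.
    print("120 GB random, sector-aligned: %.1f expected matches"
          % expected_false_hits(120 * 10**9))
    # Constructed stand-in for a random-pattern wipe (seeded, 32 MiB).
    size = 32 * 1024 * 1024
    noise = random.Random(2020).getrandbits(8 * size).to_bytes(size, "little")
    print("32 MiB random, any offset: %.1f expected matches"
          % expected_false_hits(size, stride=1))
    for off, sig, ver, length in scan(noise, stride=1):
        print(f"  {sig} at 0x{off:08x}: version={ver}, declared length={length}")
    zeros = bytes(size)
    print("zero fill:", is_zero_filled(zeros), "matches:", len(scan(zeros, stride=1)))
```

Under those assumptions the estimate for a 120 GB drive is about 28 sector-aligned matches, and each match carries a declared length read from whatever random bytes follow the signature. A zero-filled buffer produces no matches at all.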


Post subject: Re: EaseUS Data Recovery oddities...
Posted: January 26th, 2020, 9:43

Joined: January 23rd, 2020, 7:43
Posts: 3
Location: Connecticut
Thank you all for sharing your knowledge on the subject...

You helped me to understand that disks "wiped with a fancy pseudo-random pattern" will result in false/incorrect file detection. On the other hand, "wiping with a simple zero-fill pattern" will not. This has been confirmed with an 80 GB IDE HDD in my tests. Neither EaseUS nor UFS detected any data after a single pass of writing zeros to the drive.

If a zero-fill pattern is all that one needs, then there's no need for KillDisk, Hardwipe, etc., disk wiping software. Running the Windows "format" command as administrator can do that easily and just as efficiently:

Code:
Microsoft Windows [Version 10.0.18363.592]
(c) 2019 Microsoft Corporation. All rights reserved.

C:\WINDOWS\system32>format W: /fs:NTFS /p:1*
The type of the file system is NTFS.
Enter current volume label for drive W: Erase

WARNING, ALL DATA ON NON-REMOVABLE DISK
DRIVE W: WILL BE LOST!
Proceed with Format (Y/N)? y
Formatting 74.5 GB
23 percent completed.

*- /p:1 one pass, change the value for more passes

Be careful... While the "format" command cannot wipe the system drive (in most cases it's "C:"), it will happily wipe any of your other drives. Entering the correct "volume label" serves as confirmation that you do want to wipe the drive. Conversely, entering the incorrect volume label will abort the format command. Writing a zero-fill pattern to the disk with the format command takes about the same time as disk wiping software does.

The chances are, that most, if not all, disk wiping software for Windows utilizes the format command to write zeros. Other OSs probably have similar built-in commands.

One or two passes with zeros is more than sufficient for most people. Anything beyond that will get complicated, up to physical destruction of the drive.

Again, thank you for your insight in this matter...

