Tools for hard drive diagnostics, repair, and data recovery

EaseUS Data Recovery oddities...

January 23rd, 2020, 8:28

First post, please be gentle...

I have a couple of HDDs that required wiping prior to recycling them; the drives are external via USB port on a Windows 10 Pro, 64-bit desktop. The software for this purpose is Hardwipe, version 5.2.1, and I used DOD 5220.22-M to erase the content of the drive. After the erase, the raw drives were scanned via EaseUS Data Recovery version 13 for verification purposes. That's where things got confusing...

EaseUS Data Recovery advanced scan of the raw drive found 30 files (712.23 GB) on a 120 GB drive, yes, on a 120 GB drive. All of the found files are shockwave flash files, extension SWF. Erasing the drive again didn't help, EaseUS advanced scanning showed the same results.

I created a simple partition for the 120 GB drive and formatted the drive with NTFS file system. After the format had completed, the drive had been encrypted with Windows 10's Bitlocker for external drive. Once the drive had been fully encrypted, the partition was deleted and re-scanned with EaseUS Data Recovery. The advanced scan results were better than before, but it still found 26 files (44.68 GB) with SWF extension.

The drives probably never had that many shockwave files and the chances are, that the scan results are incorrect.

Is it "normal" for data recovery software to have that many "incorrect" files identified?

TIA...

Re: EaseUS Data Recovery oddities...

January 23rd, 2020, 17:58

Can be - I don't use EaseUS but I would suggest trying it with a more professional tool like r-Studio (https://www.r-studio.com/Buy-Data-Recov ... tware.html) or UFS Explorer (https://www.ufsexplorer.com/ufs-explore ... covery.php).

Basically those tools search for the start of a file based on the "magic number" - e.g. a JPG file starts with 0xFF followed by 0xD8. If a block starts with those two hex values, a RAW-recovery tool will assume that all data between the starting point and some other values which mark the end of the file are a picture.

In case you don't mean 712MB then the software gets confused by the pattern the erasing method creates. You can also try to recover some of the files and you will see if that file has some useful content or not.

You can also try testdisk in case you don't want to buy a licence.

Further, you can fill the whole drive with 0x00 just for test purposes, and after that the programs should not find anything anymore.

Re: EaseUS Data Recovery oddities...

January 23rd, 2020, 18:58

Thanks maddin...

I did mean 712 GB data discovered on the 120 GB drive. Here's the initial interface in EaseUS, only the drive in question visible:

lost partition 120 GB.jpg


Below is the end result of the scan:

Raw drive 120 GB.jpg


The discovered files are too large for EaseUS to open, it seemingly has 100 MB maximum size of any of the files. Either that, or the file is corrupted. After the Bitlocker partition was deleted and I did another disk wipe, EaseUS shows this error:

Raw drive 120 GB with Bitlocker.jpg


I did try the UFS Explorer, that found a file with the "GZ" file extension, about 40 GB in size that may, or may not open. The trial version limits opening a file to 250 MB, if I recall correctly. At this point, I am cautious to try another trialware with its limitation.

Initially, I've used KillDisk to write a single pass of zeros, believing that it should be sufficient for the purpose. After checking the results with EaseUS, I switched to Hardwipe with 2 x 0s and 1 x random characters, but EaseUS still showed 30 - 40 shockwave flash files each being 2 - 10 GB. Bitlocker encryption and just deleting the partition didn't help either, hence my confusion about the EaseUS results. Once a drive is fully encrypted, not just the data, none of the data recovery software should find anything useful.

I actually returned to my previous HDD sanitization method to be certain, removed all the platters from the drive and used them as spacers. It's not a long term solution, but it certainly works. :cool:

I'd still like to know why this odd behavior with this variation of the software used...

Re: EaseUS Data Recovery oddities...

January 24th, 2020, 12:27

You can check with a disk editor to see what's going on. HxD includes one. Search for the SWF signature manually. The signature must be 46, 57, 53 hex ("FWS") for uncompressed, or 43, 57, 53 hex ("CWS") for compressed data.

Re: EaseUS Data Recovery oddities...

January 25th, 2020, 2:34

Or, for peace-of-mind's sake, you could re-do the wiping with a simple zero-fill pattern, and be done with the O.C.D.-ness... :) (I should take a taste of my own medicines sometimes.)

Initially, I've used KillDisk to write a single pass of zeros, believing that it should be sufficient for the purpose. After checking the results with EaseUS

Did you run EaseUS after the “single pass of zeros”? It would be very odd if it reported finding something out of literally nothing. Or was it “encrypted nothing”? In which case it could still contain false positives, i.e. random strings matching the beginning of a known file type.


You can check with a disk editor to see what's going on.

What's going on, as already explained above, is that the drive was most likely (as in, almost certainly) wiped with a fancy pseudo-random pattern, and a data recovery software with a “raw” search mode will detect as a “file” any chunk of data with a “signature” matching one of its known file signatures, and in 120GB of random data there's a good chance that it will find “something”. Heck, sometimes a fake JPG or MP3 signature can be found inside of a legitimate video file... I've had a situation once where, using Photorec with a variety of common file types enabled, including MP3, it truncated several video files which were not fragmented on the scanned drive, because it encountered what it interpreted as MP3 headers (hundreds of them), each time extracting a dummy 3KB MP3 file, then resuming the extraction of the video file, minus the 3KB — resulting of course in the extracted video files being unreadable beyond the first “hole”. When it found a fake JPG header it stopped extracting the video file altogether, and attempted to extract the (non-existent) JPG file. So I had to run the extraction again, this time only enabling the detection of the expected video file types. Photorec is reputed to be excellent at what it does (it's been favorably compared with highly expensive “carving” utilities), but this is a major drawback.
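The signature check suggested two posts up and the false-positive argument in the post above, worked through as an added example (not code from any poster or from EaseUS). It assumes a raw scan that tests one position per 512-byte sector, which is an assumption about such tools rather than documented behaviour; the function names and the sample image are constructed for illustration.

```python
import struct

SECTOR = 512
SIGNATURES = (b"FWS", b"CWS")  # the two SWF signatures quoted in the thread

def expected_false_hits(drive_bytes, step=SECTOR, n_sigs=len(SIGNATURES), sig_len=3):
    """Expected chance matches in uniformly random data when one position
    is tested every `step` bytes (assumption: sector-aligned search)."""
    return (drive_bytes // step) * n_sigs / 256 ** sig_len

def scan(data, step=SECTOR):
    """Yield (offset, signature, version, declared_length, plausible)."""
    for off in range(0, len(data) - 9, step):
        sig = data[off:off + 3]
        if sig not in SIGNATURES:
            continue
        version = data[off + 3]                              # 1-byte version
        (length,) = struct.unpack_from("<I", data, off + 4)  # 32-bit length, little-endian
        if sig == b"FWS":
            # Uncompressed: the declared length must cover the 8-byte
            # header and fit in what is left of the image.
            ok = 8 <= length <= len(data) - off
        else:
            # Compressed: a zlib stream follows the header, so its first
            # two bytes must pass the RFC 1950 header check.
            cmf, flg = data[off + 8], data[off + 9]
            ok = (cmf & 0x0F) == 8 and ((cmf << 8) | flg) % 31 == 0
        yield off, sig.decode(), version, length, ok

def build_sample():
    """Constructed 8-sector image: zeros plus planted headers."""
    img = bytearray(8 * SECTOR)
    # Random-looking header: version 231, declared length close to 4 GB.
    img[2 * SECTOR:2 * SECTOR + 8] = b"FWS" + bytes([0xE7]) + struct.pack("<I", 0xF3A1B2C4)
    # Header whose fields are consistent with the image.
    img[5 * SECTOR:5 * SECTOR + 8] = b"FWS" + bytes([10]) + struct.pack("<I", 512)
    # Compressed signature followed by bytes that are not a zlib header.
    img[6 * SECTOR:6 * SECTOR + 10] = b"CWS" + bytes([9]) + struct.pack("<I", 4096) + b"\x13\x37"
    img[700:703] = b"FWS"  # not sector-aligned: never tested by the scan
    return bytes(img)

if __name__ == "__main__":
    for hit in scan(build_sample()):
        print(hit)
    print(round(expected_false_hits(120 * 10**9), 1))
```

Under the 512-byte alignment assumption, 120 GB of random fill gives roughly 28 expected chance matches for the two signatures, the same order as the 30 files reported in the first post. A header that matches by chance also carries a random 32-bit length field, which is one way a carver that trusts it ends up reporting very large files.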

Re: EaseUS Data Recovery oddities...

January 26th, 2020, 9:43

Thank you all for sharing your knowledge on the subject...

You helped me to understand, that disks "wiped with a fancy pseudo-random pattern" will result in false/incorrect file detection. On the other hand, "wiping with a simple zero-fill pattern" will not. This has been confirmed with an 80 GB IDE HDD in my tests. Neither EaseUS, nor UFS detected any data, after a single pass of writing zeros to the drive.

If a zero-fill pattern is all that one needs, then there's no need for KillDisk, Hardwipe, etc., disk wiping software. Running the Windows "format" command as administrator can do that easily and just as efficiently:

Code:
Microsoft Windows [Version 10.0.18363.592]
(c) 2019 Microsoft Corporation. All rights reserved.

C:\WINDOWS\system32>format W: /fs:NTFS /p:1*
The type of the file system is NTFS.
Enter current volume label for drive W: Erase

WARNING, ALL DATA ON NON-REMOVABLE DISK
DRIVE W: WILL BE LOST!
Proceed with Format (Y/N)? y
Formatting 74.5 GB
23 percent completed.

*- /p:1 one pass, change the value for more passes

Be careful... While the "format" command cannot wipe the system drive, in most cases it's "C:", it will happily wipe any of your other drives. Entering the correct "volume label" serves as confirmation, that you do want to wipe the drive. Conversely, entering the incorrect volume label will abort the format command. Writing zero-fill pattern to the disk with the format command takes about the same time, as disk wiping software does.

The chances are, that most, if not all, disk wiping software for Windows utilizes the format command to write zeros. Other OSs probably have similar built-in commands.

One or two passes with zeros is more than sufficient for most people. Anything beyond that will get complicated, up to physical destruction of the drive.

Again, thank you for your insight in this matter...
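A zero-fill can also be verified directly instead of through a recovery tool's raw scan. The following is an added example, not from the thread; the function names and the sample image are constructed, and the stream is assumed to be an image file or raw device opened read-only in binary mode.

```python
import io

def find_nonzero_sectors(stream, sector=512, chunk_sectors=2048, max_report=16):
    """Stream a raw image and return (bytes_read, nonzero_sectors, first_offsets).

    first_offsets holds the byte offsets of the first `max_report` sectors
    that contain anything other than 0x00.
    """
    offset = 0       # bytes consumed so far
    nonzero = 0      # sectors with at least one non-zero byte
    first = []
    while chunk := stream.read(sector * chunk_sectors):
        # Fast path: a fully zeroed chunk needs no per-sector work.
        if chunk.count(0) != len(chunk):
            for i in range(0, len(chunk), sector):
                piece = chunk[i:i + sector]
                if piece.count(0) != len(piece):
                    nonzero += 1
                    if len(first) < max_report:
                        first.append(offset + i)
        offset += len(chunk)
    return offset, nonzero, first

def build_sample_image():
    """Constructed 10-sector image with two surviving non-zero bytes."""
    img = bytearray(10 * 512)
    img[3 * 512 + 5] = 0xAA   # inside sector 3
    img[7 * 512] = 0x01       # first byte of sector 7
    return io.BytesIO(bytes(img))

if __name__ == "__main__":
    # Small chunk size so the sample crosses several chunk boundaries.
    print(find_nonzero_sectors(build_sample_image(), chunk_sectors=4))
    print(find_nonzero_sectors(io.BytesIO(bytes(4096))))
```

Microsoft's help text for `format /p:<count>` describes zeroing every sector and then overwriting `count` times with random numbers, and `format` acts on one volume rather than the whole disk. A check like this is therefore run against the raw disk, and non-zero sectors are expected after any random pass.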