While I have done a lot of dd work, as in:
The dd Command
http://www.kubuntuforums.net/showthr...The-dd-Command

I'm not a forensics guy. But ... the 480 GB of overwritten data is gone, sorry. dd, as you know, works bit-by-bit (in what we think of in a linear sense, working through the bits). How that interacts with file system structure or data structure is a crap shoot (data in a file system is placed all over the disk, not necessarily in any sort of linear fashion). (E.g., to work with file system data structure, one uses the copy command rather than dd.) ANYTHING you do with the drive containing the data will possibly affect your good data (damage it).

Hang on here, I'm sure someone else may have something specific you can try.

Possibly PhotoRec and TestDisk? ... TestDisk may restore the partition label, then try something like PhotoRec to recover the data.

Thanks for your answers/recommendations, Qqmike.
I'll try the tools you listed .. and others, too.

First, I have to wait for the delivery of a new internal 2,5TB hdd, though.

As you said every operation could cause further damage, I figured to image the "damaged" drive onto a new one.
Then I can work on the image and try all the tools without risking to cause further damage to the original.


I think, I never deleted anything from the damaged drive, so the remaining data should not be fragmented.
So most of the files I might be able to restore should be complete and ok.
Am I correct?


The history of the drives in detail:
The first WD Elements 2TB drive, I had my backups on, started to make louder noises, than when it was new.
So I thought to myself: "I should get a new drive. Then I can go through all the stuff in order to throw out dupes and copy all the remaining, important stuff to the new drive.".
So that's what I did (using rsync).
After that I only copyied over some new stuff - never deleting anything from the new drive.

Then I zero'd (or random'd - cant remember) the old, ratteling drive and put an empty NTFS partition on it.

My intention was to mirror the new drive onto the old and put both of them in a closet.

At this point - as I described in my first post - things went wrong.

So, I don't know, if some forensics-magician could possibly get data off the old, ratteling hard drive, since it used to contain the same data ..
That's the main reason, why I want to do my experiments on a new 2.5TB drive.
And the reason for 2.5TB is I don't want to mirror the broken drive and at the last 200MB get a "drive full" error.
And internal, because SATA it's faster than USB 2.0.

So if all my attempts fail, I still have the 2 original drives.
So when I ever meet some professional, who might know some tricks, that I don't know, I can hand them to him.

This might seem to you, like a drowning man holding on to a straw - so let me explain.

I've seen lots of podcasts, where hard drives were shot with guns/grilled with thousands of volts/baked in an oven or a microwave/crushed in some giant shredder or even molten with some super-hot, lava-looking stuff usually used for cutting/repairing train-tracks.

So I keep asking myself:
"Why would they do any of that?
If there definitely is no way of restoring data from a zero'd drive, then why not zero and reuse/resell/throw away the drive and get on with your life?
Where does the necessity of physical destruction come in?"

I can think of 2 answers:
1. They are totally paranoid
2. They know something, I don't

So, since I am in this situation, I have to hope for number 2 to be correct.

That doesn't mean, my mind cannot be changed, though.
It just means, I have no proof for answer 1 or 2 to be correct or false .. so I keep hoping for a way out of my situation.


Replies/ideas/comments/etc. are still very welcome, as I wait for the delivery of the new hard drive. So keep 'em coming.
As you might have guessed: I can't wait to try everything, I can possibly try.

Even a single write pass of anything (zeros, random data, whatever) to a disk sector will eliminate whatever was there before. So to the extent that dd placed something into a sector, the prior data is gone. Untouched sectors will still possess their contents, and some data recovery shops can extract that. This usually isn't cheap, however.

It's all for show. Really.

That's actually a perfectly valid way to purge a drive, and various challenges to disprove this have gone unfulfilled. Note that writing one big file is insufficient; you need to use something like dd that operates at the sector level. And once you're operating at the sector level, a single pass is all you need. Ignore the advice of those who claim you need to buy their "special DoD-certified" product.

That said, the various methods people employ for data destruction can be very entertaining. I wrote about one example on my old Microsoft security blog.

Thank you for your reply, SteveRiley.

Sorry, that I'm answering that late, but I had to go back to the hospital for another week (my lung kept acting up).
I had to go through heavy duty surgery twice during the past month .. in short: I'm happy to be back and I'm happy to be mostly ok, also.

I haven't followed all of your links and read everything, yet .. but thank you very much for setting the record straight.
Though it's sad, that a lot of my data will stay lost, knowing what is possible/impossible is worth a lot.

Under the circumstances, I won't be hiring a professional, I guess.
I hope, I'll be able to get the remaining (un-zero'd) data off the drive, myself.

What I'm planning to do is:
1. dd-copy the hard drive to an internal drive - in order to prevent data loss if anything goes wrong
2. Run some file-system-check-tools and hope they will repair the file system / Run all kinds of forensics-software.
3. Be happy with whatever data can be restored.
4. Put everything on a RAID in the future.

Since I'll have to be treated at a health resort, all of this will have to wait for about another month.
But after that, I'll keep updating this post with my success- and/or failure-stories.

If anyone has ideas/tricks on restoring data to share: Keep 'em coming - I'll be grateful.

Get well -- your health is most important.

I don't have any experience with particular forensics or data recovery tools. Perhaps a few others here might.

I have had some experience of data recovery, from messing up partition tables (using tools like testdisk) and from a drive that was developing read errors (using ddrescue). But your case is a little different - and I think photorec might be the tool of most value. However, it recognises potential files by their internal data structures so it probably won't find plain text files, including some of your programming source.

I presume (a) the drive with the data is physically fine and (b) you probably only had one partition on it, covering the full drive.