Is it possible to recover overwritten data?

No. It is not possible to recover data that was overwritten.

Why?

The computer memory does not retain any trace of its previous state when it is overwritten.

The secret service must have the technology to do it

No.

  • For the flash memory, the technology just does not exist.
  • For the magnetic memory (hard drives), the technology is only good to recover the faint sound from an erased cassette player tape, not from a modern "perpendicular recording" hard drive. Not even from a legacy "non-perpendicular" IDE drive.

But there must be exceptions

Actually, yes. SSDs use over-provisioning to provide better endurance and reliability. When an SSD is made, it has more flash memory chips than its advertised capacity. The extra memory, which can sometimes be as much as 20% of the advertised SSD capacity, is used to balance wear across different cells (so called SSD wear-levelling) so that all memory cells degrade at roughly the same rate and no one cell fails much earlier than others. This overprovisioned space is not accessible via normal interface (SATA, SAS, or whatever) and thus cannot be overwritten at will. If one disassembles the SSD, removes flash memory chips, and reads them directly, some data may be obtained even after SSD had all its sectors zeroed. Exactly how many and what data is recovered is determined by SSD controller algorithms.

However, this is not the case of being able to recover overwritten data. Conversely, this is the case of not being able to overwrite some part of the data.

How to confirm data was overwritten in a particular case?

If data cannot be recovered by data recovery software, it should be considered overwritten. However, you should try several different data recovery tools before giving up because different programs use different recovery techniques and thus produce different results. There are two typical scenarios:

  • A complete format (also called "low level format") was performed on the drive. In this case, any data recovery utility would show no files at all. ReclaiMe would specifically report that "The drive was subject to a complete format", confirming the fact that the drive is actually blank.
  • One of the secure erase (also known as "disk wiping") utilities was used. In this case, multiple files, sometimes with random names, can be recovered but they do not contain any useful data. These files are created and filled with random data by the secure erase utility; this is done specifically to thwart any possible data recovery attempt.

Still have questions?