I am trying to find out what technically happens on the disk when I re-format a partition (as opposed to deleting the partition), and what are the chances of recovering the information that was on the partition before the re-format. I ask because I accidentally re-formatted a partition and was told my stuff is irretrievable.
2 Answers
Depends on what type of format you did
First things first STOP USING THIS DISK IMMEDIATELYif possible, make a backup, if there was a lot of free space you may be able to make use of compressing this backup
as a superuser, whenever I need to do such a backup I run dd if=/dev/sda|pv -s 500g|bzip2|dd of=/path/to/backupmake sure your backup is located on a separate disk
pv is optional, it just tells me how much data is remaining, it will slow things down, here I have told it to expect 500g of data, if you exceed this the backup wont stop, if you just use pv on it's own it will just display how much information is passing, and bzip2 will compress the backup, depending on what type of data was on the disk this will save you a lot of space but also be very time consuming, you may also remove this pipe
There are two ways to format a disk, you can rewrite the disk with zero's and place a new filesystem in there
As disk space has been increasing, this has been becoming less and less common as it can be very time consuming
These days, whenever you delete a file you are just deleting the reference to that file, and whenever you format a disk, you are just recreating the structure, data is simply re-written
A fun past time of mine is buying cheap hard drives off eBay and examining their contents, most people just format the disk, they don't wipe it
There are a number of propeitry tools available under windows to recover files from such disks, in Linux there is testdisk, scalpel and autopsy (the sleuth kit)
Your data will not be indexed, it will be all over the drive, often in fragments, it is possible to put all these pieces back together, but you must figure out what is important and what isn't, otherwise you will spend forever recovering that data
8Steve's answer is a good one. I'd like to add a bit to it:
- In the distant past, the term "format" often referred to low-level formatting, which meant defining where on the disk individual sectors began and ended. Ubuntu still includes a tool, called
fdformat, which performs this type of low-level formatting on floppy disks. To avoid confusion, many older tools and documentation eschewed the term "format" when referring to higher-level operations, instead using terms like "create a filesystem." Modern hard disks are low-level formatted at the factory and it's difficult or impossible to re-do those operations. Thus, you're only likely to deal with a high-level format (such as creating a filesystem) today. Even writing zeroes to the entire disk using a tool likedddoes not affect the low-level format. - Deleting a partition means deleting a handful of bytes on the disk that define where the partition begins and ends. Most partitions are just areas on the disk that hold the real data structure of interest -- the filesystem. When you delete a partition, the filesystem data structures are normally untouched. (Details depend on the tool you used to delete the partition, though. Some might deliberately wipe or damage filesystem data structures in the interests of security, but this is rare.) Thus, a deleted partition can often be recovered with a tool like TestDisk, which searches for filesystem data structures and creates a new partition table entry that points to what it finds. When you create a new filesystem, though, the filesystem data structures are at least partially overwritten. Some data structures normally remain, though, as will most of the files -- they'll just be scattered about with nothing pointing to them, as Steve describes.
- In addition to the tools that Steve mentioned, PhotoRec is the go-to Linux tool for data recovery when filesystem data structures are toast (as after creating a new filesystem over an old one). PhotoRec can often recover individual files, but they usually lack helpful metadata such as their original filenames, so you can end up with an astounding mass of random files, most of which won't be of any value to you. Imagine searching a haystack for a few gold needles. That's what you'll be doing if you need to use such tools. I've heard that some Windows tools do a better job of recovering filenames from NTFS volumes, but I've never looked into this in detail.
- A complication to all of this is in SSDs. On a hard disk, sectors have more-or-less fixed locations on the disk platters. (A rare exception is when a sector goes bad; it can then be mapped out and replaced by another one held in reserve for this eventuality.) With SSDs, sectors can be remapped by the drive's electronics. This is especially true if TRIM is used. This feature enables an OS to tell the SSD which sectors it is or is not using, and the SSD can then adjust its mappings, consolidate and wipe unused sectors, etc., to improve reliability and efficiency. If you issued an
fstrimcommand or mounted the filesystem with thediscardoption after creating the new filesystem, you activated TRIM, which means that the SSD may have scrambled the mapping of actual storage areas to sector numbers and perhaps wiped data. This will make data recovery much harder. If you did not do either of these things, data might be as recoverable as it would be on a conventional hard disk. All that said, my experience recovering data from SSDs is quite limited, so I don't know how much of an extra challenge TRIM would pose in reality.
