Today I plugged a new SSD into my PC and started a dd command for a USB drive. It was too late when I recognized that the drive letters had moved around and that I had started flashing an ISO image over all my data. I recognized it after 2 seconds and cancelled the process, but it was already too late.

Do you think there is any chance of restoring the data? I ran it over a hard drive.

This is how it looks inside of fdisk:

Device     Boot Start      End  Sectors  Size Id Type
/dev/sdd1  *        0 11311103 11311104  5.4G  0 Empty
/dev/sdd2         808     5427     4620  2.3M ef EFI (FAT-12/16/32) <- it was the NTFS partition with size of 991 GB

And this is output of /proc/partitions:

major minor      #blocks    name
   8    48     976762584    sdd
   8    49       5655552    sdd1
   8    50          2310    sdd2

This hard drive has a capacity of 1TB and it was formatted with NTFS. I've used it as storage for both Linux and Windows.

The dd (dd ver: 9.1) command was fired from Fedora 37 and it was this one:

sudo dd if=./Qubes-R4.1.1-x86_64.iso of=/dev/sdd

1 Answer

Assuming an approximately 1 TB FAT32 partition with the start of the volume overwritten, the biggest determining factor is whether the FATs (file allocation tables), or at least one copy, survived. No one can tell this in advance, as multiple variables are at play: how much was overwritten and the size of the FATs.

If the FAT survived, file-system-based recovery is possible. This means we can reconstruct (virtually) a folder structure, recover file names, and recover fragmented files.

Without the FAT we can (partially) reconstruct the folder structure and filenames, but we'd have to assume all files are contiguous. So the result of the recovery is dictated by the amount of data that was overwritten.

Ideally when dealing with data-loss scenarios you clone or image the patient drive first. So for that you'd need a destination drive with sufficient capacity.

I suggest you then scan the clone/disk image (or the patient drive if you decide not to clone) using a tool like DMDE. After the scan, select the most promising file system.

Then click All found / Virtual file system > Default reconstruction > Parameters to determine the state of the file allocation tables.

Select the 2nd FAT if the 1st is partially damaged.

The DMDE demo allows you to test recovery by actually saving some files. You can also preview, for example, JPEG files. Check some larger JPEGs and see if they look okay. If not, the tool may have come up with incorrect file system parameters, start of file system and cluster size being the most important:

As directory entries point to a start cluster and the file allocation table refers to clusters, the two factors that need to be 'guessed' correctly are the offset from which we start counting clusters and the sectors per cluster.

Tools > Reopen Volume Parameters allows you to modify these parameters, but modifying these requires an understanding of FAT32 file system internals (and a bit of luck?).

Assuming NTFS, a similar story applies; this time, however, it's the MFT that is important: how much of the MFT survived?

The MFT is usually towards the start of the volume; it is, however, common for the MFT to be fragmented, and those additional fragments have a better chance of surviving.

The more of the MFT survives, the better and more complete the file system reconstruction will be. You can only find out by trying.
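A quick read-only check for the "how much of the MFT survived?" question, added here as an example and not part of the original answer: it scans a disk image (the clone recommended above) for NTFS boot sectors, including the backup copy NTFS keeps in the last sector of the volume, and counts the sectors that begin an MFT record. The 512-byte sector size, the function names, the result keys and the image file name are assumptions of this example.

```python
import struct
import sys

SECTOR = 512  # assumed logical sector size of the imaged drive

def parse_ntfs_boot(sec):
    """Return NTFS geometry from a boot sector, or None if it is not one.
    mft_byte_offset is relative to the start of the NTFS volume."""
    if len(sec) < SECTOR or sec[3:11] != b"NTFS    " or sec[510:512] != b"\x55\xaa":
        return None
    bps, spc = struct.unpack_from("<HB", sec, 0x0B)        # bytes/sector, sectors/cluster
    total, mft_lcn = struct.unpack_from("<QQ", sec, 0x28)  # total sectors, $MFT cluster
    return {"bytes_per_sector": bps, "sectors_per_cluster": spc,
            "total_sectors": total, "mft_byte_offset": mft_lcn * spc * bps}

def scan_image(path, chunk_sectors=2048):
    """Read-only scan of an image for NTFS boot sectors and MFT record starts."""
    result = {"boot_sectors": [], "mft_records": 0,
              "first_record": None, "last_record": None}
    base = 0
    with open(path, "rb") as f:  # opened read-only; the image is never modified
        while buf := f.read(chunk_sectors * SECTOR):
            for off in range(0, len(buf), SECTOR):
                sec = buf[off:off + SECTOR]
                if sec[:4] == b"FILE":  # signature at the start of an MFT record
                    result["mft_records"] += 1
                    if result["first_record"] is None:
                        result["first_record"] = base + off
                    result["last_record"] = base + off
                else:
                    geo = parse_ntfs_boot(sec)
                    if geo:
                        result["boot_sectors"].append((base + off, geo))
            base += len(buf)
    return result

if __name__ == "__main__":
    # Usage: python scan_ntfs.py clone.img  (clone.img is a hypothetical image name)
    found = scan_image(sys.argv[1])
    for offset, geo in found["boot_sectors"]:
        print(f"NTFS boot sector at byte {offset}: {geo}")
    print(f"{found['mft_records']} MFT record starts, "
          f"first at {found['first_record']}, last at {found['last_record']}")
```

A surviving boot sector gives the cluster size and the MFT start cluster that a recovery tool otherwise has to guess; the record count indicates how much file metadata is left to reconstruct from.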