3

I would like to ask how to find out in Windows whether or not a disk contains any data?
In other words: I need to verify if any non-zero bytes exist on the disk.
Can this be done with any tool shipped with Windows (10 in my case) or any other tool for Windows (preferably freeware)?

what I have tried so far

Some hex editors like HxD are capable of raw disk access ("disk sector editing"). On my disk, I only see entire pages full of zeros. But scrolling down the raw disk output of a 4 TB disk would take ages – it is not humanly possible. There are search functions, but they only allow me to search for a specific hex value. There is no NOT operator to search for non-zero values. Regex would work, but I have not found a free hex editor with regex search.

use cases

There are a couple of use cases:

  • Other users (see similar questions below) have wiped their drives and want to ascertain that the job was successful, i.e. the drive is filled with zeroes only.
  • My personal scenario: I purchased an HDD a few years ago, but I don't remember whether or not I ever copied any data onto it. The "disk management" applet says "not initialized" and "unallocated". This indicates that I probably never used the disk. But sometimes disks or partitions are not recognized by the OS although they contain data. In this case I would lose my preexisting data if I re-initialize/partition/format the disk. Data loss would be a horrible scenario for me. Therefore, I want to make absolutely sure that no data is present and the disk is indeed blank.

similar questions

There are many similar questions, but they all pertain to Linux:

jpa
  • 1,077

2 Answers

5

Any program can access raw disks as if they were files; this is not limited to certain few hex editors. For example, you could use a Python program:

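# Run from an elevated (Administrator) prompt; raw disk access requires it.
# Needs Python 3.8+ for the := operator.
empty_sector = b"\x00" * 512
# PhysicalDrive1 is "Disk 1" in Disk Management; adjust the number as needed.
with open(r"\\.\PhysicalDrive1", "rb") as fh:
    i = 0
    # Read one 512-byte sector at a time until the end of the device.
    while buf := fh.read(512):
        print(f"Read sector {i}", end="\r", flush=True)
        # Report every sector that contains at least one non-zero byte.
        if buf != empty_sector:
            print(f"Sector {i} is not empty!")
        i += 1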

\\.\PhysicalDrive<x> is an alias for \\.\GLOBALROOT\Device\Harddisk<x>\DR<x>.

> But sometimes disks or partitions are not recognized by the OS although they contain data

Partitions don't exist out of nowhere; they're referenced by the partition table that you would find in sectors 0–32 of the disk (sector 0 for the MBR, sectors 1+ for GPT). If these sectors are all empty, then either there were never any partitions, or you had deliberately deleted them.

And it takes effort to manually wipe the partition table i.e. "un-initialize" the disk, so if you find the first 200-ish sectors completely blank, then it's safe to assume that this deletion either a) wouldn't have been accidental, or b) would have continued onwards to delete a good chunk of your first partition.

Though in case the disk was used through a USB SATA adapter that does 4k sector remapping but is now being accessed through a direct connection which doesn't, the GPT partition table would instead be found in sector 8 and up (the sector addresses being multiplied by 8), so Windows indeed would not recognize it – although it would still be visible in HxD.

But even in that case, Windows would at minimum recognize the "protective" MBR partition table in sector 0 (which remains sector 0 even after 4k remapping), if there were one (all GPT disks normally have one).

grawity
  • 501,077
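
The partition-table layout described in the answer above, as an added example that is not part of the original answer: a Python sketch that reads the start of a raw disk or image and reports whether an MBR signature, a protective MBR entry, or a GPT header (at 512-byte sector 1 or 8) is present. The function names and the in-memory images are constructed for illustration; for a real disk, pass a handle such as `open(r"\\.\PhysicalDrive1", "rb")`.

```python
import io

GPT_SIG = b"EFI PART"  # first 8 bytes of a GPT header

def inspect_disk_start(fh, sector_sizes=(512, 4096)):
    """Classify the first sectors of a raw disk or image opened in 'rb' mode."""
    head = fh.read(2 * max(sector_sizes))  # covers LBA 1 at either sector size
    # all_zero only describes the bytes read here, not the whole disk.
    report = {"all_zero": not any(head), "mbr_signature": False,
              "mbr_types": [], "protective_mbr": False,
              "gpt_header_sector": None}
    if len(head) < 512:
        return report
    # MBR: boot signature 55 AA at bytes 510-511, four 16-byte partition
    # entries starting at byte 446, partition type in byte 4 of each entry.
    if head[510:512] == b"\x55\xaa":
        report["mbr_signature"] = True
        types = [head[446 + 16 * n + 4] for n in range(4)]
        report["mbr_types"] = [t for t in types if t]
        report["protective_mbr"] = 0xEE in types  # 0xEE marks a GPT disk
    # The GPT header sits in LBA 1, so its byte offset equals the logical
    # sector size the disk was written with. Report it in 512-byte sectors:
    # 1 is the normal case, 8 is the 4k-remapped case from the answer.
    for size in sector_sizes:
        if head[size:size + 8] == GPT_SIG:
            report["gpt_header_sector"] = size // 512
            break
    return report

def make_image(gpt_offset=None, protective=True, size=16384):
    """Constructed in-memory test image (not data from a real disk)."""
    img = bytearray(size)
    if protective:
        img[446 + 4] = 0xEE
        img[510:512] = b"\x55\xaa"
    if gpt_offset is not None:
        img[gpt_offset:gpt_offset + 8] = GPT_SIG
    return io.BytesIO(bytes(img))

if __name__ == "__main__":
    samples = {"blank": make_image(None, protective=False),
               "GPT, 512-byte sectors": make_image(512),
               "GPT written through a 4k adapter": make_image(4096)}
    for name, img in samples.items():
        print(f"{name}: {inspect_disk_start(img)}")
```

A result with `protective_mbr` true and `gpt_header_sector` equal to 8 matches the adapter scenario in the answer: data is present even though Windows shows no GPT partitions.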
1

One possible (heavy) way is to do forensic analysis on the disk.

As a first step, it is wise to create an image of the drive in question. This will minimize the probability of changing something on the source disk. A good candidate for this task is FTK Imager.

Next, you can use the program Autopsy: load the drive, analyze it and (eventually) recover file(s). With this software you can do:

File system analysis: support for NTFS, FAT, EXT and HFS+ formats, distinction between visible and hidden files, access to metadata and system logs.

Deleted file recovery: analysis of disk sectors, reconstitution of deleted files and recovery of documents, images, videos or archives as long as they have not been overwritten.

Extraction of system artifacts: browsing history, event logs, recently executed programs and network connections to trace actions performed on a device.

Metadata analysis: extraction of hidden information from files, such as EXIF image data, document modification dates and access permissions.

Advanced search and indexing: search engine to identify keywords in files, e-mails and system logs, with automatic extraction of textual content.

Analysis of multimedia files: detection of explicit content, extraction of thumbnails and analysis of image and video metadata.

Mapping of digital interactions: identification of connections to remote servers, exchanges on social networks and messaging logs to trace suspicious communications.

Forensic report generation: production of detailed reports in PDF, HTML or CSV, including artifacts identified, modifications detected and chronology of events.

Here you can watch a good video to get an idea of the process.

If you do not see any recoverable files, you can assume with high probability that the disk is empty or that the information can't be recovered.

P.S. No affiliation with the above products/companies.

Romeo Ninov
  • 7,848