How Not to Erase Data

 3 years ago
source link: http://www.os2museum.com/wp/how-not-to-erase-data/

From past blog posts it is fairly obvious that the OS/2 Museum occasionally purchases used hard disks. Most of the time, the disks are either completely erased (overwritten with zeros) or don’t have anything very interesting on them.

But sometimes they do. Especially old SCSI disks tend to have old data on them, simply because very few people have the necessary equipment to use them anymore. But recently I encountered a case that appears to be an epic failure to delete data.

The hard disk is a Maxtor 25128AT, a 2.5″ IDE drive with 128 MB capacity that started its life as an OEM drive in an IBM ThinkPad. It was originally set up with MS-DOS 6.20 and Windows 3.11 for Workgroups.

A 128 MB hard disk formerly found in a ThinkPad laptop

At some point in the past, someone attempted to wipe the disk by high-level formatting it, i.e. putting in place a fresh FAT file system. That normally does quite a lot of damage by destroying the root directory and FAT tables. If the file system was fragmented, recovering the files can be quite difficult and very labor intensive. Yet on this particular drive, reformatting the drive resulted in no appreciable data loss and recovering all files was fairly easy. How is that possible?

The drive was originally compressed with DoubleSpace. When a drive is compressed with DoubleSpace, it becomes a “host drive” and will contain only a few files: IO.SYS, MSDOS.SYS, DBLSPACE.BIN, and DBLSPACE.000. The latter is usually a very large file that takes up almost the entire disk. Within DBLSPACE.000, there is another, FAT-like but quite non-standard file system, which contains the compressed drive contents.

When the drive showed up, I made an image of it. That’s standard procedure for getting a sense of what shape the drive is in (unsurprisingly, the health of used drives can be all over the place). Of course I immediately saw that although the drive is freshly formatted and has almost no files on it, it’s far from empty.

Somewhere within the first few thousand sectors, I noticed a strange looking boot sector with an “MSDSP6.0” OEM signature, unfamiliar to me. Punching that string into a search engine resulted in exactly one hit—that almost never happens. It was a source comment in the Spanish language version of Undocumented DOS. Fortunately I have the English language book, as well as the source code that came with it.

There I quickly established that the source code in the book dumps information about a compressed DoubleSpace volume, and that it’s based on a utility called DSDUMP that was published by Microsoft, so not truly undocumented. And I was able to find the original Microsoft utility, too.

With the DSDUMP utility in hand, I was able to determine that the reformatted disk contained the entire and untouched compressed volume file (CVF). The next step took me a few tries to get right.

I found out that the compressed disk was not created with MS-DOS 6.22, because that used DriveSpace and not DoubleSpace. I also found out that while MS-DOS 6.0 did use DoubleSpace, it did not like the CVF from the Maxtor drive, claiming it is too new. Finally, MS-DOS 6.2 turned out to be the right pick.

What I did next was run DoubleSpace to compress the empty disk, and then copy over the DBLSPACE.000 file that I’d recovered from the original drive. This produced a fully functioning file system complete with Windows 3.11 for Workgroups and several applications, such as WordPerfect 6.0 for DOS or IBM Legato (later known as IBM Works) for Windows.

As far as I can tell, the only thing formatting the drive managed to destroy was the Windows 3.11 permanent swap file, which most likely wouldn’t have been all that interesting anyway. Everything else was still there within the CVF.

Moral of the story: If you want to erase data, do it right!
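
An added example, not part of the original post: a check that a raw disk image is really erased, which counts non-zero sectors and flags any sector carrying the “MSDSP6.0” OEM signature. It assumes 512-byte sectors and that the signature sits in the usual OEM name field of a DOS boot sector (offset 3, 8 bytes); the function names and the sample image are constructed for illustration.

```python
SECTOR = 512
OEM_OFFSET, OEM_LEN = 3, 8  # assumed: OEM name field of a DOS boot sector


def audit_image(image: bytes, oem_ids=(b"MSDSP6.0",)):
    """Return (total_sectors, nonzero_sectors, hits) for a raw disk image.

    hits lists (lba, oem_id) for every sector whose OEM field matches one of
    oem_ids. Trailing bytes that do not fill a whole sector are ignored.
    """
    zero = bytes(SECTOR)
    total = len(image) // SECTOR
    nonzero, hits = 0, []
    for lba in range(total):
        sector = image[lba * SECTOR:(lba + 1) * SECTOR]
        if sector == zero:
            continue
        nonzero += 1
        oem = sector[OEM_OFFSET:OEM_OFFSET + OEM_LEN]
        if oem in oem_ids:
            hits.append((lba, oem.decode("ascii")))
    return total, nonzero, hits


def is_wiped(image: bytes) -> bool:
    """True only if every whole sector in the image is zero-filled."""
    return audit_image(image)[1] == 0


def build_sample_image() -> bytes:
    """Constructed 64-sector image: a reformatted disk with leftovers."""
    img = bytearray(64 * SECTOR)
    # Sector 0: boot sector written by the high-level format (constructed).
    img[0:3] = b"\xEB\x3C\x90"
    img[3:11] = b"MSDOS5.0"
    img[510:512] = b"\x55\xAA"
    # Sector 40: first sector of a leftover compressed volume (constructed).
    base = 40 * SECTOR
    img[base + OEM_OFFSET:base + OEM_OFFSET + OEM_LEN] = b"MSDSP6.0"
    # Sectors 41-43: stand-in bytes for surviving compressed data.
    for lba in range(41, 44):
        img[lba * SECTOR:(lba + 1) * SECTOR] = bytes([lba]) * SECTOR
    return bytes(img)


if __name__ == "__main__":
    total, nonzero, hits = audit_image(build_sample_image())
    print(f"{nonzero}/{total} sectors hold data; signatures at {hits}")
    print("wiped" if nonzero == 0 else "NOT wiped")
```

On a drive overwritten with zeros, `is_wiped` returns true; on a drive that was only reformatted, the non-zero count stays high and the old volume's header is still there to be found.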

