WD MyBook Live drives wiped – Data Recovery

By | June 25, 2021

Earlier this week ‘rumors‘ started spreading about WD MyBook Live NAS devices were remotely instructed to return to factory settings. Well, this is no longer a rumor, it is happening. I write this blogpost as I learn new stuff about this issue so nothing of this is written in stone and I will update and correct if and when needed.

UPDATE: I added a paragraph on improving recovery result of ‘RAW scans’ right below the R-Studio step-by-step guide. These tips apply to any tools that do a RAW scan or signature scan for lost files, so also PhotoRec for example. This may address some of the issues of people recovering many corrupt files.

UPDATE: I see posts of people who contacted data recovery labs and got quotes ranging from $1000-$2000. These are ridiculous quotes for basically a logical data recovery case IMO. Feel free to use the contact form and share your location with me to see if I can recommend a reliable affordable lab near you. Or leave a comment. As a general advice, skip large labs like Ontrack, DriveSavers etc. unless you do not mind paying too much.

UPDATE: https://www.westerndigital.com/support/productsecurity/wdc-21008-recommended-security-measures-wd-mybooklive-wd-mybookliveduo

Advisory Summary:
At this time, we recommend you disconnect your My Book Live and My Book Live Duo from the Internet to protect your data on the device.

I am not discussing the why and how, I am interested in whether the data is recoverable or not.

As many of the USB type MyBooks decrypt data whether you set a password or not, I was first fearing data recovery would become rather complex. Turns out affected devices are not encrypted. They’re best regarded small Linux PCs. File system used is EXT4 as far as I can tell.

It is unclear to me at this point if it’s safe to start your WD MyBook Live at this point after you disconnect it from the network. So I would not at this point. Only attempt data recovery if you already determined your device was wiped.

Data Recovery chances WD MyBook Live

According to one Redditor who examined scripts, the drive’s partitions were wiped > new partitions created > data partitions were EXT4 formatted.

File recovery from a formatted EXT4 partition is not trivial. From what I gathered from several forums (closed to data recovery and PC repair techs only), best option was R-Studio. Best in the sense that R-Studio was able to recover files + file names + folder structure.

It is my understanding though that when an EXT4 volume is formatted, most file system meta data is wiped. So, I do not expect such a nice recovery in this case (so no filenames and folder structure). File data from unfragmented files can be recovered using the RAW or signature based recovery method.

Another major limitation of RAW recovery is that any tool can 0nly recover file types it has signatures for. Tools like R-Studio and DMDE allow you to add you own signatures if needed. You can determine signatures by examining 3 intact files of that type and look for common byte sequences.

Data Recovery Steps

  • You need to remove the hard drive from the WD MyBook Live enclosure. YouTube is your friend! IFIXIT also has step-by-step tear down guide.
  • Hook up the drive to a PC. Ideally you use it’s native connection, converting it to USB is an option too using a SATA to USB adapter with external power supply.
  • Ideally now clone the drive so you create a safety net for yourself. Tools like R-Studio and DMDE offer a disk imaging option. To store the image you need another drive slightly larger than the one you clone.
  • Recover files using RAW scan method.

If you decide to use Windows based file recovery software: Windows may pop up the ‘Do you want to format this drive?’ dialog once it detects the WD MyBook drive. Cancel any suggestions Windows makes! DO NOT FORMAT OR INITIALIZE THE DRIVE!

Almost all good generic file recovery offer a RAW scan option, and they automatically fall back to this if file system reconstruction fails. Both tools I recommended before (R-Studio and DMDE) do. These also offer the ability to add custom signatures for file types they do not detect out of the box.

Most famous RAW scanner is probably PhotoRec and unlike the other two tools, it’s free! PhotoRec is accompanied by TestDisk which is a potentially dangerous tool. Do NOT try to rebuild partitions using TestDisk!! Limit yourself to file recovery using PhotoRec. Also check paragraph below R-Studio step-by-step guide as it applies to PhotoRec too.

UPDATE: I have seen several reports of disappointing results by people using PhotoRec. Check paragraph below R-Studio step-by-step guide as it applies to PhotoRec too. Hint: disable / deselect .txt files in PhotoRec.

UPDATE: I see reports of people having success using R-Studio. Demo shows intact previews! An intact preview is a guarantee a file can be recovered.

STEPS to recover data from EXT4 partition using R-Studio:

Note that screenshots are from the Linux version, Windows version looks slightly different.

Important: You need an additional disk to save recovered files to!

Download R-Studio (do not purchase yet!).

  1.  Start R-Studio and locate the reformatted disk and the disk where the recovered files will be stored.

2. Select the ‘patient’ drive (the one from the WD MyBook. It’s okay to only leave only the Ext2/Ext3/Ext4 file system selected. Also make sure ‘Extra Search for Known File Types’ is checked.

3. Click the Scan button.

4. In case of the WD MyBook Live there should be 4 partitions. The 4th, the EXT4 partition is where your data resides, so select that.

5. R-Studio will enumerate the files on it and show the folder tree.

6. Use the built-in Previewer to estimate chances for successful data recovery. This is particularly useful with large picture files.

7. Select the files and folders you want to recover and choose a location to save the recovered files.

Some tips on improving results of RAW recovery (any tool)

A RAW scan detects files using ‘magic bytes’ or file signatures. If we know JPEGs start with 0xFFD8FF and MP3 files with 0x494433, we can detect files by scanning a drive for these byte patterns. For many file types you can not tell easily what their size is, only few end with some kind of end of file signature. So then the tool needs to guess:

– Assume certain default file size
– File end where next file starts

However, since many of these signatures are not unique byte patterns they can occur at any time. So assume we detected JPEG signature (0xFFD8FF) and while we’re saving this file, tool detects byte pattern 0x494433. That could be perfectly valid JPEG data but also start of MP3 file. If tool assumes the latter we end up with a corrupt JPEG and corrupt MP3 file. In these cases it can help to overrule the tool’s default selection for file types to detect. IOW disable MP3 and it may recover a perfectly fine JPEG file.

Places to monitor for more news:

There’s several threads on Reddit, here’s one data recovery related: https://www.reddit.com/r/techsupport/comments/o71ls4/legacy_western_digital_mybooklive_nas_drives/

On the WD support community forums: https://community.wd.com/t/help-all-data-in-mybook-live-gone-and-owner-password-unknown/268111

Always good to watch Bleeping Computer: https://www.bleepingcomputer.com/news/security/wd-my-book-nas-devices-are-being-remotely-wiped-clean-worldwide/

Leave a Reply

Your email address will not be published. Required fields are marked *