Help! All data in mybook live gone and owner password unknown

Good news everyone: I’m currently using PhotoRec on my dismantled hard drive and I see some pictures I know reappear. For the 3 TB it’ll take about 10 hours.

This is the best news. Good luck overnight, let us know how you get on!!

@Hazamel Great news! Best of Luck!
How did you dismantle and connect to PC?
Thanks, Jeff

Pure Force… :wink: I followed the guide at iFixit (Western Digital My Book Live Teardown - iFixit), put it into a spare external drive case and hooked it up via USB.

@Sammie101
I’ll see what will be recovered. Anything PhotoRec can’t identify is stored as txt. So I guess I’ll have a lot of Canon RAW and Photoshop-Files as text. Will try Recuva tomorrow and hope I’ll get some real names and folder names

1 Like

@Hazamel Awesome that works! Do you know what type of file system it is? Someone said their file table was gone. PhotoRec reads image file headers, independent of the FAT. I know it runs Linux.

There’s a Windows version, too.
What I saw was an ext3 or ext4 filesystem.

Also checked to restore the partitions. My util found three different versions and I wasn’t bold enough. Also none of them showed me my shares in the preview.

@Hazamel Yes I saw those types in some of the code. Hopefully Recuva will do better.

I tried mounting the disk with a USB adapter in Windows 10 (insider build) and it instantly green screens. 100% reproducibility. I also tried using the same adapter in Linux and there seem to be no partitions.

What is the cause of all this? A bad firmware push? How does this happen? Shows the vulnerability of IoT devices.

The WD MBL log files indicate a script issued a “FactoryReset” command to users all over the world.
I don’t use Cloud Storage so I don’t understand how this can happen?
What do you mean by Green screen? Nothing to recover?

Jun 23 15:51:35 MyBookLive : System ready
Jun 23 15:51:37 MyBookLive logger: WD NAS: Email alerts REST API failed to return Success
Jun 23 15:51:37 MyBookLive : Check if new firmware is available
Jun 23 15:51:38 MyBookLive logger: Starting orion services: miocrawlerd, mediacrawlerd, communicationmanagerd
Jun 23 15:53:24 MyBookLive factoryRestore.sh: begin script:
Jun 23 15:53:24 MyBookLive shutdown[7899]: shutting down for system reboot
Jun 23 16:02:26 MyBookLive S15mountDataVolume.sh: begin script: start
Jun 23 16:02:29 MyBookLive logger: hostname=MyBookLive

1 Like
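A way to triage a My Book Live system log for the pattern shown in the post above, as an added example that is not part of the original thread and not WD code. The sample is the excerpt quoted in that post; the function names, the 5-minute window and the placeholder year are assumptions.

```python
import re
from datetime import datetime, timedelta

# Log excerpt copied from the post above (syslog format, which carries no year).
SAMPLE_LOG = """\
Jun 23 15:51:35 MyBookLive : System ready
Jun 23 15:51:37 MyBookLive logger: WD NAS: Email alerts REST API failed to return Success
Jun 23 15:51:37 MyBookLive : Check if new firmware is available
Jun 23 15:51:38 MyBookLive logger: Starting orion services: miocrawlerd, mediacrawlerd, communicationmanagerd
Jun 23 15:53:24 MyBookLive factoryRestore.sh: begin script:
Jun 23 15:53:24 MyBookLive shutdown[7899]: shutting down for system reboot
Jun 23 16:02:26 MyBookLive S15mountDataVolume.sh: begin script: start
Jun 23 16:02:29 MyBookLive logger: hostname=MyBookLive
"""

LINE_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) ([^:]*): ?(.*)$")

def parse(text, year=2000):
    """Yield (time, host, tag, message); year is a placeholder for time arithmetic only."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # lines that are not syslog-shaped are skipped, not guessed at
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(2), m.group(3).strip(), m.group(4)

def find_factory_resets(text, window=timedelta(minutes=5)):
    """One finding per factoryRestore.sh start: when it ran, whether a shutdown
    followed, what was logged shortly before, and how long logging stopped."""
    events = list(parse(text))
    findings = []
    for i, (ts, host, tag, msg) in enumerate(events):
        if not tag.startswith("factoryRestore.sh"):
            continue
        before = [f"{t:%H:%M:%S} {g}: {m}" for t, _, g, m in events[:i] if ts - t <= window]
        after = events[i + 1:]
        shutdown = any(g.startswith("shutdown") and t - ts <= window for t, _, g, _ in after)
        resumed = next((t for t, _, g, _ in after if not g.startswith("shutdown")), None)
        findings.append({
            "host": host, "time": ts, "shutdown_followed": shutdown,
            "context_before": before,  # empty here means nothing was logged in the window
            "gap_seconds": (resumed - ts).total_seconds() if resumed else None,
        })
    return findings

if __name__ == "__main__":
    for f in find_factory_resets(SAMPLE_LOG):
        print(f)
```

Run against a full log collected from the device, `context_before` is the part worth reading: it shows whether anything such as a login or a UI action was logged ahead of the reset.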

Just to say I got the same problem with my drive, here in Japan. Factory reset, everything gone. For now, I just disconnected the drive from the network and unplugged it.
I’ll be waiting patiently to see whether people can recover data from it. I’ll likely remove the drive and use something like Recuva if I see people having success.

2 Likes

I have just found I have the same issue. Everything is gone. Just 3 share folders. I’m in the US. This is BAD!

How do I file an official support complaint with WD and get a case number?

TL;DR - I tried Recuva, it got a lot of stuff, but a lot of things are corrupted, especially larger files (my drive mostly had movies and TV shows)

Longer version - I’m in the US/Tennessee, and I had the same problem. I noticed the normally-almost-full drive was empty when I got home from work last night (Wednesday around 6 PM CDT), so I took the drive out of its casing and plugged it into my late-2013 MacBook Pro using a SATA-to-USB. I’ve got Paragon’s extFS for Mac, so I could see the drive was ext3 and that it showed up as 3 mounted partitions, but the drive was completely empty, other than the generic setup file structure (which was actually slightly different than I’d ever seen it–I’ve never before noticed “TimeMachineBackup” or “SmartWare” folders on there, but maybe I deleted them years ago and forgot).

I then ejected the drive and connected it to my Windows desktop, and started running Recuva overnight. First it has to index everything, which takes several hours, then it shows you a list of what you can supposedly recover (although many of those could actually be corrupted). So when I woke up this morning I started the actual recovery, and when I got home from work it had finished. None of the file names were there, which is very annoying, and most of the movies and TV show episodes were either gone or corrupted and can’t actually be played. Smaller files like JPGs and PDFs seemed to be working, with occasional corruptions.

So from my experience Recuva is definitely worth a shot, especially if you had smaller files on your drive. Because I doubt Western Digital is going to offer to recover anyone’s data, even though I’m guessing with a problem this widespread it’s definitely their fault, one way or another.

1 Like

If anyone with this issue is in any of the following New York areas, please let me know:

  • Westchester
  • Chinatown
  • Midtown Manhattan

I’m a hobbyist security researcher who would really like to take a look at a drive that this happened to. If you’re not comfortable taking the drive apart, I can take it apart and run PhotoRec and co. for you and try my best at recovering your files. We can meet in a park or similar public place, and we can remain there for the duration of our meeting. I won’t ask for any payment. I’ve taken apart several WD external drives and I have many leftover SATA to USB adapters from them. I know how to go about the data recovery process as safely as possible. (For those following along at home, this means to image your drive before running PhotoRec or similar on it. If you accidentally write to it, you could destroy your data! Use Macrium Reflect if on Windows, dd if on Mac or Linux.)

Also: for those with damaged photos/videos, definitely take a look at Klennet Carver. This software works absolute magic.

1 Like

It hit me as well, nearly 2TB of data, all gone. Fortunately, it’s all backed up, but this is going to create a lot of extra work. Some details that may be helpful in some way:

My device was a MyBook Live Duo, and I did not have its internet cloud feature enabled as a security precaution, but obviously that was not good enough. My drive had a factory restore executed on June 23 at 03:44 EDT. I was able to log into the control panel of the drive without using a password, so no new password was assigned during the attack. I have it connected to a Linksys WRT1900AC router, which has a firewall as most routers do. I also have a WD Elements USB hard disk connected to my main workstation on the network (which was powered on during the attack), but that was not compromised.

None of my computers were compromised and all are running Windows 10, fully up to date on patches. So it seems even though I had the internet cloud feature disabled, evidently the device is still actually connected to the internet. This was something I did not know, but I learned my lesson there.

From what I’ve been reading, the current WD NAS drives require an always-on internet connection to actually function, which would definitely prevent me from purchasing one, if true.

To anybody thinking that WD might compensate users affected by this, dream on. No way. Unfortunately the MyBook Live is end-of-life, so I would be surprised if we get a new firmware. Even though mine has worked flawlessly for years, it looks like I might be forced to replace a perfectly good-working drive. I won’t be getting a WD product, however.

4 Likes

Also lost 2TB of files today. Luckily, I have recent backups, but I imagine situations where people could have both, primary storage and backup online simultaneously. Imagine a legal firm that has main case files on WD Live drives, and then another set of WD Live’s as a reserve copy, and today both are gone. This could be one of the biggest data losses in history, and let me assure you - the files are non-recoverable. Courtesy of the OS that WD Live uses and secure encryption. EXT3 system that you’ll find, if you scan the drive will give you a new structure. Nothing of the last file set is preserved.

In layman’s terms - the files you lost today cannot be recovered with a patch. The key that identifies the way files were written is gone. There is nothing. I only lost a bit of work. I’ll manage. But I can see people wake up to find years or decades of their lives missing this morning. Knowing files cannot be recovered by any means, this will hit the company big time. They should be lawyering up, and hoping their lawyers didn’t put their case files onto WD Live.

First thing I did today was extract the wiped 2TB drive from the shell and scan EXT3 partitions with recovery software. The way it appears to me is that the Linux system used uses a key that gets wiped in this type of reset. The data is essentially still on the drive, but can’t be identified for what it is, or decoded without a proper key that no longer exists. Doesn’t look good to me at all. Plus, I can’t wait on the fix. I’m firing up backups. Thankfully they’re not from Western Digital.

1 Like

So far everything is fine on my drive - powering it off until further information is provided.

I’m just wondering how many of those affected had automatic firmware updates enabled or remote access enabled?

Is it possible WD’s update servers were compromised and a malicious firmware update was posted and pushed to devices?

1 Like

I received a message from Western Digital requesting my system logs, which I provided. They say they’re going to call me! Fingers crossed!
Get yours ready - instructions here: How To Collect My Book Live or My Book Live Duo System Logs

2 Likes

I ran EaseUS data recovery. All types of modes. Was only able to see the source Linux EXT3 partition. I can only see erased Linux files. All other types of media are gone. Posts above say it’s a reset without zeroing of the sectors, but what I see is a full proper wipe.