Earlier this week ‘rumors‘ started spreading about WD MyBook Live NAS devices were remotely instructed to return to factory settings. Well, this is no longer a rumor, it is happening. I write this blogpost as I learn new stuff about this issue so nothing of this is written in stone and I will update and correct if and when needed.
Advisory Summary:
At this time, we recommend you disconnect your My Book Live and My Book Live Duo from the Internet to protect your data on the device.
I am not discussing the why and how, I am interested in whether the data is recoverable or not.
As many of the USB type MyBooks decrypt data whether you set a password or not, I was first fearing data recovery would become rather complex. Turns out affected devices are not encrypted. They’re best regarded small Linux PCs. File system used is EXT4 as far as I can tell.
It is unclear to me at this point if it’s safe to start your WD MyBook Live at this point after you disconnect it from the network. So I would not at this point. Only attempt data recovery if you already determined your device was wiped.
Data Recovery chances WD MyBook Live
According to one Redditor who examined scripts, the drive’s partitions were wiped > new partitions created > partitions were EXT4 formatted.
File recovery from a formatted EXT4 partition is not trivial. From what I gathered from several forums (closed to data recovery and PC repair techs only), best option was R-Studio. Best in the sense that R-Studio was able to recover files + file names + folder structure.
It is my understanding though that when an EXT4 volume is formatted, most file system meta data is wiped. So, I do not expect such a nice recovery in this case (so no filenames and folder structure). File data from unfragmented files can be recovered using the RAW or signature based recovery method.
Another major limitation of RAW recovery is that any tool can 0nly recover file types it has signatures for. Tools like R-Studio and DMDE allow you to add you own signatures if needed. You can determine signatures by examining 3 intact files of that type and look for common byte sequences.
Data Recovery Steps
- You need to remove the hard drive from the WD MyBook Live enclosure. YouTube is your friend! IFIXIT also has step-by-step tear down guide.
- Hook up the drive to a PC. Ideally you use it’s native connection, converting it to USB is an option too using a SATA to USB adapter.
![]()
- Ideally now clone the drive so you create a safety net for yourself. Tools like R-Studio and DMDE offer a disk imaging option. To store the image you need another drive slightly larger than the one you clone.
- Recover files using RAW scan method.
If you decide to use Windows based file recovery software: Windows may pop up the ‘Do you want to format this drive?’ dialog once it detects the WD MyBook drive. Cancel any suggestions Windows makes! DO NOT FORMAT OR INITIALIZE THE DRIVE!
Almost all good generic file recovery offer a RAW scan option, and they automatically fall back to this if file system reconstruction fails. Both tools I recommended before (R-Studio and DMDE) do. These also offer the ability to add custom signatures for file types they do not detect out of the box.
Most famous RAW scanner is probably PhotoRec and unlike the other two tools, it’s free! PhotoRec is accompanied by TestDisk which is a potentially dangerous tool. Do NOT try to rebuild partitions using TestDisk!! Limit yourself to file recovery using PhotoRec.
UPDATE: I have seen several reports of disappointing results by people using PhotoRec.
UPDATE: I see reports of people having success using R-Studio. Demo shows intact previews! An intact preview is a guarantee a file can be recovered.
STEPS to recover data from EXT4 partition using R-Studio:
Note that screenshots are from the Linux version, Windows version looks slightly different.
Important: You need an additional disk to save recovered files to!
Download R-Studio (do not purchase yet!).
- Start R-Studio and locate the reformatted disk and the disk where the recovered files will be stored.
2. Select the ‘patient’ drive (the one from the WD MyBook. It’s okay to only leave only the Ext2/Ext3/Ext4 file system selected. Also make sure ‘Extra Search for Known File Types’ is checked.
3. Click the Scan button.
4. If other partitions previously existed on the disks, R-Studio may find them. You will have to determine which of the recognized partitions is the one you are looking for. In most cases, the partition you are attempting to recover will be the same size as the existing logical disk. In this case we double click ‘Recognized1’.
5. R-Studio will enumerate the files on it and show the folder tree.
6. Use the built-in Previewer to estimate chances for successful data recovery. This is particularly useful with large picture files.
7. Select the files and folders you want to recover and choose a location to save the recovered files.
Places to monitor for more news:
There’s several threads on Reddit, here’s one data recovery related: https://www.reddit.com/r/techsupport/comments/o71ls4/legacy_western_digital_mybooklive_nas_drives/
On the WD support community forums: https://community.wd.com/t/help-all-data-in-mybook-live-gone-and-owner-password-unknown/268111
Always good to watch Bleeping Computer: https://www.bleepingcomputer.com/news/security/wd-my-book-nas-devices-are-being-remotely-wiped-clean-worldwide/
