Slashdot Mirror
What Data Recovery Tools Do the Pros Use?
Life2Death writes "I've been working with computers for a long time, and every once and a while someone close to me has a drive go belly up on them. I know there are big, expensive recovery houses that specialize in mission-critical data recovery, like if your house blew up and you have millions of files you need or something, but for the local IT group, what do you guys use? Given that most people are on NTFS (Windows XP) by the numbers, what would you use? I found a ton of tools when I googled, and everyone and their brother suggests something else, so I want to know what software 'just works' on most recoveries of bad, but partially working hard drives. Free software always has a warm spot in my heart."
Get Data Back works very well.
Lemon juice and heat!
Great minds think alike; fools seldom differ.
That they should have backed up.
GetDataBack has worked perfectly for me many times. Very easy interface, works on deleted files as well as formatted disks (provided the data you want to recover hasn't been overwritten, of course). Worth the $79, IMO.
ddrescue
But to be honest, if you've hit that point for an "enthusiast" user, then you're already on your last legs. If you ain't got a backup, forget it - the chances of getting one particular file you've lost might be good, the chances of recovering any significant amounts and being able to verify their integrity are bad.
Plus, with SSD's, flash, memory cards, etc. the chances of being able to recover *anything* from a faulty drive without professional equipment are fast approaching zero. Most USB Flash drives just "die" when they hit their write limits, rather than fail gracefully into read-only mode.
Real professionals never lose their data.
I'm not a pro in this department although I've saved a lot of partial data from hard drives for some friends (I'll be very interested in these comments).
... the downside is sometimes I'm surprised in what I save for people--p0rn is not worth my time.
I use a live CD of Knoppix which has really good system repair and troubleshooting. I also have another important tool which is an old Dell Intel motherboard that allows me to set the rotational speed of the drive. Example: my friend's laptop is giving him the click of death so I pop out the IDE drive and hook it up to a 2.5" to 3.5" connector and plug it into the motherboard with a working 1TB 3.5" slaved. On boot up, I hit the BIOS and set the speed as low as it can go or low enough like 1,000 RPM. Then I boot into Knoppix live CD and check to see if I can mount the file system. Knoppix seems to be able to mount a lot of partitions that other more stringent flavors of Linux don't. Sometimes it clicks from the get go and there's nothing you can do. But if it doesn't, then I set a script up to copy their most valuable directories first onto the working 1TB drive. I let it run all night or weekend and check the drive periodically for heat problems. People are surprised what you can save for them doing this
My work here is dung.
Have had decent results with GetDataBack , R-studio, active@'s software in a few cases
ddrescue is convenient.
Trinity Rescue kit may help you.
I'd get people to make regular backups (force it if i have to) and then restore off the backup though most likely.
Back when most data recovery and disk utility applications didnt work on vista (and many still dont) I found one called r-studio. It managed to recover a whole lot of data of a damaged flaky 5TB Raid 5 array, which is pretty impressive considering it was the only application at the time that could even recognize it as a drive, all the others just call it a damaged volume.
As far as I know its still the only one that can do Raids, at least as far as I can find. It also allows many customization options of searches and donest over simplify things too much. It takes forever but it finds any potential damaged file systems and then lets you use whichever one you like to recover whichever files you like. It can also be used to recover deleted files.
As far as I recall its pretty cheap, at least compared to a few out there and worth a try. But with all recovery and security software, I find the information and their website extremely generalized and vague about what exactly you can do, so I always download the software first to make sure it can do what I want, which 90% of the time it cant, and then if it works I buy it. Its not the most legal practice but if they dont offer demos and wont be specific about what their software does its the only practical solution.
So Skulldilocks threw acid on the schoolchildrens' faces, cause somebody from the bible told her to do it!
For your health!
You may find the following threads helpful:
http://serverfault.com/questions/4331/crashed-hard-drive-data-retrieval
http://serverfault.com/questions/4482/hard-drive-data-rescue-services
For the folks (family and friends) that seem to think I'm a free computer repair store I told them to go buy a cheap USB hard drive and just set up a quick and dirty batch file to back things up nightly (or weekly, depending on how big their files are).
I've told them to do this or there's a good chance that I won't be able to recover their files if their PC crashes. This is an easy solution, cheap, and requires virtually no end-user interaction. That last bit is especially important since I've found that they typically ignore even the easiest backup procedures (e.g. copy C:\My Documents to D:\).
As for the original question, I still do attempt file recovery for the stubborn ones who ignore my backup advice. I've had moderate success with various pieces of software. Just Googled "hard disk recovery software." Interestingly enough, different programs have recovered different data on the same HDDs...
Work your way through this list. Unless you're a corporate entity with a large purse, it's probably going to be a freeware app they use too (unless they have a suite which covers many types of media and file systems). They make money from companies, not end users.
Further Info: I phoned a Tamworth, UK-based company (Google it if you're bothered) regarding recovering a file from a USB drive for a teacher where I tech. They asked what I did so far to recover the file, I said I'd run some freeware recovery tool. They told me that's all they'd do, as they don't make money spending any more than about 5 minutes on it. If that can't find it, and you don't have hundreds / thousands of pounds to spend on engineer time, it's the best you'll get.
Finally had enough. Come see us over at https://soylentnews.org/
Spinrite
Pros make sure they have good backups. Pros tell their users "nothing on your laptop/desktop is backed up", make that corporate policy, and respond to virus infestations by re-imaging the victim's computers to make sure that everyone's too damn scared of Mordac the Preventer to keep anything on local storage.
dd if=/dev/sdb of=dump.img bs=512 conv=noerror,sync iflag=direct
Once a drive has started failing the first thing you want to do is get as good a copy of everything as you can manage. If it's a physical problem, especially if it's a damaged platter, then it tends to get worse as the drive is used. Get everything off and then work on the copy.
Tim.
God said, "div D = rho, div B = 0, curl E = -@B/@t, curl H = J + @D/@t," and there was light.
My favorite tools are a combination of the Trinity Rescue Kit linux boot cd and the Restorer tool.
It depends on the type of failure, but generally, I start with a ddrescue to get an image of the drive, especially if the drive is running bad sectors. Either I set the image to go to a secondary spare drive or I push it across the network. ddrescue is nice in that it doesn't bail when it hits those bad sectors, can run in reverse mode, and eventually it'll get as much as isn't corrupt on the drive into the image.
After establishing the image, the original failed drives go into ESD bags and aren't touched again unless they are to get shipped to one of the expensive clean room type places for their style recovery.
Most of the win32 drive recovery softwares out there can handle reading from an image file, so from here on out, I work with the images I took with ddrescue. Restorer has worked pretty well for me on getting things back from hard drives, CF cards, and even raid sets (figuring out the cluster sizes on the raid can be a pain if you don't happen to know them, but the software does support reassembling raid drives from the images you take of the single drives).
Most of the win32 packages out there have support for making the original images, but I haven't had as much luck with most of them when dealing with severely corrupted drives or with a large scattering of bad sectors. Either they take far too long to make it through the image or they end up failing to get by the bad sectors.
Regardless of what you end up picking, you don't want to use any of the recovery tools that advertise how they can fix the partition table and such on the drive, live . . . any recovery operation that thinks it is ok to 'fix' a drive with data on it you want to recover has the wrong mindset. The data is important, not making the drive work again.
check out open source tools for 'file carving' like foremost
https://wiki.remote-exploit.org/backtrack/wiki/Foremost
its open source and avail on backtrack live-cd's
This tool has saved me many times from various issues when it comes to Windows.
http://www.ntfs.com/boot-disk.htm
I have had success with the *free* EASEUS Disk Copy boot CD - http://www.easeus.com/download.htm [easeus.com]. It will perform a bit for bit copy from the defective drive to a new organ-doner drive. I believe you have the option to continue the copy, even on erroneous sectors. On a recent drive in the early stages of failing, I was able to recover the entire disk after I did the bit-for-bit copy and then performed a error check/fix on boot-up. The standard Windows XP error check tool corrected all of the previously mangled bits.
that keep the expensive guys in business
if all data loss were just a matter of awesome software, then wonderful. but frequently you are dealing with mechanical failures like the write head crashing onto the platters, death of the controller, failing motor, etc.
no software is going to fix these things. then its to the $100/hr guys in the clean room
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
Boot up your favorite LiveCD and have a spare hard drive handy
dd if=/dev/hda of=/dev/hdb conv=noerror,sync
Of course, hda and hdb may vary depending on what you've got under the hood.
When all is said and done, your spare hard drive is a great replacement.
format c:
I'm a rabbit startled by the headlights of life
See subject line.
Leather straps, thumbscrews, jumper cables... there's plenty.
Spinrite has worked miracles in the past for me. It's brought back unbootable corrupted windows partitions back to life for me. Supposedly it also fixes physical defects in hard drives as well. It boots off of a image from disc. It costs $89.00 but it's saved my butt in the past.
I used to use Norton Tools, until it was bastardized by Symantec. I have had good luck in the last couple of years with RStudio (http://www.r-tt.com/). I used it to recover the pictures from a wiped SD card. I wish I hadn't once I saw the photos, but that isn't the software's fault. Looks like there is a free version for use on ext2/ext3 filesystems.
There is very little future in being right when your boss is wrong.
s/the pros/you guys/
There are no recovery pros in local IT groups.
Notepad ;-)
Black jump suit, glass cutter, crowbar, can of black spray paint, butterfly knife, pack of smokes, maybe a giant burlap sack with a green $$$ printed on the side because if it said 'data' it might look suspicious...
"Quote me as saying I was mis-quoted." -Groucho Marx
No one has mentioned TestDisk yet??
http://www.cgsecurity.org/wiki/TestDisk
I've used this plenty of times, restoring 'blank' hard drives (especially USB drives who's partition tables were corrupted) and file recovery works great with NTFS, as well as most other filesystem types...
I had a drive where the file system was shredded, so I loaded the drive into FTK Imager (its free, about halway down the page), did a search of the raw space of the drive for the file name I needed, found the relevant $i30 reference (its in there), jumped to the relevant sectors on the disk using ftk imager's goto command , carved out the hex with ftk imager's copy hex command, dumped it into a hex editor, and saved the file under the extension. It worked perfectly.
Uphill, both ways, in the snow.
This is the ultimate last resort if you absolutely, have to, get a file back.
Is it sad that I am more likely to recognize you and your posts by your sig than your name or UID?
I agree with you 100%. I've done this many times, myself.
Although it is primarily used as a forensic analysis tool Guidance Software's EnCase is excellent for data recovery and there is extensive support for many filesystems and operating systems. It's darn expensive but if you are really looking to get data back on a large scale then the long-term investment may be worth it.
Does the job when all hope is lost. I've used it many times for myself and clients. $89.00 and worth every penny. http://spinrite.info/
The chain of tools I used barely a month ago goes like this.
1. dd to get whatever can be had off the hardware and into a disk image.
2. testdisk recovers partition information to make the images mount-able.
3. foremost to recover files. Pay attention to the conf file. There are *lots* of options that will discover all kinds of files in various condition.
As someone who just went through this with my laptop, the last two things to remember:
-You will need tons of disk space to work with the disk images and all of the files foremost recovers.
-check your backup files very, very often. Bacula worked beautifully, but somehow the tar archives it created were corrupt.
http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
When worst comes to worst there is nothing better than having a RAID. I personally run a RAID5 at home but drives are cheap enough that is should be easy to set up a mirror on any workstation. Most motherboards these days support mirroring strait from the bios but even if it does not windows will do it in the OS as well. It is also my understanding that Linux supports all raid levels in software.
Now days it is also common place to see laptops with room for multiple drives. There is no reason at all to not have some sort of raid these days, especially if there is critical data on the drive.
As for OS corruption a raid will not prevent this but there are built in services for configuration "restore" points as well as drive snapshots that will be able to restore a system to a functional state from a "Safe Boot". There really is no reason to use any special software to "Recover" a system if it is configured in a manner that is redundant and secure.
Joshua
We usually start off with a bootable XP CD. Often there isn't anything really that messed up, and you can read the data that way with no problems. There are a couple of free programs, the names of which I can't remember off the top of my head, that do a fine job for "undeleting" files.
If it won't read in that, the next step is usually Knoppix. You can tell it to force mount a bad partition. Now that is a mixed blessing since sometimes the data you'll get is garbled which is why you try something else first. However, barring any serious problems, it'll usually mount and read.
If both of those have problems, the next set it the tools from the drive manufacturer to check for physical problems. You set those to do a full scan. At this point, there are three possible results:
1) It runs to completion, no errors. Means the physical disk is fine, it is all a logical data problem. Now go back to bootable Windows and run a checkdisk. Reason we didn't do this earlier is the moving of data checkdisk does can screw things up worse if there are physical problems.
2) It runs to completion, errors found and corrected. Back to Windows or if that doesn't work Knoppix to try and read the disk again. Usually it'll read, checkdisk it if not.
3) It errors out and gives a a diagnostic code meaning serious, unrecoverable errors. We are now at another juncture:
a) The data is really important. At this point, time to send it off to a specialist. Gillware.com is who I like. Pack it up and mail it off, you probably get your data back along with a bill for $300.
b) The data isn't critical, but we'd like to recover it. Run what I call "the magic disk destroyer." It's a program called Spinrite. It is a VERY aggressive recovery program. Because of that it is either going to get the disk readable, or fuck it up so bad nobody will be able to. Hence my nick name for it. Put the disk somewhere that you can have a fan blow on it, fire up Spinrite, and let it go for a day or two. See what happens.
Two years ago one of my hard drives started making strange noises like a grinding motor. When trying to read some of the bits on the disk, the hard drive would fail for a minute or two before giving up.
I used Handy Recovery. It scans the drive and gives a file explorer similar to the one in WindowsXP. Recovery is easy. I've also been able to recover files from an old file system even after formating a disk and putting files on the new filesystem.
I realize that many tools exist. Are most able to recover files from disks with PHYSICAL malfunctions? That seems important.
I agree with others about GetDataBack... it indeed is a good app.
Sometimes however, people have come to me with a hard drive with a FOUND.000 directory full (sometimes about 10GB) of CHK files... for that I recommend:
http://www.ericphelps.com/uncheck/
It is free and does a good job recognizing the supported files
Also, it is worth getting something like mplayer or VLC and try to manually open the biggest CHK files to see if they are some kind of media file.
Additionally, a Hex editor like xvi32 can be helpful to give a fast glance at the header of the file and see what is it... maybe reading the folder with a Linux distribution (which gets the description of the file based on the content rather than the extension) could also help... but for other more obscure things, a hex editor is good (of course you need to be familiar with several headers... yay I feel 1337!)
Ubuntu is an African word meaning 'I can't configure Debian'
I have used file scavenger (windows) with great success. File scavenger has restored files from disks that were unreadable or disks that come up as un-formatted. Even if you accidentally reformat the disk and write some data to it file scavenger will find what ever has not yet been corrupted and copy it to where ever you want it to go. Files that cant be recovered are still written to the backup disk but are given a zero byte size. You can then search for zero byte files and see what was unable to be recovered. Also files that are found but cannot be identified are copied to a "lost and found" folder. These might have been deleted files or partially overwritten files. Its pretty cheap too, about $35 USD.
The other day I recovered a friends 160GB USB disk (formatted NTFS) using file scavenger after it suddenly came up as unformatted. Every file was restored since the disk had not been tampered with. I then zeroed out the disk using dd under Linux and ran badblocks to see if there were any bad sectors. None were found and I formatted the disk, copied the data back to it and returned it to him. I also keept a backup on my system for him.
Under Linux I have used dd to grab an entire disk structure from a dying disk (clicking but working) to a server. Then restore the dd image to a new hard disk. I have yet to need to recover any lost data from a Linux system but I hear TestDisk is one of the best. It can locate lost super blocks and undelete files from NTFS, FAT and EXT2. R-linux is also good for ext2/3 recovery.
If your a Pro you back up all your important data anyway, so it is a moot point. Likely you even have some remote back up. There are services out there. Use Google, it ain't hard. In a pinch you can just email yourself some attachments in Gmail. Not good for media files or anything large, but if you want to save some key documents or your tax returns etc... Privacy may be an issue, but if your really prickly about that, then just encrypt it (though make sure you can decrypt easily later).
If it is a friend or family member who has just lost everything: Look very superior, point at them, remind them they should have backed up, and how stupid it is not to do so, then laugh at them for a while. Once your eyes clear of tears, repeat. After 4 or 5 times maybe it might sink in, and you will have done them a great service. Send them a bill in the mail.
Harsh I know, but come on, this has been cannon for years, get with the program.
Honestly though most people's computers are totally full of crap. There are some things like Personal files, Photos, and the like that are irreplaceable, but most stuff is just media you can replace, or software you can replace, etc... and if it is important to you, then back it up for god sakes.
Seriously, if you save their data you are just re-enforcing and rewarding bad behavior.
http://www.myharddrivedied.com/
Cum catapultae proscriptae erunt tum soli proscript catapultas habebunt. (When catapults are outlawed, only outlaws will
On our "recovery shop" we use a microscope, a piece of paper and pencil.
Our 2000 monkeys^W recovery experts guarantee your data wil be recovered in 1 month, no mather the size of your drive :)
once you have linux up and running the first thing I do is try dd with the "ignore error" setting. this way I cant get a copy of the bad disk onto a good disk. Now I've separated the recovery from corruption from the problems due to intermittency.
Some drink at the fountain of knowledge. Others just gargle.
SpinRite 6.0 has worked for me very well for many years now. It's slow, and has very very entertaining graphics. Under 2MB ISO.
In the past I've used SpinRite to check the disk for errors, and it's been a life saver twice. But in the case where there's nothing wrong with the physical drive, which is probably the case most of the time, I've had great success with R-Studio. My 2 cents. -P
I've "accidentally" deleted many files that only had one copy over the years. If you are talking about recovering only a few specific accidentally delelted files, then the best tool is Restoration. It's free too. Enjoy. (As for "disaster recovery," unless you are making regular backups or willing to spend lotsa $$ for a professional clean room recovery, FORGET IT.)
I booted the desktop with an old Knoppix 3.4 Live CD and used SAMBA to copy her critical files to another windows computer. Every click and kerchunk of the dying harddrive only momentarily slowed the transfer of data.
I tried to do the same thing on an Ubuntu drive that had bad sectors, but the security on the files prevented them from being accessed.
Signature applied for, Patent Pending
For a free tool, I've had reasonable success with PCInspector, but File Scavenger seems to do a better job at recovery.
Ontrack EasyRecovery is the best software I've used. It WILL NOT WORK under Vista, so hopefully you'll have 2k or xp installed somewhere.
The software, last time I checked, is no longer suported or updated. Ontrack now seems to specialize in data recovery, not data recovery software. I'm sure however you can find the software.... somewhere....
"Prediction: within 10 years, Windows will be a Linux distribution." Me, 7-6-2016
You get what you pay for, really. That's why I gave up on Maxtor and any other craptastic HD manufacturers. I've bought only Western Digital HD's for the past 9 years now, and have never had a problem. No crash, no data loss, nothing. I've worked with newer other modeled HD's in these 9, and had the same results of using Maxtor/other manufacturer's HD's as before: random failure with no warning. Undetected bad sectors, but the worst is the sudden failure. I'm happy to report that I haven't had that happen to me and /my/ HD's in almost a decade now. Thank you much, Wester Digital!
Last week I crashed drive with a virtualbox image on it. The nature of the crash was a ground loop spike while programming a microcontroller board. This spike blew a big capacitor on the board, fried tracks, wiped out 1 of 2 usb controllers on my laptop and zapped my second hard drive. By murphy's law I had just cleared off the one hard drive that was the recent backup for this vdi file and now I'm left with a two year old backup (after looking through about 50 dvds and 6 old hard drives). I bought an equivalent hard drive on Ebay and swapped out the electronics to no effect. Seeing that people swapped out the heads I tried it but all I get is major clicking. Opening up the drive I see a faint mark where the head was trying to traverse the top of top platter (there are two platters). I'm pretty sure that the spindle motor isn't fried. How screwed am I?
This page has helped me in the past: Data Recovery
See my Home Theater
Backups .. no need for recovery tools!
As far as software goes, a combination of dd / ddrescue / strings / fdisk / grep / mount / and the r-studio suite from r-tt.com are what I use. Though, most of the time the drive is physically damaged, and it's not always inside.
For example, last week I had a laptop come in with no power to the drive. I examined the board with my eyes and my Fluke Multimeter and discovered that the power +5V on pins 41 and 42 wasn't reaching very far into the board and was basically disconnected at the first component. It looked to be a power-protection diode which had blown due to a surge. I was able to bypass it with a dot of solder, and once reassembled the hard drive powered on, I copied the data off. When the customer decided he didn't want to pay, well, I removed that solder dot before returning his drive to him without his data...
On 3.5" hard drives you'll often see a rectifier diode serving the same purpose, so when you run into a drive that doesn't spin up, check that out first. It's a small black component connecting the power to ground, and it shouldn't be passing electricity (but it will when it fails, so just pop it off to get your drive working again).
Other times a clicking drive can be fixed by just swapping out the board with an identical one from another drive. Sometimes, similar model number boards will work as well, but not often. It's a lot of fun trial and error. On the plus side, if the drive is totally fubar'd but still spins up, you can pop it open and do some hard drive spin art!
If the disk is good, but the OS hosed, try a Vista install DVD. Boot it into recovery mode, and one of the options is "copy files". (Honestly, the recovery tools included with Vista are a good first step). It'll copy the files to a USB hard disk.
If not, then it's time to boot Knoppix (which can mount NTFS just fine, thanks to ntfs-3g). If the disk is dying, but still good, use something like ddrescue to make an image (ddrescue uses dd to clone the disk, but it'll first do the good parts (fast), then try harder and harder on the parts the disk has problems with - this way you'll get the good parts of the disk off quickly and it can concentrate on the bad parts).
If you lost your partitions, gpart wourks great at seeking and finding 'em. One of my coworkers had just that problem and gpart managed to recover the partition table...
I salvaged a lot of files from an NTFS partition on a badly failing drive by plugging the drive into another computer, making a dd image (it took several days due to all the disk errors), and then using Advanced NTFS Recovery on Windows to recover files from the dd image. You can use dd under Linux and transfer the image to a Windows box or just use the Cygwin version of dd. Advanced NTFS Recovery has a free demo, but it's fairly useless unless you register it (for $100). The demo only shows you the files it would recover, without actually recovering them. I was reluctant to pay that much, but it seemed to recover far more files than any of the other free or commercial demo tools I found at the time.
If you are working on a 2nd generation clone you can afford to take risks in restoring the filesystem. "Oh it that didn't work, fire up another clone and try something else".
ddrescue (and other damaged disk oriented cloners) lets you work on a copy (or in my preference: a copy of a copy). This preserves the original disk if it has to go to a specialist lab later.
SpinRite has also saved my bacon more than once but that's something run on the original drive: not done lightly.
(Warning: dd_rescue is not Gnu ddrescue and Debian Linuxes rename dd_rescue to ddrescue. dd_rescue is a similar but not identical).
Finally: I need to add Windows NTFS rescue (built in) impressed me last time I needed it. It trundled for many hours but at the end, I had a mostly intact copy of a filesystem on my 2nd generation cloned drive. The original disk had been a mess.
It is excellent for fixing a rattling disk, giving you enough time for a complete backup.
don't wast your time using dd on a bad drive, ddrescue is dd that doesn't barf when it cant read a sector
Backups.
prodiscover works just fine, and it is one of the tools we used in my forensics class. there are many others, but that one has a free version that is reliable. the only catch is that you have to have it plugged into a machine that can boot.
I've used LINUX tools and such with KNOPPIX, had mixed success. We like R-Studio too. But a good backup is indeed the best. We now recommend software-less backup solutions like the Tandem DXR or FirstRAID G2 products from Highly Reliable. It makes the whole offsite backup problem as simple as the old Video Surveillance tape systems. Making it easy for the customer ultimately produces the most reliable and frequent backup copies.
Testdisk to recover partition & mbr data.
Windows PE live disc to try to read disc/chkdsk, and/or use HandyRecovery v1 (fw) for undelete/quick format recovery
Knoppix to read corrupt NTFS
SpinRite to try and recover/reset bad sectors
from 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
to 45 2F 6E 40 3C DF 10 71 4E 41 DF AA 25 7D 31 3F
I would be interested to hear if anyone has come across GOOD software for ext2/3, ReiserFS or ZFS. Google finds lots of links, but most are non-free, and most related forum posts seem to be shills for the same products.
But I guess that in my case this is more or less academic. My sysadmin background goes back decades, and old habits die hard, so I keep good, VERIFIED backups. In ~14 years of running Linux, I have never been in the position of being forced to restore from bare metal. But one of these days I'm going to have to deal with a less provident client or acquaintance...
Anything out there for XFS? Like...at all?
"These people look deep within my soul and assign me a number based on the order in which I joined" --Homer re:
I've had luck with recovery by using GNU ddrescue to first pull everything off the drive I can. AFTER that, if there are still unrecovered sections of disk, it gets a little weird... I have no idea why this works, but... 1) Unplug the drive & let it cool to room temperature. 2) Put it in the freezer. 3) Wait an hour. 4) wrap it in saran wrap (to prevent condensation). 5) Hook it back up. 6) If it doesn't spin up, wait 15 minutes and try again. 7) Once it has spun up, run ddrescue again, using the previously generated log file to recover only the blocks that are still missing from the recovery file.
I really should have charged that client a LOT more, but it saved them a ton of $, and it was like $40 on e-bay!
How much is your data worth? Back it up now.
Anybody got any good recommendations for MAC OS X recovery?
if the tools you can get for Linux don't work, check out R-Studio.
If you come across a product called "Stellar Phoenix" RUN AWAY. They are the shittiest company in existence. A few years ago I needed a tool and the demo of Stellar Phoenix seemed it would work (it lists the files it said it could recover) so we purchased it only to find that it could not recover them. Come to find out that while they claim support for ALL of NTFS's features, their software WOULD NOT recover files compressed using NTFS compression. This was despite their claims of NTFS5.1 support. They refused to issue a refund and it was a months-long battle so we finally complained to Amex to try to get a chargeback against them but we tried to work it out directly with stellarinfo for too long, so it was too late. They (stellarinfo) claim a 30-day money-back guarantee but DO NOT HONOR IT - or at least they didn't back then.
We then tried R-Studio, and their trial software listed files it could recover - AND it could recover 64KB chunks to prove it. So for some files I needed immediately I used the trial to decompress and reassemble the files (in 64KB chunks, and then catted them together), and for the rest when we received the key for the full version. We were able to recover every single file. I've used R-studio for clients since then and it has worked every single time, providing the drive will enumerate.
If the drive will not enumerate you have two possibilities: freezing it in CO2 (I have had success with that), or finding another of the same model drive with the same firmware and swap PCBs, and hope that the problem is with the controller and not the drive itself.
Why was there no backup? Believe me I asked the same question. :)
Summary:
free Linux tools - good
R-Studio - Awesome
stellar phoenix from stellar info - snake oil from a shitty company comprised of douchebags
The Christian Right is Neither (Christian nor right). See: Matthew 23, Matthew 25, Ezekiel 16:48-50
Try putting the bad drive in the fridge for about 15 minutes. Sometimes it's a thermal expansion problem on the board or in a chip and you can get a few working minutes with the drive to copy files off. If that doesn't work, try the freezer. If that doesn't work, try some gentle heat with a hair dryer. If none of that works, you're back to the board swap or a professional recovery service. If the fridge/freezer thing works, using a USB interface on the drive will buy you some more up time, as you don't waste "cool" time while the machine boots up before you start pulling files off.
At the gov't facility I work at, we back up everything to prepare for any bare-metal recovery using EMC's Legato Networker; it's expensive, but it works, and tax dollars pay for it. Just depends on your environment, and technological and idealogical approach I guess. Since we do regular, monthly full-server offsites, nightly incrementals and any mission critical data (that's in the hundreds of terrbytes) we have ship it to another computer room which houses a STK tape silo for long-term archive, I've never had the need to use data analysis/recovery tools because just doing regular backups have a 99.9% retention for us to get back anything we want. And it's not just small talk; our datacenter has a UPS backup power failure and took out a few critical servers, one being our operational Oracle database server. With the DBAs cold backups and our bare-metal recovery to repair the awry ext3 filesystem, we had zero data loss other than what wasn't commited journaling and database wise with the power outage hit. A lot of people said it on here; if you back up your important stuff and keep up with the cycle, there should be no question that getting what you need back that has great importance should be anything less than a trivial, minute manner.
The GPL Free Software tool PhotoRec is a great application. In combination with ddrescue and dd_rescue if needed, it can pull the data off from many drive format types (and images when needed) and it has saved many drives for me and my clients.
http://www.cgsecurity.org/wiki/PhotoRec
apt-get install testdisk
This of course requires that the drive is visible. Too often the drive will make some noise at boot and then fail to show once the OS loads. I've been meaning to get an external USB enclosure to plug the drive in after boot up, but haven't yet done that.
We recently had an NTFS drive on one of our Dell servers go partially bad. Windows wouldn't boot or read it. I had limited success using various Linux Live distros along with tools like PhotoRec (http://www.cgsecurity.org/wiki/PhotoRec) since the drive was part of a Windows logical raid array. Don't be fooled by the website, the tool works for all kinds of files, not just photos, on various file system types. In the end, someone I work with suggested putting the drive in a ziplock bag and freezing it for a few hours. The rest of us were skeptical, but were also at our wit's end trying to recover the files from this drive, so we tried it. Amazingly, we were able to boot the drive normally and recover the needed files before it got back up to normal operating temperature and failed again.
In my years of a repair shop, I found a bastard workaround in case of mechanical problems.
First we started freezing the drives, which gave us about half hour to copy files. After that the process would completely stop. To get past that, I created a system.
Plug the harddrive in. While plugged in, put it into 3 garbage bags. Those seem to have the most trustworthy seals. Place the drive in a bucket of ice, then fill the bucket with cold water. Don't use bubble wrap, since that will insulate the drive from the water, which is counterproductive.
At this point, the drive will always stay at the temperature of melting ice, ie 32F or 0C.
We were successful at recovering many drives this way, saving clients money, and making more for ourselves
Sounds crazy? But it works!
but i was told not to trust comrade putin ;-)
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
I used to do occasional linux recoveries for a place called Reynolds Data Recovery in Colorado. They weren't a mega-huge recovery company, but they got a few dozen drives every day and did good business. They used a collection of software - some proprietary utilities from the drive manufacturers, some commercial utilities. Also, some drives overheated, so they had a freezer that they could put a drive in, so it ran long enough to copy the data off it, also, they had clean rooms, so they could re-seat heads onto platters if they came off somehow, then they'd run the drive "open" until they could copy the data off. Other times, the electronics (controller card on the drive) were dead, so they had a huge shelf of working controller cards from every possible drive that you could think of. They'd pop the old card off, put in a known-working card, then copy the data off. The data would normally be returned on a 'loaner' drive that the customer would return or a new drive that the customer would pay for. RAIDs were hit-and-miss and sometimes they worked and sometimes they didn't. I'm not sure of any of the names of the software that they used, but it varied depending on how difficult the recovery was.
When I had to do linux recoveries, I slowly built-up a little distro of my own which had tons of tools on it. I'd have my 'distro' on a disk that they could plug in when they needed me to work on a linux disk, then I'd ssh into the machine remotely and work on the disk without having to drive in. I'd fix the partitions or the disk if it was possible and copy the data off onto a backup disk. There are some good tools availble in linux to do recoveries of things, but with the newer filesystems nowadays, it's more and more difficult to get anything off now. I'm not sure about SSD. Never had to deal with them yet. :) ext2, fat, vfat and memory cards, easy. reiserfs & ext3, much more difficult.
FTK Imager from AccessData (download page) is free to download for windows and will carve partitions, files, and even file fragments from disk. It reads NTFS, HFS+, and ext2/3 filesystems. This is the same tool that's used by law enforcement when they image PCs for criminal cases.
Model 551, Chambered in 6mm
First time here on slashdot, so I'm still Anonymous Coward.
I typically use external USB enclosures, and the Ultimate Boot CD for Windows + Live Linux distrobutions. They both have their pros and cons,
The UBCD 4win is great for people who:
1. don't know Linux
2. are afraid of Linux
3 hate Linux
It has many tools and works great for both diagnostics of the drive, and data recovery. The environment is a bit laggy.
The Live Linux CD's give you a better interface to work from and better file-system compatibility, Less diagnostic ability. If I know a drive is dying and I just need the data I prefer Live Linux. If I have questions about the Drives integrity I use the UBCD.
TestDisk.
Thanks for the link. I have a Linux PC with two drives formated with ReiserFS, one set as the home directory. The mobo failed while under warranty so I took it to the store where I got it for repair. I specifically told them not to format the user drive but the tech reformatted it anyway. I had more than 500GB on it so I've been looking for something to unformat it and recover the data. Looking at the wiki you link to it looks like it can do it. Now if only I can get off my ass, buy a new external drive, and try to recover the data.
Falcon
Should there be a Law?
I've used the free FindNTFS utility twice to pull almost everything off of two bad drives (both corrupted boot disks for Windows XP). A got a lot of points with my father-in-law for that! You can get it for free at http://www.partitionsupport.com/utilities.htm
I would be interested to hear if anyone has come across GOOD software for ext2/3, ReiserFS or ZFS. Google finds lots of links, but most are non-free, and most related forum posts seem to be shills for the same products.
I went through the same thing after I took my Linux PC in for repair, it was under warranty, and the tech reformatted the drives even though I specifically told them not to. Someone in a post above posted a link to TestDisk which works with the formats you list above, my drives are formatted ReiserFS so if I can get off my ass, go buy a new external drive, and try it I may recover my data.
Falcon
Should there be a Law?
if the disk is jangling like a janitor's key ring, it won't work. if the chips are fried, it won't work.
under any other conditions, SpinRite is just freakin' amazing in what it can do.
if this is supposed to be a new economy, how come they still want my old fashioned money?
If anyone has any deleted files from ext3 - I HIGHLY recommend ext3grep - http://code.google.com/p/ext3grep/ The developer is amazing, really nice guy too! Personally helped with recovering a deleted 312GB vmware drive image. After 2 weeks of every person I encountered offering only the most arrogant BS response: 'oh you should have had backups' I stumbled upon ext3grep and with the tremendous help of the ext3grep developer, Carlo, was able to get back the entire 300GB vmware image, and boot it and everything.
Gives you a nice status report every 15 seconds. If you're doing this on OS X, use "-s SIGINFO" instead of "-SIGUSR1".
On a similar note, I'm stuck with Chkdsk freezing when I let it run on Vista booting... The disk seems to work well so far, but is there any (free) way to find out what might be wrong? I have seen other cases of this problem on the 'Net but no solutions so far :(
Recuva (http://www.recuva.com/) is free and works pretty well. It has a handy preview feature too, although it doesn't always work.
To be honest, there isn't really much beyond what Recuva can do. Some paid-for tools support scanning for a few more file types in situations where the filesystem is gone and you have to scan the whole disk, but unless you happen to have files in some unusual format then there is no real advantage.
The one thing which does make a big difference is the drive controller. Some chipsets are a lot better than others at dealing with knackered disks. You need one which does not lock up for long periods or try to read bad sectors too many times, otherwise your scan will take days or weeks with no improvement in the amount of data recovered. ATI chipsets seem to be best.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
Sample drive: 40GB Hitachi 2.5" Laptop IDE, Windows OS
Equipment: (1) Standard desktop PC, no host operating system, 2 open IDE or SATA ports, floppy drive, (kb/mon) [DRIVE CLONING]
(1) Standard desktop PC, Windows XP operating system, open IDE or SATA port, (kb/mon/mouse) [FILE RECOVERY]
Software: Media Tools Professional, RTT R-Studio, Ontrack Easy Recovery Professional
Step One - Diagnosis: Connect customer drive to first IDE channel and a good, empty drive (previously zeroed) of equal or larger LBA to second channel. If customer drive model is detected by system BIOS, jump to [Step Two - Cloning]. If drive is not detected, check to see if it is spinning or making noises. If drive is spinning and indexing (the brief click-clunking you here after it reaches target RPM), then keep power-cycling drive until it detects. If drive is spinning and not indexing, not spinning, or clacking repeatedly - I can't really cover all that, but you can find HOWTOs on YouTube. As long as it isn't a firmware related problem, you can attempt a physical recovery at home (unless you have major $$). *You do NOT NEED A CLEAN ROOM* - a computer desk with all the junk moved aside and some finger condoms will work just fine. You'd be surprised just how resilient a hard drive is, despite all the horror stories online. A head swap on a 40GB laptop drive takes less than 15 minutes once you've done it a few thousand times. The firmware issue I mentioned above is a problem you aren't going to overcome at home (again, unless you're willing to spend $8k+). Data recovery companies use standard desktop PCs with a special ISA/PCI card to recode the information coming to and from the firmware area of the drive. Some makes/models have firmware information written to the data tracks and others have it embedded on the PCB. This is very different from user-accessible firmware areas you might find on some makes of drives. For more information, contact ACE Labs or DeepSpar and query the PC-3000 drive recovery system.
Step Two - Cloning: Since you've come this far, you're GOING to get data back. However, this step will determine just how much. Much like painting an automobile, the result here is a direct result of your preparation and attention to detail. The onboard SATA/ATA controllers are often pretty sluggish with this step. If you have the ability, pick up a Promise ATA133/SATA controller PCI card with enough of the corresponding connector type to connect both your source and destination drives to. You might also find that drives which previously wouldn't detect on the mobo SATA/ATA ports will detect on a PCI-based card - sometimes that's just the delay the drive needs to come to life, since the PCI card initializes well after the PC BIOS. Anyway, since you still have everything hooked-up from Step One, insert the Media Tools Professional (MTL) floppy disk and boot from it. This is a much more efficient procedure than using a Windows utility. Work your way through the menu to clone from disk to disk - 'Source' is the customer drive and 'Destination' is your empty drive. Begin cloning from the front to back. If you run into read errors, accept the errors and keep going. There are more advanced methods possible here but we're going to try for minimum effort since the customer paid a minimum fee of $175 anyway...*ahem*.
Step Three - Recovery: This is the software recovery part. It is pretty much self-explanitory. Connect the copy of the customer's drive to the 'File Recovery' PC and boot into your Windows installation. It is very important that you know what you're doing and how to hook things up so you don't accidently boot off the customer's data drive. If it gives you fits, you can disconnect the drive and boot Windows first, then put the data drive in a USB sled and connect it after Windows has finished loading. Now open R-studio and open the drive contents. Snoop through all their data. Then begin copying user data to a network drive or large
SpinRite has saved my ass more than once.
It's not just a checkdisk/fsck type tool, but reads and refreshes all the blocks on the disk, with ECC on and off. It will beat on a sector hundreds of times if needed to get a trustworthy copy.
So, not for "Oops, I deleted a file" but for "I keep getting read errors on this vital file."
I've used a program called Recovery Studio successfully a few times. One time I formatted my wifes old laptop, gave it to my brothers for a few days to screw around with when she mentioned that she neither backed up nor copied off any of her data from the laptop. Got everything she needed back. I also used ZAR for flash cards. Works great and it's free.
Anything short of a physical failure of the drive should be recoverable with a tool like FreeUndelete or NTFS Undelete. I've used both to success, though I've not had to deal with any serious corruption or overt disk failure. Usually, those are a lost cause.
Seriously, did we bother to STFW? They're the first couple hits for "NTFS undelete" or similar.
I've also had some luck with photorec, part of the 'testdisk' package on Debian (and Ubuntu) recovering files from memory cards (though it should find lost files, to some degree, in any filesystem type - it's a diverse tool). It sure beats the hell out of manually digging for the file header and trying to reassemble!
~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
Here are a few tools I keep on hand for the less catastrophic problems:
-Knoppix - live linux boot, can mount NTFS and flash drives and has a number of standard linux tools
-Gparted - excellent graphical partition tool - useful in setting up a staging disk and in copying partitions, but it's unhappy if your NTFS drive is severely busted
-Ultimate Boot CD - This disc has many tools (filesystem, hardware, etc) you shouldn't be without
My recent drive crash (with backups a month old, oops) involved copying one partition with ntfsclone from the gparted disk (manually run to ignore errors). Chkdsk and some other tinkering was enough to restore the clone. In the end, the other partition required commercial software which worked despite my scepticism.
Due to the variety of types of errors and possible causes of data loss, I find that -throughout the recovery process- the more options you set by yourself (requiring knowledge and experience in hard drives and file systems) the more efficient the process is. So, no matter the tool you choose, try to provide as much info to the tool as possible, and don't rely on the software developer(s) to choose a best general case which will always work...
Your Ad here
I've had success with PC Inspector File Recovery.
http://www.pcinspector.de/Sites/file_recovery/info.htm?language=1
CHKDSK and RECOVER
Hell, it works most of the time on a widows box.
A magnetized needle and a steady hand.
Hello,
Here is a list of data recovery programs I have put together. Some of them may be a little old, for floppies or optical media only, but should still be useful. Unless otherwise noted, they are all for Microsoft Windows.
A-FF Labs - NTFS Undelete and Partition Find and Mount
Access Data - FTK Imager
Acronis - RecoveryExpert
Advanced NTFS Recovery - NTFS Recovery (may handle FAT32 as well)
bitMART - Restorer Ultimate
Brant, Dmitry - DiskDigger
BriggSoft - Directory Snoop
CGSecurity - TeskDisk and PhotoRec
Convar - PC Inspector File Recovery
Digital Assembly - Adroit Photo Recovery (pictures only)
DiskInternals - NTFS Recovery
DIY Data Recovery - iRecover
DTI Data - Recover It All
DataRescue.Com - PhotoRescue (intended for flash RAM cards, which are typically formatted with FAT, may work with other devices as well)
EASEUS - Data Recovery & Security Suite
Fsys Software - DFSee
Gibson Research Corp. - Spinrite
Gillware - GillWare File Viewer
Higher Ground Software - Hard Drive Mechanic Gold
Kato, Brian - Restoration (also here)
LC Technology -
[Continued in next message, as for some reason, Slashdot would not let me post in its entirety (too many URLs?). AG]
Dexter is a good dog.
Most people here will recommend those "one click and you're done" tools. But those tools, and the missing knowledge about file systems and storage, often destroy more than they save.
Over the years, I gradually went from those colorful one-click things over some different tools, to professional software like EnCase et. al., plus some Linux shell tools. With them, I even save the hard stuff.
Still, the best "recovery" is prevention with backups, ZFS scrubbing and S.M.A.R.T.. (But beware those virii and disk errors that slowly corrupt the data. When you notice it, all backups are already destroyed.)
By the way: Wikipedia could have told you this too. ^^
Any sufficiently advanced intelligence is indistinguishable from stupidity.
Freeze The Drive. Yes, as in put the drive into a zip-top bag with a silicon desiccant thingy and after an hour or so (to dry out the inside of the zip top baggy) gently place the whole thing in the freezer compartment of your fridge. Leave it there overnight. In the morning, open the end of the baggy enough to run in the drive's cables, and place the baggy between two blocks of "Blue Ice" sealed cooler ice packs. Its absolutely AMAZING how often this will allow you to read the entire disk again (at least one time).
Also, a couple of times I've had dying drives that work OK for a few minutes after a cold boot, and then they (heat up and) die. I've had good luck throwing the drive in the freezer (in a ziplock bag) for a day, then powering up it, recovering as much as I can until the drive chokes again, lather, rinse, repeat, until all recoverable data has been copies off to a good drive.
I'm not a full time professional in data recovery but I am trained and certified in hard drive forensics.
I'm assuming you're talking about recovering data that is lost from corruption errors, not the drive itself dying.
There's a variety of free command line tools that are used for recovering data from corrupted hard drives that function at various levels (such as inodes), but really, unless you have training in them or need something really specific, the graphic (via web browser) frontend Autopsy is the way to go:
http://www.sleuthkit.org/autopsy/
If I'm looking for a specific type of file, sometimes I'll use Foremost:
http://foremost.sourceforge.net/
As far as commercial software, EnCase commonly used but pricey compared to Autopsy.
http://www.guidancesoftware.com/
The key thing with either the commercial or non-commercial options is to avoid damaging the file system you're working on. This means that if you're attempting to mount the drive from a working machine that you do so read-only (if you get really into this, there are hard drive -> USB mounts that block all writes) and if possible you clone the drive into an image and work on that rather than the original. The free version to do that is dd. Be sure to use the noerror option on it to make sure that a bad sector doesn't cause the process to fail.
Also, clone the entire drive, not just the partition in case there's data that you need outside of the partition. In other words, do this:
dd if=/dev/hda of=/forensics/image.dd conv=noerror,sync
Rather than this:
dd if=/dev/hda1 of=/forensics/image.dd conv=noerror,sync
Spinrite has become a standard part of my workflow. When a PC comes in for maintenance, I run Spinrite on it overnight to remap bad or weak sectors.
I had to run it on a high end HP workstation with a set of RAID 0 (striped) SCSI320 drives. This was one of those million dollar projects the engineer was working on, and had not copied his latest edits to the server. He needed the performance of his local drives, so he was not being unreasonable in keeping the files local. He forgot to copy the files to the server after a late night work session, and the workstation wouldn't boot the next morning. Major panic.
Spinrite worked on it for a few hours and everything came right back. Freaking amazing. Easy too.
I have no association with GRC, I've just used the product since the early 90's. I will not be without this product.
Place nail here >+
Easus tools have helped me several times and they offer many good data recovery and management tools.
Some are free, some are not...
Either way... Easus works, if the drive functions at all...
PeacE!
SlavoX
I have used Recuva - File Recovery http://www.recuva.com/, It worked great I was able to get everything off the hard that i needed plus more that the user didn't need.. I just let them go though it and figure out what they did and didn't want.. it is free and works Great.. :) I hope that this helps
I've got one around somewhere that I think had a head crash (it was standing on edge due to the case design, and it fell over). The disk spins up, then spins down again, so I never get to a stage where the disk actually shows up on a system (ISA, in a USB 2.0 cradle). It's not critical, just curiosity, I haven't gotten around to being evil to it and then throwing it away :-).
Insert
is there a way? please tell me there is.. please?
There are plenty good solutions in this thread, but I'd say don't bother recovering, just learn the lesson and move on. I'm pretty sure you'll waste less time that way. Especially since the time wasted will not be yours it looks pretty good to me.
Show a man some news, distract him for an hour. Show a man some mod points, distract him for the rest of his life.
I back up my data by doing the following:
1. Burn copies of "irreplaceable" data to a DVD and tuck it away someplace safe
2. Use netbootdisk (www.netbootdisk.com) to create a recovery CD that will boot the computer and allow me to map a network drive (In my case, a network share running on my linux server) from DOS.
3. run GHOST and create or restore an image.
That has always gotten me back up and running within minutes. Downside is that I have to keep the GHOST image updated, but that's a once-a-month thing. The GHOST image just prevents me from spending hours doing a clean install.. convenience only. The "real" data is always burned to CD.
I'm sure there are more elegant solutions out there, but this is what works for me. I've probably done a dozen image restorations and they've always worked flawlessly.
to recover a hard disk?
your ninja geek skills are truly awesome
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
I thought there was some kind of rule against "Ask Slashdots" questions that technerds actually know how to answer?!
Someone correct me if I remember wrongly, but the key to Knoppix is that there is a root account, with a password that no one knows; and there's the usual user account ("knoppix") which has admin rights and no password. So you type in a command-line: "sudo password" to set your own password for root, and then "su" to switch-user to root. That will give whatever rights you need.
404555974007725459910684486621289147856453481154 in hex is "You sank my Battleship?"
[GPG key in journal]
I tried about 20 different data recovery solutions when I was recovering from a nasty crash. To everyone using GetDataBack & co.: take a look at R-Studio. It supports everything all other popular solutions support (finding and restoring partitions, recognition of directory entries and files by signature, all major filesystems) plus support for virtual disks and RAIDs. Unlike many recovery solutions, you don't need to do a full scan to undelete just one file - you can just browse to the directory and undelete it, which really helps when you accidentally pressed the wrong key. The standard edition is at $80, just as much as GetDataBack.
http://blog.econtech.selfip.org/2008/05/hard-drive-recovery-101/
A short preview
SpinRite's strongest and most unique capability
quote from their website
Does anybody have any luck rescuing dead usb flash drives??
Wanted : A Signature.
SpinRite
www.grc.com
Nothing better
When I was a school sysadmin, there was one particularly clueless/rude teacher who sternly believed that U: was stored on her local hard drive. She told me, that in no uncertain terms, that if her hard drive had a head crash, she would expect me to recover everything that was on her U:.
Sadly, she never had a head crash. When her U: reappeared, it would be either "told you so", or "I overnighted the hard drive to Taiwan and paid $1000 out of my own pocket for the recovery!" :-)
How to recover, depends on the state of the device you want to recover things from..
Most people that come to me to recover stuff from a hd.. We ask what type of recovery they want...
Corrupt device, corrupt tape, corrupt tapedrive etc..
Corrupt hd -> Is it a software (filesystem issues)
-> recover4all does the undelete actions quite well on MS type fs-esses
-> Partition recovery (any fs)
-> UFS explorer (linux fs and much more)
Corrupt tape:
-> try tar, else rent really expensive professionals
Corrupt HD hardware (board)
-> Be sure to never junk old HD's.. swapping a HD PCB can fix tons of problems !
Corrupt HD mechanics:
-> Try a Linuxrescue/Knoppix CD.. and use dd_rescue... Goes a long way
If the HD mechanics problem does not work... Try:
-> Beers, fridge, rubberhammer, ziplock-bag:
Cool down the HD quite a bit in a fridge, in a zip-locked bag (keeping it dry). Reconnect, keep it cool. Hit it with a rubber hammer fron the side...
use dd_rescue.. Then if you can copy it to a working device then use the fs/software tools..
Over the last 10 years, on about 50 disks like that, I got a 70% ratio. On tons of different disks.. Novell Netware, EXT3, XFS etc formated disks..
Be sure.. If a customers asks about pricing.. It ain't cheap !! Sometimes it took me 10 hours for a single disk.. (from a no-RAID Netware server, without backups, that was easily over 2000 euro !!) only 4 files out of 50.000 were corrupt... But had to do the whole thing.. (hd replacement board, in frigde , hit it with rubber hammer, dd_rescue etc)
One thing that nobody seems to have mentioned yet is freezer trick. If the drive is just not spinning anymore (and you do not hear a click of death), just throw your drive in a ziplock bag into the freezer for a couple of hours. Often times it will then run long enough to make a bit-to-bit (dd) copy as others already mentioned.
If I can't pull the hard drive out right there, I use a live usb stick of either ubuntu or CAINE/Trinity Rescue CD, then run smartmontools short test to see if it is really dying. I also try mounting the partition and checking dmesg output. If I can see that the hard drive is dying, I pull the drive out and run ddrescue on another machine, until I can pull off a good image. If it's simply a partition issue, and I can't mount it or repair the filesystem right away, then I run testdisk. Of course, a good chkdsk on an NTFS partition can almost always help. DDRESCUE RULES!!! NOT TO BE CONFUSED WITH that OTHER DD_RESCUE!!!
I am referring to a blog entry from Scott A. Moulton who is a forensic and data recovery expert and currently teaches the SANS 606: Drive and Data Recovery Forensics course.
Spinrite is not data recovery software. I get many questions about why I left off Spinrite on my recommendations of recovery software. I specifically leave off Spinrite because under the strictest terms it is not data recovery software. Almost every single data recovery package knows, and will warn you not to write the data back to the original source drive. Data Recovery/Forensics software almost always recover from a source to a destination. Spinrite does not do that, it refreshes the surface and controls reads to get the maximum amount of data from the sectors and then puts it back down on the same drive.
I think it does quite a few things very well and it does an excellent job at reporting and reading the SMART info and refreshing the surface of the hard drive. However, I would like to first try to get the data from the drive before scanning it and trying to rebuild sectors. There are many reasons for this, but the most important one being that the drive can die in the process of running Spinrite. It is possible to do more damage to the drive by doing excessive read and writes. There are times that you only get once good chance at data and if you use a tool that just goes in and surgically removes the data you want BEFORE doing the scan you will be a lot safer.
If I was going to use Spinrite, I would get everything I could off the drive to another destination first and then use Spinrite to try to get anything I could not repair (although I never have to with the tools I use). Another horrific story I have seen with drives sent to me, is that if Spinrite it runs successfully, people are under the impression that the drive is repaired and is usable again and continue to use it. Big mistake and it usually dies again shortly. On a Windows Hard Drive I would try NTFSExplorer/FatExplorer first in the hopes of doing a surgical recovery as oppose to spending days rewriting sectors in the hopes that my drive can live though it as Spinrite does. But for $80 it is well worth the attempt if you are going to do nothing else. Good Luck.
Oct 6, 2008 11:26 PM
Also, you can find some very interesting papers here.
Quoted from here:
Spinrite is not data recovery software. I get many questions about why I left off Spinrite on my recommendations of recovery software. I specifically leave off Spinrite because under the strictest terms it is not data recovery software. Almost every single data recovery package knows, and will warn you not to write the data back to the original source drive. Data Recovery/Forensics software almost always recover from a source to a destination. Spinrite does not do that, it refreshes the surface and controls reads to get the maximum amount of data from the sectors and then puts it back down on the same drive.
I think it does quite a few things very well and it does an excellent job at reporting and reading the SMART info and refreshing the surface of the hard drive. However, I would like to first try to get the data from the drive before scanning it and trying to rebuild sectors. There are many reasons for this, but the most important one being that the drive can die in the process of running Spinrite. It is possible to do more damage to the drive by doing excessive read and writes. There are times that you only get once good chance at data and if you use a tool that just goes in and surgically removes the data you want BEFORE doing the scan you will be a lot safer.
If I was going to use Spinrite, I would get everything I could off the drive to another destination first and then use Spinrite to try to get anything I could not repair (although I never have to with the tools I use). Another horrific story I have seen with drives sent to me, is that if Spinrite it runs successfully, people are under the impression that the drive is repaired and is usable again and continue to use it. Big mistake and it usually dies again shortly. On a Windows Hard Drive I would try NTFSExplorer/FatExplorer first in the hopes of doing a surgical recovery as oppose to spending days rewriting sectors in the hopes that my drive can live though it as Spinrite does. But for $80 it is well worth the attempt if you are going to do nothing else. Good Luck.
Oct 6, 2008 11:26 PM
Also, you can find some very interesting papers/presentations/videos here.
Also, there seem to be many other youtube videos about data recovery there as well.
Stellar, www.stellarinfo.com has to be the best tool I have used for recovery,
It provides a great GUI and has heaps of tweakables, supports most common systems (yes there is a linux version too!) and can even recover data from a formatted drive.
5 stars.
ntfsundelete.com did work for me
I used to be a software engineer for Ontrack Data Recovery, one of the major data recovery companies. Perhaps not surprisingly, our data recovery tools were proprietary tools custom-written in-house. It's not something that was available to, or marketed to, the average Joe (or even the average Joe Programmer).
hiren's boot cd
I'm surprised nobody has come up with a dirty simple cheep: "mount a platter, (the cleaner the room the better) find an entry point, and dump the raw data to a target disk/other source"
it honestly can't be the hardest thing in the world to do, I mean the uses for such a beast would be pretty few and far between, and some sort of track mapping based on the vendor might be required, but it seems feasible to me!
Get off my lawn before I mow you down with my edlin!
Yes, anything for unix.
Unless you meant something with a pretty GUI... then yes, I recommend a linux live cd.
Here's an idea to stop inconpetent repair shops. When you hand over the equipment to be repaired, also hand them a contract to sign saying they will be liable for any costs associated with loss of data or recovery of said data. This contract should specify that it overrides any conflicting "We're not responsible for loss of data" clauses in their standard terms and conditions. PS: Make sure you put **AA inflated values on your data and time. BTW: IANAL but would be interested in one's view on this approach.
Start by putting the bad drive and a blank drive as big or bigger than the bad drive in a DIFFERENT known working PC. Sometimes a bad controller, motherboard, or power supply may be the cause.
dd_rescue bad-drive to good-drive forward direction writing a sector of zeroes on error (I use direct reads with 4k hard sectors too)
then again backwards with skip write on error
repeat as desired with skip write on error and your copy can only get better each time
when done make a copy of the copy and play with that as many ways as you want.
the only software thing that might do better than this is a program that does raw reads on the bad sectors and uses that instead of a sector of zeroes.
After this I usually access the files from a linux mount.
if that does not do it and you know some text in an important file it is time to search the drive for strings or try different flavors of file system recovery software.
never write on the original or the first generation copy.
Backups, off-site backups and Spinrite - in that order.
In modern servers, spinrite is a hassle to be avoided since it doesn't work on RAID systems. Individual disks only, so you'll need to swap the failed disk to another machine to run it. In many organizations, it is easier to pull the SMART data and have the drive returned under warranty.
Nothing replaces a backup - you did say "professional", right? Professionals back up the OS, applications and data - PERIOD.
I just file a FOIA request with the NSA for my own data. I can usually remember the redacted bits with some context. If I need help rebuilding my iTunes library I can just subpoena that from the RIAA. You're welcome.
His name was Robert Paulsen.
Like many have mentioned, I've used a Knoppix boot CD for my most intense recovery to date and it worked. It was a corrupted NTFS file system that would cause any windows based computer to crash when it mounted the drive, so using another computer didn't work. Knoppix was able to mount the drive in read only mode. Making a clone of the disk is also a good idea and what the "Pro's" would do for the reasons mentioned already. If it's a physical problem, and the data is important enough, I've seen companies that will go as far as taking the drive to a clean room, and physically disassembling the bad drive and moving the platters over into a new case to get it working, then cloning it, then performing all the software tricks on the clone. You wouldn't want to try this without a clean room though. For damaged/corrupted data (like from a damaged platter) I remember seeing a brief video where some FBI guy was going through the harddrive on a byte level and using error correction software and manually guiding the software to try to rebuild the damaged bytes. I think this would only be effective for single file recovery though, where you know what kind of data 'should be there', and also because going through a 500GB drive byte by byte would be a lesson in futility. I've also heard that some of the more prestigious data recovery companies use proprietary software that will help rebuild missing data using the data that is available. The FBI thing I mentioned may be a similar situation. Remember, that recovering a file and recovering a USABLE file is two different things. You may be able to get the file back, but if bytes within the file were damaged/lost, then the file still might not be usable without some kind of error correction method.
2. testdisk recovers partition information to make the images mount-able.
Yeap, someone near the top mentioned TestDisk and I'll give it a try, maybe. I need to recover data from when my Linux PC threw a fit. The mobo died and because the PC was still under warranty I took it to the store I bought it from. There I specifically told the tech not to reformat or erase the drive I used for user documents, the home folder was on a second hdd. I should have had backups as he went ahead and reformatted the disk anyway. However the disk was 750GB and I had more than 500GB on it. Back then I couldn't afford a big enough external drive and if I had burned the docs to DVDs it would have taken more than 100 disks.
Falcon
Should there be a Law?
larger drives. The originals become my backups while the new drives get tested.
Yea that's what I plan on for my Linux PC. I got a 1.5 TB disk to replace the 750 GB disk in the PC. I also have a USB docking station I can then put the original disk into to use as a backup.
Of course before I can do that I need to unformat and recover the data on the first drive.
Falcon
Should there be a Law?
dd is only good to a point. Gnu ddrescue (not to be confused with dd_rescue) is much better at working with physical errors in that it can work around them and then come back to the missed and try to get more information.
Run this once: /source/drive /target logfile
ddresue -n
Then run this to try to work around any errors /source/drive /target logfile
ddrescue -r -1
The process can be stopped and later resumed thanks to the log file.
I'm going to throw my support behind 2 tools already mentioned.
SpinRite is a great tool, and on the occasions where that fails I've had good fortune with a Knoppix Live CD.
Knoppix is seemingly better than windows at looking as damaged NTFS partitions, and I have managed to recover corrupt partitions using it where windows wouldn't even find the file system.
If your interested in a good desktop backup tool, a tool I haven't seen mentioned yet is ShadowProtect http://www.storagecraft.com.au/
I've been using it for a few months now, and it has a minimal impact on desktop performance, and allows incrementals up to every 15 mins.
I've only needed it once, and on that occasion I had my machine back up and working within 30 mins, and as far as I could tell lost nothing.
Pretty good result from a complete HDD failure I thought - I was impressed.
I purchased from Blue Technology in Sydney. They pointed me in the right direction when I needed to do the actual restore, so while I'm at it, a shameless plug for them too :)
http://www.bluetechnology.com.au/
http://www.ontrackdatarecovery.com/ probably one of the best corp in their section... good app choise and also services where you are sending them your hard drive and letting them to do the hard work(only when the hard drive is very dead).
Go disk to disk and carry the drive over to the next door neighbor (or someone that is a safe distance away).
One thing I do not understand is why Spinrite does not write to another drive! If Steve Gibson would add that feature, most of us would use no other tool for data recovery.
Prediction for end of Universe #42: Fencepost error in Quantum_bogosort.cpp
I happened upon phoenix NTFS a little while back. No its not free but if you lack LINUX know-how its a very good option if you're having file system traumas. For recovering deleted or formatted data I've not used anything which works better.
.. dangerous advice if used on dying disks, IMHO.
I'd use SpinRite (www.grc.com) on dying disks and then recover the filesystem and files after that with Get Data Back or free alternatives.
Scott Moulton of MyHardDiskDied.com and the YouTube videos on hard disk data recovery says the exact opposite. Don't use SpinRite because it can kill a dying disk. Use ddrescue or something to get the files off into a copy, THEN screw around with SpinRite if you have to. SpinRite alters a disk and on a dying hard disk that can kill it. The goal is to get the data off, not make the hard disk last longer.
Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
Very pricey, but it's worth it if you're doing DR on anything Windows for a living. Even if WIndows thinks your disk is unformatted, ERP will still be able to sift through and piece together directory and files.
Well, Recuva from Piriorm (those guys from Ccleaner) has worked for me a couple of times. It's free http://www.piriform.com/recuva/download Hope it helps.
Seriously, IBM Tivoli Storage Manager http://www-01.ibm.com/software/tivoli/products/storage-mgr/, formerly Adstar, is used by many large corporations.
Despite the somewhat amateurish interface, I've gotten better and faster results with GDB than any other out there. I've done PC repairs for small companies and private persons for over 7 years and I've tried them all, and nothing else gets the job done this efficiently.
If you're in the same business as me, it's great to introduce victims of data loss to an online backup solution where you get a commission, there's plenty of 'em out there.
A positive attitude may not solve all your problems, but it will annoy enough people to make it well worth the effort.
Most recoveries can be done with free tools? Check. Most require minimal sector damage? Check. Most of the time DD will work? Check. File recovery requires mysterious "expensive software tools" when you just said free ones work fine most of the time? OK I'll write a check. You say IT pros hammer on drives before sending them to you? Sorry, tearing up the check now. Hey you should link to your homepage and try to convince readers to use your service. Oh wait...
Consistently, hands-down, GetDataBack is the best recovery app I've ever used for FAT and NTFS. It has never failed me. And now, with their RAID Reconstructor, Runtime even help me get my data back from a broken SiI 3115 RAID-5 array. Think your data is safe with RAID-5? Forget it :)
When you hand over the equipment to be repaired, also hand them a contract to sign saying they will be liable for any costs associated with loss of data or recovery of said data. This contract should specify that it overrides any conflicting "We're not responsible for loss of data" clauses in their standard terms and conditions. PS: Make sure you put **AA inflated values on your data and time. BTW: IANAL but would be interested in one's view on this approach.
I have two problems with this. The first is that the computer was still under warranty. Not only did I not know what was wrong but I would have had to pay for any repairs, and I couldn't afford to. Secondly I didn't then and still don't know of anybody who could repair it. When I bought the PC I also bought a second HDD, the original one was only 40 GB and the one I bought was 750 GB. The store has a repair shop right there and I asked them if they could install the HDD as a second drive and make it the home directory. Not one person there had any experience with Linux and didn't know how to do it. So I tried to install it myself. I got it installed but Linux did not recognize it. I went online and found out Linux had problems with Maxtor drives, which is what it was. So I removed it and returned the drive. I then found another 750 GB drive at Best Buy, the store I bought the PC from was Microcenter. I figured that since the Geek Squad did the computer work at, and was owned by, Best Buy they could install the drive and set it up so it was the home directory for users. Like Microcenter Best Buy didn't have anyone who worked on Linux. So I asked someone that could and was given an address for a Geek Squad. There I was told they would not touch a Linux PC. Back at the Best Buy a tech said he could research it and try to do the install but that I would have to sign a release from damages. An hour later I was headed home with my PC working how I wanted.
While I had to run around to have a second drive installed in a Linux PC, I now know enough to be able to do the research myself. I know it's the fstab file that needs to be edited to tell the OS where to look for the home directory.
Falcon
Should there be a Law?
ReiserFS,
Good filesystem to recover from, I have successfully recovered data from a drive formatted over ReiserFS. For all his quirks, it's a great filesystem. What did they format over it, NTFS I'm guessing?
The reformat was ReiserFS also. The tech allowed the CD install disk to run automatically and use the defaults, and the default format was ReiserFS. So I'm hoping, though I don't know, that the table was only rewritten.
I had more than 500GB on it so I've been looking for something to unformat it and recover the data.
1. get a bigger drive say 1TB.
I now have 2 1.5 TB drives, an internal one I'll use to replace the older drive and an external drive for backups. Back when this happened I couldn't afford an external drive, I still went out on a limb to buy these two drives.
2. dd the raw image of the target drive onto the new drive *do not attempt data recovery off the original disk*, all data recovery is conducted from the dd image.
DD? Does it clone drives or what? Guess I'll look into it.
3. Do you have the original partition information, this can be handy as if you can get these original figure you can use some of the Reiser tools to restore the journal and recover the data
I don't know what the "original partition information" is. Or how to copy it.
4. if you can't use 3, you will need to use a tool (magic rescue comes to mind) to recover files from the drive image based on file types in sweeps.
Reviews for TestDisk say it can restore partition tables, which may make the data accessible. I may use an external drive to copy it to and I imagine it'd take hours to do. Which would be okay if it works.
Fortunately for you you picked reiserFS which is more forgiving that other filesystems. You have lost data, but I rate you chances as pretty high even if some dolt has formatted right over your file systems. It takes a lot of time to do the recoveries so I usually set them up to run in batches over night.
ReiserFS was the default format used by the distro. I imagine it'd take me days to recover my data if I am able to. But I have a lot of tyme and I want the data back so it doesn't matter too much how long it takes.
Good Luck!!!!!
Thanks!
Falcon
Should there be a Law?