What Data Recovery Tools Do the Pros Use?
Life2Death writes "I've been working with computers for a long time, and every once in a while someone close to me has a drive go belly up on them. I know there are big, expensive recovery houses that specialize in mission-critical data recovery, like if your house blew up and you have millions of files you need or something, but for the local IT group, what do you guys use? Given that most people are on NTFS (Windows XP) by the numbers, what would you use? I found a ton of tools when I googled, and everyone and their brother suggests something else, so I want to know what software 'just works' on most recoveries of bad, but partially working hard drives. Free software always has a warm spot in my heart."
Get Data Back works very well.
GetDataBack has worked perfectly for me many times. Very easy interface, works on deleted files as well as formatted disks (provided the data you want to recover hasn't been overwritten, of course). Worth the $79, IMO.
ddrescue
But to be honest, if you've hit that point for an "enthusiast" user, then you're already on your last legs. If you ain't got a backup, forget it - the chances of getting one particular file you've lost might be good, the chances of recovering any significant amounts and being able to verify their integrity are bad.
Plus, with SSDs, flash, memory cards, etc. the chances of being able to recover *anything* from a faulty drive without professional equipment are fast approaching zero. Most USB Flash drives just "die" when they hit their write limits, rather than fail gracefully into read-only mode.
Real professionals never lose their data.
Back when most data recovery and disk utility applications didn't work on Vista (and many still don't), I found one called R-Studio. It managed to recover a whole lot of data off a damaged, flaky 5TB RAID 5 array, which is pretty impressive considering it was the only application at the time that could even recognize it as a drive; all the others just called it a damaged volume.
As far as I know it's still the only one that can do RAIDs, at least as far as I can find. It also allows many customization options for searches and doesn't oversimplify things too much. It takes forever, but it finds any potential damaged file systems and then lets you use whichever one you like to recover whichever files you like. It can also be used to recover deleted files.
As far as I recall it's pretty cheap, at least compared to a few out there, and worth a try. But with all recovery and security software, I find the information and their website extremely generalized and vague about what exactly you can do, so I always download the software first to make sure it can do what I want, which 90% of the time it can't, and then if it works I buy it. It's not the most legal practice, but if they don't offer demos and won't be specific about what their software does, it's the only practical solution.
So Skulldilocks threw acid on the schoolchildrens' faces, cause somebody from the bible told her to do it!
You may find the following threads helpful:
http://serverfault.com/questions/4331/crashed-hard-drive-data-retrieval
http://serverfault.com/questions/4482/hard-drive-data-rescue-services
Work your way through this list. Unless you're a corporate entity with a large purse, it's probably going to be a freeware app they use too (unless they have a suite which covers many types of media and file systems). They make money from companies, not end users.
Further Info: I phoned a Tamworth, UK-based company (Google it if you're bothered) regarding recovering a file from a USB drive for a teacher where I tech. They asked what I did so far to recover the file, I said I'd run some freeware recovery tool. They told me that's all they'd do, as they don't make money spending any more than about 5 minutes on it. If that can't find it, and you don't have hundreds / thousands of pounds to spend on engineer time, it's the best you'll get.
Finally had enough. Come see us over at https://soylentnews.org/
Pros make sure they have good backups. Pros tell their users "nothing on your laptop/desktop is backed up", make that corporate policy, and respond to virus infestations by re-imaging the victim's computers to make sure that everyone's too damn scared of Mordac the Preventer to keep anything on local storage.
dd if=/dev/sdb of=dump.img bs=512 conv=noerror,sync iflag=direct
Once a drive has started failing the first thing you want to do is get as good a copy of everything as you can manage. If it's a physical problem, especially if it's a damaged platter, then it tends to get worse as the drive is used. Get everything off and then work on the copy.
Tim.
God said, "div D = rho, div B = 0, curl E = -@B/@t, curl H = J + @D/@t," and there was light.
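What `conv=noerror,sync` in the dd command above does, together with the second pass over bad areas that ddrescue adds, sketched as an added example (not code from the original post): unreadable blocks are zero-filled so offsets in the image stay aligned with the disk, and their positions are recorded so a retry touches only those blocks. `FlakyDisk` and its data are constructed stand-ins for a failing drive.

```python
import hashlib
import io

BLOCK = 512  # matches bs=512 in the dd command


class FlakyDisk:
    """Constructed stand-in for a failing drive: reads touching a bad block raise OSError."""

    def __init__(self, data, bad_blocks):
        self.data = data
        self.bad = set(bad_blocks)
        self.pos = 0

    def seek(self, offset):
        self.pos = offset

    def read(self, size):
        first = self.pos // BLOCK
        last = (self.pos + size - 1) // BLOCK
        if any(b in self.bad for b in range(first, last + 1)):
            raise OSError(5, "Input/output error")
        chunk = self.data[self.pos:self.pos + size]
        self.pos += len(chunk)
        return chunk


def image_with_padding(src, dst, total_size, block=BLOCK):
    """First pass: copy every block, zero-fill the unreadable ones, return their offsets."""
    bad = []
    for offset in range(0, total_size, block):
        want = min(block, total_size - offset)
        src.seek(offset)
        try:
            chunk = src.read(want)
        except OSError:
            chunk = b""              # noerror: keep going instead of aborting
            bad.append(offset)
        dst.seek(offset)
        dst.write(chunk.ljust(want, b"\0"))  # sync: pad so later offsets stay aligned
    return bad


def retry_bad_blocks(src, dst, bad, block=BLOCK):
    """Later pass: re-read only the recorded bad offsets; return those still unreadable."""
    still_bad = []
    for offset in bad:
        src.seek(offset)
        try:
            chunk = src.read(block)
        except OSError:
            still_bad.append(offset)
            continue
        dst.seek(offset)
        dst.write(chunk)             # overwrite the zero padding with real data
    return still_bad


def demo():
    data = bytes(range(256)) * 16    # constructed 4096-byte "disk" = 8 blocks
    disk = FlakyDisk(data, bad_blocks={2, 5})
    image = io.BytesIO()
    first = image_with_padding(disk, image, len(data))
    padded = image.getvalue()[1024:1536]
    disk.bad.discard(5)              # assumption: block 5 reads on a later attempt
    remaining = retry_bad_blocks(disk, image, first)
    final = image.getvalue()
    return {
        "first_pass_bad": first,
        "padded_is_zero": padded == b"\0" * BLOCK,
        "still_bad": remaining,
        "block5_recovered": final[2560:3072] == data[2560:3072],
        "size_matches": len(final) == len(data),
        "sha256": hashlib.sha256(final).hexdigest(),  # record before working on the copy
    }


if __name__ == "__main__":
    print(demo())
```

Without the list of bad offsets, zero padding in the image cannot be told apart from sectors that really contained zeros.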
My favorite tools are a combination of the Trinity Rescue Kit linux boot cd and the Restorer tool.
It depends on the type of failure, but generally, I start with a ddrescue to get an image of the drive, especially if the drive is running bad sectors. Either I set the image to go to a secondary spare drive or I push it across the network. ddrescue is nice in that it doesn't bail when it hits those bad sectors, can run in reverse mode, and eventually it'll get as much as isn't corrupt on the drive into the image.
After establishing the image, the original failed drives go into ESD bags and aren't touched again unless they are to get shipped to one of the expensive clean room type places for their style recovery.
Most of the win32 drive recovery softwares out there can handle reading from an image file, so from here on out, I work with the images I took with ddrescue. Restorer has worked pretty well for me on getting things back from hard drives, CF cards, and even raid sets (figuring out the cluster sizes on the raid can be a pain if you don't happen to know them, but the software does support reassembling raid drives from the images you take of the single drives).
Most of the win32 packages out there have support for making the original images, but I haven't had as much luck with most of them when dealing with severely corrupted drives or with a large scattering of bad sectors. Either they take far too long to make it through the image or they end up failing to get by the bad sectors.
Regardless of what you end up picking, you don't want to use any of the recovery tools that advertise how they can fix the partition table and such on the drive, live . . . any recovery operation that thinks it is ok to 'fix' a drive with data on it you want to recover has the wrong mindset. The data is important, not making the drive work again.
I have had success with the *free* EASEUS Disk Copy boot CD - http://www.easeus.com/download.htm [easeus.com]. It will perform a bit for bit copy from the defective drive to a new organ-donor drive. I believe you have the option to continue the copy, even on erroneous sectors. On a recent drive in the early stages of failing, I was able to recover the entire disk after I did the bit-for-bit copy and then performed an error check/fix on boot-up. The standard Windows XP error check tool corrected all of the previously mangled bits.
Spinrite has worked miracles in the past for me. It's brought unbootable corrupted Windows partitions back to life for me. Supposedly it also fixes physical defects in hard drives as well. It boots off of an image from disc. It costs $89.00 but it's saved my butt in the past.
I had a drive where the file system was shredded, so I loaded the drive into FTK Imager (it's free, about halfway down the page), did a search of the raw space of the drive for the file name I needed, found the relevant $i30 reference (it's in there), jumped to the relevant sectors on the disk using ftk imager's goto command, carved out the hex with ftk imager's copy hex command, dumped it into a hex editor, and saved the file under the extension. It worked perfectly.
Uphill, both ways, in the snow.
This is the ultimate last resort if you absolutely, have to, get a file back.
Is it sad that I am more likely to recognize you and your posts by your sig than your name or UID?
We usually start off with a bootable XP CD. Often there isn't anything really that messed up, and you can read the data that way with no problems. There are a couple of free programs, the names of which I can't remember off the top of my head, that do a fine job for "undeleting" files.
If it won't read in that, the next step is usually Knoppix. You can tell it to force mount a bad partition. Now that is a mixed blessing since sometimes the data you'll get is garbled which is why you try something else first. However, barring any serious problems, it'll usually mount and read.
If both of those have problems, the next set is the tools from the drive manufacturer to check for physical problems. You set those to do a full scan. At this point, there are three possible results:
1) It runs to completion, no errors. Means the physical disk is fine, it is all a logical data problem. Now go back to bootable Windows and run a checkdisk. Reason we didn't do this earlier is the moving of data checkdisk does can screw things up worse if there are physical problems.
2) It runs to completion, errors found and corrected. Back to Windows or if that doesn't work Knoppix to try and read the disk again. Usually it'll read, checkdisk it if not.
3) It errors out and gives a diagnostic code meaning serious, unrecoverable errors. We are now at another juncture:
a) The data is really important. At this point, time to send it off to a specialist. Gillware.com is who I like. Pack it up and mail it off, you probably get your data back along with a bill for $300.
b) The data isn't critical, but we'd like to recover it. Run what I call "the magic disk destroyer." It's a program called Spinrite. It is a VERY aggressive recovery program. Because of that it is either going to get the disk readable, or fuck it up so bad nobody will be able to. Hence my nickname for it. Put the disk somewhere that you can have a fan blow on it, fire up Spinrite, and let it go for a day or two. See what happens.
I agree with others about GetDataBack... it indeed is a good app.
Sometimes however, people have come to me with a hard drive with a FOUND.000 directory full (sometimes about 10GB) of CHK files... for that I recommend:
http://www.ericphelps.com/uncheck/
It is free and does a good job recognizing the supported files.
Also, it is worth getting something like mplayer or VLC and trying to manually open the biggest CHK files to see if they are some kind of media file.
Additionally, a hex editor like xvi32 can be helpful to give a fast glance at the header of the file and see what it is... maybe reading the folder with a Linux distribution (which gets the description of the file based on the content rather than the extension) could also help... but for other more obscure things, a hex editor is good (of course you need to be familiar with several headers... yay I feel 1337!)
Ubuntu is an African word meaning 'I can't configure Debian'
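The header check described in the post above, automated for a FOUND.000 directory (an added example, not part of the original post and not how the linked tool works): each CHK file's first bytes are matched against well-known file signatures, and identified files are copied out under a fitting extension while the originals stay untouched. The sample files in `demo()` are constructed, and the function names are hypothetical.

```python
import os
import shutil
import tempfile

# (offset, magic bytes, suggested extension) for well-known file signatures
SIGNATURES = [
    (0, b"\xff\xd8\xff", ".jpg"),
    (0, b"\x89PNG\r\n\x1a\n", ".png"),
    (0, b"GIF87a", ".gif"),
    (0, b"GIF89a", ".gif"),
    (0, b"%PDF-", ".pdf"),
    (0, b"PK\x03\x04", ".zip"),   # also the container for docx/xlsx/odt/jar
    (0, b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", ".doc"),  # OLE2: legacy doc/xls/ppt/msi
    (0, b"ID3", ".mp3"),
    (0, b"\x1a\x45\xdf\xa3", ".mkv"),
    (4, b"ftyp", ".mp4"),
]
RIFF_SUBTYPES = {b"AVI ": ".avi", b"WAVE": ".wav"}


def guess_extension(header):
    """Return an extension for the leading bytes of a file, or None if unrecognised."""
    if header[:4] == b"RIFF" and len(header) >= 12:
        return RIFF_SUBTYPES.get(header[8:12])  # RIFF names its subtype at offset 8
    for offset, magic, ext in SIGNATURES:
        if header[offset:offset + len(magic)] == magic:
            return ext
    return None


def classify_chk_dir(path):
    """Map every *.CHK file in path to its guessed extension. Opens files read-only."""
    results = {}
    for name in sorted(os.listdir(path)):
        if name.upper().endswith(".CHK"):
            with open(os.path.join(path, name), "rb") as fh:
                results[name] = guess_extension(fh.read(16))
    return results


def copy_identified(path, out_dir):
    """Copy identified CHK files to out_dir under their guessed extension."""
    copied = []
    for name, ext in classify_chk_dir(path).items():
        if ext is not None:
            target = os.path.splitext(name)[0] + ext
            shutil.copyfile(os.path.join(path, name), os.path.join(out_dir, target))
            copied.append(target)
    return copied


def demo():
    samples = {  # constructed sample headers, not real recovered data
        "FILE0000.CHK": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\0" * 32,
        "FILE0001.CHK": b"%PDF-1.4\n" + b"\0" * 32,
        "FILE0002.CHK": b"RIFF\x24\x00\x00\x00AVI LIST" + b"\0" * 32,
        "FILE0003.CHK": b"\x00\x01\x02\x03 no known signature",
    }
    with tempfile.TemporaryDirectory() as found, tempfile.TemporaryDirectory() as out:
        for name, data in samples.items():
            with open(os.path.join(found, name), "wb") as fh:
                fh.write(data)
        return classify_chk_dir(found), copy_identified(found, out)


if __name__ == "__main__":
    print(demo())
```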
I agree, these days every home PC should be set up for RAID1 (RAID5 for workstations). However, RAID should *never* be a substitute for making backups to external media.
Life is not for the lazy.
SpinRite 6.0 has worked for me very well for many years now. It's slow, and has very very entertaining graphics. Under 2MB ISO.
In the past I've used SpinRite to check the disk for errors, and it's been a life saver twice. But in the case where there's nothing wrong with the physical drive, which is probably the case most of the time, I've had great success with R-Studio. My 2 cents. -P
Ontrack EasyRecovery is the best software I've used. It WILL NOT WORK under Vista, so hopefully you'll have 2k or xp installed somewhere.
The software, last time I checked, is no longer supported or updated. Ontrack now seems to specialize in data recovery, not data recovery software. I'm sure however you can find the software.... somewhere....
"Prediction: within 10 years, Windows will be a Linux distribution." Me, 7-6-2016
As far as software goes, a combination of dd / ddrescue / strings / fdisk / grep / mount / and the r-studio suite from r-tt.com are what I use. Though, most of the time the drive is physically damaged, and it's not always inside.
For example, last week I had a laptop come in with no power to the drive. I examined the board with my eyes and my Fluke Multimeter and discovered that the power +5V on pins 41 and 42 wasn't reaching very far into the board and was basically disconnected at the first component. It looked to be a power-protection diode which had blown due to a surge. I was able to bypass it with a dot of solder, and once reassembled the hard drive powered on, I copied the data off. When the customer decided he didn't want to pay, well, I removed that solder dot before returning his drive to him without his data...
On 3.5" hard drives you'll often see a rectifier diode serving the same purpose, so when you run into a drive that doesn't spin up, check that out first. It's a small black component connecting the power to ground, and it shouldn't be passing electricity (but it will when it fails, so just pop it off to get your drive working again).
Other times a clicking drive can be fixed by just swapping out the board with an identical one from another drive. Sometimes, similar model number boards will work as well, but not often. It's a lot of fun trial and error. On the plus side, if the drive is totally fubar'd but still spins up, you can pop it open and do some hard drive spin art!
If the disk is good, but the OS hosed, try a Vista install DVD. Boot it into recovery mode, and one of the options is "copy files". (Honestly, the recovery tools included with Vista are a good first step). It'll copy the files to a USB hard disk.
If not, then it's time to boot Knoppix (which can mount NTFS just fine, thanks to ntfs-3g). If the disk is dying, but still good, use something like ddrescue to make an image (ddrescue uses dd to clone the disk, but it'll first do the good parts (fast), then try harder and harder on the parts the disk has problems with - this way you'll get the good parts of the disk off quickly and it can concentrate on the bad parts).
If you lost your partitions, gpart works great at seeking and finding 'em. One of my coworkers had just that problem and gpart managed to recover the partition table...
I salvaged a lot of files from an NTFS partition on a badly failing drive by plugging the drive into another computer, making a dd image (it took several days due to all the disk errors), and then using Advanced NTFS Recovery on Windows to recover files from the dd image. You can use dd under Linux and transfer the image to a Windows box or just use the Cygwin version of dd. Advanced NTFS Recovery has a free demo, but it's fairly useless unless you register it (for $100). The demo only shows you the files it would recover, without actually recovering them. I was reluctant to pay that much, but it seemed to recover far more files than any of the other free or commercial demo tools I found at the time.
Even sadder, is I do this for a living - onsite, in home repair & installation - and the reality is they just whine about having to pay you for watching the progress bar. Pickup & dropoff involves so much less whining.
Knoppix is used here as well, and it can help you to save your data in many situations. One suggestion: not every network card is supported by the standard knoppix distributions, so either you burn a custom knoppix CD tailored for your system, or you keep a disk at hand with the appropriate drivers.
Try putting the bad drive in the fridge for about 15 minutes. Sometimes it's a thermal expansion problem on the board or in a chip and you can get a few working minutes with the drive to copy files off. If that doesn't work, try the freezer. If that doesn't work, try some gentle heat with a hair dryer. If none of that works, you're back to the board swap or a professional recovery service. If the fridge/freezer thing works, using a USB interface on the drive will buy you some more up time, as you don't waste "cool" time while the machine boots up before you start pulling files off.
XFS? Try UFS Explorer.
As an official Data Recovery Professional, most of the over the counter tools work well in various situations. But, most require a stable hard drive with minimal sector damage.
- The first step in data recovery is to stabilize the drive. (leave this to the pros...and we DON'T use freezers)
- The next step is to do a sector level mirror. We use very expensive hardware for this step. DD will work, but if the drive has a lot of media damage, it may be still worth getting a professional to do the job before the problem gets worse.
- The next step is to deal with the file system and recovery. This is where your software tools come in. Again, we use very expensive programs for this step, but we also play with some of the programs mentioned above.
When I talk to IT professionals about using our services, they have a preconceived idea that data recovery always costs thousands of dollars. This is usually because the IT professional does everything they can think of (freezer, open the drive, tap with a hammer) to recover the data before passing the job over to the data recovery lab. As a result, the data recovery labs tend to charge more because of the added problems caused by the previous attempts. My company does not charge more because of what was done, but we have had to give clients bad news because the data is unrecoverable because of what was done.
In short, if the data is valuable, don't use the freezer or programs like SpinRite; rather, get a free quote by a data recovery professional. If the price is too high, get a second opinion. If the second opinion is too high, then you have nothing to lose.
Recuva (http://www.recuva.com/) is free and works pretty well. It has a handy preview feature too, although it doesn't always work.
To be honest, there isn't really much beyond what Recuva can do. Some paid-for tools support scanning for a few more file types in situations where the filesystem is gone and you have to scan the whole disk, but unless you happen to have files in some unusual format then there is no real advantage.
The one thing which does make a big difference is the drive controller. Some chipsets are a lot better than others at dealing with knackered disks. You need one which does not lock up for long periods or try to read bad sectors too many times, otherwise your scan will take days or weeks with no improvement in the amount of data recovered. ATI chipsets seem to be best.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
Hello,
Here is a list of data recovery programs I have put together. Some of them may be a little old, for floppies or optical media only, but should still be useful. Unless otherwise noted, they are all for Microsoft Windows.
A-FF Labs - NTFS Undelete and Partition Find and Mount
Access Data - FTK Imager
Acronis - RecoveryExpert
Advanced NTFS Recovery - NTFS Recovery (may handle FAT32 as well)
bitMART - Restorer Ultimate
Brant, Dmitry - DiskDigger
BriggSoft - Directory Snoop
CGSecurity - TestDisk and PhotoRec
Convar - PC Inspector File Recovery
Digital Assembly - Adroit Photo Recovery (pictures only)
DiskInternals - NTFS Recovery
DIY Data Recovery - iRecover
DTI Data - Recover It All
DataRescue.Com - PhotoRescue (intended for flash RAM cards, which are typically formatted with FAT, may work with other devices as well)
EASEUS - Data Recovery & Security Suite
Fsys Software - DFSee
Gibson Research Corp. - Spinrite
Gillware - GillWare File Viewer
Higher Ground Software - Hard Drive Mechanic Gold
Kato, Brian - Restoration (also here)
LC Technology -
[Continued in next message, as for some reason, Slashdot would not let me post in its entirety (too many URLs?). AG]
Dexter is a good dog.
Also, a couple of times I've had dying drives that work OK for a few minutes after a cold boot, and then they (heat up and) die. I've had good luck throwing the drive in the freezer (in a ziplock bag) for a day, then powering it up, recovering as much as I can until the drive chokes again, lather, rinse, repeat, until all recoverable data has been copied off to a good drive.
SpinRite works to identify bad sectors on a track on magnetic media. Once it locates a bad sector, it attempts to re-read (repeatedly) the bitmap from that sector. If successful, it will re-write that bitmap to an unused sector, mark the original sector as bad, and provide a pointer in the index of the drive to the newly created sector.
For me, SpinRite has successfully corrected fubared Windows installations (STOP error at boot, unreadable boot volume, registry .xxx missing at boot time, etc), repairing a disk with a FileVaulted sparseimage (allowing it to mount), repairing a disk that was TrueCrypted (allowing it to mount), as well as repairing a drive enough to the point where I can make an image copy of it and recover at least some (and in some cases, most) of the data on it.
SpinRite is also the only tool I'm comfortable running on an encrypted volume.
It's not voodoo, and I run it quarterly for maintenance purposes.
Informatus Technologicus
*idiots*, the only way to be sure is to remove the drive, but I guess it was part of the warranty deal.
Good filesystem to recover from, I have successfully recovered data from a drive formatted over ReiserFS. For all his quirks, it's a great filesystem. What did they format over it, NTFS I'm guessing?
1. Get a bigger drive, say 1TB.
2. dd the raw image of the target drive onto the new drive. *Do not attempt data recovery off the original disk*; all data recovery is conducted from the dd image.
3. Do you have the original partition information? This can be handy, as if you can get these original figures you can use some of the Reiser tools to restore the journal and recover the data. If you are lucky you will then be able to use fsck, which will start to restore the files to Lost+Found as unconnected inodes. You may even be able to mount the image as a loopfs and copy the files off directly.
4. If you can't use 3, you will need to use a tool (magic rescue comes to mind) to recover files from the drive image based on file types in sweeps. I have successfully recovered data from trashed drives this way.
Fortunately for you, you picked ReiserFS, which is more forgiving than other filesystems. You have lost data, but I rate your chances as pretty high even if some dolt has formatted right over your file systems. It takes a lot of time to do the recoveries, so I usually set them up to run in batches overnight. Good Luck!!!!!
My ism, it's full of beliefs.
You would never get a technician to sign it.
I certainly would not, even though I do not reformat hard drives while there are any other alternatives. (I don't think I ever have, apart from when the customer walks in and says "reformat this for me.")
Hard disk drives dying on the operating table, or power supplies failing and zapping the drive controllers, are just too common for me to take liability for the data.
Prediction for end of Universe #42: Fencepost error in Quantum_bogosort.cpp
When I repair a computer, I set the terms, not the customer. I would never agree to pay for an inflated damage cost, ever. As a matter of fact, I tell them flat out I am not responsible for any data loss that would occur. Not that I have ever lost anyone's data, but if I did I want it clear I am not liable for any monetary loss they would suffer. If their data is THAT important, they have multiple backups, right?
"But this one goes to 11!"
Wow, you're an asshole.
Maybe you should just do what you can for your family and then remind them that they should backup with their new drive. You know, as opposed to reinforcing the stereotype that all computer geeks are antisocial bastards that don't care about a person's feelings at all.
It's better to vote for what you want and not get it than to vote for what you don't want and get it.
- E. Debs