What Data Recovery Tools Do the Pros Use?

Life2Death writes "I've been working with computers for a long time, and every once and a while someone close to me has a drive go belly up on them. I know there are big, expensive recovery houses that specialize in mission-critical data recovery, like if your house blew up and you have millions of files you need or something, but for the local IT group, what do you guys use? Given that most people are on NTFS (Windows XP) by the numbers, what would you use? I found a ton of tools when I googled, and everyone and their brother suggests something else, so I want to know what software 'just works' on most recoveries of bad, but partially working hard drives. Free software always has a warm spot in my heart."

for fat and ntfs

[keeegan]

Get Data Back works very well.

Re:for fat and ntfs

[darkvad0r]

For a free solution, check TestDisk.
It has saved my data many times.

Re:for fat and ntfs

[pushf+popf]

I've been doing consulting and software development for around 30 years, and when I was young and dumb, thought I could fix anything. Now I know better and have found that in this situation, the phrase "Wow, that's too bad. Where are your backups?" works nicely.

While there are all sorts of voodoo, data scraping bit-remunging apps available, at the point before you do anything you have no liability. After you "recover" the data, you're on the hook for everything forever.

All you need is for the customer to come back 2 years later and tell you they were sued into the dirt because something they were required to disclose was missing or incorrect and you'll wish you never took the job.

And even if they don't sue, there will be a never-ending stream of phone calls about broken documents, files they can't find and all sorts of other "un-tidyness".

And even if they don't call, there will be eternal uncertainty about the quality of the recovered data. Are their financials correct? What was that number that had the letters nearby really supposed to be?

My favorite drive recovery method is now BackupPC. You set it up, configure it for an appropriate number of incremental backups each day and let it fly. When a drive craps out, replace it, click the appropriate checkbox on the "Restore" page and press the "go" button. No doubt, no lawsuits, no untidyness.

Do-it-yourself Data Recovery is great if you like to putter with things and have lots of time and no liability (employees generally can't be sued by their employer) however when actual money is at stake, it's better to just send the drive out and let someone who is actually equipped and staffed to do the recovery handle the work.

To put things in a different perspective, how happy would you be if the county tried to sell your house for unpaid taxes because billy-bob "who's really good with computers" did their drive recovery and your tax payments were on one of the bad spots?

Re:for fat and ntfs

[TheLinuxSRC]

I could not agree more. Just last week I had a designer friend who accidentally deleted the partition his portfolio was on. We tried to recover the partition however the MFT had become lost/corrupted.

My first attempt to recover his data was with ntfsundelete, however it did not recognize the partition at all. I next used Disk Internals NTFS Recovery program (Commercial) with the same results.

Finally, I Googled a bit and found the testdisk/photorec package and used that. It took about 40 hours to recover ~225GB data. It was unable to recover filenames, however it did create new directories for each directory it found and recreated the files in those directories, albeit with arbitrary names. Most impressively it did recreate the files with the proper file name extensions. With some creative perl scripting I could have even renamed some of these files based on meta data in the files. This was not necessary in my case.

Re:for fat and ntfs

[Anpheus]

Tell them that you don't have a full copy of all their data. Tell them to tell their lawyers that a hard drive failing is equivalent to a small fire occurring in the secretary's desk and while you, the fireman or handy guy with the fire extinguisher can recover a lot of data, there's no way to be certain that it's all the data.

People like you are a lot of what's wrong with the world. You cover your ass so much that you don't accomplish what your clients really want or need.

Re:for fat and ntfs

[pushf+popf]

People like you are a lot of what's wrong with the world. You cover your ass so much that you don't accomplish what your clients really want or need.

Do you know what's worse than "No Data"?

Bad Data.

What my clients really need is data they can trust.

Telling someone "Here's your data, I got some of it back for you, but I'm not sure how much you lost or if the stuff I got back for you is correct" is great for your mother's vacation pictures. It's not great for your bank, insurance company, doctor, school or anybody else that needs to have verifiable, correct data.

Re:for fat and ntfs

[Zoromo]

No question with TestDisk as an excellent open source/free recovery option.

It was the only thing I found (freeware or pay) that relatively easily restored a couple of NTFS logical partitions--and all data--after they were destroyed by an older version (8.0) of Diskeeper's "boot optimization" defragging. The last time I used Diskeeper or recommended it. I continue to use and recommend TestDisk. The author of TestDisk was also responsive to emails when I encountered a unique issue with the drives I ended up needing help with.

Note that TestDisk is only for recovering lost partitions and making non-bootable partitions bootable again. For those functions, there is no better program out there.

Its sister program included in its download--PhotoRec--can do file recovery. Its designed mainly for recovery of photos off all media, but it supports many different file formats. So the TestDisk/PhotoRec package may be all you need.

Other freeware/non-open source file recovery alternatives that are reliable and work well:

--PC INSPECTOR File Recovery. 100% free & full featured, many options. Been using it for years.

--Recuva. 100% free, by Piriform, the maker of the very popular CCleaner/Crap Cleaner system cleaner.

Somewhat less elegant than the above one. But the only freeware option I've studied that can do a "deep scan" of your drives for lost files. Which can take hours, but may turn up more missing data than the other non-PhotoRec options here.

--EASEUS Deleted File Recovery. A more limited version of their $70 "EASEUS Data Recovery Wizard", but very well designed for basic file recovery.

There are other freeware file recovery options I've studied, but they are all more limited than the above. Would recommend TestDisk (for partitions) and PhotoRec (for files) first, then the other three (for files) in the order given.

In all honesty, shelling out for a payware solution is very unlikely to "find" more deleted files on a NTFS partition than the above freeware solutions, unless you have special needs they don't cover. Which is rare. And again, there is nothing better than TestDisk--free or payware--for recovering partitions.

Ordinary Kitchen Stuff

[Mikkeles]

Lemon juice and heat!

I tell the tools

That they should have backed up.

Re:I tell the tools

[Big+Hairy+Ian]

Agreed Although the number of times I've been called in when the back up was cocked because nobody knew what they were doing make me think this is a little harsh. Good lesson here kids just because the tape was in overnight doesn't mean there's anything useful on it.

GetDataBack

[sean_nestor]

GetDataBack has worked perfectly for me many times. Very easy interface, works on deleted files as well as formatted disks (provided the data you want to recover hasn't been overwritten, of course). Worth the $79, IMO.

Well

[ledow]

ddrescue

But to be honest, if you've hit that point for an "enthusiast" user, then you're already on your last legs. If you ain't got a backup, forget it - the chances of getting one particular file you've lost might be good, the chances of recovering any significant amounts and being able to verify their integrity are bad.

Plus, with SSD's, flash, memory cards, etc. the chances of being able to recover *anything* from a faulty drive without professional equipment are fast approaching zero. Most USB Flash drives just "die" when they hit their write limits, rather than fail gracefully into read-only mode.

Re:Well

[bonehead]

Here's one that's saved my butt several times.

Often times when a drive fails it's not the physical mechanism that goes bad, it's something on the circuit board. If you can find an identical drive (should be pretty easy in a corporate environment, could be tricky for a home user), just carefully remove the board from the good drive and install it on the bad one. You'd be surprised how many times that "totally dead" hard drive will start working like new.

The software solutions are great for some situations, but they can't do anything if the drive isn't even visible to them.

I Like Knoppix with a Good BIOS

[eldavojohn]

I'm not a pro in this department although I've saved a lot of partial data from hard drives for some friends (I'll be very interested in these comments).

I use a live CD of Knoppix which has really good system repair and troubleshooting. I also have another important tool which is an old Dell Intel motherboard that allows me to set the rotational speed of the drive. Example: my friend's laptop is giving him the click of death so I pop out the IDE drive and hook it up to a 2.5" to 3.5" connector and plug it into the motherboard with a working 1TB 3.5" slaved. On boot up, I hit the BIOS and set the speed as low as it can go or low enough like 1,000 RPM. Then I boot into Knoppix live CD and check to see if I can mount the file system. Knoppix seems to be able to mount a lot of partitions that other more stringent flavors of Linux don't. Sometimes it clicks from the get go and there's nothing you can do. But if it doesn't, then I set a script up to copy their most valuable directories first onto the working 1TB drive. I let it run all night or weekend and check the drive periodically for heat problems. People are surprised what you can save for them doing this ... the downside is sometimes I'm surprised in what I save for people--p0rn is not worth my time.

R-Studio

[CodyRazor]

Back when most data recovery and disk utility applications didnt work on vista (and many still dont) I found one called r-studio. It managed to recover a whole lot of data of a damaged flaky 5TB Raid 5 array, which is pretty impressive considering it was the only application at the time that could even recognize it as a drive, all the others just call it a damaged volume.

As far as I know its still the only one that can do Raids, at least as far as I can find. It also allows many customization options of searches and donest over simplify things too much. It takes forever but it finds any potential damaged file systems and then lets you use whichever one you like to recover whichever files you like. It can also be used to recover deleted files.

As far as I recall its pretty cheap, at least compared to a few out there and worth a try. But with all recovery and security software, I find the information and their website extremely generalized and vague about what exactly you can do, so I always download the software first to make sure it can do what I want, which 90% of the time it cant, and then if it works I buy it. Its not the most legal practice but if they dont offer demos and wont be specific about what their software does its the only practical solution.

Knoppix with a Drive Adaptor

[Push+Latency]

For your health!

Pros avoid having to use data recovery tools.

[argent]

Pros make sure they have good backups. Pros tell their users "nothing on your laptop/desktop is backed up", make that corporate policy, and respond to virus infestations by re-imaging the victim's computers to make sure that everyone's too damn scared of Mordac the Preventer to keep anything on local storage.

Re:Pros avoid having to use data recovery tools.

[jumpingfred]

No the pro install nightly backup tools on the laptops. At least they do on mine.The backup software then uses heuristic algorithms to start the backups when the laptop is being used for meeting presentations in front of many people.

dd

[locofungus]

dd if=/dev/sdb of=dump.img bs=512 conv=noerror,sync iflag=direct

Once a drive has started failing the first thing you want to do is get as good a copy of everything as you can manage. If it's a physical problem, especially if it's a damaged platter, then it tends to get worse as the drive is used. Get everything off and then work on the copy.

Tim.

Re:dd

[greed]

On the other hand, if it's a thermal problem, you may have to rescue in "chunks". I had a disk go that could only be used for about 10 minutes before it got too warm and shut down.

On the third hand, you may have something that looks like physical damage, but when you wipe the disk with zeros to confirm the fault and get ready for RMA-time, it all magically comes back. That's a sign you got corrupted data on the disk that the ECC couldn't deal with. (And probably that you've got a drive with questionable firmware, and is reporting the wrong kind of error: Fujitsu, I'm looking at you. Especially for not recording anything in the SMART counters.)

TRK - dd/dd_rescue/ddrescue, Restorer

[millisa]

My favorite tools are a combination of the Trinity Rescue Kit linux boot cd and the Restorer tool.

It depends on the type of failure, but generally, I start with a ddrescue to get an image of the drive, especially if the drive is running bad sectors. Either I set the image to go to a secondary spare drive or I push it across the network. ddrescue is nice in that it doesn't bail when it hits those bad sectors, can run in reverse mode, and eventually it'll get as much as isn't corrupt on the drive into the image.

After establishing the image, the original failed drives go into ESD bags and aren't touched again unless they are to get shipped to one of the expensive clean room type places for their style recovery.

Most of the win32 drive recovery softwares out there can handle reading from an image file, so from here on out, I work with the images I took with ddrescue. Restorer has worked pretty well for me on getting things back from hard drives, CF cards, and even raid sets (figuring out the cluster sizes on the raid can be a pain if you don't happen to know them, but the software does support reassembling raid drives from the images you take of the single drives).

Most of the win32 packages out there have support for making the original images, but I haven't had as much luck with most of them when dealing with severely corrupted drives or with a large scattering of bad sectors. Either they take far too long to make it through the image or they end up failing to get by the bad sectors.

Regardless of what you end up picking, you don't want to use any of the recovery tools that advertise how they can fix the partition table and such on the drive, live . . . any recovery operation that thinks it is ok to 'fix' a drive with data on it you want to recover has the wrong mindset. The data is important, not making the drive work again.

Re:None!

Real professionals backup their data.

Spinrite works miracles

[stenchcow]

Spinrite has worked miracles in the past for me. It's brought back unbootable corrupted windows partitions back to life for me. Supposedly it also fixes physical defects in hard drives as well. It boots off of a image from disc. It costs $89.00 but it's saved my butt in the past.

Re:Spinrite works miracles

[Glonoinha]

I was using Spinright back in the 90's - it was awesome then, but I wasn't aware they are still around.

I endorse the package from the 90s and if it is the same guys I'm tempted to endorse them today.

Re:Spinrite works miracles

[NetRanger]

Same here. At $89, SpinRite is a bit on the pricey side, but I have recovered data from hard drives that I thought I had zero chance of saving. I figure since it saved hundreds of dollars in labor -- several times -- it was worth every penny. Especially in those circumstances where your highly paid datacenter techs thought it was a great idea to construct a RAID 5 from all identical hard drives from the exact same manufacturer lot. Sucks when two of those drives experience the exact same fault within a few minutes of each other. Fortunately I was able to whip out SpinRite and save the day, because otherwise we were looking at days and days of restoring from incremental backup tapes.

It's an ancient-looking DOS command-line utility, but I definitely give props to Steve Gibson for keeping SpinRite up to date to where it works on modern hard drives. $89 versus days and days of overtime pay for IT guys -- it certainly made me look pretty good come performance review time.

Re:Spinrite works miracles

[Jane+Q.+Public]

SpinRite is no more capable of causing a head crash than Microsoft Excel is. If the heads crashed, they crashed. Don't blame SpinRite for it. That's like blaming a coolant failure for destroying your engine, when it fact it overheated because you ran out of oil.

SpinRite

[powerbooklinux]

Does the job when all hope is lost. I've used it many times for myself and clients. $89.00 and worth every penny. http://spinrite.info/

Re:Cannot beat RAID

[DigiShaman]

I agree, these days every home PC should be setup for RAID1 (RAID5 for workstations). However, RAID should *never* be a substitute for making backups to external media.

Pros before Hos...

[DarthVain]

If your a Pro you back up all your important data anyway, so it is a moot point. Likely you even have some remote back up. There are services out there. Use Google, it ain't hard. In a pinch you can just email yourself some attachments in Gmail. Not good for media files or anything large, but if you want to save some key documents or your tax returns etc... Privacy may be an issue, but if your really prickly about that, then just encrypt it (though make sure you can decrypt easily later).

If it is a friend or family member who has just lost everything: Look very superior, point at them, remind them they should have backed up, and how stupid it is not to do so, then laugh at them for a while. Once your eyes clear of tears, repeat. After 4 or 5 times maybe it might sink in, and you will have done them a great service. Send them a bill in the mail.

Harsh I know, but come on, this has been cannon for years, get with the program.

Honestly though most people's computers are totally full of crap. There are some things like Personal files, Photos, and the like that are irreplaceable, but most stuff is just media you can replace, or software you can replace, etc... and if it is important to you, then back it up for god sakes.

Seriously, if you save their data you are just re-enforcing and rewarding bad behavior.

Re:My .02

[Glonoinha]

Bah - learn to make house calls to fix computers. It gets you laid (as in : having sex with a real woman.)

The trick is, pay attention to the computer for a while (ignoring the woman.) Then set it off doing something that's going to take a half hour or so (defragging the hard drive or backing up to an external) and explain - well, that's going to take an hour ... what can we do that will keep me busy while that thing works? Then the clothes start flying off.

Hey, it could happen!

Circuitboard Repair or Replacement often necessary

[TunaPhish]

As far as software goes, a combination of dd / ddrescue / strings / fdisk / grep / mount / and the r-studio suite from r-tt.com are what I use. Though, most of the time the drive is physically damaged, and it's not always inside.

For example, last week I had a laptop come in with no power to the drive. I examined the board with my eyes and my Fluke Multimeter and discovered that the power +5V on pins 41 and 42 wasn't reaching very far into the board and was basically disconnected at the first component. It looked to be a power-protection diode which had blown due to a surge. I was able to bypass it with a dot of solder, and once reassembled the hard drive powered on, I copied the data off. When the customer decided he didn't want to pay, well, I removed that solder dot before returning his drive to him without his data...

On 3.5" hard drives you'll often see a rectifier diode serving the same purpose, so when you run into a drive that doesn't spin up, check that out first. It's a small black component connecting the power to ground, and it shouldn't be passing electricity (but it will when it fails, so just pop it off to get your drive working again).

Other times a clicking drive can be fixed by just swapping out the board with an identical one from another drive. Sometimes, similar model number boards will work as well, but not often. It's a lot of fun trial and error. On the plus side, if the drive is totally fubar'd but still spins up, you can pop it open and do some hard drive spin art!

Repair a clone of a clone

[seawall]

Assuming the disk works at all: Work on a clone, not the original.

If you are working on a 2nd generation clone you can afford to take risks in restoring the filesystem. "Oh it that didn't work, fire up another clone and try something else".

ddrescue (and other damaged disk oriented cloners) lets you work on a copy (or in my preference: a copy of a copy). This preserves the original disk if it has to go to a specialist lab later.

SpinRite has also saved my bacon more than once but that's something run on the original drive: not done lightly.

(Warning: dd_rescue is not Gnu ddrescue and Debian Linuxes rename dd_rescue to ddrescue. dd_rescue is a similar but not identical).

Finally: I need to add Windows NTFS rescue (built in) impressed me last time I needed it. It trundled for many hours but at the end, I had a mostly intact copy of a filesystem on my 2nd generation cloned drive. The original disk had been a mess.

Re:My .02

[tinkerghost]

Sad thing is, before I even got to your post I was envisioning this exact scenario and was considering starting a business on the side doing house calls.

Even sadder, is I do this for a living - onsite, in home repair & installation - and the reality is they just whine about having to pay you for watching the progress bar. Pickup & dropoff involves so much less whining.

Re:For a free solution, check

[Mister+Whirly]

In cases like this, when you are bringing your system in to have someone work on a specific component (not the hard drive), I find it is hand to have a small "I don't care about this" drive that you can slap an OS on, then remove and set aside. Then if you ever need a repair, put it back and remove the one with your actual data on it. (Or once I knew someone that had 2 drives in their system - 1 for the OS and 1 for data. I suggested he remove the data one before bringing it in. And of course, they reformatted the one with the OS on it, even though he had requested doing nothing with the hard drive.) After having almost the exact same thing happen to a friend of mine a few years ago, that is what I did for his system, and what i recommend to anyone going to have the systems worked on by "geniuses" or "geeks".

Re:Make the repair shops pay for loss of data

[Mister+Whirly]

When I repair a computer, I set the terms, not the customer. I would never agree to pay for an inflated damage cost, ever. As a matter of fact, I tell them flat out I am not responsible for any data loss that would occur. Not that I have ever lost anyone's data, but if I did I want it clear i am not liable for any monetary loss they would suffer. If their data is THAT important, they have multiple backups, right?