What Data Recovery Tools Do the Pros Use?
Life2Death writes "I've been working with computers for a long time, and every once in a while someone close to me has a drive go belly up on them. I know there are big, expensive recovery houses that specialize in mission-critical data recovery, like if your house blew up and you have millions of files you need or something, but for the local IT group, what do you guys use? Given that most people are on NTFS (Windows XP) by the numbers, what would you use? I found a ton of tools when I googled, and everyone and their brother suggests something else, so I want to know what software 'just works' on most recoveries of bad, but partially working hard drives. Free software always has a warm spot in my heart."
for fat and ntfs (Score:5, Informative)
GetDataBack (Score:5, Informative)
Re:for fat and ntfs (Score:1, Informative)
I agree - I have a lot of success with this package...
Well (Score:5, Informative)
ddrescue
But to be honest, if you've hit that point for an "enthusiast" user, then you're already on your last legs. If you ain't got a backup, forget it - the chances of getting one particular file you've lost might be good, the chances of recovering any significant amounts and being able to verify their integrity are bad.
Plus, with SSDs, flash, memory cards, etc. the chances of being able to recover *anything* from a faulty drive without professional equipment are fast approaching zero. Most USB Flash drives just "die" when they hit their write limits, rather than fail gracefully into read-only mode.
None! (Score:2, Informative)
Real professionals never lose their data.
Re:for fat and ntfs (Score:5, Informative)
It has saved my data many times.
R-Studio (Score:5, Informative)
Back when most data recovery and disk utility applications didn't work on Vista (and many still don't) I found one called R-Studio. It managed to recover a whole lot of data off a damaged flaky 5TB RAID 5 array, which is pretty impressive considering it was the only application at the time that could even recognize it as a drive, all the others just call it a damaged volume.
As far as I know it's still the only one that can do RAIDs, at least as far as I can find. It also allows many customization options of searches and doesn't oversimplify things too much. It takes forever but it finds any potential damaged file systems and then lets you use whichever one you like to recover whichever files you like. It can also be used to recover deleted files.
As far as I recall it's pretty cheap, at least compared to a few out there, and worth a try. But with all recovery and security software, I find the information and their website extremely generalized and vague about what exactly you can do, so I always download the software first to make sure it can do what I want, which 90% of the time it can't, and then if it works I buy it. It's not the most legal practice but if they don't offer demos and won't be specific about what their software does it's the only practical solution.
This question exists on Serverfault.com (Score:1, Informative)
You may find the following threads helpful:
http://serverfault.com/questions/4331/crashed-hard-drive-data-retrieval [serverfault.com]
http://serverfault.com/questions/4482/hard-drive-data-rescue-services [serverfault.com]
Freeware does the job. (Score:3, Informative)
Further Info: I phoned a Tamworth, UK-based company (Google it if you're bothered) regarding recovering a file from a USB drive for a teacher where I tech. They asked what I did so far to recover the file, I said I'd run some freeware recovery tool. They told me that's all they'd do, as they don't make money spending any more than about 5 minutes on it. If that can't find it, and you don't have hundreds / thousands of pounds to spend on engineer time, it's the best you'll get.
Pros avoid having to use data recovery tools. (Score:5, Informative)
Pros make sure they have good backups. Pros tell their users "nothing on your laptop/desktop is backed up", make that corporate policy, and respond to virus infestations by re-imaging the victim's computers to make sure that everyone's too damn scared of Mordac the Preventer to keep anything on local storage.
dd (Score:5, Informative)
dd if=/dev/sdb of=dump.img bs=512 conv=noerror,sync iflag=direct
Once a drive has started failing the first thing you want to do is get as good a copy of everything as you can manage. If it's a physical problem, especially if it's a damaged platter, then it tends to get worse as the drive is used. Get everything off and then work on the copy.
Tim.
TRK - dd/dd_rescue/ddrescue, Restorer (Score:5, Informative)
It depends on the type of failure, but generally, I start with a ddrescue [gnu.org] to get an image of the drive, especially if the drive is running bad sectors. Either I set the image to go to a secondary spare drive or I push it across the network. ddrescue is nice in that it doesn't bail when it hits those bad sectors, can run in reverse mode, and eventually it'll get as much as isn't corrupt on the drive into the image.
After establishing the image, the original failed drives go into ESD bags and aren't touched again unless they are to get shipped to one of the expensive clean room type places for their style recovery.
Most of the win32 drive recovery softwares out there can handle reading from an image file, so from here on out, I work with the images I took with ddrescue. Restorer has worked pretty well for me on getting things back from hard drives, CF cards, and even raid sets (figuring out the cluster sizes on the raid can be a pain if you don't happen to know them, but the software does support reassembling raid drives from the images you take of the single drives).
Most of the win32 packages out there have support for making the original images, but I haven't had as much luck with most of them when dealing with severely corrupted drives or with a large scattering of bad sectors. Either they take far too long to make it through the image or they end up failing to get by the bad sectors.
Regardless of what you end up picking, you don't want to use any of the recovery tools that advertise how they can fix the partition table and such on the drive, live . . . any recovery operation that thinks it is ok to 'fix' a drive with data on it you want to recover has the wrong mindset. The data is important, not making the drive work again.
EASEUS Disk Copy (Score:2, Informative)
Re:Freeware does the job. (Score:3, Informative)
Spinrite works miracles (Score:4, Informative)
Re:Well (Score:5, Informative)
Here's one that's saved my butt several times.
Often times when a drive fails it's not the physical mechanism that goes bad, it's something on the circuit board. If you can find an identical drive (should be pretty easy in a corporate environment, could be tricky for a home user), just carefully remove the board from the good drive and install it on the bad one. You'd be surprised how many times that "totally dead" hard drive will start working like new.
The software solutions are great for some situations, but they can't do anything if the drive isn't even visible to them.
One time I used Me (Score:3, Informative)
Uphill, both ways, in the snow.
This is the ultimate last resort if you absolutely, have to, get a file back.
Re:for fat and ntfs (Score:3, Informative)
By necessity, I discovered and used this software just last night, and the data recovery process was smoother than I had anticipated. At one point when I was copying the salvaged files to a good drive, Windows took exception with one of the files and started barking one of its usual program-terminating error messages. I was afraid that I'd have to have GetDataBack reread the whole drive and start the whole process all over again, but the program was robust enough to avoid crashing. It just moved on to the next file and kept on going. It's not often that I pay for software but this was $80 well spent.
Depends (Score:3, Informative)
We usually start off with a bootable XP CD. Often there isn't anything really that messed up, and you can read the data that way with no problems. There are a couple of free programs, the names of which I can't remember off the top of my head, that do a fine job for "undeleting" files.
If it won't read in that, the next step is usually Knoppix. You can tell it to force mount a bad partition. Now that is a mixed blessing since sometimes the data you'll get is garbled which is why you try something else first. However, barring any serious problems, it'll usually mount and read.
If both of those have problems, the next step is the tools from the drive manufacturer to check for physical problems. You set those to do a full scan. At this point, there are three possible results:
1) It runs to completion, no errors. Means the physical disk is fine, it is all a logical data problem. Now go back to bootable Windows and run a checkdisk. Reason we didn't do this earlier is the moving of data checkdisk does can screw things up worse if there are physical problems.
2) It runs to completion, errors found and corrected. Back to Windows or if that doesn't work Knoppix to try and read the disk again. Usually it'll read, checkdisk it if not.
3) It errors out and gives a diagnostic code meaning serious, unrecoverable errors. We are now at another juncture:
a) The data is really important. At this point, time to send it off to a specialist. Gillware.com is who I like. Pack it up and mail it off, you probably get your data back along with a bill for $300.
b) The data isn't critical, but we'd like to recover it. Run what I call "the magic disk destroyer." It's a program called Spinrite. It is a VERY aggressive recovery program. Because of that it is either going to get the disk readable, or fuck it up so bad nobody will be able to. Hence my nickname for it. Put the disk somewhere that you can have a fan blow on it, fire up Spinrite, and let it go for a day or two. See what happens.
A collection of small apps... (Score:2, Informative)
I agree with others about GetDataBack... it indeed is a good app.
Sometimes however, people have come to me with a hard drive with a FOUND.000 directory full (sometimes about 10GB) of CHK files... for that I recommend:
http://www.ericphelps.com/uncheck/ [ericphelps.com]
It is free and does a good job recognizing the supported files.
Also, it is worth getting something like mplayer or VLC and try to manually open the biggest CHK files to see if they are some kind of media file.
Additionally, a hex editor like xvi32 can be helpful to give a fast glance at the header of the file and see what it is... maybe reading the folder with a Linux distribution (which gets the description of the file based on the content rather than the extension) could also help... but for other more obscure things, a hex editor is good (of course you need to be familiar with several headers... yay I feel 1337!)
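Added example (not part of the comment above or of the UnCHK tool it links): the header check described there, done in Python over a FOUND.000-style directory of CHK files. The signature table covers only a few common formats, the function names are illustrative, and the sample files are constructed; the script only proposes names and renames nothing.

```python
import os
import tempfile

# (offset, magic bytes, extension) for a few common formats; first match wins.
SIGNATURES = [
    (0, b"\xff\xd8\xff", "jpg"),
    (0, b"\x89PNG\r\n\x1a\n", "png"),
    (0, b"GIF87a", "gif"),
    (0, b"GIF89a", "gif"),
    (0, b"%PDF-", "pdf"),
    (0, b"PK\x03\x04", "zip"),  # also docx/xlsx/odt/jar containers
    (0, b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),  # legacy doc/xls/ppt
    (0, b"ID3", "mp3"),
    (4, b"ftyp", "mp4"),  # ISO base media family: mp4/mov/m4a
]
# RIFF is a container: the real type sits at bytes 8..11.
RIFF_SUBTYPES = {b"AVI ": "avi", b"WAVE": "wav"}


def identify(header):
    """Return an extension for the given leading bytes, or None if unknown."""
    if header[:4] == b"RIFF" and len(header) >= 12:
        return RIFF_SUBTYPES.get(header[8:12])
    for offset, magic, ext in SIGNATURES:
        if header[offset:offset + len(magic)] == magic:
            return ext
    return None


def plan_renames(directory):
    """Map each .CHK file to a proposed name (None if unrecognised).
    Read-only: the recovered files themselves are never modified."""
    plan = {}
    for name in sorted(os.listdir(directory)):
        stem, ext = os.path.splitext(name)
        path = os.path.join(directory, name)
        if ext.lower() != ".chk" or not os.path.isfile(path):
            continue
        with open(path, "rb") as fh:
            kind = identify(fh.read(16))
        plan[name] = f"{stem}.{kind}" if kind else None
    return plan


def build_sample_dir():
    """Constructed sample data: tiny files carrying only realistic headers."""
    directory = tempfile.mkdtemp(prefix="found000_")
    samples = {
        "FILE0000.CHK": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32,
        "FILE0001.CHK": b"%PDF-1.4\n%constructed sample\n",
        "FILE0002.CHK": b"RIFF\x24\x00\x00\x00WAVEfmt ",
        "FILE0003.CHK": b"\x00" * 64,  # no known signature
        "FILE0004.CHK": b"\x00\x00\x00\x18ftypmp42",
    }
    for name, data in samples.items():
        with open(os.path.join(directory, name), "wb") as fh:
            fh.write(data)
    return directory


if __name__ == "__main__":
    for old, new in plan_renames(build_sample_dir()).items():
        print(f"{old} -> {new or 'unknown, inspect by hand'}")
```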
Comment removed (Score:4, Informative)
Re:Spinrite works miracles (Score:4, Informative)
I was using SpinRite back in the 90's - it was awesome then, but I wasn't aware they are still around.
I endorse the package from the 90s and if it is the same guys I'm tempted to endorse them today.
SpinRite 6.0 (Score:1, Informative)
SpinRite 6.0 has worked for me very well for many years now. It's slow, and has very very entertaining graphics. Under 2MB ISO.
Re:Spinrite works miracles (Score:5, Informative)
Same here. At $89, SpinRite is a bit on the pricey side, but I have recovered data from hard drives that I thought I had zero chance of saving. I figure since it saved hundreds of dollars in labor -- several times -- it was worth every penny. Especially in those circumstances where your highly paid datacenter techs thought it was a great idea to construct a RAID 5 from all identical hard drives from the exact same manufacturer lot. Sucks when two of those drives experience the exact same fault within a few minutes of each other. Fortunately I was able to whip out SpinRite and save the day, because otherwise we were looking at days and days of restoring from incremental backup tapes.
It's an ancient-looking DOS command-line utility, but I definitely give props to Steve Gibson for keeping SpinRite up to date to where it works on modern hard drives. $89 versus days and days of overtime pay for IT guys -- it certainly made me look pretty good come performance review time.
simple.. but not free. (Score:2, Informative)
Re:Spinrite works miracles (Score:1, Informative)
I can agree with endorsing SpinRite. It is currently in version 6, and development on it continues. I've used it to restore raid arrays, desktop and laptop drives, and every time it has worked well enough to get the drive working to have the data moved off of it.
Best $89 tool I've purchased in a long time.
Also, for uber-critical backup data, always throw in some PARity recovery data, as an added layer of recovery security. I've had PAR files save my ass from damaged optical backups.
Re:for fat and ntfs (Score:5, Informative)
My first attempt to recover his data was with ntfsundelete, [ntfsundelete.com] however it did not recognize the partition at all. I next used Disk Internals NTFS Recovery [diskinternals.com] program (Commercial) with the same results.
Finally, I Googled a bit and found the testdisk/photorec [cgsecurity.org] package and used that. It took about 40 hours to recover ~225GB data. It was unable to recover filenames, however it did create new directories for each directory it found and recreated the files in those directories, albeit with arbitrary names. Most impressively it did recreate the files with the proper file name extensions. With some creative perl scripting I could have even renamed some of these files based on meta data in the files. This was not necessary in my case.
Ontrack EasyRecovery Professional (Score:2, Informative)
The software, last time I checked, is no longer supported or updated. Ontrack now seems to specialize in data recovery, not data recovery software. I'm sure however you can find the software.... somewhere....
Circuitboard Repair or Replacement often necessary (Score:3, Informative)
As far as software goes, a combination of dd / ddrescue / strings / fdisk / grep / mount / and the r-studio suite from r-tt.com are what I use. Though, most of the time the drive is physically damaged, and it's not always inside.
For example, last week I had a laptop come in with no power to the drive. I examined the board with my eyes and my Fluke Multimeter and discovered that the power +5V on pins 41 and 42 wasn't reaching very far into the board and was basically disconnected at the first component. It looked to be a power-protection diode which had blown due to a surge. I was able to bypass it with a dot of solder, and once reassembled the hard drive powered on, I copied the data off. When the customer decided he didn't want to pay, well, I removed that solder dot before returning his drive to him without his data...
On 3.5" hard drives you'll often see a rectifier diode serving the same purpose, so when you run into a drive that doesn't spin up, check that out first. It's a small black component connecting the power to ground, and it shouldn't be passing electricity (but it will when it fails, so just pop it off to get your drive working again).
Other times a clicking drive can be fixed by just swapping out the board with an identical one from another drive. Sometimes, similar model number boards will work as well, but not often. It's a lot of fun trial and error. On the plus side, if the drive is totally fubar'd but still spins up, you can pop it open and do some hard drive spin art!
A mix of tools... (Score:3, Informative)
If the disk is good, but the OS hosed, try a Vista install DVD. Boot it into recovery mode, and one of the options is "copy files". (Honestly, the recovery tools included with Vista are a good first step). It'll copy the files to a USB hard disk.
If not, then it's time to boot Knoppix (which can mount NTFS just fine, thanks to ntfs-3g). If the disk is dying, but still good, use something like ddrescue to make an image (ddrescue uses dd to clone the disk, but it'll first do the good parts (fast), then try harder and harder on the parts the disk has problems with - this way you'll get the good parts of the disk off quickly and it can concentrate on the bad parts).
If you lost your partitions, gpart works great at seeking and finding 'em. One of my coworkers had just that problem and gpart managed to recover the partition table...
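Added example (not from any commenter, and not ddrescue's own code): a Python simulation of the image-first strategy the dd and ddrescue comments in this thread describe. A fast pass zero-fills unreadable chunks so offsets in the image stay aligned (the effect of `conv=noerror,sync` in the dd command quoted earlier), then a second pass retries only the failed areas one sector at a time. `FlakyDisk`, `rescue` and the bad-sector layout are constructed for illustration.

```python
import hashlib
import io

SECTOR = 512


class FlakyDisk:
    """Constructed stand-in for a failing drive: any read that touches
    a sector listed in bad_sectors raises an I/O error."""

    def __init__(self, data, bad_sectors):
        self.data = data
        self.bad = set(bad_sectors)

    def size(self):
        return len(self.data)

    def read_at(self, offset, length):
        first = offset // SECTOR
        last = (offset + length - 1) // SECTOR
        if any(s in self.bad for s in range(first, last + 1)):
            raise OSError(5, "Input/output error")
        return self.data[offset:offset + length]


def rescue(disk, image, chunk_sectors=8, retries=2):
    """Copy disk into image; return the sectors that stayed unreadable."""
    total = disk.size()
    chunk = chunk_sectors * SECTOR
    pending = []
    # Pass 1: large reads. A failed chunk is zero-filled and queued, so
    # every byte that was read lands at its original offset.
    for offset in range(0, total, chunk):
        length = min(chunk, total - offset)
        try:
            data = disk.read_at(offset, length)
        except OSError:
            data = b"\x00" * length
            pending.append((offset, length))
        image.seek(offset)
        image.write(data)
    # Pass 2: revisit only the queued chunks, sector by sector.
    bad = []
    for offset, length in pending:
        for off in range(offset, offset + length, SECTOR):
            size = min(SECTOR, offset + length - off)
            for _ in range(retries):
                try:
                    data = disk.read_at(off, size)
                except OSError:
                    continue
                image.seek(off)
                image.write(data)
                break
            else:
                bad.append(off // SECTOR)  # stays zero-filled in the image
    return bad


def sha256_of(image):
    """Hash the finished image so later working copies can be verified."""
    return hashlib.sha256(image.getvalue()).hexdigest()


def demo():
    # 64 sectors, each filled with (sector number + 1) so none is all zeros.
    data = b"".join(bytes([n + 1]) * SECTOR for n in range(64))
    disk = FlakyDisk(data, bad_sectors=[10, 11, 40])
    image = io.BytesIO()
    return disk, image, rescue(disk, image)


if __name__ == "__main__":
    disk, image, bad = demo()
    print("unreadable sectors:", bad)
    print("image sha256:", sha256_of(image))
```

The returned sector list plays the role of a rescue map: it tells file-system recovery tools working on the image which regions are zero padding rather than real data.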
dd + Advanced NTFS Recovery ($100) (Score:1, Informative)
I salvaged a lot of files from an NTFS partition on a badly failing drive by plugging the drive into another computer, making a dd image (it took several days due to all the disk errors), and then using Advanced NTFS Recovery on Windows to recover files from the dd image. You can use dd under Linux and transfer the image to a Windows box or just use the Cygwin version of dd. Advanced NTFS Recovery has a free demo, but it's fairly useless unless you register it (for $100). The demo only shows you the files it would recover, without actually recovering them. I was reluctant to pay that much, but it seemed to recover far more files than any of the other free or commercial demo tools I found at the time.
Re:My .02 (Score:4, Informative)
Even sadder, is I do this for a living - onsite, in home repair & installation - and the reality is they just whine about having to pay you for watching the progress bar. Pickup & dropoff involves so much less whining.
Re:I Like Knoppix with a Good BIOS (Score:2, Informative)
If you can't find a board to swap (Score:2, Informative)
Re:XFS (Score:2, Informative)
As an official Data Recovery Professional, most of the over the counter tools work well in various situations. But, most require a stable hard drive with minimal sector damage.
- The first step in data recovery is to stabilize the drive. (leave this to the pros...and we DON'T use freezers)
- The next step is to do a sector level mirror. We use very expensive hardware for this step. DD will work, but if the drive has a lot of media damage, it may be still worth getting a professional to do the job before the problem gets worse.
- The next step is to deal with the file system and recovery. This is where your software tools come in. Again, we use very expensive programs for this step, but we also play with some of the programs mentioned above.
When I talk to IT professionals about using our services, they have a preconceived idea that data recovery always costs thousands of dollars. This is usually because the IT professional does everything they can think of (freezer, open the drive, tap with a hammer) to recover the data before passing the job over to the data recovery lab. As a result, the data recovery labs tend to charge more because of the added problems caused by the previous attempts. My company does not charge more because of what was done, but we have had to give clients bad news because the data is unrecoverable because of what was done.
In short, if the data is valuable, don't use the freezer or programs like SpinRite; rather, get a free quote by a data recovery professional. If the price is too high, get a second opinion. If the second opinion is too high, then you have nothing to lose.
Re:Spinrite works miracles (Score:4, Informative)
Recuva + good controller (Score:3, Informative)
Recuva (http://www.recuva.com/) is free and works pretty well. It has a handy preview feature too, although it doesn't always work.
To be honest, there isn't really much beyond what Recuva can do. Some paid-for tools support scanning for a few more file types in situations where the filesystem is gone and you have to scan the whole disk, but unless you happen to have files in some unusual format then there is no real advantage.
The one thing which does make a big difference is the drive controller. Some chipsets are a lot better than others at dealing with knackered disks. You need one which does not lock up for long periods or try to read bad sectors too many times, otherwise your scan will take days or weeks with no improvement in the amount of data recovered. ATI chipsets seem to be best.
List of data recovery tools (Score:3, Informative)
Here is a list of data recovery programs I have put together. Some of them may be a little old, for floppies or optical media only, but should still be useful. Unless otherwise noted, they are all for Microsoft Windows.
A-FF Labs [hdd-tools.com] - NTFS Undelete [ntfsundelete.com] and Partition Find and Mount [findandmount.com]
Access Data [accessdata.com] - FTK Imager [accessdata.com]
Acronis [acronis.com] - RecoveryExpert [acronis.com]
Advanced NTFS Recovery [ntfsrecovery.com] - NTFS Recovery [ntfsrecovery.com] (may handle FAT32 as well)
bitMART [bitmart.net] - Restorer Ultimate [restorer-ultimate.com]
Brant, Dmitry [dmitrybrant.com] - DiskDigger [dmitrybrant.com]
BriggSoft [briggsoft.com] - Directory Snoop [briggsoft.com]
CGSecurity [cgsecurity.org] - TestDisk [cgsecurity.org] and PhotoRec [cgsecurity.org]
Convar [convar.com] - PC Inspector File Recovery [pcinspector.de]
Digital Assembly [digital-assembly.com] - Adroit Photo Recovery [digital-assembly.com] (pictures only)
DiskInternals [diskinternals.com] - NTFS Recovery [diskinternals.com]
DIY Data Recovery [diydatarecovery.nl] - iRecover [diydatarecovery.nl]
DTI Data [dtidata.com] - Recover It All [dtidata.com]
DataRescue.Com [datarescue.com] - PhotoRescue [datarescue.com] (intended for flash RAM cards, which are typically formatted with FAT, may work with other devices as well)
EASEUS [easeus.com] - Data Recovery & Security Suite [easeus.com]
Fsys Software [dfsee.com] - DFSee [dfsee.com]
Gibson Research Corp. [grc.com] - Spinrite [spinrite.com]
Gillware [gillware.com] - GillWare File Viewer [gillware.com]
Higher Ground Software [highergroundsoftware.com] - Hard Drive Mechanic Gold [highergroundsoftware.com]
Kato, Brian [aumha.org] - Restoration [aumha.org] (also here [cnet.com])
LC Technology [lc-tech.com] - [lc-tech.com]
[Continued in next message, as for some reason, Slashdot would not let me post in its entirety (too many URLs?). AG]
Mac OS X options (also: the freezer trick) (Score:3, Informative)
Also, a couple of times I've had dying drives that work OK for a few minutes after a cold boot, and then they (heat up and) die. I've had good luck throwing the drive in the freezer (in a ziplock bag) for a day, then powering it up, recovering as much as I can until the drive chokes again, lather, rinse, repeat, until all recoverable data has been copied off to a good drive.
Re:Repair a clone of a clone (Score:3, Informative)
For me, SpinRite has successfully corrected fubared Windows installations (STOP error at boot, unreadable boot volume, registry
SpinRite is also the only tool I'm comfortable running on an encrypted volume.
It's not voodoo, and I run it quarterly for maintenance purposes.
Re:For a free solution, check (Score:3, Informative)
*idiots*, the only way to be sure is to remove the drive, but I guess it was part of the warranty deal.
Good filesystem to recover from, I have successfully recovered data from a drive formatted over ReiserFS. For all his quirks, it's a great filesystem. What did they format over it, NTFS I'm guessing?
Good Luck!!!!!
Re:Make the repair shops pay for loss of data (Score:3, Informative)
You would never get a technician to sign it.
I certainly would not, even though I do not reformat hard drives while there are any other alternatives. (I don't think I ever have, apart from when the customer walks in and says "reformat this for me.")
Hard disk drives dying on the operating table, or power supplies failing and zapping the drive controllers, are just too common for me to take liability for the data.
Re:Make the repair shops pay for loss of data (Score:4, Informative)
Re:Pros before Hos... (Score:3, Informative)
Wow, you're an asshole.
Maybe you should just do what you can for your family and then remind them that they should backup with their new drive. You know, as opposed to reinforcing the stereotype that all computer geeks are antisocial bastards that don't care about a person's feelings at all.