What Data Recovery Tools Do the Pros Use?

Life2Death writes "I've been working with computers for a long time, and every once and a while someone close to me has a drive go belly up on them. I know there are big, expensive recovery houses that specialize in mission-critical data recovery, like if your house blew up and you have millions of files you need or something, but for the local IT group, what do you guys use? Given that most people are on NTFS (Windows XP) by the numbers, what would you use? I found a ton of tools when I googled, and everyone and their brother suggests something else, so I want to know what software 'just works' on most recoveries of bad, but partially working hard drives. Free software always has a warm spot in my heart."

I Like Knoppix with a Good BIOS

[eldavojohn]

I'm not a pro in this department although I've saved a lot of partial data from hard drives for some friends (I'll be very interested in these comments).

I use a live CD of Knoppix which has really good system repair and troubleshooting [wikipedia.org]. I also have another important tool which is an old Dell Intel motherboard that allows me to set the rotational speed of the drive. Example: my friend's laptop is giving him the click of death so I pop out the IDE drive and hook it up to a 2.5" to 3.5" connector and plug it into the motherboard with a working 1TB 3.5" slaved. On boot up, I hit the BIOS and set the speed as low as it can go or low enough like 1,000 RPM. Then I boot into Knoppix live CD and check to see if I can mount the file system. Knoppix seems to be able to mount a lot of partitions that other more stringent flavors of Linux don't. Sometimes it clicks from the get go and there's nothing you can do. But if it doesn't, then I set a script up to copy their most valuable directories first onto the working 1TB drive. I let it run all night or weekend and check the drive periodically for heat problems. People are surprised what you can save for them doing this ... the downside is sometimes I'm surprised in what I save for people--p0rn is not worth my time.

Knoppix with a Drive Adaptor

[Push Latency]

For your health!

My .02

[NES HQ]

Not to be a smartass, but...

For the folks (family and friends) that seem to think I'm a free computer repair store I told them to go buy a cheap USB hard drive and just set up a quick and dirty batch file to back things up nightly (or weekly, depending on how big their files are).

I've told them to do this or there's a good chance that I won't be able to recover their files if their PC crashes. This is an easy solution, cheap, and requires virtually no end-user interaction. That last bit is especially important since I've found that they typically ignore even the easiest backup procedures (e.g. copy C:\My Documents to D:\).

As for the original question, I still do attempt file recovery for the stubborn ones who ignore my backup advice. I've had moderate success with various pieces of software. Just Googled "hard disk recovery software." Interestingly enough, different programs have recovered different data on the same HDDs...

SpinRite

[powerbooklinux]

Does the job when all hope is lost. I've used it many times for myself and clients. $89.00 and worth every penny. http://spinrite.info/ [spinrite.info]

Re:dd

[greed]

On the other hand, if it's a thermal problem, you may have to rescue in "chunks". I had a disk go that could only be used for about 10 minutes before it got too warm and shut down.

On the third hand, you may have something that looks like physical damage, but when you wipe the disk with zeros to confirm the fault and get ready for RMA-time, it all magically comes back. That's a sign you got corrupted data on the disk that the ECC couldn't deal with. (And probably that you've got a drive with questionable firmware, and is reporting the wrong kind of error: Fujitsu, I'm looking at you. Especially for not recording anything in the SMART counters.)

Re:for fat and ntfs

[pushf popf]

I've been doing consulting and software development for around 30 years, and when I was young and dumb, thought I could fix anything. Now I know better and have found that in this situation, the phrase "Wow, that's too bad. Where are your backups?" works nicely.

While there are all sorts of voodoo, data scraping bit-remunging apps available, at the point before you do anything you have no liability. After you "recover" the data, you're on the hook for everything forever.

All you need is for the customer to come back 2 years later and tell you they were sued into the dirt because something they were required to disclose was missing or incorrect and you'll wish you never took the job.

And even if they don't sue, there will be a never-ending stream of phone calls about broken documents, files they can't find and all sorts of other "un-tidyness".

And even if they don't call, there will be eternal uncertainty about the quality of the recovered data. Are their financials correct? What was that number that had the letters nearby really supposed to be?

My favorite drive recovery method is now BackupPC. You set it up, configure it for an appropriate number of incremental backups each day and let it fly. When a drive craps out, replace it, click the appropriate checkbox on the "Restore" page and press the "go" button. No doubt, no lawsuits, no untidyness.

Do-it-yourself Data Recovery is great if you like to putter with things and have lots of time and no liability (employees generally can't be sued by their employer) however when actual money is at stake, it's better to just send the drive out and let someone who is actually equipped and staffed to do the recovery handle the work.

To put things in a different perspective, how happy would you be if the county tried to sell your house for unpaid taxes because billy-bob "who's really good with computers" did their drive recovery and your tax payments were on one of the bad spots?

Re:Cannot beat RAID

[beodd]

I agree, RAID is not perfect but as for restoring data from a failed drive via some sort of recovery software will be useless in the case of multiple failures.
I work on large SAN/NAS arrays and there is never any full proof way of getting data back. Even if the OS is backed up to tape there is always the chance that the parity will fail, exc.. Most raid controllers are capable of detecting existing RAID configurations so replacing a card should no be that big of a deal. I will give you that it is never full proof and I have even seen data loss on a raid from swapping controllers.
The most awesome safest configuration I have ever seen was a SAN with dual channel drives connected to dull array controllers in a MESH SAN network. The SAN hardware is capable of dynamic RAID 50 with global hot spares. Then on top of all that the entire configuration was mirrored off-site via dark fibre then weekly full backups and daily incremental backups. Oh, and each workstation was connected to the MESH with 4 fibre controllers. There was no single point of failure in this configuration. Was a honor to work on that array.

Re:Cannot beat RAID

[beodd]

Oh, I forgot, It also had scheduled snapshots on the LUN so it could be recovered to any point at any time.. Was such a beautiful thing..

Crashed drive with a virtualbox image

[ThomasDePaine]

Last week I crashed drive with a virtualbox image on it. The nature of the crash was a ground loop spike while programming a microcontroller board. This spike blew a big capacitor on the board, fried tracks, wiped out 1 of 2 usb controllers on my laptop and zapped my second hard drive. By murphy's law I had just cleared off the one hard drive that was the recent backup for this vdi file and now I'm left with a two year old backup (after looking through about 50 dvds and 6 old hard drives). I bought an equivalent hard drive on Ebay and swapped out the electronics to no effect. Seeing that people swapped out the heads I tried it but all I get is major clicking. Opening up the drive I see a faint mark where the head was trying to traverse the top of top platter (there are two platters). I'm pretty sure that the spindle motor isn't fried. How screwed am I?

Re:Well

[bonehead]

When did this start? I had to do this at home not to long ago to save some data from a relatively recent 500GB drive. That worked out fine.

I'm not doubting you, just curious.

Re:dd

[Kiaser Zohsay]

ddresuce (or dd_rescue) is a better choice here, because instead it will write zeros in place of read errors, so that successfully read block later on are in the right place. You can also set it to retry error block multiple times, and record progress to a log file so you can resume the retries at a later time.

if Linux doesn't work

[kimvette]

if the tools you can get for Linux don't work, check out R-Studio [r-tt.com].

If you come across a product called "Stellar Phoenix" RUN AWAY. They are the shittiest company in existence. A few years ago I needed a tool and the demo of Stellar Phoenix seemed it would work (it lists the files it said it could recover) so we purchased it only to find that it could not recover them. Come to find out that while they claim support for ALL of NTFS's features, their software WOULD NOT recover files compressed using NTFS compression. This was despite their claims of NTFS5.1 support. They refused to issue a refund and it was a months-long battle so we finally complained to Amex to try to get a chargeback against them but we tried to work it out directly with stellarinfo for too long, so it was too late. They (stellarinfo) claim a 30-day money-back guarantee but DO NOT HONOR IT - or at least they didn't back then.

We then tried R-Studio, and their trial software listed files it could recover - AND it could recover 64KB chunks to prove it. So for some files I needed immediately I used the trial to decompress and reassemble the files (in 64KB chunks, and then catted them together), and for the rest when we received the key for the full version. We were able to recover every single file. I've used R-studio for clients since then and it has worked every single time, providing the drive will enumerate.

If the drive will not enumerate you have two possibilities: freezing it in CO2 (I have had success with that), or finding another of the same model drive with the same firmware and swap PCBs, and hope that the problem is with the controller and not the drive itself.

Why was there no backup? Believe me I asked the same question. :)

Summary:

free Linux tools - good
R-Studio - Awesome
stellar phoenix from stellar info - snake oil from a shitty company comprised of douchebags

Re:Spinrite works miracles

[Anonymous Coward]

I'll chip in with a thing or two about SpinRite.

Firstly, I have used it and agree that it's very good and does what it says. It takes advantage of at least some degree of knowledge of the mechanical properties of the actual physical disk, along with extremely low-level access (such as cleverly detecting the temperature of the disk on modern BIOSes and optionally waiting for it to cool down before continuing). Steve obviously knows what he's doing, and it's too bad that all of the technical documentation is written in market-ese; there's clearly a good knowledge of science and technology behind the product, but I can't follow much of it because the explanations of the principles of operation are virtually nonsensical. Obviously his strategy, but a shame for the rest of us (and possibly counter-productive - I almost dismissed it without a giving it a chance on account of its documentation, and only tried it in the end because I've used other programs by Steve that are exactly what he says they are).

But I'll also add that it works by making modifications to the data on disk. As has been said many times here, it's a very good idea to make an image before you let this program loose. Honestly, if this program can't save it, then I don't know how much luck you'll have on the image, but it's a good habit to be in anyway. And besides, you should try working on the image first and only using SpinRite as a last resort. It's good, but if the disk is faulty then it's probably not going to be fast.

Re:My .02

[bonehead]

I used to do the in-home thing on the side several years back. Even at $100 an hour for regular home users, I had enough business going that I could almost have quit my day job.

But, you're right. Home users whine way, way too much. They also have no concept of "business hours". They don't think twice about calling you at 10:00 pm to ask why some website won't load. They also seem to honestly and truly believe that their blown power supply is your fault because you installed Office on their computer 6 weeks ago ("Well OF COURSE I expect you to fix it for free! You broke my computer you son of a bitch!").

In the end, I decided that while the money was pretty decent, my sanity was more valuable.

Freeze the drive, seriously...

[DomNF15]

We recently had an NTFS drive on one of our Dell servers go partially bad. Windows wouldn't boot or read it. I had limited success using various Linux Live distros along with tools like PhotoRec (http://www.cgsecurity.org/wiki/PhotoRec) since the drive was part of a Windows logical raid array. Don't be fooled by the website, the tool works for all kinds of files, not just photos, on various file system types. In the end, someone I work with suggested putting the drive in a ziplock bag and freezing it for a few hours. The rest of us were skeptical, but were also at our wit's end trying to recover the files from this drive, so we tried it. Amazingly, we were able to boot the drive normally and recover the needed files before it got back up to normal operating temperature and failed again.

Re:Software

[miggyb]

I agree. Trinity Rescue Kit is all you need if you're getting your mother's vacations pictures from a hard drive that isn't fully dead yet. That and a fridge [blogspot.com]