Storage media is more reliable than it’s ever been. But while drive failures are fewer and further between, technology improvements do nothing to protect you from the No. 1 cause of data loss: human error. It’s devastating to lose the only copy you have of any file -- that important document or irreplaceable photo -- all because you mistakenly formatted the wrong drive or hit Delete too quickly. It’s even more infuriating when you have only yourself to blame.
The good news is that the tools for recovering data from disk drives, SSDs, SD cards, USB drives, and most every other kind of media continue to grow in power, ease, and versatility. The hardest part may not be the recovery itself, but sorting through the welter of tools available and figuring out which one is best for dealing with your particular disaster.
In this roundup, we’ll look at a gamut of software products that you can use to recover data from damaged media, reformatted media, and the land of accidental deletes. Ranging from free utilities for nontechnical users to commercial packages for businesses, they include tools for Windows, Mac, and Linux, and they encompass a variety of use cases, from simple end-user recovery (Recuva) to recovery as part of a general system analysis (Sleuth Kit/Autopsy) to reconstruction of data from RAID arrays (Kroll Ontrack EasyRecovery Enterprise).
Whatever the nature of your particular data disaster, you’ll likely find the tool you need right here.
PhotoRec
Few data recovery tools out there are as immediately useful and versatile as PhotoRec.
A free open source project that runs on Windows, Linux, and Mac OS X (both Intel and PowerPC Macs), PhotoRec uses file signatures to detect and recover files in 400-plus data formats, with more added all the time. It’s even possible to add custom data signatures -- in case you’re attempting to recover data from file formats of your own creation.
PhotoRec is a good, cost-free first line of recovery for common file types. It’s also relatively foolproof to work with, and its more powerful options aren’t obtrusive. If all you need to do is yank the most readily recoverable data from a piece of media and you’re on a low budget, PhotoRec is made to order.
PhotoRec comes in two versions for each platform, a command-line/text-only version and a GUI version. The GUI tool is easier to navigate, but both editions can be automated through command-line parameters. In both cases, the recovery process is highly guided. The user simply picks a volume to recover from, a directory to write the recovered files to, and whether to recover from unused space only or the entire source volume. Choosing what kinds of files to scan for is optional.
PhotoRec supports most any block device or file type as a source. Supported files include the likes of VM disk images and image files stored in the Encase EWF format commonly used in digital forensics work. PhotoRec can also recover data from smartphones, provided they can be mounted as USB mass storage devices.
Whenever PhotoRec encounters data that’s a possible match for a known file format, it makes a best guess on the constituents of the complete file and writes the results into a subfolder of the target folder. Some options are available for more aggressive reconstruction of certain file formats, such as JPEG images, but for the most part, the best results come from files that aren’t fragmented. However, you won't get the original filenames; PhotoRec will automatically generate filenames for the recovered files.
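To make the signature-based approach concrete, here is an added example (not PhotoRec’s own code) of a minimal file carver: it scans a constructed raw image for JPEG and PNG headers, uses a per-format rule to find where each file ends, skips damaged hits, and names each recovered file from its offset because the original names are gone. The signature table is the hypothetical equivalent of PhotoRec’s custom signatures; adding an entry adds a format.

```python
import struct

def _jpeg_end(data, start):
    # JPEG: assume the file ends at the first EOI marker (FF D9) after the header.
    end = data.find(b"\xff\xd9", start + 2)
    return end + 2 if end != -1 else None

def _png_end(data, start):
    # PNG: walk the chunk list (length, type, data, CRC) up to IEND for an exact size.
    pos = start + 8
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 12 + length
        if ctype == b"IEND":
            return pos
    return None  # ran off the end: truncated or overwritten

# Signature table: extension -> (magic bytes at offset 0, end-of-file finder).
# A custom format is added the same way, which is what PhotoRec's custom signatures do.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", _jpeg_end),
    "png": (b"\x89PNG\r\n\x1a\n", _png_end),
}

def carve(data, signatures=SIGNATURES):
    """Scan raw bytes for known headers; return [(generated_name, offset, payload)]."""
    found, pos = [], 0
    while pos < len(data):
        hits = [(data.find(m, pos), ext, fn) for ext, (m, fn) in signatures.items()]
        hits = [h for h in hits if h[0] != -1]
        if not hits:
            break
        idx, ext, end_fn = min(hits)  # earliest header wins
        end = end_fn(data, idx)
        if end is None:  # damaged or truncated file: step past this header and go on
            pos = idx + 1
            continue
        # Original names are not recoverable from a carve, so generate one from the offset.
        found.append((f"f{idx:08d}.{ext}", idx, data[idx:end]))
        pos = end
    return found

def _chunk(ctype, payload):  # PNG chunk builder for the constructed sample (CRC not checked)
    return struct.pack(">I", len(payload)) + ctype + payload + b"\0\0\0\0"

# Constructed sample "disk image": slack, a tiny PNG, junk, a tiny JPEG, more slack.
SAMPLE_IMAGE = (b"\x00" * 16
    + b"\x89PNG\r\n\x1a\n" + _chunk(b"IHDR", b"\0" * 13) + _chunk(b"IEND", b"")
    + b"junk" + b"\xff\xd8\xff\xe0JFIF\0\xff\xd9" + b"\x00" * 8)
```

Running `carve(SAMPLE_IMAGE)` yields two hits, a 45-byte PNG at offset 16 and an 11-byte JPEG at offset 65; a fragmented file would come out wrong here just as the text warns, since the carver assumes each file is contiguous.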
PhotoRec also has a companion application, TestDisk, for recovering entire disks or partitions that have been lost due to damage or accidental deletion.
Sleuth Kit and Autopsy
Brian Carrier’s Sleuth Kit is a free open source digital forensics package -- a collection of tools for analyzing disks, both physical drives and disk images, and recovering data from them. According to Carrier, Sleuth Kit is used mainly by “law enforcement, military, and corporate examiners to investigate what happened on a computer,” so it’s mainly for recovering evidence of activity throughout a whole system, rather than recovering specific files from a single volume. For more casual use, it’s probably overkill, but it’s well suited to figuring out why data might have been lost on a system -- for example, because of a compromise in system security.
Sleuth Kit and several other tools in the same vein are wrapped up together in a GUI application called Autopsy, also provided by Carrier. The included tools come packaged as modules, allowing a prospective developer to roll their own or repackage an existing tool as a module. Both Python and Java are supported as module development languages, with the tools themselves either written in those languages or wrapped with them.
PhotoRec, discussed above, is among the included modules, so Autopsy is a handy way to make use of it in conjunction with other tools. Other components include the Recent Activity module, which extracts data from Web browser histories, looks for whatever programs were installed most recently, and examines the Registry hive by way of the RegRipper tool. Another module parses email in common formats such as PST or Thunderbird’s MBOX format. Still another module examines file types often found on Android phones.
Once you connect to a given volume or image file and start analysis on it, results begin to appear almost immediately in Autopsy’s GUI. If you’re performing a recovery operation on a large volume and you want to start passing the results to others as quickly as possible, this is a huge boon.
Most of the best features in Autopsy help perform reconstruction of events that took place on a system. The Timeline feature, for instance, collates results from various modules based on when they took place, and they can be filtered or narrowed based on a given time range or event type. Autopsy also allows for multi-user collaboration on cases, though that requires multiple third-party pieces -- PostgreSQL, Solr, ActiveMQ -- to be installed and configured.
Kroll Ontrack EasyRecovery Enterprise
With a guided wizard interface and straightforward workflow, Kroll Ontrack EasyRecovery Enterprise is designed for quick extraction of data from volumes, most notably RAID arrays that require reconstruction.
EasyRecovery can perform recovery operations from conventional hard drives, USB memory devices, optical media, mobile devices, VMware disk images, and disks from malfunctioning RAID arrays. In addition to being able to explore a volume and recover files from it (deleted or not), EasyRecovery can wipe drives, analyze media for errors or usage details, and perform disk imaging functions such as copying the contents of drives or writing a disk’s data to an image file. The Remote Recovery feature provides a built-in way for one instance of EasyRecovery to be remote-controlled by another instance of the program, as long as the two instances can talk to each other over a network via port 5900 (the VNC protocol).
Deleted file recovery works one of two ways: either by performing simple undeletes (by checking NTFS directory records) or by scanning the free space on a volume and attempting to reconstruct files on the volume based on heuristics. Discovered files can be inspected directly on disk by way of a built-in hex/ASCII/Unicode/binary viewing tool, a convenient way to see quickly if the files in question are what you’re looking for.
Unfortunately, if you’re scanning an entire volume, you can’t save out or examine files as they show up in the scan’s results. You have to wait until the entire scan is finished before determining if anything useful has turned up, unlike with Autopsy or PhotoRec. It also doesn’t appear to be possible to add custom file signatures to the application (as with PhotoRec), so you’re limited to the file types that are hard-wired into the program. What few controls exist are largely minor tweaks, such as whether or not to attempt to concatenate broken video streams during the recovery process. You can see log messages generated by the scan as they come in, although they’re somewhat cryptic.
One standout feature for enterprise users is the RAID array recovery tool, in large part because it isn’t limited to recovering only one or two types of RAID or JBOD. Support is included for a slew of common software and hardware RAID 0 and RAID 5 types: HP/Compaq, Adaptec, AMI, Silicon Image, Promise, and so on. Also included is an automatic reconstruction function, which can allegedly scan the provided disks and make an educated guess as to how the array was put together.
EasyRecovery can also recover data from a number of email clients: Outlook, Outlook Express, Eudora, Mozilla, Becky, and Windows Live Mail. One downside to the email recovery tool is that it doesn’t use the same workflow as the rest of the program. You have to open a separate interface for it via a toolbar button, then point it to a folder where mail files are known to reside. Browsing Outlook PSTs with a few gigabytes of data in them proved to be extremely slow; it sometimes took as long as a minute or two to display the list of messages in a given folder in the PST, and the tool would often show multiple copies of folders. According to Kroll Ontrack technical support, the program assumes the PSTs in question are damaged, and thus shows earlier versions of folders that may still exist. The team said the speed of email recovery will be addressed in a future version.
EasyRecovery isn’t cheap. You’ll pay $79 for the Home edition, $149 for the Professional edition, or $499 for the Enterprise edition reviewed here. Fortunately, all editions of the program have a free trial. The trial doesn’t allow actual data recovery, but it lets you see what can be recovered. EasyRecovery is available for both Windows and Mac.
Recuva
Created by the same outfit that gave the world the excellent CCleaner utility, Recuva provides a file recovery tool for Windows that’s as straightforward and easy to work with as CCleaner.
By default, Recuva fires up in a wizard mode, making it easy to perform point-and-shoot recovery jobs. You pick a file type (or go with “all files”), point the program at a specific drive, device, or common file location (such as the Recycle Bin), and choose whether to perform a quick scan or a deep one. Recuva will dig through the media in question and present you with a list of possible files for recovery. It’s even possible to scan shadow copies (snapshots) of mounted drives, although you can’t scan drive images unless they’re mounted as a local drive and available through a drive letter.
Like many of the other programs in this roundup, Recuva doesn’t let you peruse the results of a scan while it’s in progress; you have to wait for the scan to finish. The upside is that Recuva scans quickly. Even in “deep scan” mode, where it probes for a wider variety of file types, it took only 1 minute, 50 seconds to scan a 16GB removable flash drive, as opposed to the 10 or more minutes required of some other products. (PhotoRec was similarly fast.)
Once the scan is done, you’ll get a list of files with their original locations, last-modified dates, and general info about the health of the file. Files are color-coded by how recoverable they are. If one file has been overwritten by another, Recuva will let you know.
If you want more details about the recovery job, you can switch to advanced mode. There, you can search for files by name or contents, inspect header data on the file, or save the list of candidate files as plain text. You can also elect to run in advanced mode by default when you start the program. Saving the files is as easy as right-clicking on them in the list and selecting the Recover option. A secure-erase function lets you destroy uncovered data, in case you’re verifying an item that should have been erased to begin with.
| | Ease of use (25%) | Recovery speed (25%) | File types recovered (20%) | Media support (20%) | Overall Score (100%) |
|---|---|---|---|---|---|
| Kroll Ontrack EasyRecovery 11.5 | | | | | |
| Remo Recover 4.0 | 9 | 7 | 10 | 8 | 8 |
| Sleuth Kit 4.0.0 | 7 | 9 | 10 | 10 | 10 |