Review: File Recovery Tools

We've previously covered a range of tools to securely delete data, but what if you want to recover data? Perhaps you want to make sure a secure deletion works as intended, or restore data written over on a portable USB, or perhaps you've been tasked with recovering critical business data on the boss’s hard drive before tomorrow's important meeting.

There are many reasons it can be critical to have data recovery tools on hand, and while there are professional suites and services available, most losses come occur from simple mistakes that can be easily recovered with relatively cheap or even free tools that are readily available.

Types of tools

Data recovery tools can be roughly broken down into two categories: filesystem, and raw. Most tools will sport features to analyse the filesystem and dig up deleted file data. This doesn't always mean a file is recoverable, but it's a good place to start as the pointers to the sectors where the file should be found is often enough for the software to recover data. These tools are often quite easy to use, and sometimes include pre-defined file filters to help find that missing data quickly.

However, these tools aren't as useful if the filesystem has seen a lot activity since a file was lost, or worse if a partition or drive has been formatted or a partition deleted. But that doesn't mean all hope is gone -- this is where raw disk reading tools come, bypassing the filesystem and analysing the disk sector-by-sector. These tools have the advantage of being able to see and recover all manner of data filesystem-based tools miss, but actual data recovery can be much harder: files may need to be reconstructed, and if part of a file has been overwritten by another, only part of the data may be present. You also need to know what you're looking for – searching, for example, for a text string you know to exist in a document you want to find.

Even so, there are plenty of tools to perform even advanced file recovery. We've rounded up a handful of the best and tested their expertise in finding a sample of deleted files of different types. All passed with flying colours, so of our selection here, which is the better tool largely comes down to features and ease of use.

But first, a primer.

Data recovery best practices

Naturally, data recovery tools can only work with what they're given -- if the data you are looking for has been overwritten, you may only find part of what you're looking for, or nothing at all.

Which is why, the moment you're tasked with saving someone's ever-important document, there's a number of simple steps one should follow.

The first step is to have them stop using the machine immediately, to not launch any new programs and importantly not to close any either (unless they are actively writing to the disk -- a de-fragmentation program would be an extreme example of a program to close immediately!) -- a lot of software perform writes to the drive when closing, even something as simple as saving user preferences. Shutting down, in turn, is a big no-no as Windows closes programs and writes log files and other data during shut down.

The twisted irony of data recovery software is that if you don't already have it installed on a system (as if you were expecting to lose data), the act of installing the software will of course write to the disk, thereby increasing the chances you overwrite the very data you're trying to recover. Hence, if possible it's preferred to launch any recovery software from removable media like a USB drive. Fortunately, most tools will run fine like this, though they may need to be installed on another machine first and copied across (thanks to packaging installers). Some programs may be truly portable and come as a stand-alone .exe.

If a machine has already been shut down, the best course will be to boot another OS -- such as a Linux live-CD or Bart's PE (www.nu2.nu/pebuilder). Linux is actually a perfect recovery tool: not only are bootable live Linux images ubiquitous (most all distributions ship with one), Linux itself has a host of data recovery tools and natively supports NTFS.

Finally, if the data is crucially important it's a good idea to image the drive or partition before doing anything else. If booting an OS like a Linux live CD, this is easy enough to do (see 'Linux recovery distributions' for two options), but some portable Windows programs may let you image the drive as well. An image can act either as a backup, or the source of the data recovery being attempted. Either way, you'll have at least one copy of the drive in its unaltered state.

SSDs: complicating the matter

Because SSDs map spinning-disk sectors that modern operating systems and filesystems expect to on-board memory, not to mention the wear-levelling algorithms which continually work to prolong the life of an SSD by moving these pointers to memory, it's not possible to reliably access any given sector.

Data recovery tools, as we covered here, work just as well on SSDs as spinning-platter drives, with the exception that you're more likely to lose deleted data with SSDs -- as the drive maps new sectors for wear-levelling, 'empty' cells can be picked up and used for data, or wiped entirely via the device's garbage collection routines. Garbage collection is important for an SSD, pre-emptively cleaning cells to reduce the effect of write-amplification (where writing even a small 1kB file causes a whole 512KB block to be read, erased, modified and re-written). Additionally, with TRIM support now ubiquitous in modern operating systems (Windows, Linux and Mac OSX all support TRIM), the drive can mark blocks for clearing more rapidly when the operating system deletes a file, leading to old data being physically wiped and unrecoverable before perhaps you've had a chance to attempt recovery.

Linux recovery distributions

Linux is a perfect medium for recovery tools, not only being easy to boot and run from removable media be it a CD-ROM or a USB key, but its heritage in Unix brings with it a wealth of system tools including those to manipulate filesystem data.

There are a number of recovery distributions that cover pretty much all bases from undeleting files to raw-disk reading through to whole partition and disk recovery. Two tools to look for here are PhotoRec (the Windows version of which we cover here) and Foremost (foremost.sourceforge.net) -- a forensics file recovery tool developed by the United States Air Force of Special Investigations. Foremost is quite powerful, able to recognise and rebuild files based off their headers.

Two popular distributions include System Resuce CD (www.sysresccd.org/SystemRescueCd_Homepage) and Ubuntu Rescue Remix (ubuntu-rescue-remix.org), both of which come bundled with a range of data recovery tools and are designed to run directly from a bootable CD-ROM or USB key. Alternatively if you prefer to use Windows recovery tools, you can still use a Linux recovery distribution to boot and then image the drive, and the use the Windows tools to work on the image.

Recuva

www.piriform.com/recuva; Free

Recuva is from the same developers that bought us Crap Cleaner and Defraggler -- both simple and easy to use tools. Recuva is no different, with a clean interface and a helpful wizard to start the recovery process. This focuses on file types -- images, music, videos and so on -- but can optionally be set to just find all deleted files on a system.

The default review window can be a little overwhelming considering an average system is likely to have hundreds if not thousands of deleted files thanks to the way Windows operates (and to say nothing of a browser), so it's worth using the file type filters if you know what you're looking for. These are essentially file extension filters, so if the missing data is of a format not recognised in Recuva's filters, you may be stuck trawling through a long file list. That said, it does also nicely color-code results green or red that you can sort by -- with red being discovered filenames but whose data is unrecoverable.

You can also search an entire drive based on filename, or alternatively click the 'Scan' button and choose to do a search based on content. If this doesn't turn up results, there's an optional 'Deep Scan' mode which takes much longer, and which raw-reads the drive, to find deleted data. Recuva's not as feature-rich as some of the other tools covered here, but it does have one feature we like a lot -- it can optionally add a 'Recover delete files' option to the context menu of the Recycle Bin, and considering this is the most common location people will want to recover data from, it's the type of tool you could install on office machines and have staff recover their own files without having to bother the IT department.

GetDataBack NTFS

www.runtime.org/data-recovery-software.htm; Trialware

GetDataBack NTFS' catchy name promises to be your saviour should the worst happen. And, to its credit, it opens with a wizard asking what type of recovery you want to perform so it optimise its performance. This is followed by drive and/or partition selection, or alternatively you can load disk images or virtual disk volumes. Speaking of which, if you want to, GetDataBack can create a drive image before you begin, using this for recovery or as a backup before attempting recovery on the main drive.

After scanning, results are presented as directory tree of the drive, so you can navigate to where the file used to be. A built-in viewer allows you to preview files before trying to recover them, and you can optionally search the results with filename masks, date, and size. For problematic filesystems which may be damaged, an 'Excessive search' feature will basically raw-read the drive.

Unlike some of the tools presented here, there are no pre-defined file formats to search for, but then there's a great depth in the flexibility of GetDataBack's options in tailoring the recovery for specific scenarios (a format, inaccessible partition etc). It can also perform an analysis remotely over the network (though don't expect this to be fast!).

As the name implies GetDataBack NTFS only supports NTFS, though there is also a separate version for FAT. Note also that GetDataBack is trialware -- it can find files for you but you need to buy a $79 license to recover them.

PhotoRec

www.cgsecurity.org/wiki/PhotoRec; Free

Despite its name, PhotoRec can do more than recover lost photos -- it's rather good at recovering any and all deleted files on a filesystem.

If you care about interfaces PhotoRec isn't for you, as it's a purely console-based tool. However, once you tell it what drive or partition you want to recover files from, and choose a destination directory, it will happily recover [i]all[/i] files it can find. This is good if you don't know exactly what you're looking for, but time-consuming on a system with a large volume. It can be partially sped up by choosing the option to only try and recover files from free space, but if you don't find what you need here, you can direct PhotoRec to scan all sectors.

PhotoRec's strength lies in a database of some 400 file types that it can recognise and piece together -- this isn't based on file extension, as some of the other data recovery tools listed here, but actual headers of the files themselves -- hence it's able to recognise and recover file types regardless of their name or extension, and reconstruct partially deleted files, even if the file's metadata is no longer present in the filesystem. Where possible it will make a determination of where a file ends based on data it can read from its filetype header.

PhotoRec also comes with a tool called TestDisk aimed at assisting whole partition and drive recovery. However it, too, can also undelete files, but it presents found files as a long list, so you need to know exactly what you're looking for.

Both PhotoRec and TestDisk are portable and support Windows, Linux and Mac OS X as well as FAT, NTFS, ext2/3/4 and HFS filesystems. Not a pretty tool, but perhaps the most flexible and powerful listed here.

Wondershare data recovery

www.wondershare.com/data-recovery; Trialware

Wondershare wows with a pretty interface and initially follows the same layout as Recuva's wizard, but the results are presented differently. If not using a file filter, after scanning all deleted files on a device are presented and neatly broken down into a folder structure of categories -- for example, Word docs -- which makes it nice and easy if you know what file type you're looking for. If you'd prefer to browse results by path, this is provided by an alternate viewing tab.

There's a basic preview mode for images and some formats like Word docs, but it works based on extension, not actual content, and we found it couldn't even view simple text files, making it less useful than other tools here that can preview or search for contents within files. You can also skip the wizard and switch to 'Standard' mode, allowing you to scan for deleted files with or without its 'Deep Scan' mode, and to recover lost or deleted partitions -- helpful for those 'accidental format' scenarios.

There isn't much more to Wondershare. It's focused on simple file recovery tasks, and makes it easier through the use of its wizard, though it claims to recognise some 550 file types to assist finding the right file its categorised folder structure. It's also cheaper than tools like GetDataBack, but then the free tools we cover here are just as capable.

The trial version is fully functional but limited to 100MB of recoverable data. The full version costs $39.95.

File scavenger

www.quetek.com; Trialware

One of the few tools that touts Windows 8 support, File Scavenger bundles a lot of features into a tiny program. By default you can scan via partitions or disks, and the Quick scan and Long scan options show deleted files and their recoverable status (good, poor, et al). It defaults to a long list view, but a Tree View button breaks down the results by path.

You can narrow results by searching for specific file formats of which File Scavenger includes dozens ranging from sound and video through to Office and plain text. Multiple formats can be selected in a search.

The interface is clean and neat and, when run after being downloaded, will ask if you want to install it or run it directly -- aka portable mode, making it easy to use on a machine while still in the OS (for eg downloading to a USB key and running from there).

Impressively, it also sports a feature to reconstruct RAID 0 or 5 volumes prior to recovery -- and claims it can do this with both hardware RAID controller assembled arrays and the software-based method used in Microsoft's Dynamic Disk format.

About the only omission appears to be the ability to search for strings or patterns that you know a file contains to help you find it. Note that File Scavenger is trialware, supporting recovery of only 64k or less files unless a license is purchased. Pricing depends on use (personal vs professional) but starts at $49.95.

Restoration

www.aumha.org/a/recover.php; Free

Restoration is small, simple, portable and free. It doesn't have file filters or any advanced features, but what it lacks in added value, it makes up for in being a straight-forward disk scanner. Simply clicking 'Search Deleted Files' will turn up every undeleted file on your system, so it's helpful to at least supply a filename mask, especially if ticking the 'Include used clusters by other files' option. This is quite effective at finding pretty much anything resembling a file on the system: in an only lightly used Windows 7 system it still turned up close to 10,000 files.

Beyond this the only other option Restoration offers is the 'Scan all clusters' mode which is brutally thorough (and thus slow). The main fault for Restoration is the means to narrow down search results, beyond simply sorting by name, location or size. Otherwise, it's our selection of programs covered here because it's one of the few tools available that's truly portable, coming as a single 200kb .exe. It's also blazingly fast.

Undelete 360

www.undelete360.com; Free

Undelete 360 comes in two versions -- installable and portable. Note that, unlike File Scavenger, these are two different downloads so be sure to grab the right one. Unfortunately, you also have to dodge and navigate multiple fake 'DOWNLOAD!' advertising buttons on the download page to the actual files. Which is a pity, because it's a decent tool once you grab it.

Finding deleted files is simply a matter of clicking Search and choosing a partition or drive. Results are broken down by an easy-to-browse filetype list or alternatively path-based folder view. An optional filter can apply name, size and date masks to narrow down results, and there's a tick box to hide temporary files -- a neat little option since temporary files clog the results of all file recovery tools covered here.

Files are rated in their chance of recovery from 'Overwitten' (no chance) to 'Very good' (highly likely!) and interestingly the color-coded rated results are displayed in an overall progress-bar scan of the drive, showing at a glance how healthy the deleted files are on a filesystem.

Files can also be previewed through an optional preview tab, though it works off extension not content (eg an .ini file though text couldn't be previewed), as well as a Hex-view tab to look at the raw data, handy for file types Undelete 360 doesn't recognise.

There's also a secondary function alongside the Recover Files feature at the top -- Wipe Files. If your intention is to ensure a deleted file remains lost, you can use this to wipe a file, folder, or entire filesystem. Naturally, you don't want to get two features mixed up and go hitting the wrong button.

While not as feature rich as some of the other tools covered here, it has a clean interface and comes in a portable version. It's also free, which is hard to argue with.

Tags GetDataBack NTFSRestorationRecuvaUndelete 360WondersharePhotoRecFile scavenger

Comments

Comments are now closed

CSO Corporate Partners
  • f5
  • Webroot
  • Trend Micro
  • NetIQ
rhs_login_lockGet exclusive access to CSO, invitation only events, reports & analysis.
CSO Directory

Security Risk Management Solutions

Protect resources and ensure security compliance through incident detection, response, and remediation.

Security Awareness Tip
Security ABC Guides

Warning: Tips for secure mobile holiday shopping

I’m dating myself, but I remember when holiday shopping involved pouring through ads in the Sunday paper, placing actual phone calls from tethered land lines to research product stock and availability, and actually driving places to pick things up. Now, holiday shoppers can do all of that from a smartphone or tablet in a few seconds, but there are some security pitfalls to be aware of.