Data recovery has always been thought of as a mystical process that often involves trained professionals and copious amounts of money. While it's still a good idea to involve a professional with data recovery on a critical system, you would be surprised at what you can get done with a spare computer and some free tools. We have worked on several data recovery projects and would like to share our findings. This is a short guide to basic data recovery, and is not a comprehensive guide that will work in all situations. Follow these instructions at your own risk, and know when to involve the pros.
Stage 1 - Setting up the recovery environment
To ensure the best possible outcome for your recovery, you need to actually have a stable environment for the recovery to take place. Think of an operating room for example. Every aspect from temperature to tool placement to sterility is regulated to increase safety and ensure the success of the procedure. Data recovery is no different. While you won't need a clean room (unless opening mechanical hard drives, which is NOT covered in this guide), you still need a stable setup for your recovery. Below are some of the most important considerations; depending on your scenario, there can be many more worth taking into account.
- You need to ensure a stable power source for the computer system that will be executing the recovery. Imagine you are hours into a data recovery and the power suddenly flickers or goes out. Best case scenario, you just start over or resume the process. Worst case, that hard drive never spins back up again and you are stuck contacting a professional (expensive) recovery service. Obtain a suitable UPS (battery backup) for your data recovery computer and all peripherals. Be sure to TEST IT and ensure it can support the load for at least enough time to make other arrangements such as safely shutting down, pausing the recovery, or starting up a generator. This may seem extreme, but don't let a simple utility power failure stand between you and successfully recovering your data.
- The second consideration is the computer that will actually be executing the data recovery. This should be a reliable desktop PC from a reputable manufacturer, or a well-built custom system. Choose something like a Dell Precision workstation or an HP Z series desktop. It's okay if it's a bit older. In fact, a used but tested and validated system is ideal. So many modern computers are flawed, include cheap hardware, have buggy firmware, etc. and are not always reliable. Something like an HP Z800 workstation from 2012 is tried and true. As long as it has been maintained, something like that could be a great candidate. We recommend workstation grade machines as they are built to be reliable and dependable in an enterprise setting. You want a reliable machine when it comes to recovering your precious data. Avoid using a laptop or some crappy RGB-infested gaming PC you got from AliExpress. Regardless of which computer system you choose, be sure to test it thoroughly before using it for any recovery. Run memory tests, CPU stress tests, burn-in, etc. to make sure it's reliable before you put it to work recovering data. Be sure to connect any storage devices directly to SATA/SAS/IDE ports on the system board. Avoid using USB to SATA/IDE adapters as they are not very reliable and can prevent SMART data from being read from the drive. This of course does not apply to USB external hard drives where your only choice is to connect them to a suitable USB port on the motherboard. Also, be sure to provide adequate cooling for the device. You don't have to go overboard, but if a hard drive or storage device gets too hot during a recovery, it's going to fail. Something simple like directing a fan at the drive or placing it on a large metal heatsink should be sufficient as long as the room is kept at an appropriate, cool temperature.
- Operating system choice is probably going to be the most controversial consideration, but stay with us. We don't hate Windows or Microsoft, but DO NOT use any Windows operating system for critical data recovery operations, unless the recovery tool you need is only compatible with Windows. Here is why: Windows (by default) will immediately start indexing newly connected drives and most AV products such as Microsoft Defender will scan them for viruses. This results in unnecessary strain on an already unstable or failing disk. This is a risk that is completely unnecessary and easily avoidable. What's the solution? USE LINUX! Yes, seriously use a Linux OS such as Debian or Ubuntu. Installing Debian or Ubuntu with a GUI is simple, and most distros are pretty lightweight out of the box. Also, we have personally observed that most Linux operating systems will not immediately go to town interacting with newly-connected disks, which is important to avoid stressing the recovery source medium. Also, with Linux you don't have to worry about random updates, reboots, and nonsense like Candy Crush being automatically installed on your system! Most of the recommended free recovery tools work best on Linux anyway. Keep the recovery computer's operating system clean and light. Every additional program you install has the potential to interfere with the recovery process. We recommend installing the base OS (Debian or Ubuntu), updating it and just installing the recovery tool. Remember, it's a dedicated recovery PC, not your daily driver.
- One additional consideration is Internet access. This one is kind of extreme and we don't have a strong opinion, but would like to provide reasoning for both sides. Isolating the recovery computer from the Internet while executing a recovery operation can be a good idea to remove a point of failure. Perhaps in some extreme circumstance, it runs an update and interrupts the recovery process. Or maybe someone accidentally reboots it remotely via SSH. These are very unlikely, but should be considered based on the importance of the recovery. If you have to use Windows as the OS for the recovery computer, we would recommend isolating it from the Internet while a recovery is in progress. Reasons to have the system online really only include the need to monitor the recovery operation remotely, which can be useful for long recoveries. Use your best judgment to decide this one for yourself.
Stage 2 - Proceeding with the recovery
- Case of a mechanical hard drive that is still functional but is dying, unstable, or has bad sectors. This scenario is relevant to mechanical hard drives (HDD) that are failing or unreliable but not completely dead. There may be re-allocated sectors or the SMART status may indicate a current or predicted failure. In this case, time is of the essence. While most mechanical hard drives are forgiving when they are on their way out, time is limited. Once the drive is started and running it's best to keep it that way. Powering a failing hard drive down and back on too many times will likely seal its fate. Once you have the failing drive connected to your data recovery computer (running Linux ideally) your first objective is to begin imaging the drive using ddrescue. You could use dd first if the drive is not in that bad of shape, but we recommend skipping directly to ddrescue to avoid wasting time. ddrescue won't hurt even if the drive is fine. As mechanical hard drives fail, we have observed that they can oscillate between normal and extremely slow operation, and sometimes stop reading data completely. However, if you are patient, they will ramp back up again. That is why ddrescue is the right tool for this scenario. It is designed to be patient and recover as much data as possible, and it will wait for the drive to respond if it stops doing so. It will recover data as fast or as slow as the drive will allow and dynamically adapt to its behavior. Most other disk imaging or file copy commands will simply fail when the drive slows down and locks up for a moment. ddrescue can also make multiple passes and retry sectors that it was unable to read. Using this method, we were able to sometimes recover up to 99% of data from some very unhealthy mechanical hard drives. This process can take days, so be patient. Please refer to the ddrescue manual for the exact syntax as it will vary depending on your hardware and situation.
- Case of a missing or damaged partition table, master file table, FAT, etc. If you are working with a physically and electronically functional HDD or SSD, but have determined that the partition table or master file table is missing or damaged, you have different options. This could be caused by unintentional deletion of the partition, formatting of the disk, malware, or other software errors. In this case, data may still be present on the disk (unfortunately not if it's an SSD and has been trimmed), but the location of the data is unknown. Common operating systems may see no partition, a corrupt partition, or an unformatted disk. To recover data from a disk in this state, you would use a recovery tool that scans the entire disk surface essentially looking for files. How this works is a bit more complicated than that. Tools such as PhotoRec (TestDisk) contain a database of known signatures for the headers of common file formats. This includes file formats such as PNG, JPG, TXT, DOCX, MP4, etc. The headers of most common file formats are recognized by these tools while scanning the disk surface. Once a file header is found, the data that follows can be recovered and processed by the tool to regenerate the actual file. It is important to note that when performing this type of file recovery, you lose all folder structure and filenames. You will be left with several folders or loose files with randomly generated names. While this is inconvenient, it's still better than losing the data completely. We have had great luck using PhotoRec (TestDisk) by CG Security. It's a free tool and very easy to use. It has a command line and GUI version. Also, it recovers more file formats than just photos; we were confused by this at first. There is a long list of supported file formats on their website.
- Case of an encrypted drive. If you are working with a failing HDD or SSD that you know is encrypted, your only realistic option is to immediately image the entire disk using dd or ddrescue. You can image the disk directly to a suitable destination disk or an image file on a disk. Only once you have recovered as much as possible (ideally all) of the disk should you start working on decryption. This process will vary significantly based on what encryption tool was used, such as Microsoft BitLocker or VeraCrypt. If you do not know which encryption tool was used, you are in for a wild ride.
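For the failing-drive case above: ddrescue records which areas it has read in a mapfile, and that file is what tells you how much was recovered and which ranges a further pass still has to retry. The following is an added example, not part of the original guide or of ddrescue itself; it parses the mapfile layout described in the ddrescue manual, and the names parse_mapfile, summarize and SAMPLE_MAP are this example's own.

```python
# Added example: summarise a GNU ddrescue mapfile. SAMPLE_MAP is constructed.
STATUS = {"?": "non-tried", "*": "failed, non-trimmed", "/": "failed, non-scraped",
          "-": "bad sector(s)", "+": "rescued"}

SAMPLE_MAP = """\
# Mapfile. Created by GNU ddrescue (constructed sample)
# current_pos  current_status  current_pass
0x3F830000     ?               1
#      pos        size  status
0x00000000  0x3F000000  +
0x3F000000  0x00010000  -
0x3F010000  0x00800000  +
0x3F810000  0x00020000  *
0x3F830000  0x007D0000  ?
"""

def parse_mapfile(text):
    """Return (current_pos, [(pos, size, status), ...]) from mapfile text."""
    rows = [ln.split() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]
    if not rows:
        raise ValueError("mapfile has no status line")
    current_pos = int(rows[0][0], 0)      # status line: pos, status, [pass]
    blocks, expected = [], None
    for fields in rows[1:]:
        if len(fields) != 3 or fields[2] not in STATUS:
            raise ValueError(f"malformed block line: {fields}")
        pos, size = int(fields[0], 0), int(fields[1], 0)
        if expected is not None and pos != expected:
            raise ValueError(f"gap or overlap at {pos:#x}")  # truncated or corrupt map
        expected = pos + size
        blocks.append((pos, size, fields[2]))
    return current_pos, blocks

def summarize(blocks):
    """Bytes per status, percent rescued, and the ranges still missing."""
    per_status = {name: 0 for name in STATUS.values()}
    for _, size, st in blocks:
        per_status[STATUS[st]] += size
    total = sum(per_status.values())
    missing = [(pos, size, STATUS[st]) for pos, size, st in blocks if st != "+"]
    percent = 100.0 * per_status["rescued"] / total if total else 0.0
    return {"total": total, "percent": percent, "bytes": per_status, "missing": missing}

if __name__ == "__main__":
    report = summarize(parse_mapfile(SAMPLE_MAP)[1])
    print(f"{report['percent']:.2f}% of {report['total']} bytes rescued")
    print(report["missing"])
```

Keep the mapfile next to the image file: ddrescue uses it to resume after an interruption and to retry only the areas that are still missing.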
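For the damaged partition table case above, this added example shows the signature scan in its simplest form: find a known header, read forward to the matching footer, and save the bytes under a generated name, since the original filename is not available. It is an illustration written for this guide, not PhotoRec's code; it handles only JPEG and PNG, assumes files are stored contiguously, and the sample "disk" is constructed.

```python
# Added example: header/footer file carving on a raw image. Not PhotoRec's code.
SECTOR = 512
# (extension, header signature, footer signature)
SIGNATURES = [
    ("jpg", b"\xff\xd8\xff", b"\xff\xd9"),
    ("png", b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
]
MAX_SIZE = 32 * 1024 * 1024   # stop looking for a footer beyond this many bytes

def carve(data):
    """Yield (offset, ext, file_bytes) for each header with a matching footer."""
    pos = 0
    while pos < len(data):
        # Earliest header of any known type at or after pos.
        hits = [(data.find(h, pos), ext, h, f) for ext, h, f in SIGNATURES]
        hits = [hit for hit in hits if hit[0] != -1]
        if not hits:
            return
        start, ext, header, footer = min(hits, key=lambda hit: hit[0])
        end = data.find(footer, start + len(header), start + MAX_SIZE)
        if end == -1:
            pos = start + 1   # header without footer: overwritten or fragmented
            continue
        end += len(footer)
        # Limitation: a JPEG with an embedded thumbnail ends early at the
        # thumbnail's own footer; real tools parse the format to avoid this.
        yield start, ext, data[start:end]
        pos = end

def name_for(offset, ext):
    """Filenames are lost, so name each file after the sector it was found in."""
    return f"carved_{offset // SECTOR:08d}.{ext}"

def build_sample():
    """Constructed 'disk': two intact files and one header whose data is gone."""
    jpg = b"\xff\xd8\xff\xe0" + b"J" * 100 + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"P" * 60 + b"IEND\xaeB`\x82"
    orphan = b"\xff\xd8\xff\xe0" + b"X" * 50
    return b"\x00" * 512 + jpg + b"\x00" * 406 + png + b"\x00" * 100 + orphan

if __name__ == "__main__":
    for offset, ext, blob in carve(build_sample()):
        print(name_for(offset, ext), len(blob), "bytes")
```

Run a scan like this against the image file produced by ddrescue, not against the failing disk, so the source is read only once.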