serdar_yegulalp
Senior Writer

Review: 7 data recovery tools for every data disaster

Reviews
Jan 06, 2016 | 20 mins
Disaster Recovery, Linux, Mac

From resurrecting lost photos to recovering RAID arrays, these utilities can bring your data back from the dead


Storage media is more reliable than it’s ever been. But while drive failures are fewer and further between, technology improvements do nothing to protect you from the No. 1 cause of data loss: human error. It’s devastating to lose the only copy you have of any file — that important document or irreplaceable photo — all because you mistakenly formatted the wrong drive or hit Delete too quickly. It’s even more infuriating when you have only yourself to blame.

The good news is that the tools for recovering data from disk drives, SSDs, SD cards, USB drives, and most every other kind of media continue to grow in power, ease, and versatility. The hardest part may not be the recovery itself, but sorting through the welter of tools available and figuring out which one is best for dealing with your particular disaster.

In this roundup, we’ll look at a gamut of software products that you can use to recover data from damaged media, reformatted media, and the land of accidental deletes. Ranging from free utilities for nontechnical users to commercial packages for businesses, they include tools for Windows, Mac, and Linux, and they encompass a variety of use cases, from simple end-user recovery (Recuva) to recovery as part of a general system analysis (Sleuth Kit/Autopsy) to reconstruction of data from RAID arrays (Kroll Ontrack EasyRecovery Enterprise).

Whatever the nature of your particular data disaster, you’ll likely find the tool you need right here.

PhotoRec

Few data recovery tools out there are as immediately useful and versatile as PhotoRec.

A free open source project that runs on Windows, Linux, and Mac OS X (both Intel and PowerPC Macs), PhotoRec uses file signatures to detect and recover files in 400-plus data formats, with more added all the time. It’s even possible to add custom data signatures — in case you’re attempting to recover data from file formats of your own creation.

PhotoRec is a good, cost-free, first line of recovery for common file types. It’s also relatively foolproof to work with, and its more powerful options aren’t obtrusive. If all you need to do is yank the most readily recoverable data from a piece of media and you’re on a low budget, PhotoRec is made to order.


Free open source PhotoRec supports more than 400 file formats, making it a good first line of recovery for the most common file types. 

PhotoRec comes in two versions for each platform, a command-line/text-only version and a GUI version. The GUI tool is easier to navigate, but both editions can be automated through command-line parameters. In both cases, the recovery process is highly guided. The user simply picks a volume to recover from, a directory to write the recovered files to, and whether to recover from unused space only or the entire source volume. Choosing what kinds of files to scan for is optional.

PhotoRec supports most any block device or file type as a source. Supported files include the likes of VM disk images and image files stored in the Encase EWF format commonly used in digital forensics work. PhotoRec can also recover data from smartphones, provided they can be mounted as USB mass storage devices.

Whenever PhotoRec encounters data that’s a possible match for a known file format, it makes a best guess on the constituents of the complete file and writes the results into a subfolder of the target folder. Some options are available for more aggressive reconstruction of certain file formats, such as JPEG images, but for the most part, the best results come from files that aren’t fragmented. However, you won’t get the original filenames; PhotoRec will automatically generate filenames for the recovered files.
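The signature-based recovery described above, reduced to a minimal carver (an added illustration, not PhotoRec's code): it scans a constructed 4KB image for JPEG and PNG headers, cuts each file at the first footer, and shows why contiguous files come back intact while a fragmented one does not. The sample data, the sector-based naming scheme, and the function names are assumptions of this example.

```python
import hashlib

SECTOR = 512
MAX_FILE = 1 << 20  # give up looking for a footer after 1 MiB
# (extension, header magic, footer magic) for two well-known formats.
SIGNATURES = [
    ("jpg", b"\xff\xd8\xff", b"\xff\xd9"),
    ("png", b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82"),
]

def pad(data):
    """Zero-fill to a whole number of sectors, as file systems allocate."""
    return data + b"\x00" * (-len(data) % SECTOR)

def build_sample_image():
    """Constructed test data: a tiny 'volume' with no directory entries left."""
    jpeg = b"\xff\xd8\xff\xe0" + b"A" * 700 + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"B" * 300 + b"IEND\xae\x42\x60\x82"
    frag = b"\xff\xd8\xff\xe0" + b"C" * 1020 + b"\xff\xd9"
    foreign = b"X" * SECTOR  # another file's sector sitting between the fragments
    image = (b"\x00" * SECTOR + pad(jpeg) + pad(png)
             + frag[:SECTOR] + foreign + pad(frag[SECTOR:]))
    return image, [jpeg, png, frag]

def carve(image):
    """Walk sector boundaries; on a header match, cut through the first footer."""
    found, offset = [], 0
    while offset < len(image):
        data = None
        for ext, header, footer in SIGNATURES:
            if image.startswith(header, offset):
                end = image.find(footer, offset + len(header), offset + MAX_FILE)
                if end != -1:
                    data = image[offset:end + len(footer)]
                break
        if data is None:
            offset += SECTOR
            continue
        # The original filename lived in the directory entry, which is gone,
        # so the name is generated from the starting sector.
        found.append((f"f{offset // SECTOR:07d}.{ext}", data))
        offset += len(pad(data))  # resume at the next sector after the file
    return found

def check(found, originals):
    """Mark each carved file intact only if it is byte-identical to an original."""
    known = {hashlib.sha256(d).hexdigest() for d in originals}
    return [(name, hashlib.sha256(data).hexdigest() in known)
            for name, data in found]

if __name__ == "__main__":
    image, originals = build_sample_image()
    for name, intact in check(carve(image), originals):
        print(name, "intact" if intact else "damaged (fragmented on disk)")
```

The third carved file has a valid header and footer but contains a foreign sector in the middle, which is the failure mode that makes fragmented files hard for any header/footer carver.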

PhotoRec also has a companion application, TestDisk, for recovering entire disks or partitions that have been lost due to damage or accidental deletion.

Sleuth Kit

Brian Carrier’s Sleuth Kit is a free open source digital forensics package — a collection of tools for analyzing disks, both physical drives and disk images, and recovering data from them. According to Carrier, Sleuth Kit is used mainly by “law enforcement, military, and corporate examiners to investigate what happened on a computer,” so it’s mainly for recovering evidence of activity throughout a whole system, rather than recovering specific files from a single volume. For more casual use, it’s probably overkill, but it’s well suited to figuring out why data might have been lost on a system — for example, because of a compromise in system security.

Sleuth Kit and several other tools in the same vein are wrapped up together in a GUI application called Autopsy, also provided by Carrier. The included tools come packaged as modules, allowing a prospective developer to roll their own or repackage an existing tool as a module. Both Python and Java are supported as module development languages, with the tools themselves either written in those languages or wrapped with them.

PhotoRec, discussed above, is among the included modules, so Autopsy is a handy way to make use of it in conjunction with other tools. Other components include the Recent Activity module, which extracts data from Web browser histories, looks for whatever programs were installed most recently, and examines the Registry hive by way of the RegRipper tool. Another module parses email in common formats such as PST or Thunderbird’s MBOX format. Still another module examines file types often found on Android phones.

Once you connect to a given volume or image file and start analysis on it, results begin to appear almost immediately in Autopsy’s GUI. If you’re performing a recovery operation on a large volume and you want to start passing the results to others as quickly as possible, this is a huge boon.

Most of the best features in Autopsy help perform reconstruction of events that took place on a system. The Timeline feature, for instance, collates results from various modules based on when they took place, and they can be filtered or narrowed based on a given time range or event type. Autopsy also allows for multi-user collaboration on cases, though that requires multiple third-party pieces — PostgreSQL, Solr, ActiveMQ — to be installed and configured.


Autopsy wraps Sleuth Kit in a GUI, and includes several other handy tools for both digital forensics and data recovery.

Kroll Ontrack EasyRecovery Enterprise

With a guided wizard interface and straightforward workflow, Kroll Ontrack EasyRecovery Enterprise is designed for quick extraction of data from volumes, most notably RAID arrays that require reconstruction.

EasyRecovery can perform recovery operations from conventional hard drives, USB memory devices, optical media, mobile devices, VMware disk images, and disks from malfunctioning RAID arrays. In addition to being able to explore a volume and recover files from it (deleted or not), EasyRecovery can wipe drives, analyze media for errors or usage details, and perform disk imaging functions such as copying the contents of drives or writing a disk’s data to an image file. The Remote Recovery feature provides a built-in way for one instance of EasyRecovery to be remote-controlled by another instance of the program, as long as the two instances can talk to each other over a network via port 5900 (the VNC protocol).

Deleted file recovery works one of two ways: either by performing simple undeletes (by checking NTFS directory records) or by scanning the free space on a volume and attempting to reconstruct files on the volume based on heuristics. Discovered files can be inspected directly on disk by way of a built-in hex/ASCII/Unicode/binary viewing tool, a convenient way to see quickly if the files in question are what you’re looking for.

Unfortunately, if you’re scanning an entire volume, you can’t save out or examine files as they show up in the scan’s results. You have to wait until the entire scan is finished before determining if anything useful has turned up, unlike with Autopsy or PhotoRec. It also doesn’t appear to be possible to add custom file signatures to the application (as with PhotoRec), so you’re limited to the file types that are hard-wired into the program. What few controls exist are largely minor tweaks, such as whether or not to attempt to concatenate broken video streams during the recovery process. You can see log messages generated by the scan as they come in, although they’re somewhat cryptic.

One real winner of a feature for enterprise users is the RAID array recovery tool, in big part because it isn’t limited to recovering only one or two types of RAID or JBOD. Support is included for a slew of common software and hardware RAID 0 and RAID 5 types: HP/Compaq, Adaptec, AMI, Silicon Image, Promise, and so on. Also included is an automatic reconstruction function, which can allegedly scan the provided disks and make an educated guess as to how the array was put together.

EasyRecovery can also recover data from a number of email clients: Outlook, Outlook Express, Eudora, Mozilla, Becky, and Windows Live Mail. One downside to the email recovery tool is that it doesn’t use the same workflow as the rest of the program. You have to open a separate interface for it via a toolbar button, then point it to a folder where mail files are known to reside. Browsing Outlook PSTs with a few gigabytes of data in them proved to be extremely slow; it sometimes took as long as a minute or two to display the list of messages in a given folder in the PST, and the tool would often show multiple copies of folders. According to Kroll Ontrack technical support, the program assumes the PSTs in question are damaged, and thus shows earlier versions of folders that may still exist. The team said the speed of email recovery will be addressed in a future version.

EasyRecovery isn’t cheap. You’ll pay $79 for the Home edition, $149 for the Professional edition, or $499 for the Enterprise edition reviewed here. Fortunately, all editions of the program have a free trial. The trial doesn’t allow actual data recovery, but it lets you see what can be recovered. EasyRecovery is available for both Windows and Mac.


Kroll Ontrack EasyRecovery Enterprise is an industrial-grade recovery tool, with the ability to resurrect data from damaged RAID arrays.

Recuva

Created by the same outfit that gave the world the excellent CCleaner utility, Recuva provides a file recovery tool for Windows that’s as straightforward and easy to work with as CCleaner.

By default, Recuva fires up in a wizard mode, making it easy to perform point-and-shoot recovery jobs. You pick a file type (or go with “all files”); point the program at a specific drive, device, or common file location (such as the Recycle Bin), and choose whether to perform a quick scan or a deep one. Recuva will dig through the media in question and present you with a list of possible files for recovery. It’s even possible to scan shadow copies (snapshots) of mounted drives, although you can’t scan drive images unless they’re mounted and available through a drive letter. (The drive has to be mounted as a local drive to be scannable.)

Like many of the other programs in this roundup, Recuva doesn’t let you peruse the results of a scan while it’s in progress; you have to wait for the scan to finish. The upside is that Recuva scans quickly. Even in “deep scan” mode, where it probes for a wider variety of file types, it took only 1 minute, 50 seconds to scan a 16GB removable flash drive, as opposed to the 10 or more minutes required of some other products. (PhotoRec was similarly fast.)

Once the scan is done, you’ll get a list of files with their original locations, last-modified dates, and general info about the health of the file. Files are color-coded by how recoverable they are. If one file has been overwritten by another, Recuva will let you know.

If you want more details about the recovery job, you can switch to advanced mode. There, you can search for files by name or contents, inspect header data on the file, or save the list of candidate files as plain text. You can also elect to run in advanced mode by default when you start the program. Saving the files is as easy as right-clicking on them in the list and selecting the Recover option. A secure-erase function lets you destroy uncovered data, in case you’re verifying an item that should have been erased to begin with.

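InfoWorld Scorecard

| Product | Ease of use (25%) | Recovery speed (25%) | File types recovered (20%) | Media support (20%) | Value (10%) | Overall Score (100%) |
|---|---|---|---|---|---|---|
| CardRecovery 6.10 | 8 | 8 | 8 | 8 | 8 | 8.0 |
| Kroll Ontrack EasyRecovery 11.5 | 8 | 8 | 9 | 10 | 8 | 8.6 |
| PhotoRec 7.0 | 8 | 9 | 10 | 10 | 10 | 9.3 |
| Recuva 1.52 | 9 | 10 | 8 | 8 | 10 | 9.0 |
| Remo Recover 4.0 | 9 | 7 | 10 | 8 | 8 | 8.6 |
| Sleuth Kit 4.0.0 | 7 | 9 | 10 | 10 | 10 | 9.0 |
| SystemRescueCd 4.6.1 | 6 | 8 | 10 | 10 | 8 | 8.3 |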

The single biggest limitation of Recuva is that file signatures appear to be hard-wired into the program. If you want to look for a custom format or another file not in Recuva’s list, you’ll need to use PhotoRec or an application that allows custom file signatures. What’s more, it was difficult to figure out exactly which file types are supported by the application in the first place. Piriform’s website doesn’t seem to list which files Recuva recognizes, although I found a note in the product forum that provided a way to discover supported file types in advanced mode.

Recuva comes in a free edition with no support provided, as well as $24.95 business and professional versions that provide paid support. There don’t appear to be any licensing restrictions on businesses using the free version, nor do there seem to be any missing or crippled features. A portable edition of the program (also available free) can be placed on a USB drive and run without needing to be installed on the target machine — a handy way to run the program in environments with a number of machines.


Recuva is a fast and flexible recovery tool for Windows. You can run it in an easy, wizard-driven mode or in an advanced mode to reveal more detail.

SystemRescueCd

Dozens of Linux-based rescue CDs with file recovery tools are out there, but many of them are no longer updated, require too much command-line wizardry to be really useful, or both. SystemRescueCd is a Linux rescue CD (or USB stick) that strikes a good balance between being complete and being usable. Plus, you’ll find generous documentation on the SystemRescueCd website, though it’s geared for experts who aren’t afraid of Linux or the command line.

SystemRescueCd is best for recovering data from systems that are unbootable or where you don’t want to run the risk of contaminating the data. When you boot the OS, the file systems on the machine in question aren’t automatically mounted, to keep them from being changed inadvertently. They can be read from by many of the tools on board, but they can’t be written to. If you’re trying to copy data off such a system, you’ll need to manually mount the drive where you want the files saved.

SystemRescueCd provides a wealth of open source tools for inspecting, copying, and saving data from a damaged drive or system. PhotoRec is among them, and while it’s only available in its text-mode version, that’s still useful and powerful if not as easy to use as the GUI edition. Naturally, the speed of the data recovery depends entirely on the particular program used.

Another nice boon of SystemRescueCd is that the whole system, tools included, is kept up to date with current builds of everything. (The version I reviewed, dated Oct. 29, 2015, was superseded on January 1.)

The single biggest downside to SystemRescueCd is that there is absolutely no guidance for the user. If you don’t know your way around a Linux system, it’s best to learn before attempting to perform any kind of recovery work with this tool. SystemRescueCd lets you fire up a graphical desktop with many common tools available from a cascading menu, but that’s no substitute for a wizard or a starting menu of common recovery options. AVG Rescue, another rescue CD created by the makers of the AVG antivirus suite, provides exactly this sort of guidance to the user, but many of its tools are out of date, making it difficult to recommend.


SystemRescueCd is a Linux distro designed for data recovery, bundling a slew of open source tools for inspecting and repairing disks and rescuing files from Linux and Windows systems.

CardRecovery

As the name implies, CardRecovery for Windows is focused on recovering data from memory cards used in cameras, with a few features specific to how those recovery jobs work. A sibling program, CardRescue, brings the same capabilities to Mac OS X.

Like Recuva, CardRecovery starts off with a wizard interface, from which you choose the media to recover from and the target directory to write the recovered files. If you’re recovering data from a card that was used in a specific model of digital camera (Canon, Sony, Nikon, Pentax, and so on), you can specify the brand to refine the search.

The most crucial limitation of the program is that it confines itself to scanning for common file types found on camera media, mainly JPEG, TIFF, and RAW formats. You can scan for some formats of audio and video as well. But if you’re trying to recover any other kind of file, another program is in order. Note too that cards must be mounted and made available through a drive letter; you can’t scan a volume image file or a network share.

Scanning a 15GB drive took approximately 15 minutes, but CardRecovery gives you the option of pausing the scan partway through to recover any files already discovered by the search. Any additional property data available with the files, such as EXIF data recorded by the camera, can also be previewed.

The program provides a browsable list of thumbnails of the files that can be recovered, allowing you to identify a particular image file by sight. One minor annoyance with that feature: You can browse only six images at a time. Note too that some recovered movie files can’t play as-is when recovered; CardRecovery’s creators suggest a number of third-party applications to help repair those files.

If you want to find out whether or not CardRecovery can save your particular bacon without spending money on it, the evaluation version of the program finds files and lets you preview them, but doesn’t allow you to save them. For that, a licensed copy of CardRecovery costs a mere $39.95.


CardRecovery specializes in resurrecting lost photos, as well as some audio and video files, from camera media.

Remo Recover

Available for Windows and the Mac, Remo Recover comes in three editions. The Basic edition handles recovery of most common types of files, while the Media edition adds support for various kinds of media such as RAW camera files. The Pro edition is for recovery of entire drives that have suffered damage or been repartitioned or reformatted. About 280 file types are supported by the Media and Pro editions. On starting the program, you’re given the option of which edition you want to run. If you don’t have a license key for that particular edition, you’ll see what files you can recover, but you won’t be permitted to restore them.

Standard file recovery can search both for freshly deleted files, where directory entries are still present, and for files in a drive’s free space, where the program tries to match data against file signatures. Searching by directory entries is selected by default because Remo Recover can obtain results very quickly that way.

Searching by file signature is slow, and you don’t get any feedback during such a search to tell you if anything has turned up yet. On the plus side, when you’re finished scanning a given drive, you can save the state of the recovery session. This allows you to return to the results of a scan and continue restoring files, without having to rescan the whole drive. I doubt the program will be able to do anything if the contents of the drive change between recovery sessions, so be careful.

Like CardRecovery, Remo Recover has the ability to scan for manufacturer-specific RAW image types used in digital cameras, including relatively exotic, high-end breeds like Leica. I should note that PhotoRec claims to be able to search for many of those formats as well, although not all of them. Formats for Hasselblad and Ricoh, for instance, are supported in Remo Recover, but not in PhotoRec. For those who use one of those devices, this might tip the scales in favor of Remo Recover.

The Pro edition tools, partition recovery and drive unformatting, allow you to scan a raw drive, even one without a drive letter attached, to recover data from it. Entire drives can be imaged to a file with the Pro edition, making it possible to perform recovery operations without needing the original media. Note that writing out an image file takes a long time — typically, about as long as it takes to scan the media in the first place. But if you’re copying the image from media that reads slowly to a local hard drive or SSD, searching the image will be many times faster.

Free preview editions of Remo Recover let you preview recoverable data, but not save it. Basic, Media, and Pro editions for Windows cost $39.97, $49.97, and $99.97 respectively. The prices for the Mac versions are $59.94, $69.94, and $179.94.


Remo Recover combines general-purpose file recovery for Windows or Mac with support for even some esoteric camera media.

Now you see it

Which recovery tool is for you? PhotoRec and companion TestDisk have consistently been among the most useful, performant, flexible, and inexpensive applications available for data recovery. They don’t have the breadth of options of some of the other apps examined here, but it’s almost impossible to go wrong with them as a first step.

Sleuth Kit/Autopsy is more of a full toolbox than a single wrench or hammer, and for that reason might be intimidating to work with, especially if all you need to do is recover a particular file. But for those who need the full toolbox, it is a great way to have one for no initial cost. SystemRescueCd also rolls up a great many tools into one bundle, but it’s strictly for experts. Those afraid of the command line shouldn’t even think of using it.

Kroll Ontrack EasyRecovery Enterprise stands out with its RAID recovery function, and it’s recommended for those who need that capability. For those who don’t, many of its other features can be found in other programs, like Remo Recover.

Remo Recover stood out for making it easy to save out image files from media, and for having some fairly exotic camera file types as part of its database. CardRecovery supported a number of those file types as well, although its slow scanning and slightly clumsy interface worked against it.

Finally, Recuva packs a lot of great features into one program: fast scanning, a convenient interface, and useful details about what’s recoverable and what’s not. It should be in every Windows user’s toolbox.


Serdar Yegulalp is a senior writer at InfoWorld, covering software development and operations tools, machine learning, containerization, and reviews of products in those categories. Before joining InfoWorld, Serdar wrote for the original Windows Magazine, InformationWeek, the briefly resurrected Byte, and a slew of other publications. When he's not covering IT, he's writing SF and fantasy published under his own personal imprint, Infinimata Press.
