Leadership

Video: Restore files from a damaged hard drive with ZAR

Hard drive failures are always a nuisance -- if not a disaster -- especially when the backups have gone missing or were never made. Bill Detwiler shows you how the Zero Assumption Recovery (ZAR) tool can help you find and restore recoverable files from a failed hard drive.

Hard drive failures are always a nuisance -- if not a disaster -- especially when the backups have gone missing or were never made. Whether it's your own oversight or that of a panicked user, at some point you'll probably attempt to retrieve files from a damaged hard drive. In this IT Dojo video, I'll show you how the Zero Assumption Recovery (ZAR) tool can help you find and restore recoverable files from a failed hard drive.

During the video, I warn everyone about the potential dangers of using self-service data recovery tools and recommend that viewers contact a qualified data recovery company if the data is critical or the drive has physical damage. Despite my admonitions, I'll no doubt receive a few complaints once this piece is published, and some will argue that tools like ZAR do more harm than good. But I'd like to move the discussion beyond an anecdotal debate and gather some real numbers--albeit through a nonrandom sample. Answer the following questions, and let us know if you've used a self-service hard drive recovery tool and if the experience was positive.

For those of you who prefer text to video, you can click the Transcript link that appears below the video player window or you can also read Wally Bahny's article, "How do I ... restore files from a damaged hard drive using ZAR?," on which this video is based.

You can also sign up to receive the latest IT Dojo lessons through one or more of the following methods:

About

Bill Detwiler is Managing Editor of TechRepublic and Tech Pro Research and the host of Cracking Open, CNET and TechRepublic's popular online show. Prior to joining TechRepublic in 2000, Bill was an IT manager, database administrator, and desktop supp...

105 comments
tomm
tomm

That was informative, now - how do I restore files from a thumb drive? When I insert the drive I can hear the characteristic bloop/bloop sound, but none of my computers can find it, nor recognize it. The company, Attache', tells me that this is a "TS" problem, and they have no interest in a solution, so I don't know where to turn for these files, which are very important. Thank you Tom Markham tommark8@gmail.com

pcadmin
pcadmin

I had a user with an external hard drive, that was fairly new, he had saved important files to it, he had no other backup and the external drive failed. I saw this on techrepublic, downloaded a trial and foun that it recovered some data, so I purchased the full version and maganed to retrieve about 95% of his data of the failed 1TB drive. Very very happy! :))

tmallery
tmallery

The only "data recovery tool" that has consistantly caused more harm than good is CHKDSK. I never run CHDSK on a machine with critical data. On the other hand, iRecover from DIY data recovery has saved my butt many times, and has never caused a problem.

ho.nguyen
ho.nguyen

That is great! Before I had many problems about losing data. Now i think this is one of my future solutions. http://VietBDS.com

nigel.tidswell
nigel.tidswell

I had an issue where Win 7 thoughtfully scrambled the protective MBR and GPT partition table on a 4TB Lacie. WinHex was able to find the NTFS partition, and recover EVERY file. There was no physical damage to the drive, neither were any sectors of the actual NTFS partition scrambled. In that situation, most other tools I tried either wouldn't see over 2TB, or couldn't see a drive at all. Winhex, which is billed as a Hex editor, does have file scan/recover ability, and did the bizness. Highly recommended at under $100!

herm.harrison
herm.harrison

Of the software that I've used, I've had the best success with GetDataBack from Runtime Software. Lots of options including recovery over a network. I can't compare it to ZAR to say whether it's better, but it is better than any others that I have used including some costing hundreds of dollars.

masterchuck
masterchuck

very informative. I have also used extensively the EAUSAS Data Recovery Wizard, with great success.

Belfalas
Belfalas

Excellent open source file recovery tool.

mcooper
mcooper

I've used FTK and it works great - but there isn't a trial version anymore(at least since I last checked) and the price is outragious!

RuggyRat
RuggyRat

I do not think the term 'damaged' hard drive is used correctly. What do you mean by damaged hard drive? Do you mean hard drive failure? I have encountered drive failure, lost of data, hard drive cluster problem, etc. Drive failure usually means the drive no longer detectable by the CMOS. In a sense, software usually does not see the 'damaged' drive. Other damaged type I commonly encountered is the lost of data due to user deleted the data by mistake. I can see ZAR can come in handy. Basically, when I hear 'damaged hard drive', I see it as mechanical damage or the drive no longer spin or the Read/Write head no longer move or CMOS does not detect the drive at all. However, I did encounter where the CMOS does see the drive but cannot read the data. All I hear is the clicking noise. In summary, damaged drive is basically a dead drive and if a software can still be used to recover the data, the hard drive is not damaged. The title should have been something about recovering deleted files. I do not think there is there a way to use a software to recover data from a damaged drive. However, tools such as ZAR is great to recover accidentally deleted data from a readable hard drive. Tip: When doing a recovery, make sure the destination drive is other then the recovering drive. Meaning, if you are recovering the lost from drive D, set the destination drive to C or E and not D. The Video presentation is great and thanks for intro of ZAR. BTW, that was not my car alarm.

tomirock
tomirock

I appreciated the helpful tips. It reminded me of something I should never forget....BACKUPS: centralize data, be consistent in running the backup, err on the side of increased frequency and leave nothing to chance. I've also used a product from Piriform called "Recuva". It has proved an invaluable file wiping and recovery tool over the years.

widya.hc
widya.hc

I'm using ZAR for image recovery on my thesis. The only negative thing I found is that, it doesn't restore the original file name. The recovered images are named with numbers, while sometimes the file name can help in determining the value of the image, such as a person's name, or family relation, etc. But other than that, this software is quite powerful. It can recovered more images than Encase 5 that I use.

lverdinr
lverdinr

It's a very usefull tool, but it depends from the damage on the hard drive. Sometimes I've used Filerecovery, Paragon Hard Disk Manager Pro or conecting the unredeable hard drive and booting from a Linux partition using SuSe or Red Hat, wich allow me to read the drive. But I will use ZAR to have my own experience recovering data from unredeable hard drives.

bryant
bryant

ZAR looks just like iRecover from diydatarecovery.nl which I've used for 2 years. It's a good product. Same company & product with a new name or is someone cheating?

dave
dave

Used this freeware tool on some incredibly trashed drives with good success.

teddy.lim
teddy.lim

I have used Fast File Recovery Pro for windows from ESS Data Recovery. It is old, slow but effective but no longer available. I have also used RecoverMyFiles which is much faster and menu driven.

teddybreyez
teddybreyez

can you use a windows based pc to recover a seagate macbook harddrive? or is there another software to do the same thing? teddybeareyez@yahoo.com

pgustave
pgustave

Yes, as a data recovery expert, I agree if the hard drive is really failing, just running a data recovery software alone may get matter worst. If the hard drive seems to be in good shape, it is the least you can do to get your data back.

jwlindsey
jwlindsey

... very successfully a few times. It costs more than ZAR but I've never had a problem. I also recouped the original cost on the first job I used it to recover. As with most of those recovery programs, you will probably get back more files than you expected, especially if there are old deleted files on the drive that have not been overwritten. You'll even recover useless fragments of files that have been partially overwritten. Better "more" than "less" though.

celtickerr1888
celtickerr1888

Most effective recovery I've used was linux rescue disk(Knoppix). Windows (XP home) wouldn't boot at all even in safe mode. No WIN boot disk available. Booting with Knoppix enabled access to the HD & was able to use Knoppix's burn utility to copy critical files. CGK

aheishman
aheishman

I have the program loaded on my laptop and I use Infosafe drive enclosures for the users' HDD. I've had very good luck so far using ZAR, company purchased the license for me right away.

mboyle
mboyle

I have not used a service but am interested in the results of the poll.

juan.villagra
juan.villagra

I think you may be did overlook a critical detail: If you are using this type of tool, in the step where you choose the destination for recovered files, one MUST NEVER choose a directory in the same partition where are the damaged or lost files... you will be stepping on your own tail. Same for any other partition from where you pretend to recover files after. I think there were no sufficient enfasis on this point. Regards! JCVH

joel.brabant
joel.brabant

I have used i360 service from Seagate to recover my data on a 500GB Maxtor drive (from a Maxtor Shared Storage Plus) and they've never been able to restore anything, all the files were corrupted (I did not pay the 1500$). I got the drive back and I decided to try by myself. I purchased WinHex and did a recovery by file types. I was able to recover about 20% of my precious photos!

aleader
aleader

I used ZAR to recover .jpg files from a drive that failed in my wife's computer. After the recovery, I tried to find a way to open the files and no software I owned, would open any of the files. Is there a program that will repair the .jpg files, after recovering them?

i.t
i.t

I had a hard drive that contained all of my documents since I was 15, (I'm now 23) Stupidly, although I backed up the drive, I hadn't done it in about two years, The Hard drive then failed fantastically. I really wasn't amused. So I found this tool called EASUS Data recovery suite, it restored my files absolutely brilliantly. ALSO, recently I purchased a mac. I installed NTFS-3G on it and then tried to mount a drive that wouldn't usually have worked on windows and it worked perfectly, almost like there wasn't an issue. Unfortunately that drive is full of porn, not required files. but its still nice to know it works.

HAL 9000
HAL 9000

Is to edit your Post and remove your E-Mail Address as the Bots that crawl the net will harvest it and fill your In Box with Spam. Now if these files are Important you really need to send the Thumb Drive to a Professional Data Recovery Service and pay them to recover your Data. It will be cheaper and faster if you do not mess with the drive and you will have a better chance of recovering all of the data. The more that you play with the drive now the less likely you are to recover the Data and the more expensive it's going to be to try to recover it. I always use OnTrack but that's a personal preference on my part. Most companies who specialize in Data Recovery should be able to help you here. But if you want to try messing with the drive you need to Open the [b]Drive Management[/b] and see if the Thumb Drive is being shown there after it is inserted into a USB Port. If it is you can use any of the Data Recovery Applications to attempt to recover your Data. Here is a short list of the better ones but it is by no means a complete list of all the available software. http://tinyurl.com/273ay5 http://tinyurl.com/rmvrv http://tinyurl.com/yvrsl http://tinyurl.com/yyk8cm http://tinyurl.com/382vm http://tinyurl.com/ynwnel http://tinyurl.com/nc4kx http://tinyurl.com/2wox7l http://tinyurl.com/374d8b http://tinyurl.com/djw6u http://tinyurl.com/f73se http://tinyurl.com/8bd3f http://tinyurl.com/afu2j While the last 2 are from the same company they are very different products. Win Hex should only be considered for use by someone who knows Hex Inside Out while Davory is a great cheap General Purpose Application. Personally I prefer the On Track Option but it's anything but cheap. However because I use this type of software a lot it's paid for itself many times over by now, for a cheaper option Spin Rite from Gibson Research or Stella have both very good reputations by other TR members. Col

Eqwatz
Eqwatz

If a drive spins up (and doesn't make head-crashing noises,) you pull a binary image off of it before doing anything else. If it is still running after doing an image; do at least one more. Use UPS power, plenty of ventilation on the drive, and have the work room at no more than 75 degrees farenheit. Forensic programs in Linux allow you to merge and "diff" binary files with no size limitations other than the size of your drive array. If the bitmap of re-directed bad sectors is unreadable or corrupted, the software can be set to replace that info with null/binary_zeroes, which still can leave you with files which have to be hex-edited to be readable--if they can be recovered at all. If the information on a drive is important--you unplug the drive immediately upon discovery of a crash. You then carefully pack it up and send it to the most reputable recovery specialists.

JCitizen
JCitizen

often(every quarter or so) and before doing the next defrag, as this can extend disk life. If the disk has bad sectors, it is good to discover this early and do something about it before it becomes a problem! I can't remember the last drive failure any client, that listened to me, had resulted in a dead drive. It seems to extend the life of the drive by at least 5 years! My oldest drive is going on 8 years, and still reliable, despite wars with malware, viruses, misbehaving software applications, and utilities that blew up the operating system. I am a big fan of CHKDSK, but would not run it for someone who doesn't use it regularly for maintenance, when a disaster recovery process is in order.

JCitizen
JCitizen

Looks like a hex editor is good at looking at machine language level files and interpreting the data without a file table system in place! NTFS is designed to blow up, by security concerns, I'm afraid!

rbnelsrbnels
rbnelsrbnels

With several years now of doing data restorations from drives which have come into our shop as either "damaged" or "dead", it's important for newer techs to know that there IS a difference. A dead drive is one that won't spin up/power up so there is not the chance to recover data from it without it going off to a clean-room facility for a very expensive swapout. A damaged drive can be making strange noises, the dreaded click, or no noise at all but you can't get to the data. This may be due to hardware issues (drop or failing). BUT it is even more often that sectors on the drive itself are damaged (data corrupted or deleted). That's not hardware and not a dead drive (although failing hardware COULD have caused the sectors to fail). I've successfully recovered data from most of the drives that have come in and have now done a lot. Have even been able to fully recover data from a drive that had the click of death (that's not always possible but be aware that it sometimes is - if you hear the clicking it's not automatically beyond hope). Some tools that have been helpful are Active Partition Recovery (well worth the small price and solves a surprising number of probs by doing solely a partition table rebuild - note: if your zero zector's bad on the drive you'll have to work off an image of the drive done sector-by-sector first), HDD Regenerator, Active@7 UNDELETE Enterprise (for RAID) and R-STUDIO (can handle HFS file systems from MAc which most products won't). For the total novices, the best free full software may be Recuva from piriform.com as it's not throttled down. Hope this is a help to techs embarking on the very time consuming and painstaking (but rewarding) road of hard drive data recovery!!

JCitizen
JCitizen

Its like the nineties all over again, company gobbling company!

JCitizen
JCitizen

might be the ticket. At least to diagnose the problem. However ANYTHING you do to the drive, including just starting the PC/Mac or the drive can reduce the probability of recovery! So gage your success by the financial viability of it; and go from there. Definitely have a disaster recovery plan before even turning on the Mac again. Have all hardware/software ready and plugged in before flipping the switch!

bobv
bobv

By Steve Gibson, it's $89, but it's like magic -- saved my ass...ets more than once. Just Google it. Once, had an important Linux system that would not boot because of a disk data error. SpinRite fixed it and saved me several hours of work. SpinRite somehow can re-create the the actual bad sector, so there's no actual data "recovery", it just fixes that bad spot. Of course, it won't help in all cases, and some spots are just not correctable, but it hasn't failed me yet in 3 or 4 tries. I now run semi-annual "maintenance" scans on my disks. bv

mrand
mrand

A few of the programs I know (Ontrack Recovery for instance), say that you should NOT save ANYTHING to the drive you are trying to recover from. You might end up Over-writing what you are trying to recover. You should try to get the files to a second drive. I have used a USB adapter to connect IDE or Sata drives to a working pc, that has the recovery software installed. I then "tell" the program to send anything recovered to a folder on my internal drive. Also, doing it this way, hopefully keeps any auto-start Viruses (on the patient) from doing anything on the working pc.

Bill Detwiler
Bill Detwiler

It's possible that ZAR detected the markers for the files but wasn't able to recover the actual data--it may have been overwritten. What is the recovered file's name, does it read 0 bytes, and have you tried to open the file with a Hex editor?

sapsavoir
sapsavoir

While trying to install Linux OpenSuze 12.0 I somehow lost the contents of my main C drive. I spent a long time looking for a solution in the Web and finally came across Diskinternal's NTFS Recovery. The product can be a little tricky to use, but it is certainly capable of recognizing and restoring most files on a system with a trashed NTFS partition. Tricky because you have to try to restore the partition that was lost, and then CANCEL that action, before you can ask it to recover the files from the drive. One problem: memory. I only have 1 Gbyte of RAM and after having cataloged around 3/4 of the drive, the software simply stopped running before I could save the identified files to another disk. I checked the System Manager and found that the software was using 475 Mbytes of memory (!!!). Either it has a memory leak or somewhat poor design. I ran it again (two hours or so) and stopped it before it hung the machine, and that way was able to recover about 55% of the files I lost on my drive. Increasing my machine's RAM to 2 Gb for around 30 euros would probably enable this software to recover most or all of the damaged partition on the drive.

JCitizen
JCitizen

that guy might have spent many hours collecting that porn! ;)

bobp
bobp

I have also had disks that weren't recognized by Windows but were recognized fine on a Mac. After that, I could put them back in my Windows machine and they worked again. Windows is weak.

dfoote
dfoote

My tool of choice for attempting to recover data is a SysRescue CD or bootable USB drive and ntfs-3g. With these tools I've been able to recover data from: 1) drives so badly infected with malware that they weren't bootable, even in Safe Mode, and 2) drives that failed to boot or even mount in Window yet mountable in Linux. SysRescue is freely available as a download with all the instructions necessary to create a bootable CD or thumbdrive, will boot on most any system (only once have I needed to use an alternative driver set), and is fast. I've used (and own) SpinRite, which works well, but often I need the data secured before I run another tool, not to mention the time it takes to run it. SysRescue can't and won't recover everything yet I've had amazing success with it.

JCitizen
JCitizen

only now there are newer utilities available. I've even been able to recover the full file tree from clicking hard drives using the recovery console, or DOS in older machines. But you get ONE chance if your lucky doing it that way! From my foggy memory I've used Davory, NTFS recovery(disk internals), koppix, partition magic(Quest), and have had ghost but couldn't bring myself to use it because of typical issues relating to ALL Norton products of that time!

Realvdude
Realvdude

Haven't looked at it in years, but Spinrite also refreshed your drive contents by reading and then writing each block. This restores the full strength of the physical magnetic field that stores the data. Used to take hours on a 40Mb IDE, I can only imagine on 40Gb.

pgit
pgit

One of the most recent "security now" podcasts they went into detail on how spinright works. They basically keep hounding the bad sector, reading it from just about every angle possible. They move the heads sligtly off to the side, red a bit ahead and behind, and usually somewhere they get one good hit on the data. Then spinright writes it to a good sector and goes on to the next bad one. They don't touch the bad sector, just mark it bad and try to get the data.

PJfromOttawa
PJfromOttawa

Just kidding ... sorta The executable is ~186K. That's it! That includes a GUI and DOS-based view (same exe) for $89!!! I don't remember spending that amount in the early 80s for that little, KB-wise. It's an amazingly tight little program, all written in assembler, apparently. If Leo Laporte says it's important to have it, I'll get it. And I did.

Editor's Picks