ZAR is not a tool you will use every day. But whenever we needed it, it never failed to step up and perform like a champ. It even reconstructed the data on servers with failed RAID arrays.
Are you sure you backed up your data? It seems like an easy enough question, but how many times have you asked a user this only to have them come back, and ask for a critically important file a few days later? Itâ€™s happened quite a few times where I work. Unfortunately, we have generally have a very quick turnaround time on systems, so by the time the question is asked, the system generally has been reformatted and returned to a different user.
We had a definite need for a data recoverability strategy. While user education can account for a lot of improvement in this area, we still had a need for additional data recovery. While we initially implemented a moratorium before a system could be re-imaged, this was not effective as the quick turnaround time insures that we are not constantly in need of purchasing new systems. We looked into data recovery services, but they were price prohibitive. Finally we found a software package that seemed like it would fit our needs.
At first glance the tool Zero Assumption Recovery (ZAR) really seemed to be exactly what we needed. This tool will allow you to recover deleted data from within Windows (NT, 2000, XP, 2003). Windows will need to be able see the disk in Disk Management, but it does not need to be mounted as a drive. ZAR can work off of raw volumes, so even if windows insists that it needs to format the disk to read it ZAR can still recover data from the device. It can read data from disks that are (or were) formatted FAT16, FAT32, or NTFS. It can also recover data from ext2 partitions and digital cameras, though this is limited. You can find a list of supported cameras here. Also, it can read from and even repair RAID 0 and RAID 5 arrays.
Putting Zero Assumption Recovery to the Test
Our first chance to use ZAR was on a PC that had been re-formatted but had not yet been re-imaged. A user came to us in tears saying that a spreadsheet she had been working on for 3 weeks was saved on her local box, and she had forgotten to back it up. We told her we would attempt to recover it, but we could not promise anything. We took the hard drive and placed it in another working PC. Windows 2000 Pro booted up, and saw the hard drive, but could not mount it due to the lack of formatting. We installed and started ZAR, and pointed it to the drive. It had no problem seeing the drive, and immediately began working on scanning it. As this was a 60 GB drive it took quite a while for the scan to complete, but when it was finished it presented the entire drive in a typical Windows Explorer fashion. Placing a check next to a file or folder marked it for recovery. We recovered this users My Documents folder to her U: drive. Not only was the spreadsheet was looking for on their, but several other documents she had forgotten to back up. See ZAR in action here.
Right Tool for the Job?
ZAR is not a tool we use everyday. Luckily whenever we have needed it, it has never failed to step up and perform like a champ. On a few occasions we have even used it on servers with failed RAID arrays to reconstruct the data contained on them, and it has never let us down. ZAR will become a wonderful tool in your network toolbox, and it most assuredly is the Right Tool for the Job.