Nearly everybody loses some files that they want back at some point. It’s a fact of life. But fortunately mac data recovery technology is now highly developed and sophisticated because of this. The state of the art is now such that things we would have considered ridiculous or impossible a few years ago now look easy. You just select a disk and click Scan, then see the contents of thousands of deleted files appearing before your very eyes. What is interesting is that what is going on in the background is mind bogglingly complex.

 

 

The recent history of data recovery

In the past file recovery was done by reading the file system on the disk. If it were an Apple HFS disk for example, then the HFS filesystem would be interpreted by the software, and an analysis would be made to try to determine what data was previously present before the deletion was performed on the filesystem. In this way, each different filesystem (typically HFS for Mac, DOS for Windows, ISO 9660 for a CD) would be coded for and interpreted in its own individual way, and each filesystem would have its own success rates and caveats. The success or failure of the file recovery attempt was also generally based on the state of the filesystem at the time. If the filesystem had been heavily modified after the file deletion had taken place, then there would be less chances of being able to undo that deletion. Likewise if the filesystem was heavily corrupted or if it had been formatted, that would often mean that no file recovery would be possible.

It did have some advantages; the folder layout and filenames would sometimes be preserved. Sometimes it would result that getting files back was a quick and painless process. So while it was not so reliable, when it did work it could be very convenient.

This method is generally not possible these days, because filesystems have become more complex, and also because when it comes to deleted file recovery people demand functionality above all else.

The state of the art of data recovery

Now data recovery has become about pattern recognition of individual filetypes. This has the advantage of making data recovery more robust because it is no longer dependent on the filesystem. This is a powerful concept. Because of this files can be recovered after a disk or volume has been formatted , if the filesystem has become corrupted, or even if it has no filesystem at all. It also makes it filesystem independent. It works on hard disks, CD’s, digital cameras, Android phones or tablets, or anything else that can be plugged into a Mac. OS X does not even necessarily have to be able to mount the device (so it can work on devices which do not show up in the Finder). It will work on anything that appears in Disk Utility. (Technically speaking: The only requirement is that OS X provides a POSIX node, for example /dev/rdisk3. Therefore you may be surprised to find that it will recover data from devices that you never even considered, because the device does not show up as a volume. One way you can get the data off such a device is by using something like Mac Data Recovery Guru on it even if you have not got any deleted files on it, because it can recover non-deleted files as well).

The way deleted file recovery software works these days is by reading every byte on the volume, and as it reads through it searches every byte on the disk for common patterns in each individual filetype that it supports (or for patterns in general, for example it can recover all ASCII text). If it encounters the start of a recognizable file it will record the location of that, and then search for whatever middle parts of the file that it can, and search for the end of it to finish it. Once it has a good idea of what the entirety of the file is, it will provide a real thumbnail preview of that file, and display it as an option to be recovered.

This happens in parallel, with different file alternative possibilities for the same data segments on the disk being interpreted and offered as different files, and this can occur thousands of times per second . Multiple file outputs for the same data segment on the disk is necessary, because often files will be embedded inside each other, with each interpretation of the data as a file being equally valid, but distinct. (For example, jpegs embedded inside a PDF will be offered as individual jpegs, but that will not interfere with the PDF also being displayed and recoverable as a file itself, with the embedded jpegs included.)

While the premise of this form of file recovery is simple and making a prototype is easy, outputting good results from such a chaotic environment is when it becomes a science and an art form and require years of refinement and development. No less than 5 years of research and development has been put into our main product for example. And that’s not moving slowly.

In this paradigm of data recovery each file is its own universe. Some files such as jpegs have a beginning, a middle and an end. This is quite a simple filetype in that sense. Others are very different. An MP3 for example, is a nebulous entity. While scanning through the bytes on a disk, MP3 frames can be found wholly or partly pretty much anywhere on a disk, and if you’re the file recovery program it can be hard to know whether you are within an MP3 or not. But it’s the file recovery software’s job to find the fragments, determine if they are clumped together as a single sound file or multiple, and even parse out the ID3 information in order to correctly preserve it so that the album artwork and song name are correctly displayed after the files are recovered. If you try the software you will see that somehow it does this, and remarkably, does so perfectly.

The most challenging aspect of this approach is that the names that the files were arbitrarily named on the filesystem are often lost, because that is stored in the filesystem itself. We do our best to overcome this limitation by displaying live thumbnail previews of all the deleted files (not an easy feat!), and allowing quick recovery of entire file types in order to later search through them with the OS X Finder and Spotlight.

Steps to take the moment you realize you lost some important data

The first thing to do is assess how much risk you are at. If you have just deleted a single small document, chances are very good that you’ll get it back even if you’re very casual about everything. Performing steps one and two listed below are optional in this case, and probably wont really make a difference. If you lose many files, or one very big file, this is when it is more appropriate to start acting like you’re in a forensics situation, and following steps one and two below would be highly recommendable.

Step one (Optional): Stop using the disk of that Mac as soon as possible. If it is the start up disk, then stop using that Mac at all. If your computer is downloading or copying anything onto the disk, stop that process. Close your email clients and any programs that may write to the disk, but do not take any unnecessary actions either. Do the minimum to the computer to put it into a position where it will write as little to the disk as possible in the near future. It is not necessary to shut it down.

Step Two (Optional): Download a data recovery program. Again, it is preferable to download it to a disk that is not that which you will be recovering data from, because downloading the data recovery program itself is writing to the disk. If the data recovery program is small in size (say less than 5MB), this is not such an issue, because writing say 5MB to a disk with thousands of MB of space on it stands a very low risk of writing over the exact piece of data that you want to recover. Mac Data Recovery Guru is very small in size, so there is little concern if you are downloading this program.

Step Three: Run the data recovery program. Preferably have a second disk or USB device ready to recover the files you want back to (if you are recovering a single small file, chances are this won’t strictly be necessary). You will get a warning from the software if you are recovering the file to the same disk you are recovering it from.

 

(Side note: As strict as the suggested steps shown above may be, we recommend them because technically this is the optimal way of ensuring that you have the very best possibility of recovering the data that you want back. Ironically however, if you download the data recovery software and have a look at the deleted files it shows you, you will most likely see that it lists hundreds of thousands of deleted files, even from years ago. People are generally amazed as they browse through the deleted files it shows them, seeing files which they would never have thought would still be present on their system. Go ahead and take a look even if just for curiosity’s sake, or to get an appreciation of the power of digital forensics technology. It’s easy and free, and may really surprise you.)

If you are using Mac Data Recovery Guru, it is often better to allow the scan to completely finish, select the folders of the filetypes you want back (hold down the command key to select multiple folders), then hit Recover to recover entire folders of filetypes you want back, and then search through for specific files using Spotlight or the Finder. This can be quicker and easier than searching through the files using the data recovery software itself. The demo is useful to ensure that the files that you want back are recoverable and visible within the program beforehand.

Now, the first step is to download some data recovery software to see what it can see on your disk.

Download Mac Data Recovery Guru