March 01, 2003
- Ease of Use:
- Value for Money:
- Overall Rating:
Retrieves files that have fallen through the safety net of the recycle bin or have been deleted maliciously by viruses or users.
Potential to restore virus-infected files that have been deleted by some on-demand anti-virus scanners. No version for more established operating systems such as DOS or Win9x.
A useful, although a little expensive, program for recovering some files that may just pay for itself the first time you use it.
The problem of recovering accidentally deleted files was solved largely by the implementation of the recycle bin in Windows - allowing users simply to select 'Restore' from the right-click menu. However, there are a number of users that will, without thinking about what they are doing, automatically empty the recycle bin or even use a utility that does it for them at the end of each session. In addition to this, some viruses delete files, bypassing the safety-net of the recycle bin and of course, some malicious users will deliberately remove certain files. In response to this, O&O Software GmbH has written O&O UnErase which provides the user with a means of recovering such files.
O&O UnErase installs quickly and easily from the CD-ROM and on first use, requires the user to input the license details although, if you have obtained the program from the web site and wish to trial it first, there are options that allow you to use it as a trial or to buy it online which will result in the license details being sent to you. The program requires Microsoft Windows NT 4.0 Workstation, Server /Terminal Server (at least service pack 6); Microsoft Windows 2000 Professional, Server /Advanced Server (all service packs), or, Microsoft Windows XP Home Edition, Professional. It will not run on other Microsoft Windows versions or on DOS.
UnErase's main window displays in its upper section, the drives that it is able to recover data from. In addition to the computer's traditional disk drives it supports Jaz and Zip drives; CompactFlash or MemoryStick cards (which must support NTFS4, NTFS5, FAT16 and FAT32 files systems). The program must run on the computer from which it is recovering data, therefore network drives, even those mapped as though they were logical drives on the current machine, cannot have data recovered from them.
With the drives displayed, the user selects the one of interest and clicks on the search icon. UnErase then displays the names of all of the deleted files it can find, along with details including file offset and type size, creation date, original location and the number of clusters that are recoverable, together with how many there were to start with. Note that this displays all files, no matter how much, if any, of them is recoverable. To tune the search more effectively, an advanced search dialogue box allows the user to specify search strings including wildcards, or date or file size, although the tab order on this form is rather peculiar. In addition to this, the user may specify what proportion of the file needs to remain intact for it to be listed - anywhere between 0 percent to display all filenames or 100 percent for a list of files only that are recoverable in their entirety.
With the files displayed, users can now tick the checkbox for each file they wish to recover, selecting where on the system the resulting files will be saved. It must be pointed out that although UnErase will not recover data from other machines on the network, it can save recovered files or the recoverable parts of them to other network machines if the user's privileges allow them to do so. It is also worth noting that UnErase will only recover data that has not been written over, and saving a file, as UnErase does when it is recovering data, may write over other data that needs recovering. It is recommended therefore that data is saved to a different partition on the drive, if not to a different physical drive or even another machine.
When the files are recovered, they are saved in the new location with the last filename they had. This can lead to a situation where files that have been deleted from the recycle bin all have very similar names of a dc107.gif, dc108.gif nature, so it could be quite a job to identify which file is the one that needed to be recovered. Still, identifying a particular .GIF that hasn't been backed up from a recovered deleted web directory is a small task compared to recovering a database, spreadsheet or other monolithic file where UnErase would pay for itself very quickly if an appropriate backup procedure had not been implemented.
If an important file has been erased on a machine that does not have O&O UnErase already installed on it, it is possible to run the program directly from the CD-ROM. There is also a wizard that allows you to create an emergency installation on a floppy disk, on which the UnErase files fit comfortably at just over 1Mb. It is also possible to use a directory on the network for the emergency installation and this also ran without any problems on the client machine used even though the network machine was running Windows 98.
Although the idea of being able to recover any file that has not been overwritten is an attractive one, there are one or two things that need to be remembered. If somebody has a machine that is set up with an on-demand virus scanner that has deleted an infected file without shredding it, that file may be recovered by O&O UnErase and as the virus scanner will not see it unless it is scanned again, the virus is in a position to do its work.
Another thing that needs to be remembered is that this program can only see what the disk drive and the BIOS show it. Therefore, it is not in a position to access and analyze the analogue magnetic data on the disk which, if it could, would give it access to data that had been written over up to around six or seven times, in the way that disk recovery services can. If an expensive-to-replace file has been erased and written over and it does need to be recovered, analysis of the analogue magnetic data may prove to be worthwhile.
Overall, O&O UnErase provides an easy to use GUI that allows the user to recover data that has slipped through all of the safety nets for one reason or another and, although a little expensive, may prove worth the investment with the first file it recovers.
SC Webcasts UK
Information Security Manager
Infosec People - Hammersmith, West London
Junior Penetration Tester, Hertfordshire, to £35k + benefits
Infosec People - England, Hertfordshire
Cyber Security Architect
CYBER EXECS - London (Greater)
SOC Analyst, Aldershot, £47-56k + package
Infosec People - Hampshire, England, Aldershot
Senior Security Engineer
Loveworklife Recruitment - United Kingdom
Sign up to our newsletters
SC Magazine UK Articles
- Tesco Bank allegedly ignored warnings of hack from Visa
- Investigatory Powers and Digital Economy Bills could threaten economy
- Updated: A million German routers knocked offline by failed Mirai botnet attack
- Gooligan ad fraud malware infects 1.3M Android users, installs over 2M unwanted apps
- Microsoft update left Azure Linux virtual machines open to hacking
- SC Awards Europe 2016 winners announcements!
- ISIS radicalises 'lone wolves' through strong social media presence
- Updated: How will Brexit affect the cyber-security industry in UK and Europe?
- 9.2 million medical records for sale on darkweb
- Microsoft Office 365 hit with massive Cerber ransomware attack, report
- ICYMI: Tesco warned; IP Bill threatens economy; German routers offline; Azure trojan; Gooligan fraud
- Data centres are on the move - where will they end up?
- 90% of ITDMs believe IAM is crucial to digital transformation success
- Research: Hacked companies could see customer exodus if breached
- Misconfigured drive exposes locations of explosives used by oil industry