Data recovery: what to do (and what NOT to do) when everything just broke

The drive is clicking, the laptop won't boot, your phone was stolen, you formatted the wrong USB, or a .lockbit cipher just turned your whole accounting into garbage. The difference between recovering 95% of your data and losing everything is decided in the first 30 minutes — before you open anything, plug anything in, or "try one quick thing."

A few months ago a real-estate client called me on a Saturday night: "The server drive is making a weird sound and we can't open anything." When I got there, the HDD was doing the classic click of death. The person on site, trying to "fix it," had powered it on and off five times in a row, run chkdsk /f on boot, and then tried to clone it with some random tool downloaded off the internet. By the time I had it on my bench, the little that was still recoverable had been turned into junk. This could have been avoided.

This article is for that moment of panic. Read it before you touch anything.

First things first: what NOT to do

80% of the unrecoverable damage in data recovery isn't caused by the original failure — it's caused by what the user does next. The golden rule:

Rule zero

If your data is important and you don't have a current backup, unplug the device and don't plug it back in until you have a plan. Every minute it's powered on, every boot, every "let me try one thing" reduces your odds of recovery.

  • Stop using the drive. If it's the system drive, shut the machine down. Every write can overwrite the sectors holding your data.
  • Do not run chkdsk, fsck, or "repair drive." Those tools fix the filesystem structure at the cost of data integrity. They can permanently destroy what was still recoverable.
  • Do not reinstall the OS "to see if it boots." The installer overwrites the partition table and thousands of sectors.
  • Do not format, not even "quick." And especially not a "full format": on SSDs that triggers TRIM and wipes everything at the cell level.
  • Do not open the drive. Hard drives are assembled in rooms with fewer particles per cubic foot than an operating room. Opening one on your desk puts dust between the platters and the head — and kills any later professional recovery attempt.
  • Don't download the first "Recuva Pro" or "cracked EaseUS" Google shows. Many are malware. And even if they weren't, installing them on the very drive you're trying to recover is counterproductive.
  • Don't plug the "dead" drive as a secondary into your main PC. If it has a shorted PCB it can take your main machine down too.
  • Don't freeze the drive. Old forum myth. The condensation when it thaws finishes it off.

Step 1 — Diagnosis: logical or physical failure?

This is the most important call in the whole process. It determines whether you can try something yourself or have to go straight to a lab.

| Type | Symptoms | Typical causes | DIY? |
|---|---|---|---|
| Logical | Drive is detected and mounts, but files are missing / partitions are gone / it says "unknown filesystem" / files are corrupted. SMART is fine. | Accidental delete, format, deleted partition, filesystem corruption, ransomware, virus, power outage. | Yes, with care. |
| Physical | Drive clicks or beeps, not seen by BIOS, runs very hot, smells burned, was dropped, soaked, or hit by a power surge. | Damaged heads, scratched platters, seized motor, fried controller chip, degraded NAND in an SSD. | No. Go to a lab. |

If the BIOS doesn't see the drive or it makes mechanical noises, it's physical. Period. Don't keep trying. Each extra power-on can scratch the platters a little more and drop the recoverable percentage from 90% to 30%.

Step 2 — Logical failure: the DIY path (with care)

If you've ruled out physical failure, here's the right sequence:

2.1 — Clone before you touch

The first thing a pro does is NEVER work on the original drive. They sector-clone it (bit by bit) to another drive of equal or larger size, and work on the copy. Tools:

  • ddrescue (Linux, GNU) — the de-facto standard. Clones around bad sectors and retries them at the end. Free.
  • HDDSuperClone — similar to ddrescue with more controls and reporting.
  • R-Drive Image / Acronis True Image — commercial options that also do sector-level cloning.
  • Win32 Disk Imager — for creating a .img of a USB/SD card.
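
The ddrescue behaviour described in the list above (copy around the bad areas first, retry them at the end) corresponds to a two-pass run driven by a mapfile. The script below is an added example, not the author's own procedure: it images the source to a file on a different drive rather than to a second raw disk, and `/dev/sdX`, the paths, and the `preflight` and `clone` function names are placeholders of this example.

```sh
#!/bin/sh
# Added example (not from the article): two-pass GNU ddrescue clone to an image
# file on a different drive. /dev/sdX and the paths are placeholders.

# Size in bytes of a block device or a regular file.
size_of() {
    if [ -b "$1" ]; then blockdev --getsize64 "$1"; else wc -c <"$1" | tr -d ' '; fi
}

# Refuse to start when the clone could touch the source or cannot fit.
preflight() {   # preflight SRC IMAGE
    src=$1; img=$2; dir=$(dirname "$img")
    [ -e "$src" ] || { echo "source $src not found" >&2; return 1; }
    [ -d "$dir" ] || { echo "destination folder $dir not found" >&2; return 1; }
    [ "$(readlink -f "$src")" != "$(readlink -f "$img")" ] ||
        { echo "source and destination are the same" >&2; return 1; }
    # A mounted source is still being written to by the operating system.
    if [ -r /proc/mounts ] && grep -q "^$src[0-9p]* " /proc/mounts; then
        echo "$src or one of its partitions is mounted; unmount it" >&2; return 1
    fi
    need=$(size_of "$src")
    free_kb=$(df -Pk "$dir" | awk 'NR==2 {print $4}')
    [ $((free_kb * 1024)) -ge "$need" ] ||
        { echo "not enough free space in $dir for a full image" >&2; return 1; }
}

# clone SRC IMAGE; set DDRESCUE="echo ddrescue" to print the commands only.
clone() {
    dd=${DDRESCUE:-ddrescue}; map="$2.map"
    preflight "$1" "$2" || return 1
    # Pass 1: -n skips scraping, so the healthy areas are copied first and fast.
    $dd -n "$1" "$2" "$map" || return 1
    # Pass 2: direct access (-d), up to 3 retries (-r3) of what is still missing.
    # The mapfile records progress, so both passes can be interrupted and resumed.
    $dd -d -r3 "$1" "$2" "$map"
}

# Usage: sh clone.sh --run /dev/sdX /mnt/other-drive/disk.img
if [ "${1:-}" = "--run" ]; then clone "$2" "$3"; fi
```

Keep the `.map` file next to the image: rerunning the same command with the same mapfile resumes the clone instead of rereading areas that were already copied.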

If the drive still boots and you've only lost specific files, cloning may not be necessary — but if the drive shows fatigue signs (extreme slowness, reallocated sectors in SMART), clone it first.
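
The "reallocated sectors in SMART" sign can be read from the attribute table that `smartctl -A` prints for ATA drives. The following is an added example, not part of the original article: the sample rows are constructed, and treating attributes 5, 197 and 198 as the "clone first" trigger is an assumption of this example.

```sh
#!/bin/sh
# Added example (not from the article): "clone first" triage from the
# attribute rows of `smartctl -A` (ATA drives; NVMe output looks different).

# Constructed sample rows in the layout smartctl prints; not real drive output.
sample_smart() {
cat <<'EOF'
ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  5 Reallocated_Sector_Ct   0x0033   098   098   010    Pre-fail  Always       -       24
  9 Power_On_Hours          0x0032   071   071   000    Old_age   Always       -       21503
197 Current_Pending_Sector  0x0012   100   100   000    Old_age   Always       -       8
198 Offline_Uncorrectable   0x0010   100   100   000    Old_age   Offline      -       0
199 UDMA_CRC_Error_Count    0x003e   200   200   000    Old_age   Always       -       0
EOF
}

# Reads attribute rows on stdin and prints each non-zero sector counter.
# Exit status: 0 = all counters zero, 1 = clone before anything else,
# 2 = none of the three attributes was found (wrong input or not an ATA drive).
smart_triage() {
    awk '
        $1 == 5 || $1 == 197 || $1 == 198 {
            seen++
            # Column 10 is RAW_VALUE; "+ 0" keeps only its leading number.
            if ($10 + 0 > 0) { printf "%s=%d\n", $2, $10; bad++ }
        }
        END {
            if (!seen) { print "no sector attributes found"; exit 2 }
            exit (bad ? 1 : 0)
        }'
}

# Real use: smartctl -A /dev/sdX | smart_triage
sample_smart | smart_triage || echo "sector counters are non-zero: clone first"
```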

2.2 — Recover from the copy

These are the tools that actually work, sorted by scenario:

| Scenario | Recommended tool | Cost |
|---|---|---|
| Deleted files, no format | Recuva (Windows, simple) or PhotoRec (cross-platform, more thorough) | Free |
| Deleted partition or damaged MBR/GPT | TestDisk (same author as PhotoRec) | Free |
| Formatted drive, need full scan | R-Studio, DMDE, UFS Explorer | USD 80–250 |
| Degraded or broken RAID | R-Studio Network, UFS Explorer RAID, ReclaiMe Pro | USD 200–600+ |
| Files are there but corrupt | Format-specific tools (PST: scanpst; SQL: transaction log restore; Office: open-and-repair) | Varies |
| Camera or phone SD/microSD | PhotoRec, R-Studio | Free / USD 80 |

Critical rule

NEVER recover files back to the same drive you're recovering them from. You need a different destination drive, with enough space. Writing back to the source overwrites the very sectors you're trying to rescue.

2.3 — Special case: deleted SSD

On an SSD, once the TRIM command has swept through the deleted cells (seconds to minutes), the data is unrecoverable even forensically. If you deleted something important from an SSD, power it off immediately and unplug it. Every minute powered on is TRIM running. The success rate with SSDs is brutally lower than with HDDs.

Step 3 — Physical failure: lab, no shortcuts

If the drive clicks, isn't detected, was dropped, soaked, or was exposed to salt water (common in coastal cities with laptops), do not plug it in again. The correct steps:

  1. Shut the device down if it's on, and remove the battery if you can.
  2. If it got wet: do not plug it in to "see if it still works." Dry the outside, without opening it, and take it like that.
  3. Call a specialized lab. In Latin America there aren't many serious ones — ask whether they have a class 100 / ISO 5 clean room, not just a "closed room."
  4. Ask for a free or low-cost diagnosis, separate from the recovery work itself. Serious labs give you a success-rate range and price before charging for recovery.
  5. Accept that physical recovery costs. A lot.

What does a real lab do that your local repair shop doesn't?

  • Clean room: an environment with fewer than 100 particles per cubic foot so the drive can be opened without contaminating the platters.
  • Donor drives: identical drives by brand/model/firmware/batch to cannibalize heads or PCBs. This isn't "buy the same model on eBay" — firmware ROM, head code, and sometimes the factory batch all have to match.
  • Hardware imaging gear: PC-3000, Atola, DeepSpar. These talk to the drive at firmware level, bypassing damaged electronics or bad heads.
  • Chip-level work: on SSDs and USBs, read NAND chips directly and rebuild the FTL (Flash Translation Layer).

Cost ranges (approximate)

| Case | Approx. range | Notes |
|---|---|---|
| Logical recovery (DIY or basic tech) | USD 50–250 | If you do it yourself: just the destination drive. |
| HDD mechanical failure (head swap) | USD 600–2500 | Depends on capacity, model and donor availability. |
| SSD controller failure | USD 800–3000 | Lower success rate; many are unrecoverable. |
| Enterprise RAID | USD 1500–6000+ | Multiplies per-disk cost; needs virtual rebuild. |
| Server + clean room + rush | USD 3000–15000+ | "24h rush" can double the cost. |

Yes, those numbers are uncomfortable. And that's exactly why the best data recovery is the one you never had to do.

Special cases I see all the time

Ransomware

This isn't "data recovery" in the classic sense — the files are there, just encrypted. The only two real ways out:

  1. Restore from a clean backup that wasn't connected at the time of the attack.
  2. Check whether the ransomware variant has a public decryptor on No More Ransom (a Europol project). Sometimes you get lucky.

Paying the ransom is not recommended: in many cases they don't hand over the key, it flags the business as a payer, and it funds the next wave. I go deeper in my article on backups and continuity.

Cheap USB flash drives

Counterfeit or sketchy-brand USB drives have brutally higher failure rates than HDD/SSD. Recovering from a failed, never-backed-up USB is one of the most common requests — and one of the lowest success rates, because they often ship with defective NAND chips. I cover this in why USB drives are not for important data.

Phones

  • Android, unrooted, encryption on (default since Android 6): if the screen is broken but the phone turns on, you can usually plug an OTG keyboard/mouse or use scrcpy with USB debugging already enabled. If not, recovery is extremely hard.
  • iPhone: if you had iCloud Backup or iCloud Photos on, restore from there. Without that, no local backup on a Mac/PC, and no known passcode, it's effectively impossible.
  • The phone's SD card (mid-range Android): treat it as a regular card with PhotoRec/R-Studio.

RAID

If your RAID 5 lost two drives at the same time, do not start the rebuild without first cloning every surviving drive. Most "dead" RAIDs I receive could have been saved if no one had launched a rushed rebuild that wrote over the good disks.

The lesson I repeat until I'm tired: prevention

A successful data recovery costs between USD 600 and USD 6000. A solid backup scheme costs between USD 50 and USD 500 per year. The math is obvious, but most people only invest after the first incident.

The 3-2-1 rule (the one that actually works)

3 copies of your data, on 2 different media, with 1 copy offsite. And at least one of them immutable or offline (so ransomware crawling the network can't touch it).

  • OneDrive / Google Drive / Dropbox are NOT a backup: they're sync. If you delete a file locally, it deletes in the cloud. If ransomware encrypts it, it uploads encrypted. They have versioning, but it is limited.
  • Snapshots on your NAS (Synology, QNAP, TrueNAS) are the first layer. Immutable and fast to restore.
  • Offsite backup: Backblaze B2, Wasabi, AWS S3 Glacier, or an external drive you take to a different physical location.
  • Test your backups. A backup you've never restored isn't a backup — it's hope.
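
One way to make "test your backups" a repeatable check, as an added example that is not part of the original article: record a SHA-256 manifest of the live data when the backup is taken, then verify a test restore against it. It assumes GNU coreutils and findutils; the function and file names are this example's own.

```sh
#!/bin/sh
# Added example (not from the article): restore test with a SHA-256 manifest.
# Assumes GNU coreutils/findutils (sha256sum, sort -z, xargs -r, readlink -f).

# Print "hash  ./relative/path" for every file under DIR, sorted by path.
# Run it on the live data at backup time and store the output with the backup.
make_manifest() {   # make_manifest DIR > manifest.sha256
    ( cd "$1" && find . -type f -print0 | sort -z | xargs -0 -r sha256sum )
}

# Check a test restore against the manifest. Prints one line per missing or
# altered file and returns non-zero unless every listed file is byte-identical.
# Files that exist only in the restore are not reported.
verify_restore() {  # verify_restore MANIFEST RESTORED_DIR
    manifest=$(readlink -f "$1") || return 2
    [ -s "$manifest" ] || { echo "manifest is empty or missing" >&2; return 2; }
    ( cd "$2" && sha256sum --quiet -c "$manifest" 2>/dev/null )
}

# Usage: sh restore-test.sh --check manifest.sha256 /mnt/test-restore
if [ "${1:-}" = "--check" ]; then
    verify_restore "$2" "$3" && echo "restore matches the manifest"
fi
```

A file that ransomware encrypted before the backup ran will still pass if the manifest was taken after the damage, so keep manifests from known-good dates alongside the older backup versions.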

Recap — the correct flow

  1. Stop touching the device. Power off, unplug.
  2. Diagnose: mechanical noise, not detected, soaked, dropped? → physical, call a lab. Visible but missing files or partitions? → logical, continue.
  3. Clone the drive to another before doing anything.
  4. Recover from the copy with TestDisk/PhotoRec/R-Studio. Write rescued files to a different drive.
  5. If you're not 100% sure at any step, stop and call someone experienced. The cost of doing it wrong is much higher than the cost of a consultation.
  6. When you're done, set up the backup you should have had in the first place.

If you need help with this — diagnosis, logical recovery, mediation with a lab, or designing a serious backup plan for your business — message me on WhatsApp. I work with clients in Cartagena on-site and across Colombia remotely.