Recover Deleted Files Easily with PhotoRec


While most of us do regular back-ups of important data, some just postpone the back-up date until that dreaded day arrives—unexpectedly, in the blink of an eye, you suddenly realise all that precious data you gathered over months, has disappeared. Maybe it was just ‘the wrong key’ that got pressed. Well, it’s time to start pulling your hair out and sweating profusely. May the Lord rescue you if your boss has a bad temper.

Well don’t lose hope; there’s PhotoRec to the rescue. A huge list of 140 different file types like JPEG, MID, SQLite, Real Audio, MP3, .doc, Macromedia, .exe, .flv, VMware images, .chm, .bz2, Autocad, RAR, Adobe Photoshop images, etc, are supported. This tutorial will help you in recovering your data without emptying your pockets—and hey, I hope it’ll put the smile back on your face once you’re out of your dire straits. However, you will have to spend some time searching for that important file.

PhotoRec is an open source multi-platform application distributed under the GPL. It is a companion program to TestDisk, an application for the recovery of lost partitions for a variety of file systems and to make disks bootable again.
Apart from Linux, PhotoRec supports the following operating systems:

  • DOS/Win9x
  • Windows NT 4/2000/XP/2003/Vista
  • FreeBSD, NetBSD, OpenBSD
  • Sun Solaris
  • Mac OS X
  • UNIX

PhotoRec can recover lost files from the following file systems:

  • FAT/FAT32
  • NTFS
  • EXT2/EXT3
  • HFS+
  • ReiserFS (does not work very well with this file system)

Getting PhotoRec

While most distributions include TestDisk (which, in turn, has PhotoRec) in their repositories, you can download the source file or the RPM for your distro from www.cgsecurity.org/wiki/TestDisk_Download. Alternatively, you can go for PartedMagic (~ 90 MB in size), which contains TestDisk and a host of other utilities. This is available at SourceForge.net.

The road to recovery

You can use PhotoRec to recover data or pictures that have been deleted from a pen drive. You can also recover data from a partition of a hard disk and save it to another partition on the same disk. The only condition is that the partition to which data will be saved should be equal to or larger than the partition from which data will be recovered.

You will require a card reader for digital camera flash drives. Hard disks require a suitable USB enclosure. Alternatively, you can connect hard disks to an internal slot.

Step 1

Create a directory called photorec_files where PhotoRec will save files. Connect the flash/hard disk drive to your USB port/internal port (or just select your internal drive if you want to recover data from a partition) and fire up PhotoRec from the terminal as the superuser:

[root@localhost ~]# photorec

PhotoRec will display all your hard disks and USB drives. Choose the drive from which data needs to be recovered (Figure 1).

Figure 1: Choose the drive from which data has to be recovered

Step 2

Next, choose the partition table type (Figure 2). PhotoRec supports a number of partition table types: Intel/PC, Apple, Sun Solaris, XBox, EFI GPT partition and ‘None’ partition types. Choose the Intel/PC type, which most of us use anyway. Even if you have a single partition, do not choose the ‘None’ option.

Figure 2: Choose the partition type

Step 3

The next screen offers the option to recover data from the whole disk or to select a partition. Choose your option using the up/down arrow keys. In the case of a disk with multiple partitions, PhotoRec will display all the partitions, similar to the output of fdisk -l. Select the partition that contains the deleted data using the up/down arrow keys (Figure 3).

Figure 3: Choose the partition of a drive

Step 4

We now come to the most important step of the recovery process. Select the ‘File Opt’ option using the left/right arrow keys and press Enter. PhotoRec puts forth a huge list of about 140 different file types that can be recovered. Use the up/down arrow keys to move between entries, and use the Space bar to select [x] or unselect [ ] file types to be recovered. For instance, to recover only picture files, choose ‘jpg’, ‘gif’, ‘dsc’, etc (Figure 4). Select ‘Quit’ when done. This takes you back to the last screen. Select the ‘Search’ option.

Figure 4: Choose the file types to recover

Step 5

To recover lost/deleted files, PhotoRec needs to know the file system type your files were stored in. Options include ‘ext2/ext3’ and ‘Other’. Choose ‘Other’ for FAT, NTFS, ReiserFS, etc (Figure 5).

Figure 5: Choose the filesystem type that contains the deleted files

Step 6

The next screen gives the option of choosing between recovering data from the ‘whole partition/disk’ or from the ‘free space’ of the partition (Figure 6). This ‘free space’ has the inodes that contain the deleted data. Choose the ‘free space’ option using the up/down arrow keys.

Figure 6: Recover files from the whole partition or from free space

Step 7

PhotoRec now needs to know the destination folder to save the recovered files. In Step 1, we created a folder called photorec_files. Navigate to your path using the up/down arrow key and press Enter. Mine was /hdc6/home/nelson/photorec_files. If the path is not provided, the default directory will be /root.

Figure 7: Choose the destination to save recovered files

Your recovered files will be saved in the destination directory in a number of folders recup_dir.1, recup_dir.2, etc. In a single recup_dir, you will find zip files, doc files, jpg files, etc, if you have chosen to recover these files.

Searching for a file through those that are lost can be a real pain. You need to sort these files out. Here is what you can do to sort out zip files. Make a directory for zip files as follows:

mkdir /home/user/Zip

Now as the root user:

mv /home/user/recup_dir.1/*.zip /home/user/Zip

Alternatively, to collect the zip files from every recup_dir folder at once, issue the following command:

mv /home/user/recup_dir.*/*.zip /home/user/Zip

You can similarly repeat the steps for other file types.

Of particular interest is how to sort out picture files. Let us separate those little thumbnail pictures from your ‘real’ ones. Again, create a directory for small pictures with the code below:

mkdir ~/small_jpg

Now, as the root user, issue the following command:

find /home/user/recup_dir.1/ -name "*.jpg" -size -20k | xargs -I {} mv {} /home/user/small_jpg

This will find all jpg files smaller than 20K and move them to small_jpg.
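
The sorting steps above, combined into one shell function that walks every recup_dir.N folder (an added example, not part of the original article or of PhotoRec). The function name sort_recovered, its arguments and the recup_dir prefix it puts on each moved file are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: sort PhotoRec output (recup_dir.N folders) by file type.
# Usage: sort_recovered SRC DEST [THUMB_KB]
#   SRC      directory holding recup_dir.1, recup_dir.2, ...
#   DEST     directory that receives one sub-directory per extension
#   THUMB_KB JPEGs smaller than this many KiB go to DEST/small_jpg (default 20)
# Prints the number of files moved. Variables are global (POSIX sh has no 'local').
sort_recovered() {
    src=$1 dest=$2 thumb_kb=${3:-20}
    [ -d "$src" ] || { echo "no such directory: $src" >&2; return 1; }
    moved=0
    for f in "$src"/recup_dir.*/*; do
        [ -f "$f" ] || continue              # also skips an unmatched glob
        name=${f##*/}
        case $name in
            *.*) ext=$(printf '%s' "${name##*.}" | tr '[:upper:]' '[:lower:]') ;;
            *)   ext=no_extension ;;
        esac
        bucket=$ext
        if [ "$ext" = jpg ]; then
            size=$(($(wc -c < "$f")))        # size in bytes, whitespace stripped
            if [ "$size" -lt $((thumb_kb * 1024)) ]; then
                bucket=small_jpg             # thumbnail-sized picture
            fi
        fi
        mkdir -p "$dest/$bucket"
        # Prefix with the recup_dir name so equal file names never collide.
        dir=${f%/*}
        dir=${dir##*/}
        mv -- "$f" "$dest/$bucket/${dir}_$name"
        moved=$((moved + 1))
    done
    echo "$moved"
}
```

For example, sort_recovered /home/user /home/user/sorted would leave the zip files in /home/user/sorted/zip and the thumbnails in /home/user/sorted/small_jpg.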

The bottom line

I found almost all of my deleted photographs and various other files with a little sweat (manually opening each file till I got the one I was really looking for) using PhotoRec. Anyone looking at a launch pad for a career in forensics?

1 COMMENT

  1. Hi,
    The article is very nice. I have used photorec to recover some deleted files following the above article, but I failed.
    What I did is I created a file under /root and dumped some data into it … then deleted it using rm -rf command and ran photorec from command line, there I am not able to see the file I deleted, there it's showing only the present existing files in /root. Please someone help me out in right way.
    thnq
