Site icon Dipin Krishna

Recover deleted files in linux using Photorec easily

PhotoRec is file data recovery software designed to recover lost files including video, documents and archives from Hard Disks and CDRom and lost pictures (thus, its ‘Photo Recovery’ name) from digital camera memory. PhotoRec ignores the filesystem and goes after the underlying data, so it will still work even if your media’s filesystem has been severely damaged or re-formatted.
For more safety, PhotoRec uses read-only access to handle the drive or memory support you are about to recover lost data from. Important: As soon as a pic or file is accidentally deleted, or you discover any missing, do NOT save any more pics or files to that memory device or hard disk drive; otherwise you may overwrite your lost data. This means that even using PhotoRec, you must not choose to write the recovered files to the same partition they were stored on.

FAT, NTFS, ext2/ext3/ext4 filesystems store files in data blocks (also called clusters under Windows). The cluster or block size remains at a constant number of sectors after being initialized during the formatting of the filesystem. In general, most operating systems try to store the data in a contiguous way so as to minimize data fragmentation. The seek time of mechanical drives is significant for writing and reading data to/from a hard disk, so that’s why it’s important to keep the fragmentation to a minimum level.

When a file is deleted, the meta-information about this file (filename, date/time, size, location of the first data block/cluster, etc.) are lost; e.g., in an ext3/ext4 filesystem, the names of deleted files are still present, but the location of the first data block is removed. This means the data is still present on the filesystem, but only until some or all of it is overwritten by new file data.

To recover these ‘lost’ files, PhotoRec first tries to find the data block (or cluster) size. If the filesystem is not corrupted, this value can be read from the superblock (ext2/ext3/ext4) or volume boot record (FAT, NTFS). Otherwise, PhotoRec reads the media, sector by sector, searching for the first ten files, from which it calculates the block/cluster size from their locations. Once this block size is known, PhotoRec reads the media block by block (or cluster by cluster). Each block is checked against a signature database; which comes with the program and has been growing in the type of files it can recover ever since PhotoRec’s first version came out.

For example, PhotoRec identifies a JPEG file when a block begins with:

* 0xff,0xd8,0xff,0xe0
* 0xff,0xd8,0xff,0xe1
* or 0xff,0xd8,0xff,0xfe

If PhotoRec has already started to recover a file, it stops its recovery, checks the consistency of the file when possible and starts to save the new file (which it determined from the signature it found).

If the data is not fragmented, the recovered file should be either identical; or possibly larger than the original file, in size. In some cases, PhotoRec can learn the original filesize from the file header, so the recovered file is truncated to the correct size. If, however, the recovered file ends up being smaller than its header specifies, it is discarded. Some files, such as *.MP3 types, are data streams. In this case, PhotoRec parses the recovered data, then stops the recovery when the stream ends.

When a file is recovered successfully, PhotoRec checks the previous data blocks to see if a file signature was found but the file wasn’t able to be successfully recovered (i.e., the file was too small), and it tries again. This way, some fragmented files can be successfully recovered.

More Info
Step By Step procedure on how to use PhotoRec (with screen shots).

Installation on Linux
To install Photorec on ubuntu simply type :

sudo apt-get install testdisk

On fedora/CetOS :

yum install testdisk

Official Website: http://www.cgsecurity.org/wiki/PhotoRec

Exit mobile version