Have you ever accidentally deleted a file and then regretted it? We’ve all done just that at some point! So the question is: how do you recover a deleted file? Under Linux, and especially under Ubuntu, this question can be answered with two words: TestDisk’s PhotoRec. It is a recovery tool that is both open source and free. In this tutorial, we will examine TestDisk’s PhotoRec in depth.
Photorec
PhotoRec is a recovery tool that can recover deleted files such as videos, documents and archives from hard drives, CD-ROMs and digital camera memory. In fact, PhotoRec can be used in conjunction with hard drives, CD-ROMs, memory cards (CompactFlash, Memory Stick, Secure Digital/SD, SmartMedia, Microdrive, MMC, etc.), USB memory drives, DD raw image, EnCase E01 image, etc. PhotoRec recovers your lost files even if the file system has been corrupted or even reformatted. However, you must be careful not to overwrite the deleted files and for this reason you must not write anything to the hard drive.
PhotoRec is a free, open-source tool available for DOS/Windows 9x, Windows 10/8.1/8/7/Vista/XP, Windows Server 2016/2012/2008/2003, Linux, FreeBSD, NetBSD, OpenBSD, Sun Solaris and Mac OS X.
PhotoRec can recover files from FAT, NTFS, exFAT, ext2/ext3/ext4 and HFS+ file systems. In addition, it can recover ZIP, Office, PDF, HTML and JPEG files and various other graphic file formats. In fact, it can recover over 480 file extensions.
Install and use Testdisk/Photorec
PhotoRec is part of TestDisk. You can download TestDisk from https://www.cgsecurity.org/wiki/TestDisk_Download and install it manually. However, you can also download it from the repository.
sudo photorec
You need root privileges to run photorec. When you first type “sudo photorec”, you will be greeted with a page that gives details about the available media. You can use the up/down arrow keys to navigate the page, and once you have made your selection, select “Continue” and press Enter.
Once you have selected your media, you can select the source partition.
In the source partition selection panel, you can select the partition where the lost file is located. You can also choose “Options” to change the search options, and “File Opt” can be used to choose the type of file you want to recover. In fact, the File Opt option comes with over 480 extensions. Once you’ve selected the partition you want, choose “Find” and press Enter.
After the partition selection is made, you need to choose the file system type. The author of the tool states that if it is an ext2/ext3/ext4 filesystem, that option should be selected; otherwise, select “other”.
In my case, it’s a Linux filesystem, so I choose the [ext2/ext3] file system.
Next, you can choose where to save the recovered files. If you are saving to an external hard drive, it may be available through the /media, /mnt, or /run/media directories. It is recommended to mount the drive if you wish. The author of the tool has included two warnings (https://www.cgsecurity.org/testdisk.pdf):
— WARNING: The recovered files should not be saved in the source file system. The deleted files can be overwritten and thus lost forever.
— WARNING: Do not select a FAT32 file system for saving as it cannot handle files larger than 4GB.
When you have selected the correct target, press the “C” key.
Then the files will be restored and saved to the specified destination.
All recovered files will be placed in subdirectories named recup_dir* (recup_dir.1, recup_dir.2, etc.). Please note that if you interrupt the recovery process, the next time you start photorec you will be asked if you want to continue where you left off.
The filenames within the subdirectories start with a letter, followed by 7 or more digits and finally end with an extension. The files are marked as follows:
b=broken
t=jpeg embedded thumbnail
For example, a file might be named f1234567.txt. The seven-digit number is calculated by the computer (file location minus partition offset divided by sector size). Also, each folder contains at most 500 files (a new subfolder is created when there is no more space in a single subfolder).
Although there are many benefits to using PhotoRec, such as recovering from damaged file systems and newly formatted systems, there is a disadvantage. Personally, I didn’t find it easy to sift through the files found. It cannot specifically find a single isolated file. Rather, it just restores everything with the extensions you specified and lists them without name tags. This means that the original name of the file is not preserved and many files are retrieved. So it’s horrible to search every file to find a specific file! All files are renamed, and to find the file you want you have to search them all. In my case I believe it found a 4- or 5-digit number of files (e.g. 5000 files), so searching through them manually is not realistic anyway. Ok, assuming there will be thumbnails for JPEGs and other graphics, I still think the renaming of the files and the huge number of files found make it difficult to find that one file we deleted.
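One way to narrow down PhotoRec's output, as an added example that is not part of the original tutorial or of TestDisk: it parses the recup_dir file names described above, inverts the offset formula, skips broken files, drops duplicate content and keeps only files of the wanted extension that contain a keyword. The 512-byte sector size, the “f” marker for regular files (inferred from the f1234567.txt example) and the sample names and contents are assumptions.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Marker letter + 7 or more digits; "f" (regular file) is an assumption.
NAME_RE = re.compile(r"^([fbt])(\d{7,})")

def parse_name(name, sector_size=512, partition_offset=0):
    """Return (marker, byte offset on the device), or None for other names."""
    m = NAME_RE.match(name)
    if m is None:
        return None
    # Inverse of the tutorial's formula; sector_size=512 is an assumed default.
    return m.group(1), int(m.group(2)) * sector_size + partition_offset

def triage(root, extensions, keyword=None):
    """Scan root/recup_dir.*; return sorted (offset, path, sha256) candidates."""
    seen, hits = set(), []
    for path in sorted(Path(root).glob("recup_dir.*/*")):
        parsed = parse_name(path.name)
        if parsed is None or not path.is_file():
            continue
        marker, offset = parsed
        if marker != "f" or path.suffix.lstrip(".").lower() not in extensions:
            continue  # skip broken files, thumbnails and unwanted types
        data = path.read_bytes()  # read-only; fine for document-sized files
        digest = hashlib.sha256(data).hexdigest()
        if digest in seen:
            continue  # same content recovered more than once
        seen.add(digest)
        if keyword is None or keyword.lower() in data.lower():
            hits.append((offset, path, digest))
    return sorted(hits)

def demo():
    """Run triage over a constructed sample tree (names and contents made up)."""
    with tempfile.TemporaryDirectory() as tmp:
        d1, d2 = Path(tmp, "recup_dir.1"), Path(tmp, "recup_dir.2")
        d1.mkdir()
        d2.mkdir()
        (d1 / "f0001024.txt").write_bytes(b"Quarterly budget draft v2")
        (d1 / "b0002048.txt").write_bytes(b"Quarterly bud")  # broken
        (d2 / "f0008192.txt").write_bytes(b"Quarterly budget draft v2")  # dup
        (d2 / "f0016384.txt").write_bytes(b"shopping list")
        return [(off, p.name) for off, p, _ in triage(tmp, {"txt"}, b"budget")]

if __name__ == "__main__":
    print(demo())
```

Point triage() at the destination directory chosen in PhotoRec, never at the source file system, and pass the disk's real sector size and partition offset to parse_name() if the byte offsets matter.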
We’ve all slipped up at one point or another, whether by using the rm command to remove an important file or by emptying the Recycle Bin and permanently deleting the files inside. We then searched everywhere for file recovery tools, and there are quite a few for Linux. Some of them are GUI tools, some are not. Anyway, the point is that there are many tools out there for file recovery, and one of them is TestDisk’s PhotoRec. PhotoRec can recover files from damaged and/or reformatted systems. Additionally, it can recover deleted files from various media including digital cameras, CD-ROMs, and USB flash drives (among others). The process is fairly easy if you can properly navigate through the pages that are presented.
Happy coding!