Tuesday, February 19, 2013

Recover lost data from digital media using PhotoRec

     PhotoRec is a data recovery tool designed to recover lost files from digital media such as memory cards, hard disks, and CD-ROMs.  It scans the raw disk for the traces and patterns of common file formats (images, documents, archives, songs, videos, etc.) and recovers the files it finds.  It can recover files that were deleted, as well as files from filesystems that were formatted.  We will see how to do this.
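
To illustrate the signature-based recovery described above, here is a minimal header/footer carver for JPEG data, run over a constructed in-memory "disk". It is an added example, not PhotoRec's code or algorithm; the 512-byte sector size, the function names and the sample image are assumptions.

```python
JPEG_SOI = b"\xff\xd8\xff"   # JPEG start-of-image marker plus first byte of the next marker
JPEG_EOI = b"\xff\xd9"       # JPEG end-of-image marker
SECTOR = 512                 # assumed sector size; files start on sector boundaries


def carve_jpegs(image: bytes, max_size: int = 1 << 20):
    """Return (offset, data, complete) for every JPEG header found on a sector boundary."""
    found = []
    pos = 0
    while pos < len(image):
        if not image.startswith(JPEG_SOI, pos):
            pos += SECTOR
            continue
        # Naive footer search: a real carver parses the JPEG structure, because
        # the EOI bytes can also occur inside embedded thumbnails.
        end = image.find(JPEG_EOI, pos + len(JPEG_SOI), pos + max_size)
        if end == -1:
            # Header without footer: the file was truncated or partly overwritten.
            found.append((pos, image[pos:pos + max_size], False))
            pos += SECTOR
            continue
        end += len(JPEG_EOI)
        found.append((pos, image[pos:end], True))
        pos = -(-end // SECTOR) * SECTOR   # resume at the next sector boundary
    return found


def build_sample_image() -> bytes:
    """Constructed 8-sector 'disk': one whole JPEG-like blob and one truncated one."""
    body = bytes(range(200)) * 3                   # 600 filler bytes, none of them 0xFF
    whole = JPEG_SOI + b"\xe0" + body + JPEG_EOI   # 606 bytes, spans two sectors
    cut = JPEG_SOI + b"\xe0" + body[:100]          # header only, footer lost
    img = bytearray(8 * SECTOR)                    # zero-filled, like freshly formatted space
    img[1 * SECTOR:1 * SECTOR + len(whole)] = whole
    img[6 * SECTOR:6 * SECTOR + len(cut)] = cut
    return bytes(img)


if __name__ == "__main__":
    for offset, data, complete in carve_jpegs(build_sample_image()):
        state = "complete" if complete else "truncated"
        print(f"sector {offset // SECTOR}: {len(data)} bytes, {state}")
```

The carver never consults a file allocation table or directory entry, which is why this style of recovery still works after a format, and also why original file names are not recovered.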

    Though it is a command line tool, most of PhotoRec's options are configured from an interactive UI.  The command line syntax itself is pretty simple.

photorec [/log] [/debug] [/d recup_dir] [device|image.dd|image.e01]

/log - Write the recovery activity to the log photorec.log in the current directory.
/debug - Enable debug mode while logging
/d recup_dir - PhotoRec does not save the recovered files back to the drive ( which makes it safer to use ).  Instead it creates directories in the current directory and writes the files to them.  If no name is given, the directories will be named recup_dir.1, recup_dir.2, etc.  If a directory is specified with the /d option, that name will be used instead.  The PhotoRec UI also provides an option to select a parent directory ( instead of the current directory ) under which the recup_dir(s) will be created.

     PhotoRec can be called with or without an argument.  If called with an argument, it should be either a device ( /dev/<whatever> ) or a disk image file.   If no argument is given, PhotoRec will launch the UI, auto-detect the drives/devices and prompt the user to select the drive to be recovered.

Running PhotoRec on my 16G pendrive which was formatted recently.

safeer@lin01:~$ sudo photorec /log /debug /d RECOVER_USB /dev/sdb

This will launch the PhotoRec UI in the shell.  Different options will be presented to the user on a series of screens. Let us see what options are available on each screen.  I am putting only the relevant parts of the screen over here.

* Screen 1 - Select device

Select a media (use Arrow keys, then press Enter):
>Disk /dev/sdb - 16 GB / 14 GiB (RO) - hp v220w

>[Proceed ]  [  Quit  ]


     The ">" symbol indicates your selection; use the up / down / right / left arrow keys to change it.  When all the needed options on a screen are selected, press "Enter" or Proceed.

     Here I am selecting the USB disk.  It is already selected since I provided it as an argument to PhotoRec.  If the drive was not provided in advance, an option to select from the available media in the system would pop up ( see below ).

safeer@lin01:~$ sudo photorec /log /debug /d RECOVER_USB


Select a media (use Arrow keys, then press Enter):
>Disk /dev/sda - 250 GB / 232 GiB (RO) - HITACHI HTS723225L9SA61  FDE
 Disk /dev/sdb - 16 GB / 14 GiB (RO) - hp v220w

>[Proceed ]  [  Quit  ]


This screen is showing my laptop hard disk as well, and I have to use the down arrow key to select the USB drive.

* Screen 2 - Select partition


 Disk /dev/sdb - 16 GB / 14 GiB (RO) - hp v220w

     Partition                  Start        End    Size in sectors
      No partition             0   0  1 15295  63 32   31326208 [Whole disk]
> 1 P FAT32 LBA                1   0  1 15295  63 32   31324160 [BACKUP_USB_]

>[ Search ]  [Options ]  [File Opt]  [  Quit  ]


Here, PhotoRec will detect and list all the partitions within the selected drive ( in this case only one ).  You can select either a partition or the whole drive, depending on whether you know exactly where your lost files are.  At the bottom of the screen you can see the options Search/Options/File Opt.  Selecting Search will take you to the next screen.  Selecting Options will give you a few configurable parameters that affect how PhotoRec does the recovery.  File Opt is where you can select what types of files to look for.  If you know what file type ( jpg, pdf .. ) you are looking for, this option will be very helpful.

* Screen 2.1 - Options

 Paranoid : Yes (Brute force disabled)
 Allow partial last cylinder : No
 Keep corrupted files : No
 Expert mode : No
 Low memory: No
>Quit


* Screen 2.2 File Opts

PhotoRec will try to locate the following files

>[ ]      Own custom signatures
 [X] 1cd  Russian Finance 1C:Enterprise 8
 [X] 7z   7zip archive file
.......output truncated.........
 [X] dex  Dalvik
 [X] diskimage SunPCI Disk Image
    Next
Press s for default selection, b to save the settings
>[  Quit  ]


* Screen 3 - Select filesystem type

 1 P FAT32 LBA                1   0  1 15295  63 32   31324160 [BACKUP_USB_]

To recover lost files, PhotoRec need to know the filesystem type where the
file were stored:
 [ ext2/ext3 ] ext2/ext3/ext4 filesystem
>[ Other     ] FAT/NTFS/HFS+/ReiserFS/...


    Here you can select the filesystem type in which the files to be recovered were stored prior to deletion/formatting.   Press Enter after selection.

* Screen 4 - Choose whether to analyse only the free space in the disk or the whole disk.


 1 P FAT32 LBA                1   0  1 15295  63 32   31324160 [BACKUP_USB_]


Please choose if all space need to be analysed:
>[   Free    ] Scan for file from FAT32 unallocated space only
 [   Whole   ] Extract files from whole partition



* Screen 5 - Destination directory selection

     This screen will be displayed only if the "/d" option was not given on the command line.  It will list all directories under the current directory.  You can choose a destination from that list.  If you want to use this option, it is better to create a destination directory in the current working directory in advance.

     Please select a destination to save the recovered files.
Do not choose to write the files to the same partition they were stored on.


Keys: Arrow keys to select another directory
      C when the destination is correct
      Q to quit
Directory /home/safeer
>drwx------  1000  1000     32768 14-Mar-2013 20:14 .
 drwxr-xr-x     0     0      4096 17-Jan-2013 20:22 ..
 drwx------  1000  1000      4096  1-Jan-2012 22:41 Audio
.......


* Screen 6.1 - Recovery - running phase

Disk /dev/sdb - 16 GB / 14 GiB (RO) - hp v220w
     Partition                  Start        End    Size in sectors
     No partition             0   0  1 15295  63 32   31326208 [Whole disk]


Pass 1 - Reading sector   15888406/31326208, 7653 files found
Elapsed time 0h06m00s - Estimated time to completion 0h05m49
cab: 6012 recovered
txt: 662 recovered
tx?: 353 recovered
exe: 351 recovered
mp3: 197 recovered
bmp: 38 recovered
ico: 11 recovered
gif: 7 recovered
doc: 4 recovered
chm: 2 recovered
others: 16 recovered

Stop


* Screen 6.2 - Recovery - final state

Disk /dev/sdb - 16 GB / 14 GiB (RO) - hp v220w
     Partition                  Start        End    Size in sectors
     No partition             0   0  1 15295  63 32   31326208 [Whole disk]


8214 files saved in RECOVER_USB directory.
Recovery completed.


All the recovered files will be saved under directories RECOVER_USB.*

safeer@lin01:~$ ls -ld RECOVER_USB*
drwxr-xr-x 2 root root  4096 Mar 14 11:27 RECOVER_USB.1
drwxr-xr-x 2 root root 20480 Mar 14 11:32 RECOVER_USB.10
drwxr-xr-x 2 root root 20480 Mar 14 11:32 RECOVER_USB.11
....output truncated..................
drwxr-xr-x 2 root root 20480 Mar 14 11:32 RECOVER_USB.7
drwxr-xr-x 2 root root 20480 Mar 14 11:32 RECOVER_USB.8
drwxr-xr-x 2 root root 20480 Mar 14 11:32 RECOVER_USB.9


To find the files of a particular type, say jpg, use the find command.

safeer@lin01:~$ find RECOVER_USB.* -name "*.jpg"
RECOVER_USB.1/f0039072.jpg
RECOVER_USB.1/f0032720.jpg
RECOVER_USB.18/f31114640.jpg
RECOVER_USB.19/f0037024.jpg
RECOVER_USB.2/f0039072.jpg
RECOVER_USB.2/t0040768.jpg
RECOVER_USB.20/f0037024.jpg
RECOVER_USB.21/t0040768.jpg
RECOVER_USB.21/f0032720.jpg
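
The listing above shows the same file name under more than one recovery directory, so a useful next step is to count the recovered files by type and group identical content by SHA-256. The script below is an added example, not part of the original post or of PhotoRec; the function names and the sample tree it builds are constructed for illustration.

```python
import hashlib
import tempfile
from collections import Counter, defaultdict
from pathlib import Path


def inventory(parent: Path, prefix: str = "RECOVER_USB"):
    """Hash every file under <prefix>.N; return (count per extension, duplicate groups)."""
    by_ext = Counter()
    by_hash = defaultdict(list)
    for directory in sorted(parent.glob(prefix + ".*")):
        if not directory.is_dir():
            continue
        for path in sorted(directory.iterdir()):
            if not path.is_file():
                continue
            by_ext[path.suffix.lstrip(".").lower() or "(none)"] += 1
            digest = hashlib.sha256()
            with path.open("rb") as handle:
                # Read in 1 MiB chunks so large recovered files do not fill memory.
                for chunk in iter(lambda: handle.read(1 << 20), b""):
                    digest.update(chunk)
            by_hash[digest.hexdigest()].append(path.relative_to(parent).as_posix())
    duplicates = sorted(paths for paths in by_hash.values() if len(paths) > 1)
    return by_ext, duplicates


def demo():
    """Build a constructed tree shaped like the listing above and inventory it."""
    files = {
        "RECOVER_USB.1/f0039072.jpg": b"constructed-jpeg-A",
        "RECOVER_USB.1/f0032720.jpg": b"constructed-jpeg-B",
        "RECOVER_USB.2/f0039072.jpg": b"constructed-jpeg-A",   # same bytes as in .1
        "RECOVER_USB.2/f0000100.txt": b"constructed text",
    }
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, data in files.items():
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
        return inventory(root)


if __name__ == "__main__":
    counts, dups = demo()
    print(dict(counts))
    print(dups)
```

To run it against a real recovery, call `inventory(Path("."))` from the directory that holds the RECOVER_USB.* directories.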
