PhotoRec Step By Step

From CGSecurity
Jump to: navigation, search

En.png english version De.png deutsche Version Es.png versión español Fr.png version française It.png versione italiana Pt.png versão português Ro.png versiunea română Ru.png Русская версия


This Recovery example guides you through PhotoRec step by step to recover deleted files or lost data from a reformatted partition or corrupted file system. For lost/deleted partitions or deleted files from a FAT or NTFS file system, try TestDisk first - it's usually faster and TestDisk can retrieved the original file names. Translations of this PhotoRec manual to other languages are welcome.

Run PhotoRec executable

If PhotoRec is not yet installed, it can be downloaded from TestDisk Download. Extract the files from the archive including the sub-directories.

To recover files from hard disk, USB key, Smart Card, CD-ROM, DVD, etc., you need enough rights to access the physical device.

  • dos.png Under DOS, run photorec.exe
  • win.png Under Windows, start PhotoRec (ie testdisk-6.13/photorec_win.exe) from an account in the Administrator group. Under Windows Vista or later, right click photorec_win.exe and then click Run as administrator to launch PhotoRec.
  • linux.png Under Unix/Linux/BSD, you need to be root to run PhotoRec (ie. sudo testdisk-6.13/photorec_static)
  • macosx.png Under Mac OS X, start PhotoRec (ie testdisk-6.13/photorec). If you are not root, PhotoRec will restart itself using sudo after a confirmation on your part. Sudo will ask for a password - enter your Mac OS X user password.
  • os2.png Under OS/2, PhotoRec doesn't handle physical devices, only disk images. Sorry.

To recover files from a media image, run

  • photorec image.dd to carve a raw disk image
  • photorec image.E01 to recover files from an Encase EWF image
  • photorec 'image.???' if the Encase image is split into several files.
  • photorec '/cygdrive/d/evidence/image.???' if the Encase image is split into several files in the directory d:\evidence

linux.png macosx.png Most devices should be autodetected including Linux software RAID (that is, /dev/md0) and file system encrypted with cryptsetup, dm-crypt, LUKS or TrueCrypt (ie. /dev/mapper/truecrypt0). To recover files from other devices, run photorec device.

Forensics users can use the parameter /log to create a log file named photorec.log; it records the location of the files recovered by PhotoRec.

Disk selection

PhotoRec startup.png

Available media are listed. Use up/down arrow keys to select the disk that holds the lost files. Press Enter to proceed.

macosx.png If available, use the raw device, /dev/rdisk* instead of /dev/disk* for faster data transfer.

Source partition selection

PhotoRec src.png

Choose

  • Search after selecting the partition that holds the lost files to start the recovery,
  • Options to modify the options,
  • File Opt to modify the list of file types recovered by PhotoRec.

PhotoRec options

PhotoRec options.png
  • Paranoid By default, recovered files are verified and invalid files rejected.

Enable bruteforce if you want to recover more fragmented JPEG files, note it is a very CPU intensive operation.

  • Allow partial last cylinder modifies how the disk geometry is determined - only non-partitioned media should be affected.
  • The expert mode option allows the user to force the file system block size and the offset. Each filesystem has his own block size (a multiple of the sector size) and offset (0 for NTFS, exFAT, ext2/3/4), these value are fixed when the filesystem has been created/formated. When working on the whole disk (ie. original partitions are lost) or a reformated partition, if PhotoRec has found very few files, you may want to try the minimal value that PhotoRec let you select (it's the sector size) for the block size (0 will be used for the offset).
  • Enable Keep corrupted files to keep files even if they are invalid in the hope that data may still be salvaged from an invalid file using other tools.
  • Enable Low memory if your system does not have enough memory and crashes during recovery. It may be needed for large file systems that are heavily fragmented. Do not use this option unless absolutely necessary.

Selection of files to recover

PhotoRec files.png

In FileOpts, enable or disable the recovery of certain file types, for example,

[X] riff RIFF audio/video: wav, cdr, avi
...
[X] tif  Tag Image File Format and some raw file formats (pef/nef/dcr/sr2/cr2)
...
[X] zip  zip archive including OpenOffice and MSOffice 2007

The whole list of file formats recovered by PhotoRec contains more than 320 file families representing more than 200 file extensions.

File system type

PhotoRec filesystem.png

Once a partition has been selected and validated with Search, PhotoRec needs to know how the data blocks are allocated. Unless it is an ext2/ext3/ext4 filesystem, choose Other.

Carve the partition or unallocated space only

PhotoRec free.png

PhotoRec can search files from

  • from the whole partition (useful if the filesystem is corrupted) or
  • from the unallocated space only (available for ext2/ext3/ext4, FAT12/FAT16/FAT32 and NTFS). With this option only deleted files are recovered.

Select where recovered files should be written

PhotoRec dst.png

Choose the directory where the recovered files should be written.

  • dos.png win.png os2.png To get the drive list (C:, D:, E:, etc.), use the arrow keys to select .., press the Enter key - repeat until you can select the drive of your choice. Validate with Yes when you get the expected destination.
  • linux.png File system from external disk may be available in a /media, /mnt or /run/media sub-directory. Mount your destination drive if necessary.
  • macosx.png Partitions from external disk are usually mounted in /Volumes.

Recovery in progress

PhotoRec running.png

Number of recovered files is updated in real time.

  • During pass 0, PhotoRec searches the first 10 files to determine the blocksize.
  • During pass 1 and later, files are recovered including some fragmented files.

Recovered files are written in recup_dir.1, recup_dir.2... sub-directories. It's possible to access the files even if the recovery is not finished.

Recovery is completed

PhotoRec end.png

When the recovery is complete, a summary is displayed. Note that if you interrupt the recovery, the next time PhotoRec is restarted you will be asked to resume the recovery.

  • Thumbnails found inside pictures are saved as t*.jpg
  • If you have chosen to keep corrupted files/file fragments, their filenames will beginning by the letter b(roken).
  • Hint: When looking for a specific file. Sort your recovered files by extension and/or date/time. PhotoRec uses time information (metadata) when available in the file header to set the file modification time
  • After Using PhotoRec: Some ideas to sort recovered files or repair broken ones.
  • win.png You may have disabled your live antivirus protection during the recovery to speed up the process, but it's recommended to scan the recovered files for viruses before opening them - PhotoRec may have undeleted an infected document or a trojan.

Donation
Please support the project
with your donations.