Tag Archives: photorec

Recuva: File Recovery Made Easy

Loosing data whether by accident or hardware failure can be painful, however in most cases if the data in question has not been overwritten a high probability of being recovered exist. While I am a user of Photorec a command line based data carving utility, the average user in need of a recovery tool may find the command line too complicated to learn. In the end all the user wants is to get his or her pictures back from the SD card

This is where Recuva comes in, created by the company behind CCleaner. Recuva works by looking for unreferenced data, if the operating system hasn’t overwritten the marked free space a recovery can be performed. Equally important is the user friendly Windows GUI, Recuva turns the recovery operation into a simple click and wait procedure. Another nice extra feature is the ability for Recuva to securely wipe a drive using List options, rendering any recovery attempts difficult or impossible to perform on the drive.

Before Starting?

I will go over a simple data recovery procedure with Recuva, the target will be a formatted 2GB SD card containing a total of six files three JPEGs, One PDF, One Zip file, and one Executable.

The Recovery

When Recuva starts you will be given the option to use the Wizard, I rather not use the Wizard by checking on Do not who this Wizard on startup. And then clicking on Cancel.

On the top left side of the window select the drive you wish to scan from the drop down menu, and click on Scan.

Bacause the E drive was formatted it contains no visible file, Recuva will recommend you enable Deep Scan. Click on Yes, this is when Recuva starts looking for any data to be recovered.

Allow for some time, the more data you have on the drive the longer its going to take.

Out the six files Recuva found five of them: three JPGs, one PDF, and one ZIP. To recover the files, you can either check the boxes of the ones you want to recover or you can check the top box to select all discovered files and click on Recover.

Recovery Results

Most of the files were recovered. Files were numbered according to the order of recovery.

While the executable was never found I would not trust the integrity of the executable even if recovered the result might have been a corrupt file. Whenever you recover data keep in mind the file name will change, you might have to spend some time organizing the recovered data(beats having none at all).

It can’t get any easier than this, Recuva makes file recovery an easy operation. Remember to keep backups of all your data, do not rely on recovery software alone.

Recover deleted or formated data with PhotoRec

Last updated : 01/04/09

Accidents happen for example a Flash drive that might have been accidentally formatted or certain files erased from a hard drive. The good news is that as long as the data is not overwritten there is a high margin for a successful recovery. After all the recycle bin is not a secure way of destroying data by any standards.

For this article I will be using PhotoRec by CG Security, Photorec has many advantages for example it’s open source, cross platform, configurable and is relatively light while operating. The entire operation will take some time depending in size of the drive to be inspected. Do not expect the files to recovered with the original file name, instead Photorec will assign them a number. The output data should be stored on a second drive, don’t even think about about using the same drive.

The recovery technique I use is called Data Carving, I’ll let the collective knowledge explain what it means.

Data Carving is a data recovery technique that allows for data with no file system allocation information to be extracted by identifying sectors and clusters belonging to the file. Data Carving usually searches through raw sectors looking for specific desired file signatures. The fact that there is no allocation information means that the investigator must specify a block size of data to carve out upon finding a matching file signature. This presents the challenge that the beginning of the file is still present and that there is (depending on how common the file signature is) a risk of many false hits. Also, data carving requires that the files recovered be located in sequential sectors (rather than fragmented) as there is no allocation information to point to fragmented file portions. This method can be time and resource intensive.

Excerpt from Wikipedia

Download PhotoRec from CGSecurtity

PhotoRec is part of the TestDisk Suite.
http://www.cgsecurity.org/wiki/PhotoRec

Step 1

After PhotoRec starts you will be presented with all the drives PhotoRec was able to detect. For demonstration purposes I will be using a 2 GB flash drive.

Disk /dev/sdb - 2097 MB / 1999 MiB (RO) - OCZ ET1208AD

And press enter to proceed.

Step 2

Select the partition table in my case it’s.

[ Intel ] intel/PC partition

Step 3

In this case I want to inspect the whole disk for data.

D No partition        0    0    1    254 245 54  4095999 [Whole disk]

Step 4

If you noticed in the bottom of the terminal you are also presented with the following options.

[Options]  [File Opt]

You can select [Options] or [File Opt] to see the available file extensions that PhotoRec can recover, you can also unchecked the file extensions you don’t want to recover. Or configure how persistent PhotoRec should be.

Step 5

Now specify the file system on which PhotoRec will attempt to recover the data from. My USB drive was formatted to FAT32.

[ Other ]    FAT/NTFS/HFS+/ReiserFS/...

Step 6

PhotoRec is now presenting you with the option of choosing the default output directory /home/user or your own directory. You might want to create a directory just for the recovery which is usually spread across several directories.

Step 7

After selecting the output directory the recovery process will start, PhotoRec will let you know of the remaining time and number of files found.

The recovery process is done. All recovered files are enumerated.

Output

Example of the recovery, all data is spread across multiple directories. The recovered files are renamed.

Not all is lost sometimes most of the data can be recovered. Keep in mind some media files may be beyond recovery. Always back up your data and there will be no need for a recovery, otherwise I hope this article helps.

http://en.wikipedia.org/wiki/Data_recovery

Open source tools I can’t work without

Whether it’s for recovery or day to day activities open source has a lot to offer. From simple entertainment software to data recovery there are a lot of options available in the Internet. Here is a list of what I commonly use to get the job done, if you have any recommendation feel free to comment.

Testdisk

Sometimes accidents happen and partitions are deleted or the system may become un-bootable for some reason. Useful for those nasty Windows viruses which may damage the partition table.

PhotoRec

PhotoRec was design to recover data from storage media like hard disk and Flash drives alike that may have been accidentally formated or deleted. PhotoRec aims to recover common formats like PDF, HTML MP3 to name a few. When doing a recovery you might only want to recover the actual files that contain the data and not the software it used to run on.

DBAN

By far the best tool for those who want to re-use hard drives which may or may not contain sensitive data. Instead of just erasing the data DBAN rewrites random data generated by Mersenne twister or ISAAC on the hard drive multiple times. How secure it is?, well it holds several official certifications from government agencies.

Ophcrack

Useful for when the user forgets his or her password and has no other way of obtaining the password to the system. It beats other commercial tools I have used previously.

GParted

For those who boot into multiple operating systems and need to re-size the primary partition or have to re-size the partition where Windows resides. Some PC manufacturers do not provide an actual CD/DVD, instead the OS is installed in to a partition.

UNetbootin

Some tools are offered in the form of an ISO for a reason, meaning they have to burned in to a CD/DVD. UNetbootin allows a USB drive to become bootable with little effort, reducing the amount of CD/DVD’s I have to burn (waste). UNetbootin removes the hassle of having to make the ISO’s bootable, just point to the ISO and UNetbootin does the rest.

File Recovery With Photorec

Recovering files from an accidental erase or format should not be that hard, I use a tool call Photorec it makes wonders it will even recover files that have been deleted previously. I decided to use a USB flash drive for testing because its only 128MB and it would result in a faster recovery, the bigger the storage space the more time it will take to recover those files. One of the features that I like in Photorec is whether to search the entire medium or just for specific formats, also be prepare to sort between files because the software will recover previously deleted files, I always find that amazing. For more information on Photorec visit their site.

Testing equipment

128MB flash drive
2 JPEG pictures
and my desktop

The flash drive was formated to simulate and accidental erase.

Steps

  • Start Photorec, cdm appears.
  • We are going to choose our device which is being represented as /dev/sdc 123 MB, hit enter
  • In the next screen we are ask for the partition table type, I believe the most common one in this case is Intel/PC partition, then hit enter.
  • In the 3rd screen we choose the 2nd option which is being represented as partition FAT32, you can use the right arrow if you want to go to [options] or [file opt] in this case I don’t find it necessary.
  • In the 4th screen we get to specify the file system, lets choose the 2nd option FAT/NTFS/HFS+/ReiserFS/.
  • 5th Screen choose the 2nd option [ Whole ], we are going to extract all files from the medium.
  • 6th Screen you get to tell where the results will be saved, remember you have to press y/n.