Month: September 2017

Linux data recovery with photorec

A friend recently gave me an old computer to try to recover photos from.

I pulled the drive from the computer – which had a nice Windows ME sticker on the side 🙂

20GB Western Digital drive. Plugged it in to my Debian Linux machine using a USB adapter like this one: AGPtek SATA/PATA/IDE Drive to USB

Then I made sure to install the testdisk package, which provides a program called photorec.

root@fedora:~# sudo apt-get install testdisk

Plugged the drive in, and using the dmesg command I can see the drive was recognized by the kernel as /dev/sdb

root@fedora:~# dmesg|tail

[ 310.582814] sd 7:0:0:0: Attached scsi generic sg2 type 0
 [ 310.583761] sd 7:0:0:0: [sdb] 39102336 512-byte logical blocks: (20.0 GB/18.6 GiB)
 [ 310.584632] sd 7:0:0:0: [sdb] Write Protect is off
 [ 310.584639] sd 7:0:0:0: [sdb] Mode Sense: 00 38 00 00
 [ 310.585518] sd 7:0:0:0: [sdb] Asking for cache data failed
 [ 310.585525] sd 7:0:0:0: [sdb] Assuming drive cache: write through
 [ 310.615912] sdb: sdb1
 [ 310.619622] sd 7:0:0:0: [sdb] Attached SCSI disk
 [ 316.129542] FAT-fs (sdb1): Volume was not properly unmounted. Some data may be corrupt. Please run fsck.

Using fdisk, I can see the drive contains a 2GB partition (/dev/sdb1) but that is all – not a whole lot of disk space to search for photos:

root@fedora:~# fdisk /dev/sdb
 Welcome to fdisk (util-linux 2.29.2).
 Changes will remain in memory only, until you decide to write them.
 Be careful before using the write command.

Command (m for help): p
 Disk /dev/sdb: 18.7 GiB, 20020396032 bytes, 39102336 sectors
 Units: sectors of 1 * 512 = 512 bytes
 Sector size (logical/physical): 512 bytes / 512 bytes
 I/O size (minimum/optimal): 512 bytes / 512 bytes
 Disklabel type: dos
 Disk identifier: 0x00000000

Device     Boot Start     End Sectors Size Id Type
/dev/sdb1  *       63 4192964 4192902   2G  e W95 FAT16 (LBA)

Command (m for help): q

My file manager window pops up with the automatically mounted drive and as I click through, there isn’t a whole lot there. Makes me wonder if a reinstall of Windows was done (and forgotten about).

So I start out by making a dd copy of the partition and then one of the full drive – potentially including 16-18GB of “empty” space, but better to be safe than sorry. photorec then works on the image rather than on the original drive.

root@fedora:~# dd if=/dev/sdb1 of=/Downloads/backup/disk1.img bs=1024M
root@fedora:~# dd if=/dev/sdb of=/Downloads/backup/disk2.img bs=1024M

 

root@fedora:~# man photorec

PHOTOREC(8) Administration Tools PHOTOREC(8)

NAME

photorec - Recover lost files from harddisk, digital camera and cdrom

SYNOPSIS

photorec [/log] [/debug] [/d recup_dir] [device|image.dd|image.e01]

 

Looks easy enough, let it rip.

 

root@fedora:~# photorec /d /Downloads/backup/recovery disk2.img

First photorec screen: select the drive, which we have already specified on the command line as disk2.img.

 

Second screen: note we select “No partition” here, so it will scan the whole disk image, not just the partition.

 

Screen 3 – this is a Windows FAT drive, so select that for the partition type so it knows how to scan the disk image.

 

Screen 4 – select “Whole” to scan the whole disk. This scans the disk image sector by sector looking for files.

 

Screen 5 – the scan starts, you can watch it increment the different file types (txt, jpg, gif, exe, etc …) as it finds them.

 

Screen 6 – nearing the end of the first scan, just of the Windows partition; it only took about 20 minutes. A full scan of the whole disk takes much longer.

 

Screen 7 – summary of what it found. It will split the recovered files using the name supplied on the command line as the base name, so 500 files in recovery.1, 500 files in recovery.2, etc …

 

At the end of it all, I end up with several of the “recovery.1, recovery.2, …” directories, each containing 500 files. This recovers EVERY file type: Windows files (*.exe, *.dll, *.chm), text files (*.txt), as well as mp3, jpg, gif, bmp. The thing about the images it recovers is that the basic Windows interface is rendered using icons and smaller images, so there are just a ton of files to sift through at the end.

I ended up removing everything I knew was junk:

# rm recovery.*/*.exe recovery.*/*.dll recovery.*/*.chm recovery.*/*.bmp

Afterwards I copied all of the recovery.* directories to a thumb drive for my friend to sift through and figure out which files he wanted.
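
An added example, not part of the original post: instead of deleting by extension, this copies only the likely photos out of the recovery.* directories, skipping small images (icons and thumbnails) and byte-identical duplicates, and leaves the recovered set untouched. The function name, the "keep" directory and the 20 KiB default threshold are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: triage photorec output without deleting anything.
# Directory layout (recovery.1, recovery.2, ...) follows the post; the
# function name, size threshold and destination are assumptions.

# triage_photos SRC_PARENT DEST [MIN_BYTES]
# Copies jpg/gif files of at least MIN_BYTES from SRC_PARENT/recovery.*/
# into DEST, skipping files whose SHA-256 was already seen.
# Prints the number of files copied.
triage_photos() {
    tp_src=$1
    tp_dest=$2
    tp_min=${3:-20480}            # assumed cut-off: below this is likely an icon
    mkdir -p "$tp_dest" || return 1
    tp_seen=$(mktemp) || return 1 # one hash per line for files already kept
    tp_copied=0
    for tp_f in "$tp_src"/recovery.*/*; do
        [ -f "$tp_f" ] || continue
        case $tp_f in
            *.jpg|*.JPG|*.jpeg|*.JPEG|*.gif|*.GIF) ;;
            *) continue ;;        # exe, dll, chm, txt, bmp, mp3, ...
        esac
        # Arithmetic expansion strips any padding wc may print.
        tp_size=$(( $(wc -c < "$tp_f") ))
        [ "$tp_size" -ge "$tp_min" ] || continue
        tp_sum=$(sha256sum < "$tp_f" | cut -d' ' -f1)
        if grep -qxF "$tp_sum" "$tp_seen"; then
            continue              # same content recovered more than once
        fi
        echo "$tp_sum" >> "$tp_seen"
        # Prefix with the source directory name so names cannot collide.
        tp_name="$(basename "$(dirname "$tp_f")")_$(basename "$tp_f")"
        cp -p -- "$tp_f" "$tp_dest/$tp_name"
        tp_copied=$((tp_copied + 1))
    done
    rm -f "$tp_seen"
    echo "$tp_copied"
}
```

Run from the directory that holds the recovery.* directories, for example `triage_photos . ./keep`, then hand over the keep directory instead of the full set.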