Linux data recovery with photorec
A friend recently gave me an old computer to try to recover photos off of.
I pulled the drive from the computer – which had a nice Windows ME sticker on the side 🙂
20GB Western Digital drive. Plugged it in to my Debian Linux machine using a USB adapter like this one: AGPtek SATA/PATA/IDE Drive to USB
Then I made sure to install the testdisk package, which provides a program called photorec:
root@fedora:~# sudo apt-get install testdisk
Plugged the drive in, and using the dmesg command I can see the drive was recognized by the kernel as /dev/sdb
root@fedora:~# dmesg|tail
[ 310.582814] sd 7:0:0:0: Attached scsi generic sg2 type 0
[ 310.583761] sd 7:0:0:0: [sdb] 39102336 512-byte logical blocks: (20.0 GB/18.6 GiB)
[ 310.584632] sd 7:0:0:0: [sdb] Write Protect is off
[ 310.584639] sd 7:0:0:0: [sdb] Mode Sense: 00 38 00 00
[ 310.585518] sd 7:0:0:0: [sdb] Asking for cache data failed
[ 310.585525] sd 7:0:0:0: [sdb] Assuming drive cache: write through
[ 310.615912] sdb: sdb1
[ 310.619622] sd 7:0:0:0: [sdb] Attached SCSI disk
[ 316.129542] FAT-fs (sdb1): Volume was not properly unmounted. Some data may be corrupt. Please run fsck.
Using fdisk, I can see the drive contains a 2GB partition (/dev/sdb1) but that is all – not a whole lot of disk space to search for photos:
root@fedora:~# fdisk /dev/sdb

Welcome to fdisk (util-linux 2.29.2).
Changes will remain in memory only, until you decide to write them.
Be careful before using the write command.

Command (m for help): p
Disk /dev/sdb: 18.7 GiB, 20020396032 bytes, 39102336 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x00000000

Device     Boot Start     End Sectors Size Id Type
/dev/sdb1  *       63 4192964 4192902   2G  e W95 FAT16 (LBA)

Command (m for help): q
My file manager window pops up with the automatically mounted drive and as I click through, there isn’t a whole lot there. Makes me wonder if a reinstall of Windows was done (and forgotten about).
So I start out by making a dd copy of the partition and then one of the full drive – potentially including 16-18GB of “empty” space, but better to be safe than sorry.
root@fedora:~# dd if=/dev/sdb1 of=/Downloads/backup/disk1.img bs=1024M
root@fedora:~# dd if=/dev/sdb of=/Downloads/backup/disk2.img bs=1024M
root@fedora:~# man photorec
PHOTOREC(8)                Administration Tools                PHOTOREC(8)

NAME
       photorec - Recover lost files from harddisk, digital camera and cdrom

SYNOPSIS
       photorec [/log] [/debug] [/d recup_dir] [device|image.dd|image.e01]
Looks easy enough, let it rip.
root@fedora:~# photorec /d /Downloads/backup/recovery disk2.img
At the end of it all, I end up with several “recovery.1”, “recovery.2”, … directories, each containing 500 files. This recovers EVERY file type: Windows files (*.exe, *.dll, *.chm), text files (*.txt), as well as mp3, jpg, gif, bmp. The thing about the images it recovers is that the basic Windows interface is rendered using icons and smaller images, so there are just a ton of files to sift through at the end.
I ended up removing everything I knew was junk:
# rm recovery.*/*.exe recovery.*/*.dll recovery.*/*.chm recovery.*/*.bmp
Afterwards I copied all of the recovery.* directories to a thumb drive for my friend to sift through and figure out which files he wanted.
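
The sifting step can be partly automated. The script below is an added example, not part of the original write-up: it copies only unique JPEGs above a size threshold out of the recovery.* directories, which drops the small interface icons and duplicate carves. The function names, the keep directory and the threshold are assumptions, and it assumes the wanted photos are JPEGs.

```shell
#!/bin/sh
# Added example: triage PhotoRec output (recovery.1, recovery.2, ...).
# Hypothetical helper names; nothing is deleted or modified in the source dirs.

# is_jpeg FILE: true if FILE starts with the JPEG start-of-image bytes ff d8 ff.
# Checking content rather than the extension catches mislabelled carves.
is_jpeg() {
    [ "$(od -An -tx1 -N3 "$1" | tr -d ' \n')" = "ffd8ff" ]
}

# triage_photos PARENT DEST MIN_BYTES
# Copies each unique JPEG of at least MIN_BYTES (>= 1) found under
# PARENT/recovery.*/ into DEST, named by its SHA-256, and prints the count kept.
# Assumes PhotoRec-style file names (no newlines in names).
triage_photos() {
    parent=$1; dest=$2; min=$3
    mkdir -p "$dest" || return 1
    seen=$(mktemp) || return 1
    list=$(mktemp) || return 1
    # -size +Nc means "more than N bytes", so use MIN_BYTES - 1.
    find "$parent"/recovery.* -type f -size +"$((min - 1))"c > "$list"
    kept=0
    while IFS= read -r f; do
        is_jpeg "$f" || continue
        sum=$(sha256sum "$f" | cut -d' ' -f1)
        # Skip files whose content was already copied (duplicate carves).
        grep -qxF "$sum" "$seen" && continue
        echo "$sum" >> "$seen"
        cp -p "$f" "$dest/$sum.jpg"
        kept=$((kept + 1))
    done < "$list"
    rm -f "$seen" "$list"
    echo "$kept"
}

# Run as a script: ./triage.sh /Downloads/backup /Downloads/backup/keep 20480
if [ "$#" -eq 3 ]; then
    triage_photos "$@"
fi
```

A threshold around 20 KB removes most icon-sized images; lower it if the photos came from an early, low-resolution camera.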