Recover lost files with PhotoRec

Oct 7, 2024 by Thibault Debatty | 308 views

Forensics

https://cylab.be/blog/364/recover-lost-files-with-photorec

PhotoRec is file data recovery software designed to recover lost files from hard disks, solid state drives, CD-ROMs and digital camera memory.

photorec-list-disks.png

As the name states, PhotoRec was initially designed to recover lost pictures from digital cameras. With time it has been extended and now recognizes and recovers numerous file formats including ZIP, Office, PDF, HTML, JPEG and various graphics file formats. The whole list of file formats recovered by PhotoRec contains more than 480 file extensions (about 300 file families).

PhotoRec ignores the file system and goes after the underlying data, so it will still work even if the file system has been severely damaged or reformatted. PhotoRec works by searchinf for known file headers. If there is no data fragmentation, it can recover the whole file. However, if the file is fragmented PhotoRec has very limited possibilities to recover the file.

Installation

At the time of writing, the latest version is 7.2, so here is how to install:

# download
wget https://www.cgsecurity.org/testdisk-7.2.linux26-x86_64.tar.bz2

# extract
tar -xjf testdisk-7.2.linux26-x86_64.tar.bz2
cd testdisk-7.2

Testing

To test PhotoRec, I'll copy files on a USB drive, and wipe the filesystem. In the examples below, /dev/sda is my USB drive, don't forget to update if you run the same commands!

Wipe the disk, just to be sure...:

sudo dd if=/dev/zero of=/dev/sda bs=4M

Create a filesystem:

sudo mkfs.ext4 /dev/sda

Mount the filesystem, then copy some files:

sudo mount /dev/sda /mnt

sudo cp ~/Downloads/*-unsplash.jpg /mnt/

Unmount, and wipe the filesystem:

sudo dd if=/dev/zero of=/dev/sda bs=4M count=1

Try to mount again... This time it should fail!

sudo mount /dev/sda /mnt

mount-failed.png

Usage

However, we can use PhotoRec to try to recover the files...

sudo ./photorec_static

PhotoRec provides a terminal based interface. The first step is to select the appropriate drive:

photorec-list-disks.png

PhotoRec also requires to specify the filesystem of the disk to recover.

photorec-filesystem.png

Finally you simply specify the directory where recovered files must be copied.

In my simple test, PhotoRec managed to recover the 5 images that I had copied on the USB drive. However, the initial file names were lost. This makes sens as this information is not stored in the file itself, but it the filesystem.

With a disk image

Finally, you can also use PhotoRec against a disk image with

./photorec_statuc <image>

PhotoRec supports raw and E01 images, although I did not test the last one...

Want to try by yourself?

You can download a compressed disk image usb-07.img.xz from https://cylab.be/s/uyrzF

Once uncompressed, you should be able to recover 5 images using PhotoRec.

This blog post is licensed under CC BY-SA 4.0

Create your own plugin for RegRipper
RegRipper is a collection of powerful perl scripts that allow to dump the content of a registry hive file into readable text. RegRipper relies on a plugin mechanism. Hence in this post I will show how to create your own plugin for RegRipper. The example will be very basic, and will extract the value of the Current ControlSet.
Oct 15, 2024 | 236 views
Install Eric Zimmerman's forensics tools on Linux
In a previous blog post, I presented the forensics tools written by Eric Zimmerman. Although these tools were originally developed for Windows, you can also run them on a Linux. This allows to run a full forensic investigation using a Linux computer.
Aug 7, 2024 | 539 views
Velociraptor : hunt malwares as a pack
Velociraptor is a digital forensic and incident response tool that allows to collect information on multiple endpoints at once, and easily analyze the collected data using Notebooks and a query language (called Velociraptor Query Language, VQL), which is very similar to SQL. This makes Velociraptor a valuable tool for threat hunting over a large network.
Nov 22, 2023 | 982 views
This website uses cookies. More information about the use of cookies is available in the cookies policy.
Accept