Recover lost files with PhotoRec

Oct 7, 2024 by Thibault Debatty | 525 views

Forensics

https://cylab.be/blog/364/recover-lost-files-with-photorec

PhotoRec is file data recovery software designed to recover lost files from hard disks, solid state drives, CD-ROMs and digital camera memory.

photorec-list-disks.png

As the name states, PhotoRec was initially designed to recover lost pictures from digital cameras. With time it has been extended and now recognizes and recovers numerous file formats including ZIP, Office, PDF, HTML, JPEG and various graphics file formats. The whole list of file formats recovered by PhotoRec contains more than 480 file extensions (about 300 file families).

PhotoRec ignores the file system and goes after the underlying data, so it will still work even if the file system has been severely damaged or reformatted. PhotoRec works by searchinf for known file headers. If there is no data fragmentation, it can recover the whole file. However, if the file is fragmented PhotoRec has very limited possibilities to recover the file.

Installation

At the time of writing, the latest version is 7.2, so here is how to install:

# download
wget https://www.cgsecurity.org/testdisk-7.2.linux26-x86_64.tar.bz2

# extract
tar -xjf testdisk-7.2.linux26-x86_64.tar.bz2
cd testdisk-7.2

Testing

To test PhotoRec, I’ll copy files on a USB drive, and wipe the filesystem. In the examples below, /dev/sda is my USB drive, don’t forget to update if you run the same commands!

Wipe the disk, just to be sure…:

sudo dd if=/dev/zero of=/dev/sda bs=4M

Create a filesystem:

sudo mkfs.ext4 /dev/sda

Mount the filesystem, then copy some files:

sudo mount /dev/sda /mnt

sudo cp ~/Downloads/*-unsplash.jpg /mnt/

Unmount, and wipe the filesystem:

sudo dd if=/dev/zero of=/dev/sda bs=4M count=1

Try to mount again… This time it should fail!

sudo mount /dev/sda /mnt

mount-failed.png

Usage

However, we can use PhotoRec to try to recover the files…

sudo ./photorec_static

PhotoRec provides a terminal based interface. The first step is to select the appropriate drive:

photorec-list-disks.png

PhotoRec also requires to specify the filesystem of the disk to recover.

photorec-filesystem.png

Finally you simply specify the directory where recovered files must be copied.

In my simple test, PhotoRec managed to recover the 5 images that I had copied on the USB drive. However, the initial file names were lost. This makes sens as this information is not stored in the file itself, but it the filesystem.

With a disk image

Finally, you can also use PhotoRec against a disk image with

./photorec_statuc <image>

PhotoRec supports raw and E01 images, although I did not test the last one…

Want to try by yourself?

You can download a compressed disk image usb-07.img.xz from https://cylab.be/s/uyrzF

Once uncompressed, you should be able to recover 5 images using PhotoRec.

This blog post is licensed under CC BY-SA 4.0

Elaborated new phishing method targeting Belgian people -- Part 1

Forensics Phishing Cyber-Wise

Dec 10, 2024 | 290 views
Dump the memory of a VirtualBox VM for Volatility3

Forensics

Dec 2, 2024 | 245 views
Install Autopsy on Linux and on the SIFT workstation

Forensics

Oct 16, 2024 | 429 views
This website uses cookies. More information about the use of cookies is available in the cookies policy.
Accept