Thursday, August 13, 2009

PhotoRec - Recovering Deleted Files Easily

Here’s a step-by-step guide to an application called PhotoRec, which helps you recover deleted data.

While most of us do regular back-ups of important data, some just postpone the back-up date until that dreaded day arrives—unexpectedly, in the blink of an eye, you suddenly realise that all the precious data you gathered over months has disappeared. Maybe it was just ‘the wrong key’ that got pressed. Well, it’s time to start pulling your hair out and sweating profusely. May the Lord rescue you if your boss has a bad temper. But don’t lose hope; there’s PhotoRec to the rescue. It supports a huge list of 140 different file types, such as JPEG, MID, SQLite, Real Audio, MP3, .doc, Macromedia, .exe, .flv, VMware images, .chm, .bz2, Autocad, RAR, Adobe Photoshop images, etc. This tutorial will help you recover your data without emptying your pockets—and hey, I hope it’ll put the smile back on your face once you’re out of your dire straits. However, you will have to spend some time searching for that important file.

PhotoRec is an open source multiplatform application distributed under the GPL. It is a companion program to TestDisk, an application that recovers lost partitions on a variety of file systems and makes disks bootable again. Apart from Linux, PhotoRec supports the following operating systems:

DOS/Win9x
Windows NT 4/2000/XP/2003/Vista
FreeBSD, NetBSD, OpenBSD
Sun Solaris
Mac OS X
UNIX

PhotoRec can recover lost files from the following file systems:
FAT/FAT32
NTFS
EXT2/EXT3
HFS+
ReiserFS (does not work very well with this file system)


Getting PhotoRec
While most distributions include TestDisk (which, in turn, has PhotoRec) in their repositories, you can download the source file or the RPM for your distro from www.cgsecurity.org/wiki/TestDisk_Download. Alternatively, you can go for PartedMagic (~ 90 MB in size), which contains TestDisk and a host of other utilities. This is available at downloads.sourceforge.net/partedmagic/pmagic-3.7.iso.zip.


The road to recovery
You can use PhotoRec to recover data or pictures that have been deleted from a pen drive. You can also recover data from a partition of a hard disk and save it to another partition on the same disk. The only condition is that the partition to which data will be saved should be equal to or larger than the partition from which data will be recovered. You will require a card reader for digital camera flash drives. Hard disks require a suitable USB enclosure. Alternatively, you can connect hard disks to an internal slot.

Step 1 : Create a directory called photorec_files where PhotoRec will save files. Connect the flash/hard disk drive to your USB port/internal port (or just select your internal drive if you want to recover data from a partition) and fire up PhotoRec from the terminal as the superuser:

[root@localhost ~]# photorec

PhotoRec will display all your hard disks and USB drives. Choose the drive from which data needs to be recovered.

Step 2 : Up next is to choose the partition table type. PhotoRec supports a number of partition table types—Intel/PC, Apple, Sun Solaris, XBox, EFI GPT partition and ‘None’ partition types. Choose the Intel/PC type, which most of us use anyway. Even if you have a single partition, do not choose the ‘None’ option.

Step 3 : The next screen offers the option to recover data from the whole disk or the choice of selecting a partition. Choose your option using the up/down arrow keys. In case of a disk with multiple partitions, PhotoRec will display all the partitions, similar to what fdisk -l shows. Select the partition that contains the deleted data using the up/down arrow keys.

Step 4 : We now come to the most important step of the recovery process. Select the ‘File Opt’ option using the left/right arrow keys and press Enter. PhotoRec puts forth a huge list of about 140 different file types that can be recovered. Use the up/down arrow keys to move between entries, and use the Space bar to select [x] or unselect [ ] file types to be recovered. For instance, to recover only picture files, choose ‘jpg’, ‘gif’, ‘dsc’, etc. Select ‘Quit’ when done. This takes you back to the last screen. Select the ‘Search’ option.

Step 5 : To recover lost/deleted files, PhotoRec needs to know the file system type your files were stored in. Options include ‘ext2/ext3’ and ‘Other’. Choose ‘Other’ for FAT, NTFS, ReiserFS.

Step 6 : The next screen gives the option of choosing between recovering data from the ‘whole partition/disk’ or from the ‘free space’ of the partition. This ‘free space’ has the inodes [en.wikipedia.org/wiki/Inode] that contain the deleted data. Choose the ‘free space’ option using the up/down arrow keys.

Step 7 : PhotoRec now needs to know the destination folder to save the recovered files. In Step 1, we created a folder called photorec_files. Navigate to your path using the up/down arrow keys and press Enter. Mine was /hdc6/home/nelson/photorec_files. If the path is not provided, the default directory will be /root.

Your recovered files will be saved in the destination directory in a number of folders recup_dir.1, recup_dir.2, etc. In a single recup_dir, you will find zip files, doc files, jpg files, etc, if you have chosen to recover these files.

Searching for a file through those that are lost can be a real pain. You need to sort these files out. Here is what you can do to sort out zip files. Make a directory for zip files as follows:

mkdir /home/user/Zip

Now as the root user:

mv /home/user/recup_dir.1/*.zip /home/user/Zip

Alternatively, issue the following command:

mv /home/user/recup_dir.*/*.zip /home/user/Zip

You can similarly repeat the steps for other file types. Of particular interest is how to sort out picture files. Let us separate those little thumbnail pictures from your ‘real’ ones. Again, create a directory for small pictures with the code below:

mkdir /home/user/small_jpg

Now, as the root user, issue the following command:

find /home/user/recup_dir.1/ -name "*.jpg" \
-size -20k -print0 | xargs -0 -I {} mv {} /home/user/small_jpg

This will find all jpg files equal to or smaller than 20K and move them to small_jpg.
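
The sorting steps above can be done in one pass over every recup_dir folder. The script below is an added example, not part of the original article: sort_recovered and make_sample are hypothetical names, the sample files are constructed, and thumbnails are taken to be JPEGs smaller than 20 KiB measured in bytes.

```sh
#!/bin/sh
# Added example, not from the original article. Sorts PhotoRec output
# (recup_dir.N folders under SRC) into DEST/<extension>/ and puts JPEGs
# smaller than THUMB_KB KiB (default 20) into DEST/small_jpg.
# Usage: sort_recovered SRC DEST [THUMB_KB]
sort_recovered() (
    src=$1 dest=$2 limit=$(( ${3:-20} * 1024 ))
    # find -exec hands each path over as its own argument, so recovered
    # names containing spaces survive intact.
    find "$src" -path '*/recup_dir.*' -type f -exec sh -c '
        dest=$1 limit=$2; shift 2
        for f do
            base=${f##*/}
            case $base in
                *.*) ext=$(printf %s "${base##*.}" | tr "[:upper:]" "[:lower:]") ;;
                *)   ext=noext ;;
            esac
            target=$dest/$ext
            if [ "$ext" = jpg ] && [ "$(( $(wc -c < "$f") ))" -lt "$limit" ]; then
                target=$dest/small_jpg
            fi
            mkdir -p "$target"
            if [ -e "$target/$base" ]; then
                # Never overwrite an earlier recovery; leave the file in place.
                echo "skipped (name exists): $f" >&2
            else
                mv -- "$f" "$target/"
            fi
        done' sh "$dest" "$limit" {} +
)

# Constructed sample tree standing in for real PhotoRec output.
make_sample() {
    mkdir -p "$1/recup_dir.1" "$1/recup_dir.2"
    printf 'PK' > "$1/recup_dir.1/f0000100.zip"
    printf 'tiny' > "$1/recup_dir.1/f0000200.jpg"             # thumbnail-sized
    head -c 30000 /dev/zero > "$1/recup_dir.2/f0000300.JPG"   # "real" photo
    printf 'x' > "$1/recup_dir.2/f0000400_my report.doc"      # space in name
}

# Run the file with the argument "demo" to try it on the sample tree.
if [ "${1:-}" = demo ]; then
    work=$(mktemp -d) && make_sample "$work"
    sort_recovered "$work" "$work/sorted" && find "$work/sorted" -type f
fi
```

Files whose names already exist in the target folder are reported on stderr and left where they are, so a second recovery run never replaces files sorted earlier.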

The bottom line
I found almost all of my deleted photographs and various other files with a little sweat (manually opening each file till I got the one I was really looking for) using PhotoRec. Anyone looking at a launch pad for a career in forensics?

Source of Information : Linux For You May 2009
