You can’t always blame data loss on hardware failure. A clumsy user can be just as harmful. PhotoRec is a nifty little command-line based tool that can recover accidentally deleted files.
To use PhotoRec effectively you need to understand how the filesystem handles files. When you delete a file, it isn’t actually zapped into oblivion. Rather the file system just marks it as deleted, and makes the space the file occupies available to other files.
This means that until another app uses that recently freed-up space, the original file is still there, and can be retrieved by a file recovery tool. For this very reason, it’s very important that you immediately stop using the computer as soon as you realize that you have accidentally deleted files in order to minimize the interactions with the hard disk.
Note: PhotoRec is cross-platform compatible. For this tutorial, we will use a Linux (Ubuntu) system for illustration.
Carving files
PhotoRec is a file carver. A file carver is a tool that can recover files even when it’s missing regular metadata such as a filename, or its location. That’s because a file carver doesn’t rely on the filesystem to read files and instead painstakingly trawls through the hard disk.
The tool works on all sorts of disks including hard disks and removable media such as USB disks. In addition to reading unbootable disks, PhotoRec will also recover files from partitions that have been formatted and reinstalled into.
PhotoRec can sniff the most common image formats and can additionally pick out files in various formats including odf, pdf, 7zip, zip, tar, rpm, deb, and even virtual disks.
PhotoRec is an integral part of almost every recovery distro out there, and it ships along with the powerful TestDisk utility that can recover and restore partitions. You’ll find PhotoRec in the official repositories of most distros. But to install it, you need to install the TestDisk tool.
Command-line magic
Before you fire up PhotoRec, create a directory where it will save the recovered files. Once the tool is done, this directory will be populated with lots of weirdly named files in different formats. This is because PhotoRec names these files as it finds them and leaves the sorting to you.
Also despite the fact that PhotoRec is a command-line utility, it breaks the process of recovering files into steps, much like a wizard.
When you launch the tool, it will display all hard disks and connected removable devices including any plugged-in USB drives. To proceed, select the disk with the missing files. In case the disk houses multiple partitions, PhotoRec will display all the partitions and allows you to select the one that housed the lost files.
Next up, the tool needs to know the file system type your files were stored in. It only presents two options. Select the [ext2/ext3] option if the deleted file resided inside a Linux distro. The [Other] option will look for files created under FAT/NTFS/HFS+ or any other filesystem.
You’ll then have to decide whether you want to look for deleted files only inside the freed up space or in the whole partition. The last step is to point PhotoRec to the folder you’ve created to store all recovered files.
That’s all the information PhotoRec needs from you. The tool will now get to work. Depending on the size of the partition, PhotoRec can take quite a while to complete.
Focused recovery
As you’ll discover, PhotoRec is a little too good at its job. It’ll find lots and lots of files and sorting through them can be quite a task. A better option would be to limit the filetypes to recover.
You can do this using the [File Opt] option after selecting the disk from which you want the tool to recover files. By default, the tool searches files of all types. Press the “s” key to deselect all supported formats. Then scroll through the list and press the spacebar to select the format or formats you are interested in.
Sort files
When you peek inside the destination folder, you’ll see several folders named recup_dir.1, recup_dir.2, and so on. The recovered files are saved under these folders.
Manually sorting the files would take forever. You could do some basic sorting from the CLI to beter organize the files. For example, use the command
to move all the jpg files from under all the recovered folders into the all-recovered-images folder.
You can also sort files by their size. This is very useful especially when recovering images. In addition to recovering the image itself, PhotoRec will also recover their thumbnails as well which will have the same extension.
The command
will move all images less than 10KB in size out of the all-recovered-images folder.
Conclusion
There’s a reason why you’ll find PhotoRec in almost every disaster recovery toolkit. The tool works and how! I’ve used it to recover files from an accidental rm command that went after my SDCARD, as well as important PDFs from a USB drive formatted in Windows.
There is a learning curve involved when using the tool, but it comes into play when sorting the recovered files. But once you get the hang of it, you’ll never lose a file again!
Image credit: U.S. Army Corps of Engineers
Mayank Sharma has been writing on Linux for over a decade and is a regular contributor to Linux Format magazine.
Our latest tutorials delivered straight to your inbox