PhotoRec

Developer(s) Christophe Grenier
Initial release April 30, 2002
Stable release 7.2 / February 22, 2024
Repository git.cgsecurity.org/cgit/testdisk/
Written in C (nCurses)
Operating system Cross-platform
Platform CLI
Type Data recovery
License GNU GPL v2+ (free software)
Website www.cgsecurity.org/wiki/PhotoRec

PhotoRec is a free and open-source data recovery utility with a text-based user interface. It uses data carving techniques and is designed to recover lost files from digital camera memory cards, hard disks and CD-ROMs. It can recover files of more than 480 file extensions (about 300 file families). [1] Custom file signatures can also be added so that less common file types are detected. [2]


PhotoRec does not attempt to write to the damaged media the user is about to recover from. Recovered files are instead written to the directory from which PhotoRec is run, although any other directory may be chosen. It can be used for data recovery or in a digital forensics context. [3] [4] [5] [6] [7] PhotoRec is shipped with TestDisk. [8]

Functionality

FAT, NTFS and ext2/ext3/ext4 file systems store files in data blocks (also called data clusters under Windows). The block or cluster size is set when the filesystem is formatted and remains a constant number of sectors afterwards. In general, operating systems try to store data contiguously so as to minimize fragmentation: the seek time of a mechanical drive is a significant part of the cost of reading and writing data, which is why keeping fragmentation low matters.

When a file is deleted, the meta-information about this file (filename, date/time, size, location of the first data block/cluster, etc.) is lost; e.g., in an ext3/ext4 filesystem, the names of deleted files are still present, but the location of the first data block is removed. This means the data is still present on the filesystem, but only until some or all of it is overwritten by new file data.

To recover these "lost" files, PhotoRec first tries to find the data block (or cluster) size. If the filesystem is not corrupted, this value can be read from the superblock (ext2/ext3/ext4) or the volume boot record (FAT, NTFS). Otherwise, PhotoRec reads the media sector by sector, searching for the first ten files, and calculates the block/cluster size from their locations. Once the block size is known, PhotoRec reads the media block by block (or cluster by cluster). Each block is checked against a signature database, which ships with the program and has grown in the number of file types it can recover ever since PhotoRec's first version. This is a common data recovery method called file carving.

For example, PhotoRec identifies a JPEG file when a block begins with:

If PhotoRec has already started recovering a file when it finds a new signature, it stops that recovery, checks the consistency of the file where possible, and starts saving the new file identified by the signature it found.

If the data is not fragmented, the recovered file should be identical to (or possibly larger than) the original file in size. In some cases, PhotoRec can learn the original file size from the file header, so the recovered file is truncated to the correct size. If, however, the recovered file ends up being smaller than its header specifies, it is discarded. Some files, such as *.MP3 types, are data streams. In this case, PhotoRec parses the recovered data, then stops the recovery when the stream ends.

When a file is recovered successfully, PhotoRec checks the previous data blocks to see whether a file signature was found but the file was not able to be successfully recovered (i.e., the file was too small), and it tries again. This way, some fragmented files can be successfully recovered. [9]

Notably, PhotoRec does not restore original filenames, but recovered JPG pictures can, for example, be renamed from their metadata using exiftool: https://www.cgsecurity.org/testdisk_doc/after_using_photorec.html#renaming-files-using-exiftool
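The carving procedure described above (scan for signatures sector by sector, derive the block size from the locations found, read block by block, close the current file when a new signature appears, and validate each candidate before keeping it), as an added example that is not PhotoRec's own code. The signature table, the GCD-based block-size estimate and the disk image are constructed for this demonstration; only the JPEG SOI/EOI markers and the BMP header layout are real format constants.

```python
"""Toy block-based file carver following the procedure described above:
find signatures sector by sector, derive the block size from their
locations, then carve block by block and validate each candidate file.
This is an added example, not PhotoRec's code; the signature table and the
disk image are constructed for the demonstration."""
from functools import reduce
from math import gcd
import struct

SECTOR = 512

# Signature database. The JPEG SOI (FF D8 FF) and EOI (FF D9) markers and the
# BMP "BM" magic with its 32-bit little-endian file size at offset 2 are the
# real format constants; the table layout is this example's own.
SIGNATURES = {
    "jpg": {"header": b"\xff\xd8\xff", "trailer": b"\xff\xd9"},
    "bmp": {"header": b"BM", "size_at": 2},
}


def find_headers(image, sector=SECTOR):
    """Sector-by-sector scan: (offset, type) for each sector starting with a known header."""
    hits = []
    for off in range(0, len(image), sector):
        for name, sig in SIGNATURES.items():
            if image.startswith(sig["header"], off):
                hits.append((off, name))
                break
    return hits


def estimate_block_size(offsets, sector=SECTOR):
    """Assumption: files start on block boundaries, so the GCD of the header
    offsets is the best guess for the block size (fall back to one sector)."""
    nonzero = [o for o in offsets if o]
    return reduce(gcd, nonzero) if nonzero else sector


def validate(name, data):
    """Check a carved candidate for consistency; return the trimmed file or None to discard it."""
    sig = SIGNATURES[name]
    if "trailer" in sig:
        # Stream-like format: keep data up to and including the end marker.
        end = data.find(sig["trailer"], len(sig["header"]))
        return None if end < 0 else data[:end + len(sig["trailer"])]
    # Header declares the file size: truncate to it, or discard if the data is shorter.
    declared = struct.unpack_from("<I", data, sig["size_at"])[0]
    return data[:declared] if declared <= len(data) else None


def carve(image, block_size):
    """Read the image block by block; a new signature ends the file being recovered."""
    files, current = [], None
    for off in range(0, len(image), block_size):
        for name, sig in SIGNATURES.items():
            if image.startswith(sig["header"], off):
                if current is not None:
                    files.append((*current, validate(current[0], image[current[1]:off])))
                current = (name, off)
                break
    if current is not None:
        files.append((*current, validate(current[0], image[current[1]:])))
    return [f for f in files if f[2] is not None]


def build_image(block=4096):
    """Constructed image with 4 KiB blocks: an empty block, a JPEG, a BMP, and a
    BMP whose header claims more bytes than are present (it must be discarded)."""
    def pad(data):
        return data + b"\x00" * (-len(data) % block)
    jpeg = b"\xff\xd8\xff\xe0" + b"J" * 1000 + b"\xff\xd9"
    body = b"B" * 600
    bmp = b"BM" + struct.pack("<I", 6 + len(body)) + body
    short_bmp = b"BM" + struct.pack("<I", 10000) + b"S" * 600
    return pad(b"\x00" * block) + pad(jpeg) + pad(bmp) + pad(short_bmp)


if __name__ == "__main__":
    img = build_image()
    hits = find_headers(img)
    bs = estimate_block_size([o for o, _ in hits])
    print("estimated block size:", bs)
    for name, off, data in carve(img, bs):
        print(f"{name} at offset {off}: {len(data)} bytes")
```

On the constructed image the headers land at 4096, 8192 and 12288, so the estimate recovers the 4 KiB block size; the JPEG is trimmed at its EOI marker, the valid BMP is truncated to its declared 606 bytes, and the BMP whose header promises 10000 bytes is dropped because the data ends at the next block boundary, which is the "smaller than its header specifies" case described above.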

PhotoRec is superior to Scalpel and provides technically more correct files. In a discussion at https://github.com/sleuthkit/scalpel/issues/35 it came out that "Scalpel does not repair broken headers/EOF markers like PhotoRec in Autopsy. If you use a hex editor to manually repair the recovered files, then you will end up with the same images/files." Scalpel produced more broken JPG files where PhotoRec did the correct task on an ext4 filesystem.

PhotoRec (TestDisk) is bundled in the Autopsy and Wondershare RecoverIt (paid) packages.

Compatibility

PhotoRec is compatible with: [10]

Distribution

PhotoRec and TestDisk are shipped together. They can be downloaded from the CGSecurity website. These utilities can be found on various Linux Live CDs:

They are also packaged for numerous *nix (mostly Linux based) distributions:

See also


References

  1. "File Formats Recovered by PhotoRec". April 2015.
  2. "Add your own extension to PhotoRec". 18 May 2016.
  3. Jack Wiles, Kevin Cardwell, Anthony Reyes (2007). The Best Damn Cybercrime and Digital Forensics Book Period, p. 220. Syngress Publishing Inc. ISBN 978-1-59749-228-7.
  4. Cameron H. Malin, Eoghan Casey, James M. Aquilina (2008). Malware Forensics: Investigating and Analyzing Malicious Code, p. xxviii. Syngress Publishing Inc. ISBN 978-1-59749-268-3.
  5. Nathan Clarke (2010). Computer Forensics: A Pocket Guide, p. 67. IT Governance Publishing. ISBN 978-1-84928-039-6.
  6. NIST Test Results for Graphic File Carving Tool: PhotoRec v7.0-WIP.
  7. NIST Test Results for Video File Carving Tool: PhotoRec v7.0-WIP. Archived 2015-04-22 at archive.today.
  8. Scott Mueller, Brian Knittel (2008). Upgrading and Repairing Microsoft Windows, Second Edition, p. 685. Pearson Education Inc. ISBN 978-0-7897-3695-6.
  9. How PhotoRec works (description from the author's website).
  10. "PhotoRec - CGSecurity". Retrieved March 1, 2013.
  11. "GParted -- Live CD/USB/PXE/HD". Retrieved March 1, 2013.
  12. "programs – Parted Magic". Archived from the original on January 2, 2011. Retrieved March 1, 2013.
  13. "Recover file with PhotoRec". Archived from the original on May 2, 2013. Retrieved March 1, 2013.
  14. "System-tools - SystemRescueCd". Retrieved March 1, 2013.
  15. "Software Ubuntu Rescue Remix". Archived from the original on 2013-01-23. Retrieved March 1, 2013.
  16. "TestDisk on ALT Linux". Archived from the original on 2011-08-11. Retrieved 2011-05-25.
  17. ArchLinux Extra Repository
  18. TestDisk on Debian
  19. TestDisk in Fedora Archived 2011-03-10 at the Wayback Machine
  20. "RepoView: "Fedora EPEL 6 - x86_64"". Archived from the original on 2015-09-13. Retrieved 27 July 2013.
  21. TestDisk in FreeBSD ports
  22. TestDisk in OpenBSD ports
  23. TestDisk in Gentoo
  24. TestDisk in Gentoo Portage Archived 2011-06-07 at the Wayback Machine
  25. TestDisk in Source Mage Archived 2011-05-19 at the Wayback Machine
  26. "Delete Hui Photo Waapas Kese Laaye (How to get deleted photos back in 2 minutes)". Archived from the original on 2019-06-08. Retrieved 2019-06-08.