stevepedwards.com/DebianAdmin linux mint IT admin tips info

File Recovery with TestDisk / Photorec


Example using a phone SIM card. In Windows, a file deleted from this kind of flash media does not go into the Recycle Bin, so it is "lost" immediately, no? 

The card is /dev/sdf1 in this case.

Let's look at it with some Linux tools...

# cfdisk /dev/sdf 

cfdisk (util-linux-ng 2.13.1.1) 

Disk Drive: /dev/sdf 

Size: 249823232 bytes, 249 MB 

Heads: 16 Sectors per Track: 32 Cylinders: 953 

Name Flags Part Type FS Type [Label] Size (MB) 

Pri/Log Free Space 0.09 * 

sdf1 Boot Primary FAT16 [ ] 249.48 * 

Pri/Log Free Space 0.27 

So it is formatted with the FAT16 file system.

Let's look at the boot sector with fdisk...

# fdisk /dev/sdf 

Command (m for help): m 

Command action 

a toggle a bootable flag 

b edit bsd disklabel 

c toggle the dos compatibility flag 

d delete a partition 

l list known partition types 

m print this menu 

n add a new partition 

o create a new empty DOS partition table 

p print the partition table 

q quit without saving changes 

s create a new empty Sun disklabel 

t change a partition's system id 

u change display/entry units 

v verify the partition table 

w write table to disk and exit 

x extra functionality (experts only) 

Command (m for help): 

Type p for partition info... 

Disk /dev/sdf: 249 MB, 249823232 bytes 

16 heads, 32 sectors/track, 953 cylinders 

Units = cylinders of 512 * 512 = 262144 bytes 

Disk identifier: 0x00000000 

Device Boot Start End Blocks Id System 

/dev/sdf1 * 1 952 243630+ 6 FAT16 

Command (m for help): 

Now type x, then d to show hex info: 

The last 55 AA shows a FAT file system:

0x1A0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1B0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 05
0x1C0: 04 00 06 0F E0 B7 A3 00 00 00 5D 6F 07 00 00 00
0x1D0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1E0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1F0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 *55 AA*
 

Type Q to quit.

Install TestDisk and DDrescue

# apt-get install testdisk ddrescue 

I will zero the whole card so we know it is totally blank to start...

# dd_rescue /dev/zero /dev/sdf 

dd_rescue /dev/zero /dev/sdf 

dd_rescue: (info): ipos: 31744.0k, opos: 31744.0k, xferd: 31744.0k 

errs: 0, errxfer: 0.0k, succxfer: 31744.0k 

+curr.rate: 319778kB/s, avg.rate: 319778kB/s, avg.load: 80.6% 

Once the progress line just repeats, press Ctrl-C to quit...

dd_rescue: (warning): /dev/sdf1 (92920448.0k): No space left on device 

dd_rescue: (warning): assumption rd(65536) == wr(^Cvice! 

dd_rescue: (fatal): Caught signal 2 "Interrupt". Exiting! 

Now the partition should be blank... check what cfdisk says...

# cfdisk /dev/sdf 

cfdisk (util-linux-ng 2.13.1.1) 

Disk Drive: /dev/sdf 

Size: 249823232 bytes, 249 MB 

Heads: 8 Sectors per Track: 60 Cylinders: 1016 

Name Flags Part Type FS Type [Label] Size (MB) 

----------------------------------------------------------------------------------- 

Pri/Log Free Space 249.70 

YEP! It is blank...

OK, let's create a partition and give it a FAT file system...

# fdisk /dev/sdf 

n add a new partition 

o create a new empty DOS partition table 

p print the partition table 

q quit without saving changes 

s create a new empty Sun disklabel 

t change a partition's system id 

u change display/entry units 

v verify the partition table 

w write table to disk and exit 

x extra functionality (experts only) 

Command (m for help): n 

Command action 

e extended 

p primary partition (1-4) 


Partition number (1-4): 1 

First cylinder (1-1016, default 1): 

Using default value 1 

Last cylinder or +size or +sizeM or +sizeK (1-1016, default 1016): 

Using default value 1016 

Command (m for help): p 

Disk /dev/sdf: 249 MB, 249823232 bytes 

8 heads, 60 sectors/track, 1016 cylinders 

Units = cylinders of 480 * 512 = 245760 bytes 

Disk identifier: 0x1d3b765e 

Device Boot Start End Blocks Id System 

/dev/sdf1 1 1016 243810 83 Linux 

# mkfs.vfat /dev/sdf1 

mkfs.vfat 3.0.1 (23 Nov 2008) 

Looking at the card with Hexedit...

# apt-get install hexedit 

# hexedit /dev/sdf1 

00000000 EB 3C 90 6D 6B 64 6F 73 66 73 00 00 02 08 01 00 .<.mkdosfs......
00000010 02 00 02 00 00 F8 EE 00 20 00 10 00 00 00 00 00 ........ .......
00000020 5C 6F 07 00 00 00 29 D8 29 DF AF 20 20 20 20 20 \o....).)..
00000030 20 20 20 20 20 20 46 41 54 31 36 20 20 20 0E 1F FAT16 ..
00000040 BE 5B 7C AC 22 C0 74 0B 56 B4 0E BB 07 00 CD 10 .[|.".t.V.......
00000050 5E EB F0 32 E4 CD 16 CD 19 EB FE 54 68 69 73 20 ^..2.......This
00000060 69 73 20 6E 6F 74 20 61 20 62 6F 6F 74 61 62 6C is not a bootabl
00000070 65 20 64 69 73 6B 2E 20 20 50 6C 65 61 73 65 20 e disk. Please
00000080 69 6E 73 65 72 74 20 61 20 62 6F 6F 74 61 62 6C insert a bootabl
00000090 65 20 66 6C 6F 70 70 79 20 61 6E 64 0D 0A 70 72 e floppy and..pr
000000A0 65 73 73 20 61 6E 79 20 6B 65 79 20 74 6F 20 74 ess any key to t
000000B0 72 79 20 61 67 61 69 6E 20 2E 2E 2E 20 0D 0A 00 ry again ... ...
000000C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
 

Ctrl-C to quit the program...
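To make sense of that hexedit dump, here is an added parser (my own example, not code from the original post) that decodes the BIOS Parameter Block in the first bytes of the sector and works out where the FATs, the root directory and the first data cluster sit. The BOOT_SECTOR bytes are transcribed from the dump above; the field offsets are the standard FAT12/FAT16 layout. The root directory it locates is where a deleted file's directory entry remains until the slot is reused, which is why the TestDisk Undelete step later on can still list the file.

```python
import struct

# Constructed input: the first 64 bytes of /dev/sdf1 exactly as the hexedit dump above
# shows them (the boot sector mkfs.vfat wrote). The rest is boot code and the 55 AA signature.
BOOT_SECTOR = bytes.fromhex(
    "EB3C906D6B646F736673000002080100"
    "0200020000F8EE002000100000000000"
    "5C6F0700000029D829DFAF2020202020"
    "20202020202046415431362020200E1F")

# FAT12/FAT16 BIOS Parameter Block: little-endian, packed, 62 bytes from offset 0.
_BPB = struct.Struct("<3s8sHBHBHHBHHHIIBBBI11s8s")

def parse_fat_boot_sector(sector):
    """Decode the BPB and derive where the FATs, root directory and data area start."""
    (_jmp, oem, bps, spc, reserved, nfats, root_entries, tot16, _media, spf, _spt,
     _heads, _hidden, tot32, _drv, _res, ext_sig, vol_id, label, fs_str) = _BPB.unpack_from(sector)
    if bps not in (512, 1024, 2048, 4096) or spc == 0 or spc & (spc - 1):
        raise ValueError("bytes/sector or sectors/cluster out of range: not a FAT boot sector")
    if spf == 0:
        raise ValueError("sectors per FAT is 0: FAT32 uses a different BPB, not handled here")
    total = tot16 or tot32                          # 16-bit count is 0 once it overflows
    root_dir_sectors = (root_entries * 32 + bps - 1) // bps
    root_dir_sector = reserved + nfats * spf        # both FATs follow the reserved area
    data_start = root_dir_sector + root_dir_sectors  # cluster 2 begins here
    clusters = (total - data_start) // spc
    return {
        "oem": oem.rstrip(b"\0").decode("ascii", "replace"),
        "bytes_per_sector": bps, "sectors_per_cluster": spc, "reserved_sectors": reserved,
        "fats": nfats, "sectors_per_fat": spf, "root_entries": root_entries,
        "total_sectors": total, "root_dir_sector": root_dir_sector,
        "data_start_sector": data_start, "clusters": clusters,
        # the variant is fixed by the cluster count, not by the "FAT16" text in the sector
        "fat_type": "FAT12" if clusters < 4085 else "FAT16",
        "volume_id": vol_id if ext_sig == 0x29 else None,
        "label": label.decode("ascii", "replace").strip(),
        "fs_type_string": fs_str.decode("ascii", "replace").strip(),
    }

def clusters_for(layout, file_size):
    """Clusters a file of file_size bytes occupies; the FAT chain TestDisk must follow."""
    cluster_bytes = layout["bytes_per_sector"] * layout["sectors_per_cluster"]
    return -(-file_size // cluster_bytes)           # ceiling division

if __name__ == "__main__":
    for key, value in parse_fat_boot_sector(BOOT_SECTOR).items():
        print(f"{key:18} {value}")
```

The total of 487260 sectors of 512 bytes is the 249.48 MB cfdisk reported, and the 19456-byte front cover.doc recovered later occupies five 4096-byte clusters.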

Mount the card in a test directory and put some test files on it....

# mount /dev/sdf1 /mstest

I have already used these commands, so I can call them from the shell history to save re-typing them...

# history | grep cp 

581 cp -vr /College/ReportWriting/front\ cover.doc /mstest/ 

582 cp -vr /College/ReportWriting/ReportTemplate.doc /mstest/ 

# !581; !582 

cp -vr /College/ReportWriting/front\ cover.doc /mstest/; cp -vr /College/ReportWriting/ReportTemplate.doc /mstest/ 

`/College/ReportWriting/front cover.doc' -> `/mstest/front cover.doc' 

`/College/ReportWriting/ReportTemplate.doc' -> `/mstest/ReportTemplate.doc' 

# ls /mstest 

front cover.doc ReportTemplate.doc 

To be able to check later whether the recovered file is identical, record the checksums now...

# shasum /mstest/* > /mstest/hashes.txt 

# ls /mstest/ 

front cover.doc hashes.txt ReportTemplate.doc 

# cat /mstest/hashes.txt 

3846af692dfbdee3dbc88f7a6b78c6d79cde07c7 /mstest/front cover.doc 

5ccd582e7ec047b0f79aa7efc864dc09b4a31089 /mstest/ReportTemplate.doc 

Now to "accidentally" delete a file...

# rm -v /mstest/front\ cover.doc 

removed `/mstest/front cover.doc'
# ls /mstest/

hashes.txt ReportTemplate.doc 

Now front cover.doc is missing.

Now to recover the lost file using TestDisk....

NOTE! Choose the whole disk – NOT the partition... 

Unmount the card first, or TestDisk won't find the partition! 

# umount /mstest 

# testdisk /dev/sdf 

TestDisk 6.11, Data Recovery Utility, April 2009 

Christophe GRENIER <grenier@cgsecurity.org> 

http://www.cgsecurity.org 

TestDisk is free software, and 

comes with ABSOLUTELY NO WARRANTY. 

Select a media (use Arrow keys, then press Enter): 

*Disk /dev/sdf - 249 MB / 238 MiB - Generic USB MS Reader* 

[Proceed ] [ Quit ] 

Disk /dev/sdf - 249 MB / 238 MiB - CHS 1016 8 60 

Partition Start End Size in sectors 

*1 P FAT16 >32M 0 1 1 1015 7 60 487620* 

[ Type ] [ Boot ] [Image Creation] *[Undelete]* [ Quit ] 

*1 P FAT16 >32M 0 1 1 1015 7 60 487620* 

Directory / 

*-rwxr-xr-x 0 0 19456 14-May-2012 00:23 front cover.doc* 

-rwxr-xr-x 0 0 36352 14-May-2012 00:23 ReportTemplate.doc 
-rwxr-xr-x 0 0 135 14-May-2012 00:24 hashes.txt 

Use Right arrow to change directory, *c* to copy, h to hide deleted files, q to quit 

Are you sure you want to copy /front cover.doc to the directory / ? [Y/*N*] 

To select another directory, use the arrow keys.

drwxr-xr-x 0 0 4096 14-May-2012 00:19 . 

drwxr-xr-x 0 0 4096 14-May-2012 00:19 .. 

drwx------ 1000 0 4096 26-Jun-2010 14:39 College 

drwxr-xr-x 0 0 4096 5-Oct-2009 20:41 Files 

drwxr-xr-x 0 0 4096 13-May-2012 19:31 bin 

drwxr-xr-x 0 0 4096 7-May-2012 13:29 black...... 

*drwxrwxrwt 0 0 4096 14-May-2012 00:02 tmp* 

drwxr-xr-x 0 0 4096 30-Aug-2008 16:37 usr 

drwxr-xr-x 0 0 4096 20-Feb-2010 22:50 var 

Are you sure you want to copy /front cover.doc to the directory /tmp ? [*Y*/N] 

1 P FAT16 >32M 0 1 1 1015 7 60 487620 

Directory / 

*Copy done!* 

-rwxr-xr-x 0 0 *19456* 14-May-2012 00:23 front cover.doc 

-rwxr-xr-x 0 0 36352 14-May-2012 00:23 ReportTemplate.doc 

-rwxr-xr-x 0 0 135 14-May-2012 00:24 hashes.txt 

Now check the recovered file size and checksum in the /tmp directory...

# ls -ls /tmp/front\ cover.doc 

20 -rw-r--r-- 1 root root *19456* 2012-05-14 00:23 /tmp/front cover.doc 

# shasum /tmp/front\ cover.doc 

3846af692dfbdee3dbc88f7a6b78c6d79cde07c7 /tmp/front cover.doc 

From the earlier listing... 

3846af692dfbdee3dbc88f7a6b78c6d79cde07c7 /mstest/front cover.doc 

As the checksum matches, the contents (and so the file size) are identical! 

Cool huh?
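The post compares the two checksums by eye; here is an added script (my own example, not from the original post) that automates that comparison between the shasum manifest recorded before the deletion and whatever TestDisk copied out, matching by file name because the recovery directory (/tmp) differs from the old mount point (/mstest). The sample files, the manifest and the "damaged" recovery are all constructed inside the script.

```python
import hashlib
import os
import tempfile

def sha1_of(path, chunk=1 << 16):
    """SHA-1 of a file, streamed so a large recovery need not fit in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def parse_shasum_manifest(text):
    """Map basename -> sha1; split on the first whitespace run so 'front cover.doc' survives."""
    entries = {}
    for line in text.splitlines():
        if line.strip():
            digest, path = line.strip().split(None, 1)
            entries[os.path.basename(path.lstrip("*"))] = digest.lower()  # '*' = shasum binary mode
    return entries

def verify_recovered(manifest_text, recovery_dir):
    """Return {name: 'ok' | 'mismatch' | 'missing'} for every manifest entry."""
    results = {}
    for name, expected in parse_shasum_manifest(manifest_text).items():
        candidate = os.path.join(recovery_dir, name)
        if not os.path.isfile(candidate):
            results[name] = "missing"     # TestDisk never copied it out
        elif sha1_of(candidate) == expected:
            results[name] = "ok"          # byte-identical to the pre-deletion copy
        else:
            results[name] = "mismatch"    # came back, but some clusters had been reused
    return results

def demo():
    """Constructed run: three originals on the card, then a recovery directory where one
    file is intact, one has a cluster overwritten and one was not recovered at all."""
    files = {"front cover.doc": b"\xd0\xcf\x11\xe0" + b"cover" * 500, "notes.txt": b"scratch notes\n",
             "ReportTemplate.doc": b"\xd0\xcf\x11\xe0" + b"template" * 600}
    damaged = bytearray(files["ReportTemplate.doc"])
    damaged[4096:4200] = b"\0" * 104              # one cluster's worth of overwritten bytes
    recovered = {"front cover.doc": files["front cover.doc"], "ReportTemplate.doc": bytes(damaged)}
    with tempfile.TemporaryDirectory() as card, tempfile.TemporaryDirectory() as out:
        for where, content in ((card, files), (out, recovered)):
            for name, data in content.items():
                with open(os.path.join(where, name), "wb") as f:
                    f.write(data)
        # manifest as `shasum /mstest/* > hashes.txt` recorded it before the rm: old paths, hence basename matching
        manifest = "".join(f"{sha1_of(os.path.join(card, n))}  /mstest/{n}\n" for n in files)
        return verify_recovered(manifest, out)
```

A "mismatch" is the case the eyeball check would miss: the file came back with the right name and size but some of its clusters had already been reused, so the recovered copy is not the original.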
