PhotoRec is a recovery software for data and files, designed to recover lost files including video, documents and files on hard disks, CD-ROMs, pictures and images (hence the name Photo Recovery) from digital camera's memory.
PhotoRec ignores the filesystem and goes after the underlying data, so it keeps working even if the file system of the media is severely damaged or reformatted.
PhotoRec is free - this open source multi-platform application is distributed under the GNU General Public License. PhotoRec is a companion program to TestDisk, an application to recover lost partitions in a wide variety of file systems and fix problems with disks with boot issues.
PhotoRec runs under
- Windows NT 4/2000/XP/2003/Vista
- FreeBSD, NetBSD, OpenBSD
- Sun Solaris
- Mac OS X
and can be compiled on almost all Unix systems.
PhotoRec ignores the file system and works even if the filesystem is severely damaged.
You can recover lost files from:
- HFS +
ReiserFS includes some special optimizations centered around tails, a name for files and end portions of files that are smaller than a filesystem block. In order to increase performance, ReiserFS is able to store files inside the b*tree leaf nodes themselves, rather than storing the data somewhere else on the disk and pointing to it. Unfortunately, PhotoRec isn't able to deal with this - that's why it doesn't work well with ReiserFS.
PhotoRec works with hard drives, CD-ROMs, memory cards (Compact Flash, Memory Stick, SecureDigital / SD, SmartMedia, Microdrive, MMC, etc.), USB memory drives, DD raw image, EnCase E01 image, etc..
PhotoRec was successfully tested with various portable media players, including iPod and several digital cameras.
Known file formats
If there is no data fragmentation, which is often the case, it can retrieve the entire file. PhotoRec recognizes many file formats, including ZIP, Office, PDF, HTML, JPEG and various graphics formats. The entire list of file formats recovered by PhotoRec contains more than 320 families file extensions (about 200 files).
Using Photo REC.
The best way to use PhotoRec is in a maintenance LiveCD distro . Currently, Photo REC is present in the repositories of major distributions, and in the following maintenance distros: Ultimate Boot CD, System Rescue CD, RIPLinux and Parted Magic.
Since PhotoRec works in a non-destructive way, that is, it only reads the media, not writing it in any way, it will need another media / disk to save the files that it identified during the reading. I advise you to boot the compromised system with a LiveCD maintenance distro, any of the distros mentioned above and use a PenDrive as auxiliary memory for storing the recovered files. Pendrives with 4, 8, 16 Gigabytes of ram or more are suitable here, depending on the extent of the damage on the analyzed hard drive .
PhotoRec, despite running at the command line, is an interactive program and very easy to use. Note: The disk to be analyzed should be unmounted. When you enter PhotoRec specify which disk is going to be analyzed, which file extensions PhotoRec should look for and where the read files will be stored, and just let it work. Once retrieved, the files can be analyzed since PhotoRec retrieves the files and places a generic name on them. In my experiences, I have a success rate of almost 100% with graphics files, audio and some video files. With document files in proprietary formats, results may vary, since proprietary file formats may not be fully recognized by PhotoRec.
PhotoRec is also very useful to do forensic analysis of hard drives. Along with TestDisk, it can recover files from formatted partitions and get proof and evidence that would otherwise be lost. The caveat to be made here is about the process of Zero-Fill, which writes a pattern on the HD , making impossible to recover it later.
PhotoRec and TestDisk are creations of Chistophe Grennier.
Site: http://www.cgsecurity.org/ Sharing is Caring: