Recovering Formatted files with Photorec

Welcome to hacking a rise in this post we are going to show you step by step to recovering deleted files or lost data from a reformatted partition or corrupted file system with Photorec.

What is Photorec? 

 Before we talk about how you can recover your data, let’s get to know something about the tool we are going to use Photorec. PhotoRec is file data recovery software designed to recover lost files including video, documents and archives from hard disks, CD-ROMs, and lost pictures (thus the Photo Recovery name) from digital camera memory. 


PhotoRec ignores the file system and goes after the underlying data, so it will still work even if your media’s file system has been severely damaged or reformatted. Photorec is free and runs on Windows, Linux, FreeBSD, NetBSD, OpenBSD, Sun Solaris, Mac Os and almost every unix system.

How to run Photorec  

If you don’t have photorec on your system, feel free to download Photorec here and download the one best for your operating system. After downloading the file, extract everything inside the archives.


For those on Windows, look for where you extracted  PhotoRec. Open the folder and  right click photorec_win.exe and then click Run as administator to launch PhotoRec.


For BSD, Unix, Linux user, open terminal and please make sure you are a root user and navigate into the extracted folder and type ./photorec_static  and press the Enter key as show below.

Recovering Formatted files with Photorec 11

For our Mac Os user,  navigate into the extracted folder and start /photorec_static but please make sure you are  root user otherwise PhotoRec will restart itself using sudo after a confirmation on your part. Sudo will ask for a password – enter your Mac OS X user password.

if you were able to install Photorec successfully the i guess we are good to continue, if not leave a comment and we will get back to you..


 Selecting your Disk

if you got the installation right installation right you show see like this for all Os  but I’m running mine from linux

Recovering Formatted files with Photorec 12

 and please make sure the want to recover has been insert.


From the image above you will see the media available listed. In other to select a media use  up/down arrow keys to select the media that contains the formatted files. Press Enter to proceed

Selecting a Source Partition

Recovering Formatted files with Photorec 13

If the disk you are trying to recover was a partitioned disk, then you will have to select the partition that holds the formatted files. In my case, I’m  trying to recover the formatted files on  whole partition so i selected the whole disk. Before we proceed, there are some options we need to have a look before we recover our file and it can be seen at the bottom of the image above.

Search after selecting the partition that holds the lost files to start the recovery,Options to modify the options, File to modify the list of file types recovered by PhotoRec. Let’s see how the Search, Options and File Opt work. Lets start with the Options

Options

Recovering Formatted files with Photorec 14

From the image above you can see that

  • Paranoid By  default is set to Yes (Bruteforce disabled) which means recovered files are verified and invalid files rejected but when we enable bruteforce, it implies that you want to recover more fragmented JPEG files, note it is a very CPU intensive operation.
  • Allow partial last cylinder modifies  how the disk geometry is determined – only non-partitioned media should be affected.
  • The expert mode option  allows the user to force the file system block size and the offset. Each filesystem has his own block size (a multiple of the sector size) and offset (0 for NTFS, exFAT, ext2/3/4), these value are fixed when the filesystem has been created/formatted. When working on the whole disk (ie. original partitions are lost) or a reformatted partition, if PhotoRec has found very few files, you may want to try the minimal value that PhotoRec let you select (it’s the sector size) for the block size (0 will be used for the offset).
  • Enable Keep corrupted files to  keep files even if they are invalid in the hope that data may still be salvaged from an invalid file using other tools.
  • Enable Low memory if  your system does not have enough memory and crashes during recovery. It may be needed for large file systems that are heavily fragmented. Do not use this option unless absolutely necessary.

 Selecting File type

Recovering Formatted files with Photorec 15

 File option gives you the opportunity to select the file type by pressing the space bar to select/deselect the file type or S to select/deselect all of them simultaneously. After the change press B to save the change.

File system type  

When the partition source is selected and other settings are put in place. It’s now time for us to validate the search. PhotoRec needs to know how the data blocks are allocated. Unless it is an ext2/ext3/ext4 filesystem, choose other

Recovering Formatted files with Photorec 16

Select where recovered file should be kept

Recovering Formatted files with Photorec 17

choose the directory to save the recovered files. Use the up/down key to choose the folder and uses  “..” to exist the current directory. And if you are recovering data into an external disk you can find the disk location in /media or /mnt

Recovering Formatted files with Photorec 17

 

 

Recovery update

Recovering Formatted files with Photorec 19

Now we can see the recovery process in the above image. The output shown in the above image base on the file type. One thing about this tool is, you can access the files found during the recovery process. You can find with folder name like this recup_dir in the destination you selected for the recovery

Recovery Complete

Recovering Formatted files with Photorec 20

At the Stage the Photorec recovery process is complete. The details of the recovery process will be shown along with the directory the recover files was save to..

Hope you had a great time recovering your files..Have a nice day and don’t forget to share the link..

pentester

Leave a Reply