Wednesday October 31, 2007 12:28

Recover deleted files with photorec

Posted by shakir as Information Insemination





I was just watching a movie while suddenly all the files except the hidden ones in my home directory were gone, just as someone issued the command

sudo rm -rf /home/shakir/*

To avoid further data loss, I quickly power off and boot into my Ubuntu live CD to create an image of my /home partition. Here’s how to see in which partition is my /home directory:

shakir@herugrim ~ $ cat /proc/partitions
major minor  #blocks  name
8     0  156290904 sda
8     1   21494938 sda1
8     2    8795587 sda2
8     3    2939895 sda3
8     4          1 sda4
8     5    9775521 sda5
8     6  113282316 sda6

From the partition sizes I can tell my /home partition was in the /dev/sda6, and the next step is to really create an image of the partition to safely doing the recovery process without risking of losing more data. /media/usbdisk is where my external usb harddisk is mounted

sudo dd if=/dev/sda6 of=/media/usbdisk/herugrim-sda6-20071010.img

Photorec is part of testdisk package, and this is how to install it in ubuntu;

sudo apt-get update
sudo apt-get install testdisk

It’s time to actually do run the program

sudo photorec /home/shakir/temp/herugrim-sda6-20071010.img

After going through some options, photorec starts doing it’s job.

Photorec stores recovered files in recup_dir.<sequence>/<sequence>.<file extension> in the specified target directory, which is not very useful. Here’s a script I wrote to find all the recovered JPEG files and move/rename it accordingly. Almost the same technique can be used for other file formats.

#!/bin/bash
PHOTODIR=/home/shakir/temp/photorec
cd $PHOTODIR
mkdir JPEG
for i in `ls | grep recup`;do
	for j in `ls $i/*.jpg`; do
		if FILE=`exiv2 $j 2>/dev/null | grep timestamp | awk ‘{ print $4"-"$5 }’ | tr -d ‘:’ | grep 200`; then
			cp -v $j "JPEG/"$FILE".jpg"
		fi
	done
done
Digg    Delicious    Stumbleupon    More...




Tags: , ,



5 Responses to Recover deleted files with photorec

izlan

October 31st, 2007 at 2:22 pm

sifu, kalo dah create image cmna nk reverse blk..hehe..cthnye backup 1 partition linux pastu nk extract blk

shakir

October 31st, 2007 at 2:31 pm

just tukar *if* ngan *of* ajelah

sudo dd if=/media/usbdisk/herugrim-sda6-20071010.img of=/dev/sda6

Make sure the image file is not any bigger than the partition’s size or it might overwrite your next partition’s data

izlan

November 2nd, 2007 at 2:49 pm

TemperatureReadEvent,1191036795.878820,2007-09-29 11:33:15,,142,00173b00115eb27a,node6-6lowpan,77.3
TemperatureReadEvent,1191037095.882040,2007-09-29 11:38:15,,148,00173b00115eb27a,node6-6lowpan,77.4
TemperatureReadEvent,1191037395.889310,2007-09-29 11:43:15,,154,00173b00115eb27a,node6-6lowpan,77.5
TemperatureReadEvent,1191037695.932600,2007-09-29 11:48:15,,160,00173b00115eb27a,node6-6lowpan,77.5

kalo ada 4 line ni camne nk extract no yg blakang saje?

kalo cat TemperatureReadEvent.txt | tr “,” ” ” | cut -d ” ” -f9

77.3
77.4
77.5
77.5

kalo nk amik line pertama je cmne? :)

shakir

November 3rd, 2007 at 7:26 am

pipe je ke head..

bla2 | head -n 1

miles

October 17th, 2009 at 7:45 pm

this was very helpful, thanks for the instructions on photorec. Worked like a charm. One thing I found helpful though is instead of the script, you can find all the files you want and copy or move them is in terminal a little bit easier, like this:

find /path/to/music -iname ‘*.mp3′ -exec cp {} /new/directory/ \;

Comment Form

Copyright © 2010 - /home/shakir - is proudly powered by WordPress | Log in