Recover deleted files on GNU/Linux with TestDisk

Before going through the process, let me introduce a free and open-source program called TestDisk.

What is TestDisk?

To answer this question, let us take the following quote:

“TestDisk is a data recovery utility licensed as free software. It was developed primarily to help recover lost data on partitions and to repair bootable disks, problems caused by faulty software, some types of viruses or human error (such as deleting the partition table). TestDisk can be used to obtain detailed information about a corrupted disk which can be sent to a technician for further analysis.”

Source: Wikipedia

Now that we have the answer to our initial question: testdisk and photorec are two tools that ship together in a single installation package on Debian and Debian-based GNU/Linux distributions. The package can be installed as follows, with root or sudo access, in a terminal:

apt install testdisk

For a simple user manual we can run the following commands:

man testdisk
man photorec

A quick help on the testdisk and photorec commands can be viewed as follows:

testdisk --help
photorec --help

The testdisk command can, to some extent, recover damaged partitions, defective disks and data on partitions; photorec is mostly used to recover files that have been deleted or that sit on damaged partitions.

It should be noted that testdisk/photorec works with a wide range of file systems such as FATx, NTFS, EXTx, UFSx and ReiserFS, among many others.

Here are some simple steps to recover files from a removable storage drive (flash drive):

The first thing to do is to run the command fdisk -l as administrator (root) to list and identify the drives connected to the computer. Here is an example of the result on the console screen:

Disk /dev/sda: 223.6 GiB, 240057409536 bytes, 468862128 sectors
Disk model: KINGSTON SA400S3
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x94f8f291

Device     Boot   Start       End   Sectors   Size Id Type
/dev/sda1          2048   7813119   7811072   3.7G 82 Linux swap / Solaris
/dev/sda2  *    7813120 468860927 461047808 219,9G 83 Linux

Disk /dev/sdb: 14.5 GiB, 15506440192 bytes, 30286016 sectors
Disk model: USB DISK 2.0
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x029004cb

Device     Boot Start      End  Sectors  Size Id Type
/dev/sdb1        2048 30286015 30283968 14.5G  b W95 FAT32

You can see that the removable storage drive appears as /dev/sdb1 (the FAT32 partition on /dev/sdb). The next thing to do is to create the destination folder where the recovered files will be saved:

mkdir recoveredFiles

Easy Steps to follow for Data Recovery

1. Run photorec with the command:

photorec

2. In the interface that is displayed, select the removable storage drive (pendrive) with the keyboard navigation keys.

3. Then select the file system type. The one detected by testdisk / photorec is usually selected by default, so just press the Enter key.

4. On the next screen, select the destination folder where all the files that photorec / testdisk recovers from the removable storage drive (pendrive) will be saved, and press the Enter key.

5. On the next screen, just press Enter. This confirms the selected option regarding permissions on the destination folder where the files will be saved.

6. The recovery process then begins. When it finishes, you only have to open the destination folder that was created for this purpose.

Explanation of the file recovery process

Once files are deleted, the storage locations they occupied still hold their data, as long as you have not saved new files to the removable drive (pendrive) or formatted it; only the references to those locations are removed. The testdisk / photorec algorithm interprets those parts of the files and reconstructs them. However, when the person saved files after realizing that they had deleted important files by mistake, recovery is not reliable, because part of the locations that held the deleted files have been overwritten.

Note: If you have deleted files on a storage drive and you want to recover them, do not use the drive to save new files until you have completed the recovery of the deleted files.

Use of Testdisk / Photorec for Forensic Analysis

This tool is key in the area of police technology in every country: when computer equipment is seized containing erased information that could serve as evidence of crimes under that country's laws, it is key to recovering that information.

Secure erasure is a way to prevent testdisk / photorec from recovering the information:

There are ways to securely erase files so that they cannot be recovered from computer systems, and the principle is very simple: overwrite the file, before deleting it, with the same amount of information as it originally contained. Software tools that perform secure deletion of files already exist, and they can even be integrated into the functions of the operating system if you want. In this way the information that was contained in the storage units of computer systems can never be recovered, which allows many criminals to leave no information that incriminates them before the law.
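Both points above (deleted data stays on the drive until something overwrites it, and overwriting defeats recovery) can be seen in a small simulation. This is an added example, not code from TestDisk/PhotoRec or from the original post: a simplified signature carver run over a constructed in-memory image, where the function names and the sample "JPEG" bytes are made up for illustration.

```python
SECTOR = 512
JPEG_SOI = b"\xff\xd8\xff"  # JPEG start-of-image marker
JPEG_EOI = b"\xff\xd9"      # JPEG end-of-image marker


def make_image(payload: bytes, start_sector: int, sectors: int = 64) -> bytearray:
    """Constructed raw image: zero-filled sectors holding one file's data.
    It has no directory entry, which is the state a deleted file is left in."""
    img = bytearray(SECTOR * sectors)
    off = start_sector * SECTOR
    img[off:off + len(payload)] = payload
    return img


def carve_jpegs(img: bytes) -> list[bytes]:
    """Look for a JPEG header at each sector boundary and cut at the next
    footer. No file system metadata is consulted (simplified carving)."""
    found = []
    for off in range(0, len(img), SECTOR):
        if img[off:off + 3] == JPEG_SOI:
            end = img.find(JPEG_EOI, off + 3)
            if end != -1:
                found.append(bytes(img[off:end + 2]))
    return found


def overwrite(img: bytearray, start_sector: int, length: int) -> None:
    """Replace `length` bytes of the data area with zeros, standing in for
    a new file saved on top or a secure-erase pass."""
    off = start_sector * SECTOR
    img[off:off + length] = bytes(length)


def demo() -> tuple[int, int]:
    # Constructed sample, not a real photo: header + filler + footer.
    photo = JPEG_SOI + b"\xe0" + b"constructed-sample-data" * 40 + JPEG_EOI
    img = make_image(photo, start_sector=10)
    before = carve_jpegs(img)         # data intact: file is carved whole
    overwrite(img, 10, len(photo))    # same amount of data written over it
    after = carve_jpegs(img)          # header and footer gone: nothing found
    return len(before), len(after)


if __name__ == "__main__":
    print(demo())
```

Overwriting only part of the data area (for example 100 bytes of sector 11) still yields a carved file, but its content no longer matches the original, which is the "not reliable" case described earlier.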

Can entire partitions be recovered, along with all the information contained in them?

The answer to this question is yes: testdisk is a very advanced tool that is capable of doing so, and it is currently widely used in data recovery centers around the world.

What do you think of it, guys? I recommend that each of you readers try it out and have fun recovering your deleted files. Tools like Testdisk/photorec can be very useful productivity tools, so you should go ahead and learn some basics, just in case you need them tomorrow or in the near future.
