Wikipedia

PhotoRec

PhotoRec is a free and open-source data recovery utility with a text-based user interface. It uses data carving techniques and is designed to recover lost files from digital camera memory, hard disks and CD-ROMs. It can recover files with more than 480 file extensions (about 300 file families).[1] It is also possible to add a custom file signature to detect lesser-known files.[2]

PhotoRec
Demonstration of PhotoRec running in Linux
Developer(s): Christophe Grenier
Initial release: April 30, 2002; 22 years ago (2002-04-30)
Stable release: 7.2 / February 22, 2024; 2 months ago (2024-02-22)
Repository: git.cgsecurity.org/cgit/testdisk/
Written in: C (nCurses)
Operating system: Cross-platform
Platform: CLI
Type: Data recovery
License: GNU GPL v2+ (free software)
Website: www.cgsecurity.org/wiki/PhotoRec

PhotoRec does not attempt to write to the damaged media the user is about to recover from. Recovered files are instead written to the directory from which PhotoRec is run; any other directory may be chosen. It can be used for data recovery or in a digital forensics context.[3][4][5][6][7] PhotoRec is shipped with TestDisk.[8]

Functionality

FAT, NTFS and ext2/ext3/ext4 file systems store files in data blocks (also called data clusters under Windows). The cluster or block size remains at a constant number of sectors after being initialized during the formatting of the filesystem. In general, most operating systems try to store the data contiguously so as to minimize data fragmentation. Because the seek time of mechanical drives is significant when writing and reading data to and from a hard disk, it is important to keep fragmentation to a minimum.

When a file is deleted, the meta-information about this file (filename, date/time, size, location of the first data block/cluster, etc.) is lost; e.g., in an ext3/ext4 filesystem, the names of deleted files are still present, but the location of the first data block is removed. This means the data is still present on the filesystem, but only until some or all of it is overwritten by new file data.

To recover these "lost" files, PhotoRec first tries to find the data block (or cluster) size. If the filesystem is not corrupted, this value can be read from the superblock (ext2/ext3/ext4) or volume boot record (FAT, NTFS). Otherwise, PhotoRec reads the media sector by sector, searching for the first ten files, and calculates the block/cluster size from their locations. Once this block size is known, PhotoRec reads the media block by block (or cluster by cluster). Each block is checked against a signature database, which comes with the program and has grown in the number of file types it can recover ever since PhotoRec's first version came out. This is a common data recovery method called file carving.

For example, PhotoRec identifies a JPEG file when a block begins with:

  • Start Of Image + APP0: 0xff, 0xd8, 0xff, 0xe0
  • Start Of Image + APP1: 0xff, 0xd8, 0xff, 0xe1
  • or Start Of Image + Comment: 0xff, 0xd8, 0xff, 0xfe

If PhotoRec has already started to recover a file, it stops its recovery, checks the consistency of the file when possible and starts to save the new file (which it determined from the signature it found).

If the data is not fragmented, the recovered file should be identical to (or possibly larger than) the original file in size. In some cases, PhotoRec can learn the original file size from the file header, so the recovered file is truncated to the correct size. If, however, the recovered file ends up being smaller than its header specifies, it is discarded. Some files, such as *.MP3 types, are data streams. In this case, PhotoRec parses the recovered data, then stops the recovery when the stream ends.

When a file is recovered successfully, PhotoRec checks the previous data blocks to see whether a file signature was found but the file was not able to be successfully recovered (i.e., the file was too small), and it tries again. This way, some fragmented files can be successfully recovered.[9]
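The carving steps described above, as an added Python example that is not PhotoRec's own code. It is a simplification: the function names, the gcd-based block-size estimate, the End Of Image check and the sample "disk" are all assumptions constructed for illustration.

```python
from math import gcd

SECTOR = 512
# JPEG signatures from the list above: SOI + APP0, SOI + APP1, SOI + Comment
JPEG_SIGS = (b"\xff\xd8\xff\xe0", b"\xff\xd8\xff\xe1", b"\xff\xd8\xff\xfe")
EOI = b"\xff\xd9"  # JPEG End Of Image marker

def guess_block_size(image, max_files=10):
    """Scan sector by sector and infer the block size from the first file starts."""
    hits = []
    for off in range(0, len(image), SECTOR):
        if image.startswith(JPEG_SIGS, off):
            hits.append(off)
            if len(hits) == max_files:
                break
    size = 0
    for off in hits[1:]:
        size = gcd(size, off - hits[0])  # spacing shared by all file starts
    # Simplification: with few files the gcd can overestimate the real size.
    return (size or SECTOR), (hits[0] if hits else 0)

def carve_jpegs(image, block, first=0):
    """Read block by block; a signature at a block start ends the open file."""
    starts = [off for off in range(first % block, len(image), block)
              if image.startswith(JPEG_SIGS, off)]
    carved = []
    for begin, end in zip(starts, starts[1:] + [len(image)]):
        data = image[begin:end]
        cut = data.rfind(EOI)          # simplified consistency check
        if cut != -1:                  # no end marker: discard as incomplete
            carved.append((begin, data[:cut + len(EOI)]))
    return carved

def build_sample(block=4096):
    """Constructed 12-block 'disk': two intact JPEG-like files, one truncated."""
    a = JPEG_SIGS[0] + b"\x11" * 96 + JPEG_SIGS[1] + b"\x11" * 4894 + EOI  # 5000 bytes
    b = JPEG_SIGS[1] + b"\x22" * 94 + EOI                                  # 100 bytes
    c = JPEG_SIGS[2] + b"\x33" * 200                                       # lost its tail
    image = bytearray(12 * block)
    for blk, content in ((2, a), (5, b), (9, c)):
        image[blk * block: blk * block + len(content)] = content
    return bytes(image), a, b

if __name__ == "__main__":
    image, a, b = build_sample()
    block, first = guess_block_size(image)
    for offset, data in carve_jpegs(image, block, first):
        print(f"JPEG at offset {offset}: {len(data)} bytes")
```

File `a` embeds a second signature 100 bytes in (as an embedded thumbnail would); because signatures are only tested at block starts, it is not mistaken for a new file.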

Notably, PhotoRec does not restore original filenames, but one can, for example, rename recovered JPG pictures using exiftool: https://www.cgsecurity.org/testdisk_doc/after_using_photorec.html#renaming-files-using-exiftool

PhotoRec is superior to Scalpel and provides technically more correct files. In a discussion at https://github.com/sleuthkit/scalpel/issues/35 it came out that "Scalpel does not repair broken headers/EOF markers like PhotoRec in Autopsy. If you use a hex editor to manually repair the recovered files, then you will end up with the same images/files." Scalpel produces more broken JPG files, where PhotoRec did the task correctly on an ext4 filesystem.

PhotoRec (TestDisk) is bundled in the Autopsy and WondershareRecoverIt (paid) packages.

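Compatibility

PhotoRec is compatible with:[10]

  • DOS (either real or in a Windows 9x DOS box)
  • Microsoft Windows (NT4, 2000, XP, 2003, 2008, 2016, Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11)
  • Linux
  • FreeBSD, NetBSD, OpenBSD
  • SunOS
  • macOS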

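Distribution

PhotoRec and TestDisk are shipped together. They can be downloaded from the CGSecurity website. These utilities can be found on various Linux Live CDs:

  • GParted Live CD[11]
  • Parted Magic[12]
  • Slax-LFI, a Slax-derived distribution[13]
  • SystemRescueCD[14]
  • Ubuntu Rescue Remix, an Ubuntu derivation[15]

They are also packaged for numerous *nix (mostly Linux-based) distributions:

  • ALT Linux[16]
  • Arch Linux Extra Repository[17]
  • Debian contrib[18]
  • Fedora Extras[19]
  • Red Hat Epel[20]
  • FreeBSD port[21]
  • OpenBSD port[22]
  • Gentoo[23] and Gentoo Portage[24]
  • Mandriva contrib
  • Source Mage Linux[25]
  • Ubuntu[26]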

See also

  • Photo recovery
  • List of free and open-source software packages
  • File recovery

References

  1. ^ "File Formats Recovered by PhotoRec". April 2015.
  2. ^ "Add your own extension to PhotoRec". 18 May 2016.
  3. ^ Jack Wiles, Kevin Cardwell, Anthony Reyes (2007). The best damn cybercrime and digital forensics book period, p. 220. Syngress Publishing Inc. ISBN 978-1-59749-228-7.
  4. ^ Cameron H. Malin, Eoghan Casey, James M. Aquilina (2008). Malware Forensics: Investigating and Analyzing Malicious Code, p. xxviii. Syngress Publishing Inc. ISBN 978-1-59749-268-3.
  5. ^ Nathan Clarke (2010), Computer Forensics: A Pocket Guide, p. 67. IT Governance Publishing. ISBN 978-1-84928-039-6.
  6. ^ NIST Test Results for Graphic File Carving Tool: PhotoRec v7.0-WIP[permanent dead link].
  7. ^ NIST Test Results for Video File Carving Tool: PhotoRec v7.0-WIP Archived 2015-04-22 at archive.today.
  8. ^ Scott Mueller, Brian Knittel (2008). Upgrading and Repairing Microsoft Windows, Second Edition, page 685. Pearson Education Inc. ISBN 978-0-7897-3695-6.
  9. ^ How PhotoRec works (Description from the author website).
  10. ^ "PhotoRec - CGSecurity". Retrieved March 1, 2013.
  11. ^ "GParted -- Live CD/USB/PXE/HD". Retrieved March 1, 2013.
  12. ^ . Archived from the original on January 2, 2011. Retrieved March 1, 2013.
  13. ^ . Archived from the original on May 2, 2013. Retrieved March 1, 2013.
  14. ^ "System-tools - SystemRescueCd". Retrieved March 1, 2013.
  15. ^ . Archived from the original on 2013-01-23. Retrieved March 1, 2013.
  16. ^ . Archived from the original on 2011-08-11. Retrieved 2011-05-25.
  17. ^ ArchLinux Extra Repository
  18. ^ TestDisk on Debian
  19. ^ TestDisk in Fedora. Archived 2011-03-10 at the Wayback Machine.
  20. ^ . Archived from the original on 2015-09-13. Retrieved 27 July 2013.
  21. ^ TestDisk in FreeBSD ports
  22. ^ TestDisk in OpenBSD ports
  23. ^ TestDisk in Gentoo
  24. ^ TestDisk in Gentoo Portage. Archived 2011-06-07 at the Wayback Machine.
  25. ^ TestDisk in Source Mage. Archived 2011-05-19 at the Wayback Machine.
  26. ^ . Archived from the original on 2019-06-08. Retrieved 2019-06-08.

External links

  • Official website
