PhotoRec

From Wikipedia, the free encyclopedia
Jump to: navigation, search
PhotoRec
PhotoRec-logo.png
Developer(s) Christophe Grenier
Stable release 6.14 / July 30, 2013 (2013-07-30)
Development status Active
Written in C
Operating system Cross-platform
Platform CLI
Type Data recovery
License GPL (free software)
Website www.cgsecurity.org/wiki/PhotoRec

PhotoRec is a free and open source file carver data recovery software tool designed to recover lost files from digital camera memory (CompactFlash, Memory Stick, Secure Digital, SmartMedia, Microdrive, MMC, USB flash drives, etc.), hard disks and CD-ROMs. It recovers most common photo formats, including JPEG, and also recovers audio files including MP3, document formats such as OpenDocument, Microsoft Office, PDF and HTML, and archive formats including ZIP. [1]

PhotoRec does not attempt to write to the damaged media the user is about to recover from. Recovered files are instead written to the directory from which PhotoRec is run, any other directory may be chosen. It can be used for data recovery or in a digital forensics context.[2][3][4] PhotoRec is shipped with TestDisk.[5]

PhotoRec is compatible with:[6]

How PhotoRec works[edit]

FAT, NTFS, ext2/ext3/ext4 filesystems store files in data blocks (also called data clusters under Windows). The cluster or block size remains at a constant number of sectors after being initialized during the formatting of the filesystem. In general, most operating systems try to store the data in a contiguous way so as to minimize data fragmentation. The seek time of mechanical drives is significant for writing and reading data to/from a hard disk, so that′s why it′s important to keep the fragmentation to a minimum level.

When a file is deleted, the meta-information about this file (filename, date/time, size, location of the first data block/cluster, etc.) is lost; e.g., in an ext3/ext4 filesystem, the names of deleted files are still present, but the location of the first data block is removed. This means the data is still present on the filesystem, but only until some or all of it is overwritten by new file data.

To recover these ‘lost’ files, PhotoRec first tries to find the data block (or cluster) size. If the filesystem is not corrupted, this value can be read from the superblock (ext2/ext3/ext4) or volume boot record (FAT, NTFS). Otherwise, PhotoRec reads the media, sector by sector, searching for the first ten files, from which it calculates the block/cluster size from their locations. Once this block size is known, PhotoRec reads the media block by block (or cluster by cluster). Each block is checked against a signature database; which comes with the program and has been growing in the type of files it can recover ever since PhotoRec′s first version came out. It′s a common data recovery method called File carving.

For example, PhotoRec identifies a JPEG file when a block begins with:

  • Start Of Image + APP0: 0xff, 0xd8, 0xff, 0xe0
  • Start Of Image + APP1: 0xff, 0xd8, 0xff, 0xe1
  • or Start Of Image + Comment: 0xff, 0xd8, 0xff, 0xfe

If PhotoRec has already started to recover a file, it stops its recovery, checks the consistency of the file when possible and starts to save the new file (which it determined from the signature it found).

If the data is not fragmented, the recovered file should be either identical; or possibly larger than the original file, in size. In some cases, PhotoRec can learn the original filesize from the file header, so the recovered file is truncated to the correct size. If, however, the recovered file ends up being smaller than its header specifies, it is discarded. Some files, such as *.MP3 types, are data streams. In this case, PhotoRec parses the recovered data, then stops the recovery when the stream ends.

When a file is recovered successfully, PhotoRec checks the previous data blocks to see if a file signature was found but the file was not able to be successfully recovered (i.e., the file was too small), and it tries again. This way, some fragmented files can be successfully recovered.[7]

Popularity[edit]

PhotoRec and TestDisk have been downloaded more than 150,000 times in July 2008 from the primary website.[citation needed] In fact these utilities are even more popular as they can be found on various GNU/Linux Live CDs:[original research?]

They are also packaged for numerous GNU/Linux based distributions:

See also[edit]

References[edit]

  1. ^ File Formats Recovered By PhotoRec
  2. ^ Jack Wiles, Kevin Cardwell, Anthony Reyes (2007). The best damn cybercrime and digital forensics book period, p. 220. Syngress Publishing Inc. ISBN 978-1-59749-228-7.
  3. ^ Cameron H. Malin, Eoghan Casey, James M. Aquilina (2008). Malware Forensics: Investigating and Analyzing Malicious Code, p. xxviii. Syngress Publishing Inc. ISBN 978-1-59749-268-3.
  4. ^ Nathan Clarke (2010), Computer Forensics: A Pocket Guide, p. 67. IT Governance Publishing. ISBN 978-1-84928-039-6.
  5. ^ Scott Mueller, Brian Knittel (2008). Upgrading and Repairing Microsoft Windows, Second Edition, page 685. Pearson Education Inc. ISBN 978-0-7897-3695-6.
  6. ^ "PhotoRec - CGSecurity". Retrieved 1/3/2013. 
  7. ^ How PhotoRec works (Description from the author website)
  8. ^ "Recovery Is Possible Changelog". Retrieved 1/3/2013. 
  9. ^ "GParted -- Live CD/USB/PXE/HD". Retrieved 1/3/2013. 
  10. ^ "programs – Parted Magic". Retrieved 1/3/2013. 
  11. ^ "Recover file with PhotoRec". Retrieved 1/3/2013. 
  12. ^ "System-tools - SystemRescueCd". Retrieved 1/3/2013. 
  13. ^ "6. List of all commands". Retrieved 1/3/2013. 
  14. ^ "Software Ubuntu Rescue Remix". Retrieved 1/3/2013. 
  15. ^ TestDisk on ALT Linux
  16. ^ ArchLinux Extra Repository
  17. ^ TestDisk on Debian
  18. ^ TestDisk in Fedora
  19. ^ "RepoView: "Fedora EPEL 6 - x86_64"". Retrieved 27 July 2013. 
  20. ^ TestDisk in FreeBSD ports
  21. ^ TestDisk in Gentoo
  22. ^ TestDisk in Gentoo Portage
  23. ^ TestDisk in Source Mage
  24. ^ TestDisk in Ubuntu

External links[edit]