7.1 / July 7, 2019
TestDisk is a free and open-source data recovery utility that helps users recover lost partitions or repair corrupted filesystems. TestDisk can collect detailed information about a corrupted drive, which can then be sent to a technician for further analysis. TestDisk supports DOS, Microsoft Windows (i.e. NT 4.0, 2000, XP, Server 2003, Server 2008, Vista, Windows 7, Windows 8.1, Windows 10), Linux, FreeBSD, NetBSD, OpenBSD, SunOS, and MacOS. TestDisk handles non-partitioned and partitioned media. In particular, it recognizes the GUID Partition Table (GPT), Apple partition map, PC/Intel BIOS partition tables, Sun Solaris slice and Xbox fixed partitioning scheme. TestDisk uses a command line user interface. TestDisk can recover deleted files with 97% accuracy.
TestDisk retrieves the LBA size and CHS geometry of attached data storage devices (i.e. hard disks, memory cards, USB flash drives, and virtual disk images) from the BIOS or the operating system. The geometry information is required for a successful recovery. TestDisk reads sectors on the storage device to determine if the partition table or filesystem on it requires repair. TestDisk can perform deeper checks to locate partitions that have been deleted from a storage device or disk image. However, it is up to the user to look over the list of possible partitions found by TestDisk and to select those that they wish to recover.
TestDisk can deal with some specific logical filesystem corruption.
When a file is deleted, the list of disk clusters occupied by the file is erased, marking those sectors available for use by other files created or modified thereafter. TestDisk can recover deleted files especially if the file was not fragmented and the clusters have not been reused.
TestDisk can be used in digital forensics to retrieve partitions that were deleted long ago. It can mount various types of disk images including the Expert Witness File Format used by EnCase. Binary disk images, such as those created with ddrescue can be read by TestDisk as though it were a storage device. In TestDisk versions prior to version 7, this feature could be exploited to inject malicious code into a running TestDisk application on Windows.
File system support
File system support for TestDisk is shown in the table:
|Name||Partition Recovery||Filesystem Recovery||File Recovery|
|Partition undelete||Rebuild Partition table||MBR / GPT Rewrite||Boot Sector Rewrite||Boot Sector Restore||Find filesystem||Undelete||Extract files from image||File carving|
|ext2, ext3, and ext4||Yes||?||Yes[e]||?||Yes|
|BSD disklabel (FreeBSD/OpenBSD/NetBSD)||Yes||No|
|Linux Swap 1 and 2||Yes||No|
|LVM and LVM2||Yes||No|
|Novell Storage Services (NSS)||Yes||No|
|ReiserFS 3.5, 3.6 and 4||Yes||No|
|Sun Solaris i386 disklabel||Yes||No|
|Unix File System UFS and UFS2 (Sun/BSD/…)||Yes||No|
|XFS, SGI’s Journaled File System||Yes||No|
- Find filesystem parameters to rewrite a valid boot sector
- Restore the boot sector using its backup
- Use the two copies of the FAT to rewrite a coherent version
- Restore the Master File Table (MFT) from its backup
- Find backup superblock location to assist fsck
- RAID 1: mirroring, RAID 4: striped array with parity device, RAID 5: striped array with distributed parity information and RAID 6: striped array with distributed dual redundancy information
- Moggridge, J. (2017). "Security of patient data when decommissioning ultrasound systems". Ultrasound. Leeds, England. 25 (1): 16–24. doi:10.1177/1742271X16688043.
- Grenier, Christophe (2021-05-31), TestDisk Documentation (PDF), CG Security, archived from the original (PDF) on 2021-11-17
- kumar, Hany; Saharan, Ravi; Panda, Saroj Kumar (March 2020). "Identification of Potential Forensic Artifacts in Cloud Storage Application". 2020 International Conference on Computer Science, Engineering and Applications (ICCSEA): 1–5. doi:10.1109/ICCSEA49143.2020.9132869. ISBN 978-1-7281-5830-3. S2CID 220367251.
- Debra Littlejohn Shinder, Michael Cross (2002). Scene of the cybercrime, page 328. Syngress. ISBN 978-1-931836-65-4.
- Jack Wiles, Kevin Cardwell, Anthony Reyes (2007). The best damn cybercrime and digital forensics book period, page 373. Syngress. ISBN 978-1-59749-228-7.
- Altheide, C., & Carvey, H. (2011). File System and Disk Analysis. In Digital Forensics with Open Source Tools. Elsevier. https://booksite.elsevier.com/samplechapters/9781597495868/Chapter_3.pdf
- Németh, Z. L. (2015). "Modern binary attacks and defences in the windows environment—Fighting against microsoft EMET in seven rounds". 2015 IEEE 13th International Symposium on Intelligent Systems and Informatics (SISY). pp. 275–280. doi:10.1109/SISY.2015.7325394.
- TestDisk Wiki
- List of news articles about TestDisk and PhotoRec
- Data Recovery With TestDisk, Falko Timme, HowtoForge
- Digital Forensics using Linux and Open Source Tools
Test Disk Team:
Main Contributor: Christophe Grenier. Location: Paris, France. URL: cgsecurity.org. He started the project in 1998 and is still the main developer. He is also responsible for the packaging of TestDisk & PhotoRec for DOS, Windows, Linux (generic version), MacOS X, and Fedora distribution.