photorec: Taught me something new today

I just had a very, very illuminating session with photorec, which might be strangely named considering what it can do, but is still a great console application.

photorec is part of the testdisk suite (or at least it is in Arch), but it doesn’t just recover photos. It can scrape through a drive and recover almost anything.

And from almost any filesystem, I might add, although you’ll need to know beforehand what the filesystem is.

photorec is menu driven for the most part, requires elevated privileges (which is good), and as far as I can tell in my experiences with it, does a great job yanking files from the jaws of death.

Now, why did I say “illuminating” earlier? Well, in one of my test runs this morning I grabbed a leftover flash drive that I hadn’t used in a while, ran dd over it for a few seconds, repartitioned it, dumped a couple of text files on it, deleted them, and then sent photorec to work.

Originally the drive had been formatted in ext4, but I repartitioned it to hold a vfat partition, just because I wanted to see what photorec would do with a non-Unix drive.

photorec found the original text files I dropped there a few minutes earlier, then kept scrounging and found music files I had on the drive before I repartitioned and reformatted it. I kid you not. 😯

And … they played perfectly in mocp. 😯

Until this morning I assumed that data files from completely different file systems on drives that had been repartitioned and reformatted … would be irretrievable. How wrong I was. 😳

I know enough to realize that without letting dd run its course over the whole drive, that data was still exposed. But I honestly thought since they weren’t listed in file table or were in a completely different filesystem, they wouldn’t be so easily brought back.

But there you have it. photorec taught me something new today, and I am wiser for it. Now please excuse me while I rig an entire laptop to run dban over every drive I own. … 😕

Advertisements