Tools - PhotoRec (Data Recovery)

| F.A.Q.
Facebook Twitter Clipboard

Tools - PhotoRec (Data Recovery)

PhotoRec is software for recovering data that has been lost, including videos, documents and archives from hard disk drives (HDD), SSDs, CD-ROMs and lost photos (hence the name Photo Recovery) from digital camera memory. PhotoRec ignores the file system and recovers data directly, so it still works even if the media file system is severely damaged or reformatted.
PhotoRec is free - this multi-platform application under the GNU General Public License (GPLv2+) is available as open source software. PhotoRec is a companion program to TestDisk, an application for recovering lost partitions on various file systems and restoring bootability on unbootable drives.

For added security, PhotoRec uses read-only access to handle the drive or memory card from which you intend to recover lost data. Important: If you accidentally delete a photo or file, or discover that something is missing, DO NOT save any more photos or files to this memory device or hard drive. Otherwise, you may overwrite the lost data. This means that when using PhotoRec, do not choose to save recovered files to the same partition where they were stored

Operating Systems:

PhotoRec can work on:

  • DOS/Windows 9x
  • Windows 11/10/8.1/8/7/Vista/XP, Windows Server 2022/2019/2016/2012/2008/2003
  • Linux
  • FreeBSD, NetBSD, OpenBSD
  • Sun Solaris
  • Mac OS X
  • Unix (can be compiled on most Unix systems)

File systems

PhotoRec ignoruje system plików; dzięki temu działa nawet w przypadku poważnego uszkodzenia systemu plików. Może odzyskiwać utracone pliki z co najmniej

  • FAT
  • NTFS
  • exFAT
  • systemu plików ext2/ext3/ext4
  • HFS+

It may not work well with ReiserFS!

Media

PhotoRec works with hard drives, CD-ROMs, memory cards (CompactFlash, Memory Stick, Secure Digital/SD, SmartMedia, Microdrive, MMC, etc.), USB memory drives, DD images in RAW format, EnCase E01 images, etc. PhotoRec has been successfully tested with various portable media players, including iPod, and the following digital cameras:

  • Canon EOS 10D, 60D, 80D, 300D
  • Casio Exilim EX-Z 750
  • Fujifilm X-T10
  • HP PhotoSmart 620, 850, 935
  • Nikon CoolPix 775, 950, 5700
  • Olympus C350N, C860L, Mju 400 Digital, Stylus 300
  • Sony Alpha DSLR, DSC-P9, NEX-6
  • Pentax K20D
  • Praktica DCZ-3.4

File formats

PhotoRec searches for known file headers. If there is no data fragmentation, which is often the case, it can recover the entire file. PhotoRec recognizes and recovers many file formats, including ZIP, Office, PDF, HTML, JPEG and various image file formats. The entire list of file formats recovered by PhotoRec includes more than 480 file extensions (about 300 file families).

How does PhotoRec work?

The FAT, NTFS and ext2/ext3/ext4 file systems store files in blocks of data (also called clusters in Windows systems). The size of a cluster, or block, remains fixed and consists of a specific number of sectors when initialized during file system formatting. In the general case, most operating systems try to store data continuously to minimize data fragmentation. Search time on mechanical disks is important when writing and reading data from a hard drive, so it is important to keep fragmentation to a minimum.

When a file is deleted, the metainformation about that file (file name, date/time, size, location of the first block/cluster of data, etc.) is lost; for example, in the ext3/ext4 file system, the names of deleted files are still present, but the location of the first block of data is deleted. This means that the data is still present in the file system, but only until some or all of it is overwritten by new file data.
To recover these lost files, PhotoRec first tries to find the size of a block (or cluster) of data. If the file system is not corrupted, this value can be read from the superblock (ext2/ext3/ext4) or the boot record of the volume (FAT, NTFS). Otherwise, PhotoRec reads the media, sector by sector, searching for the first ten files, from which it calculates the block/cluster size of the data based on their location. Once this block size is known, PhotoRec reads the media block by block (or cluster by cluster). Each block is checked against the signature database that comes with the program and is constantly growing with new file types that can be recovered since the first version of PhotoRec.

For example, PhotoRec recognizes a JPEG file when the block begins with:
  • 0xff, 0xd8, 0xff, 0xe0
  • 0xff, 0xd8, 0xff, 0xe1
  • or 0xff, 0xd8, 0xff, 0xfe
If PhotoRec has already started the file recovery process, it stops the recovery, checks the integrity of the file, if possible, and starts writing a new file (which was determined by the signature found).
If the data is not fragmented, the recovered file should be identical to or larger than the original file in terms of size. In some cases, PhotoRec can learn the original file size based on the file header, so the recovered file is trimmed to the correct size. However, if the recovered file is smaller than the header indicates, it is discarded. Some files, such as *.MP3 type files, are data streams. In this case, PhotoRec analyzes the recovered data and then stops the recovery process when the stream is finished.
After successfully recovering the file, PhotoRec checks the previous data blocks to see if the file signature was found, but the file was not recovered correctly (that is, the file was too small), and tries again. In this way, it is possible to successfully recover some fragmented files.
 
Procedure
The program requires administrator / root user privileges to operate
In the first step, select the drive from which you want to recover data, the selection should be confirmed - Proceed.

 

The next step is to select the partition from which to restore the data.

 

 

Here you can change the recovery option and narrow or expand the range of file formats to be recovered.

 

 

The next  step is to select the file systems where the data was stored:
ext2/ext3 for ext2/ext3/ext4 or other for FAT/NTFS/HFS+/ReiserFS/.

 

 

Choose the scope of disk analysis whole (Whole) or only free space (Free).

 

 

The next step is to choose where to save the restored files.

Note: this must not be the same drive from which the data is being recovered, and the FAT32 partition should not be selected, as it has a file size limit of 4GB. The selection is confirmed with the letter C.

 

 

Once confirmed, the recovery process begins. During the process, the program keeps you informed about the found files. The process can take from a few minutes to even a couple of hours. It all depends on the size of the disk.

 

 

The last screen is a summary.

 

 

Conclusion

PhotoRec is a powerful tool that can restore files, but it has a major drawback the restored files do not have their original name.

Related articles:
  1. Tools - TestDisk (Partition table recovery).
  2. Backblaze - disk failure report Q1 2023
  3. Backblaze - disk failure report