To use PhotoRec effectively you need to understand how the filesystem handles files. When you delete a file, it isn’t actually zapped into oblivion. Rather the file system just marks it as deleted, and makes the space the file occupies available to other files. This means that until another app uses that recently freed-up space, the original file is still there, and can be retrieved by a file recovery tool. For this very reason, it’s very important that you immediately stop using the computer as soon as you realize that you have accidentally deleted files in order to minimize the interactions with the hard disk. Note: PhotoRec is cross-platform compatible. For this tutorial, we will use a Linux (Ubuntu) system for illustration.

Carving files

PhotoRec is a file carver. A file carver is a tool that can recover files even when it’s missing regular metadata such as a filename, or its location. That’s because a file carver doesn’t rely on the filesystem to read files and instead painstakingly trawls through the hard disk. The tool works on all sorts of disks including hard disks and removable media such as USB disks. In addition to reading unbootable disks, PhotoRec will also recover files from partitions that have been formatted and reinstalled into.

PhotoRec can sniff the most common image formats and can additionally pick out files in various formats including odf, pdf, 7zip, zip, tar, rpm, deb, and even virtual disks. PhotoRec is an integral part of almost every recovery distro out there, and it ships along with the powerful TestDisk utility that can recover and restore partitions. You’ll find PhotoRec in the official repositories of most distros. But to install it, you need to install the TestDisk tool.

Command-line magic

Before you fire up PhotoRec, create a directory where it will save the recovered files. Once the tool is done, this directory will be populated with lots of weirdly named files in different formats. This is because PhotoRec names these files as it finds them and leaves the sorting to you. Also despite the fact that PhotoRec is a command-line utility, it breaks the process of recovering files into steps, much like a wizard. When you launch the tool, it will display all hard disks and connected removable devices including any plugged-in USB drives. To proceed, select the disk with the missing files. In case the disk houses multiple partitions, PhotoRec will display all the partitions and allows you to select the one that housed the lost files. Next up, the tool needs to know the file system type your files were stored in. It only presents two options. Select the [ext2/ext3] option if the deleted file resided inside a Linux distro. The [Other] option will look for files created under FAT/NTFS/HFS+ or any other filesystem. You’ll then have to decide whether you want to look for deleted files only inside the freed up space or in the whole partition. The last step is to point PhotoRec to the folder you’ve created to store all recovered files. That’s all the information PhotoRec needs from you. The tool will now get to work. Depending on the size of the partition, PhotoRec can take quite a while to complete.

Focused recovery

As you’ll discover, PhotoRec is a little too good at its job. It’ll find lots and lots of files and sorting through them can be quite a task. A better option would be to limit the filetypes to recover.

You can do this using the [File Opt] option after selecting the disk from which you want the tool to recover files. By default, the tool searches files of all types. Press the “s” key to deselect all supported formats. Then scroll through the list and press the spacebar to select the format or formats you are interested in.

Sort files

When you peek inside the destination folder, you’ll see several folders named recup_dir.1, recup_dir.2, and so on. The recovered files are saved under these folders. Manually sorting the files would take forever. You could do some basic sorting from the CLI to beter organize the files. For example, use the command to move all the jpg files from under all the recovered folders into the all-recovered-images folder. You can also sort files by their size. This is very useful especially when recovering images. In addition to recovering the image itself, PhotoRec will also recover their thumbnails as well which will have the same extension. The command will move all images less than 10KB in size out of the all-recovered-images folder.

Conclusion

There’s a reason why you’ll find PhotoRec in almost every disaster recovery toolkit. The tool works and how! I’ve used it to recover files from an accidental rm command that went after my SDCARD, as well as important PDFs from a USB drive formatted in Windows. There is a learning curve involved when using the tool, but it comes into play when sorting the recovered files. But once you get the hang of it, you’ll never lose a file again! Image credit: U.S. Army Corps of Engineers