Recover data like a forensics expert using an Ubuntu Live CD

leslierosedelhomme

Trying to recover deleted files and hard drive partitions can be a tricky and stressful process. This article will describe four tools that can recover data from hard drives in various levels of disarray. These methods are particularly useful when a device can’t be booted or a drive has been reformatted. Thankfully, these tools are compatible with Windows, Linux, and Mac, and can even assist when a partition table is wiped out entirely.

It’s important to note that once data has been overwritten on a hard disk, these tools will not be useful. Determining if a deleted file has been overwritten will depend on several factors. The best rule of thumb is that the quicker you discover you want to bring back a file, the more likely it will be possible.

Here’s an example scenario: Let’s say you have a hard drive with half of the space partitioned as ext2 (Linux file system) and the other half designated as FAT32 (Windows file system). Ten random photos are saved on each partition. Accidentally, the partition table gets wiped out from the hard drive. Oh no! What next?


Installing tools


To begin, make sure you have access to Ubuntu’s Universe repository. Open the Synaptic Package Manager by clicking System in the top left, then Administration, then Synaptic Package Manager. Click Settings and locate the Repositories tab. A list of software sources will appear. Tick the option labeled “Community-maintained Open Source software (universe).”

Close the window. In the main Synaptic Package Manager window, a Reload button will appear. It’s important to reload the package list as this will allow the search index to rebuild.

In the Package Manager, look for packages titled “testdisk,” “foremost,” and “scalpel.” After locating these tools, mark them for installation. Testdisk can recover lost partitions and restore boot sectors. This package also contains a tool titled “PhotoRec,” which is helpful in recovering various file types from several file systems.

Foremost is a particularly remarkable tool developed by the US Air Force Office of Special Investigations. It recovers files based on their headers, footers, or other internal structures rather than on file system metadata. Foremost can work directly on a hard drive or on drive image files created by various tools.

Scalpel is similar in function to Foremost, but has enhanced performance and uses less memory. Scalpel is a potentially better option when using an older machine with less RAM. 

Recovering hard drive partitions

When a hard drive is having trouble mounting, the partition table might be corrupted. Instead of trying to recoup files individually, it’s possible to recover multiple partitions on a drive. This method makes it possible to salvage all files with just one step. 

To accomplish this, you’ll need to open a terminal and run Testdisk. Open the terminal via Applications, then Accessories, then Terminal. Once it is open, type:

sudo testdisk

At this stage, Testdisk will offer to create a log file. This is entirely optional and does not affect how much data is recovered. Testdisk then shows a list of storage media; the hard drives are identifiable by their size and label.

Testdisk will ask which type of partition table to search for. For most file systems (ext2/3, NTFS, FAT32), select Intel and press Enter.

Highlight the Analyze option and press Enter again.

Occasionally, Testdisk is able to find a partition but not able to recover it. This is usually the case with data that was deleted a long time ago. For more recently deleted data, Testdisk will offer to change the partition’s attributes or add more partitions. Alternatively, you can recover the partitions it found by pressing Enter.

In the event Testdisk has missed some partitions, you can initiate a more thorough search. To do this, locate the Write option at the bottom of the screen and select it.

Testdisk will then inform you that you must reboot the device. 

Before rebooting, note whether you set up persistent storage on the Ubuntu Live CD. If not, the tools installed earlier will be gone after the reboot and will need to be reinstalled.

Recovering different types of files 

This section will be going over how to use PhotoRec, a console-based utility. To begin the process of recovering files, open a terminal by accessing Applications, then Accessories, and then select Terminal. Next, type in:

sudo photorec

You will then be prompted to select a storage device to search. Devices here can also be identified by size and label. After picking the device, press Enter. 

PhotoRec will then ask which type of partition table to search. Again, selecting Intel and pressing Enter will usually work (for ext2/3, NTFS, FAT32).

A list of partitions on the selected hard drive will appear on the screen. To recover all the files on any given partition, select Search and then press Enter.

However, if you’d like to search for a specific type of file, press the right arrow key to select File Opt and then hit Enter.

Because PhotoRec can recover a variety of different file types, it can take a considerable amount of time to deselect each one. To bypass this, it’s recommended to press S to clear all selections and then search for the appropriate file type. You can select a file type by pressing the right arrow key. Be sure to press B to save the selections. 

Then press Enter to return to the list of hard drive partitions. At this stage, you can search multiple partitions (if available) on a drive. 

Once you’ve chosen the partition(s) to search, PhotoRec will ask for a location to store the recovered files. If you have a separate, undamaged hard drive available, it’s best to store the recovered files there.

However, you can also store them on the Ubuntu Live CD’s desktop. As a reminder: do not recover files to the hard drive you’re recovering files from, since writing to it can overwrite the very data you are trying to get back.

Foremost

Unlike the previous tools, Foremost is a command-line program without an interactive interface. Instead, it offers command-line options that control how it extracts data from a hard drive.

To access all of these options, open a terminal (locate Applications > Accessories > Terminal) and type:

foremost -h

Here’s a list of commonly used command line options within this tool:

  • -t : search only for the given comma-separated list of file types (such as jpg, png, gif)
  • -v : activates verbose mode, which prints more information about what foremost is doing
  • -o : sets the output folder that recovered files are stored in
  • -i : specifies the input to search, usually a disk image, which can be in several different formats

Occasionally, Foremost will retrieve files that turn out to be corrupted. With the ext2 file system this can be due to the way it stores larger files. To correct this, use the -d option (indirect block detection) when recovering files from Linux file systems.

Scalpel

Scalpel is a tool that requires configuration before attempting data recovery. Although it may seem intimidating at first, this guide will walk you through how to make the most of it.

To change the configuration file, open up any text editor. Gedit will be used for this specific example, but other programs will yield similar results. To begin, open a terminal window and type in:

sudo gedit /etc/scalpel/scalpel.conf 

The configuration file scalpel.conf contains entries for a number of different file types, all commented out by default. Once the file opens, scroll through and remove the # symbol from the lines that begin with a file type you are seeking to recover. Save the file and close it, then return to the terminal window.

Scalpel also offers an impressive array of command-line options that control the file search. For this example, the input device is /dev/sda and the output folder is a folder titled “scalpel” on the desktop.

The command reads:

sudo scalpel /dev/sda -o scalpel 
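To show what Foremost and Scalpel actually do with those headers, footers and scalpel.conf rules, here is an added Python illustration; it is not code from either project. It parses constructed scalpel.conf-style lines (the layout is my reading of the file's columns; a leading # disables a rule, as described above), then carves a constructed disk image by header and footer, falling back to the rule's maximum size when a file's footer has been overwritten.

```python
# Constructed rules in scalpel.conf's layout: extension, case-sensitive (y/n),
# max size, header, optional footer; a leading '#' disables the rule.
SAMPLE_CONF = r"""
# jpg  y  200000000  \xff\xd8\xff\xe0\x00\x10  \xff\xd9
  jpg  y  200000000  \xff\xd8\xff\xe0\x00\x10  \xff\xd9
# gif  y  5000000    \x47\x49\x46\x38\x37\x61  \x00\x3b
  gif  y  5000000    \x47\x49\x46\x38\x39\x61  \x00\x3b
"""

def unescape(field):
    """Turn the config's \\xff\\xd8 notation into raw bytes."""
    return field.encode("latin-1").decode("unicode_escape").encode("latin-1")

def parse_conf(text):
    """Return (ext, max_size, header, footer) for each enabled rule; footer may be None."""
    rules = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue  # blank line or commented-out rule
        ext, _case, size, header = fields[:4]
        footer = unescape(fields[4]) if len(fields) > 4 else None
        rules.append((ext, int(size), unescape(header), footer))
    return rules

def carve(image, rules):
    """Header/footer carving over raw bytes, ignoring file-system metadata.
    Each header hit starts a file that ends after the next footer, or at
    max_size when the footer is gone. Returns (ext, offset, data) tuples."""
    found = []
    for ext, max_size, header, footer in rules:
        start = image.find(header)
        while start != -1:
            end = limit = min(len(image), start + max_size)
            if footer is not None:
                fpos = image.find(footer, start + len(header), limit)
                if fpos != -1:
                    end = fpos + len(footer)
            found.append((ext, start, image[start:end]))
            start = image.find(header, start + len(header))
    return found

def build_sample_image():
    """Constructed 'disk image': a JPEG, a GIF, and a JPEG whose tail was overwritten."""
    jpg1 = b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"A" * 40 + b"\xff\xd9"
    gif = b"GIF89a" + b"G" * 20 + b"\x00\x3b"
    jpg2 = b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"B" * 30  # footer overwritten
    return b"\0" * 512 + jpg1 + b"\0" * 100 + gif + b"\0" * 64 + jpg2 + b"\0" * 200
```

Calling carve(build_sample_image(), parse_conf(SAMPLE_CONF)) yields three hits: the intact JPEG, the truncated JPEG carved out to the image end, and the GIF; the carved-to-max-size case is why Scalpel's output often includes oversized files that need a second look.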

In summary


All of the above-mentioned tools can be used to retrieve a variety of different file types or partitions on hard drives. Next time you’re having trouble with a hard drive, keep this guide in mind. Files and partitions that once seemed impossible to recover may be just a few clicks away.

All rights reserved ©2016 - 2026 Achievable, Inc.
