PhotoRec
PhotoRec is a file carver: a data recovery software tool designed to recover lost files from digital camera memory (CompactFlash, Memory Stick, Secure Digital, SmartMedia, Microdrive, MMC, USB flash drives, etc.), hard disks and CD-ROMs. It recovers most common photo formats, including JPEG, and also recovers audio files including MP3, document formats such as OpenDocument, Microsoft Office, PDF and HTML, and archive formats including ZIP.
PhotoRec does not attempt to write to the damaged media the user is about to recover from. Recovered files are instead written to the directory from which PhotoRec is run; any other directory may be chosen. It can be used for data recovery or in a digital forensics context.
PhotoRec is shipped with TestDisk.

PhotoRec is compatible with:
  • DOS (either real or in a Windows 9x DOS box)
  • Microsoft Windows: NT4, 2000, XP, 2003, Vista, Windows 7
  • GNU/Linux
  • FreeBSD, NetBSD, OpenBSD
  • SunOS
  • Mac OS X


How PhotoRec works

FAT, NTFS, ext2/ext3/ext4 filesystems store files in data blocks (also called data clusters under Windows). The cluster or block size remains at a constant number of sectors after being initialized during the formatting of the filesystem. In general, most operating systems try to store the data in a contiguous way so as to minimize data fragmentation. The seek time of mechanical drives is significant for writing and reading data to/from a hard disk, which is why it is important to keep fragmentation to a minimum.

When a file is deleted, the meta-information about this file (filename, date/time, size, location of the first data block/cluster, etc.) is lost; e.g., in an ext3/ext4 filesystem, the names of deleted files are still present, but the location of the first data block is removed. This means the data is still present on the filesystem, but only until some or all of it is overwritten by new file data.

To recover these ‘lost’ files, PhotoRec first tries to find the data block (or cluster) size. If the filesystem is not corrupted, this value can be read from the superblock (ext2/ext3/ext4) or volume boot record (FAT, NTFS). Otherwise, PhotoRec reads the media, sector by sector, searching for the first ten files, from which it calculates the block/cluster size from their locations. Once this block size is known, PhotoRec reads the media block by block (or cluster by cluster). Each block is checked against a signature database, which comes with the program and has been growing in the types of files it can recover ever since PhotoRec's first version came out. This is a common data recovery method called file carving.

For example, PhotoRec identifies a JPEG file when a block begins with:
  • Start Of Image + APP0: 0xff, 0xd8, 0xff, 0xe0
  • Start Of Image + APP1: 0xff, 0xd8, 0xff, 0xe1
  • or Start Of Image + Comment: 0xff, 0xd8, 0xff, 0xfe


If PhotoRec has already started to recover a file, it stops its recovery, checks the consistency of the file when possible and starts to save the new file (which it determined from the signature it found).

If the data is not fragmented, the recovered file should be either identical to the original file or possibly larger in size. In some cases, PhotoRec can learn the original file size from the file header, so the recovered file is truncated to the correct size. If, however, the recovered file ends up being smaller than its header specifies, it is discarded. Some files, such as *.MP3 files, are data streams. In this case, PhotoRec parses the recovered data, then stops the recovery when the stream ends.

When a file is recovered successfully, PhotoRec checks the previous data blocks to see if a file signature was found but the file could not be recovered (i.e., the file was too small), and it tries again. This way, some fragmented files can be successfully recovered.
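
The block-size search, the block-by-block signature check and the truncate-or-discard step described in this section, as an added example that is not PhotoRec's own code. It assumes a gcd heuristic for the block size and uses the JPEG End Of Image marker as the end-of-file test, standing in for a size read from a header; all function names and the sample image are constructed for illustration.

```python
from functools import reduce
from math import gcd

SECTOR = 512
# Block-start signatures from the list above: SOI + APP0, APP1 or Comment.
SIGNATURES = (b"\xff\xd8\xff\xe0", b"\xff\xd8\xff\xe1", b"\xff\xd8\xff\xfe")
STUFFED = {0x00, *range(0xD0, 0xD8)}  # after 0xff these are scan data, not markers

def guess_block_size(image):
    """Assumed heuristic: headers sit on block boundaries, so the block size
    divides every gap between the first ten headers of a sector-by-sector scan."""
    offs = [o for o in range(0, len(image), SECTOR)
            if image[o:o + 4] in SIGNATURES][:10]
    gaps = [b - a for a, b in zip(offs, offs[1:])]
    if not gaps:
        return SECTOR, 0
    block = reduce(gcd, gaps)
    return block, offs[0] % block  # (block size, offset of the first block)

def jpeg_length(raw):
    """Length through End Of Image (0xffd9), or None if broken or cut off."""
    pos = 2
    while pos + 2 <= len(raw) and raw[pos] == 0xFF:
        marker = raw[pos + 1]
        if marker == 0xD9:
            return pos + 2
        pos += 2 + int.from_bytes(raw[pos + 2:pos + 4], "big")
        if marker == 0xDA:  # Start Of Scan: skip the entropy-coded data
            while pos + 1 < len(raw) and not (
                    raw[pos] == 0xFF and raw[pos + 1] not in STUFFED):
                pos += 1
    return None

def carve(image, block, base=0):
    """Block-by-block scan. A signature at a block start ends the file in
    progress and starts a new one. Returns (offset, raw_size, data_or_None)."""
    found, start = [], None
    for off in range(base, len(image) + block, block):
        if off >= len(image) or image[off:off + 4] in SIGNATURES:
            if start is not None:
                raw = image[start:off]  # identical to or larger than the file
                size = jpeg_length(raw)
                found.append((start, len(raw), raw[:size] if size else None))
            start = off if off < len(image) else None
    return found

def make_jpeg(app, triplets):
    """Constructed JPEG-shaped stream for the demo (not a decodable picture)."""
    seg = lambda m, body: bytes([0xFF, m]) + (len(body) + 2).to_bytes(2, "big") + body
    return (b"\xff\xd8" + seg(app, b"constructed") + seg(0xDA, bytes(6))
            + b"\x11\xff\x00" * triplets + b"\xff\xd9")

def sample_image(block=2048):
    """Constructed image: boot sector, JPEG, free block, JPEG, cut-off JPEG."""
    a, b = make_jpeg(0xE0, 1000), make_jpeg(0xE1, 100)
    cut = make_jpeg(0xFE, 100)[:-50]  # tail overwritten, End Of Image lost
    blocks = (a.ljust(2 * block, b"\0"), bytes(block), b.ljust(block, b"\0"),
              cut.ljust(block, b"\0"))
    return bytes(SECTOR) + b"".join(blocks), a, b
```

On the constructed image, the first file's raw run spans three blocks (its own two plus a free one) before being truncated back to its original length, and the cut-off third file is discarded.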

Popularity

TestDisk and PhotoRec were downloaded more than 150,000 times in July 2008 from the primary website.
In fact, these utilities are even more popular, as they can be found on various GNU/Linux Live CDs:
  • Recovery Is Possible
  • Knoppix STD
  • GParted Live CD
  • Iloog
  • Parted Magic
  • PLD Live CD and PLD RescueCD, based on PLD Linux distribution
  • Slax-LFI, a Slax-derived distribution
  • SystemRescueCD
  • Trinity Rescue Kit
  • Ubuntu Rescue Remix, an Ubuntu derivative

They are also packaged for numerous GNU/Linux based distributions:
  • ALT Linux
  • ArchLinux Extra Repository
  • Debian contrib
  • Fedora Extras
  • Red Hat EPEL
  • FreeBSD ports
  • Gentoo and Gentoo Portage
  • Mandriva contrib
  • PLD Linux Distribution
  • Source Mage GNU/Linux
  • Ubuntu


External links

  • Official site
  • Adrian Crenshaw, Data Carving with PhotoRec to retrieve deleted files from formatted drives for forensics and disaster recovery. This video introduces the concept of data carving/file carving for recovering deleted files, even after a drive has been formatted.
  • Seth Fogie - InformIT, Stealing Your Family Vacation: Memories of a Media Card
  • Kaspersky Lab, Recovering files encrypted by Virus.Win32.Gpcode.ak using PhotoRec. After encrypting files, the virus deletes the original files but PhotoRec can recover them.
The source of this article is Wikipedia, the free encyclopedia. The text of this article is licensed under the GFDL.
 