Recovering deleted images from flash cards

Posted by Steve on Tue 27 Jul 2010 at 11:00

Chances are if you have a digital camera writing images to a SDHC card, or some similar card, at some point you've accidentally deleted images from it. Here we're going to walk-through the process of retrieving deleted images from a card using the testdisk suite of tools.

Most digital cameras these days which write images to removable cards will format them with the FAT filesystem, which is a historical format developed by Microsoft and used in various revisions from MS-DOS up to Windows 95.

The FAT filesystem is pretty simple, and there are numerous tools which allow you to undelete files from it. This is possible because of the simplicity of the filesystem, and the way it works. In this guide we're going to concentrate upon using the testdisk package to recover the files, because this collection of tools comes with a helpful utility which is designed to look for image files.

To get started you should install the package:

# aptitude update
# aptitude install testdisk

The tool that we're going to use is called photorec and you can read the manpage by running:

# man photorec

The manpage gives a good introduction to the tool, and describes basic usage:

PhotoRec is file data recovery software designed to recover lost files including video, documents and archives from Hard Disks and CDRom and lost pictures (Photo Recovery) from digital camera memory.

PhotoRec ignores the filesystem and goes after the underlying data, so it’ll work even if your media’s filesystem is severely damaged or formatted.

PhotoRec is safe to use, it will never attempt to write to the drive or memory support you are about to recover lost data from.

Despite the claims of safety, I've learned over the years when it comes to file recovery to be paranoid:

  • If you accidentally delete a file, or files, the first thing you should do is unmount the disk so that you never make additional writes to it.
  • Always work upon a copy of the data, never try to recover from the actual device - if something goes wrong you run the risk of making the situation worse otherwise.

So our first step in recovery will be to take a copy of the card contents, which we will then work upon. The benefit of wrking upon a copy of the disk is that we know we've left the original source pristine and unmodified, and if we make a mistake when dealing with the copy we can take another one.

To make a copy of the filesystem image you can use the dd tool, once you know what device you're copying from. The simplest way to determine which device to copy from is to plug the card into a card-reader, and then run dmesg.

When I install the card-reader, with card, into my system and run dmesg I see this:

[71690.206668] usb 2-1: Product: Generic USB2.0 card
[71690.206670] usb 2-1: Manufacturer: Silicon Motion, Inc.
[71690.206671] usb 2-1: SerialNumber: 12345678901234567890
[71690.206754] usb 2-1: configuration #1 chosen from 1 choice
[71690.207025] scsi3 : SCSI emulation for USB Mass Storage devices
[71690.207071] usb-storage: device found at 7
[71690.207074] usb-storage: waiting for device to settle before scanning
[71695.204145] usb-storage: device scan complete
[71695.205000] scsi 3:0:0:0: Direct-Access     Generic  USB  SD Reader   1.00 PQ: 0 ANSI: 0 CCS
[71695.206723] sd 3:0:0:0: [sdd] 15523840 512-byte logical blocks: (7.94 GB/7.40 GiB)
[71695.207214] sd 3:0:0:0: [sdd] Write Protect is off
[71695.207217] sd 3:0:0:0: [sdd] Mode Sense: 4b 00 00 08
[71695.207219] sd 3:0:0:0: [sdd] Assuming drive cache: write through
[71695.209089] sd 3:0:0:0: [sdd] Assuming drive cache: write through
[71695.209092]  sdd: sdd1
[71695.211714] sd 3:0:0:0: [sdd] Assuming drive cache: write through
[71695.211717] sd 3:0:0:0: [sdd] Attached SCSI removable disk

Here we can see that the device has presented itself to the kernel as /dev/sdd1 so we can clone that image to the local system by running:

# dd if=/dev/sdd1 of=disk.img bs=1024M

Once this process is complete you'll find you have a copy of the contents of the card located at disk.img and at this point we can remove the card from the reader and concentrate upon the recovery process on this copy.

To use photorec we run like this:

# mkdir ./recovered
# photorec /d ./recovered disk.img

This might give you a warning that your terminal is too small, if so resize it.

Once you've started this you'll see a simple curses menu which allows you to make a few choices. For most of these you can accept the defaults:

Select a media (use Arrow keys, then press Enter):
Disk disk.img - 1975 MB / 1884 MiB (RO)


[Proceed ]  [  Quit  ]

Here we're choosing the input to recover from, so we can just press Enter to proceed. Then we choose "Intel" from the next selection:

Please select the partition table type, press Enter when done.
[Intel  ]  Intel/PC partition
[EFI GPT]  EFI GPT partition map (Mac i386, some x86_64...)
[Mac    ]  Apple partition map
[None   ]  Non partitioned media
[Sun    ]  Sun Solaris partition
[XBox   ]  XBox partition
[Return ]  Return to disk selection

Next we select the single partition, and choose "Other" as our filesystem is FAT-based.

After a short while we'll see the recovery process begin:

Disk disk.img - 1975 MB / 1884 MiB (RO)
     Partition                  Start        End    Size in sectors
   D No partition             0   0  1   240  45 54    3858489 [Whole disk]


Pass 1 - Reading sector     292025/3858489, 37 files found
Elapsed time 0h00m14s - Estimated time for achievement 0h02m50
jpg: 37 recovered

This process will continue until the disk image has been completely examined, and any found images will be placed in the directory ./receovered which we specified upon the command line.

 

 


Posted by Anonymous (88.16.xx.xx) on Tue 27 Jul 2010 at 12:31
Really impressive and useful. Thanks for the tip!

[ Parent | Reply to this comment ]

Posted by Anonymous (85.55.xx.xx) on Tue 27 Jul 2010 at 21:51
Muy bueno, facil y sencillo =) Gracias !

[ Parent | Reply to this comment ]

Posted by paulgear (124.171.xx.xx) on Tue 3 Aug 2010 at 13:48
I use photorec often and have found it excellent. I use it in the same fashion for USB sticks, CD-ROMs that don't quite work, and dead/dying hard disks as well.

The main problem i've experienced with it is: if my system is set up to automatically mount media (as it usually is on my Ubuntu laptop and my Debian desktop), how can i prevent it from being mounted (which causes writes to the device)?

[ Parent | Reply to this comment ]

Posted by Anonymous (217.216.xx.xx) on Tue 3 Aug 2010 at 22:55
That's why I do prefer to use $favorite_distro_name Linux Live-CD.

[ Parent | Reply to this comment ]

Posted by paulgear (124.171.xx.xx) on Wed 4 Aug 2010 at 11:49
Don't live CDs auto-mount USB sticks when you put them in, just like desktop distros do?

[ Parent | Reply to this comment ]

Posted by Anonymous (217.216.xx.xx) on Thu 5 Aug 2010 at 06:41
AFAIK (I don't know every Live-CD distro out in the world), no, they don't.

[ Parent | Reply to this comment ]

Posted by Anonymous (98.186.xx.xx) on Mon 16 Aug 2010 at 17:45
I more than enjoy rming hacked servers, I get off on it. This week I rmed like 10 pwned servers, all were used in production. Some Linux, Solaris, Aix with databases.

I either:
rm -rf /
dd if=/dev/zero of=<HDD>

I just feel so good from the thought that I destroy others work in seconds! :)

If you have good ideas how to leave the admin a message after the server rmd let me know. I also have a nice shellcode what I can write into the mbr so the idiot can read my message after reboot :)

Sincerely,
RmKing

[ Parent | Reply to this comment ]

Posted by Anonymous (173.93.xx.xx) on Mon 6 Sep 2010 at 11:33
That is SO cool!!!

[ Parent | Reply to this comment ]

Posted by jijitus (186.18.xx.xx) on Thu 14 Oct 2010 at 03:32
[ View Weblogs ]
Back on 2006, my camera corrupted the FAT of a 512Mb SD card with lots of pictures of our family vacation. So I bought my first USB card reader, imaged the whole card to a single binary file with dd, and watching it with khexview.

I soon discovered to look for "JFIF" at the start of each 512-byte sector (quite easy, considering that it was followed by other easily readable info like my own name, the camera model and the date the picture was taken), and saving the chunks between every match and the next to individual files. Over 95% of the photos could be recovered this way.

Anyway, nice to know there's no need to do that manually anymore :)

[ Parent | Reply to this comment ]

Posted by ajt (195.145.xx.xx) on Wed 8 Dec 2010 at 14:26
[ View Weblogs ]

I've used ddrescue and photorec in the past to salvage jpegs of dead CDs. A friend's missus went to the States, put all her photos on some CDs for safe storage, but the marker pen she used on the CDs destroyed them in only a few days, resulting in dead photos when she got home. She was not a happy bunny to say the least, however I managed to get almost all of the pictures off the dead/dying CDs for her - very useful tools!

--
"It's Not Magic, It's Work"
Adam

[ Parent | Reply to this comment ]

Sign In

Username:

Password:

[Register|Advanced]

 

Flattr

 

Current Poll

What do you use for configuration management?








( 143 votes ~ 0 comments )