Recovering deleted images from flash cards
Posted by Steve on Tue 27 Jul 2010 at 11:00
Chances are if you have a digital camera writing images to a SDHC card, or some similar card, at some point you've accidentally deleted images from it. Here we're going to walk-through the process of retrieving deleted images from a card using the testdisk suite of tools.
Most digital cameras these days which write images to removable cards will format them with the FAT filesystem, which is a historical format developed by Microsoft and used in various revisions from MS-DOS up to Windows 95.
The FAT filesystem is pretty simple, and there are numerous tools which allow you to undelete files from it. This is possible because of the simplicity of the filesystem, and the way it works. In this guide we're going to concentrate upon using the testdisk package to recover the files, because this collection of tools comes with a helpful utility which is designed to look for image files.
To get started you should install the package:
# aptitude update # aptitude install testdisk
The tool that we're going to use is called photorec and you can read the manpage by running:
# man photorec
The manpage gives a good introduction to the tool, and describes basic usage:
PhotoRec is file data recovery software designed to recover lost files including video, documents and archives from Hard Disks and CDRom and lost pictures (Photo Recovery) from digital camera memory.
PhotoRec ignores the filesystem and goes after the underlying data, so itíll work even if your mediaís filesystem is severely damaged or formatted.
PhotoRec is safe to use, it will never attempt to write to the drive or memory support you are about to recover lost data from.
Despite the claims of safety, I've learned over the years when it comes to file recovery to be paranoid:
- If you accidentally delete a file, or files, the first thing you should do is unmount the disk so that you never make additional writes to it.
- Always work upon a copy of the data, never try to recover from the actual device - if something goes wrong you run the risk of making the situation worse otherwise.
So our first step in recovery will be to take a copy of the card contents, which we will then work upon. The benefit of wrking upon a copy of the disk is that we know we've left the original source pristine and unmodified, and if we make a mistake when dealing with the copy we can take another one.
To make a copy of the filesystem image you can use the dd tool, once you know what device you're copying from. The simplest way to determine which device to copy from is to plug the card into a card-reader, and then run dmesg.
When I install the card-reader, with card, into my system and run dmesg I see this:
[71690.206668] usb 2-1: Product: Generic USB2.0 card [71690.206670] usb 2-1: Manufacturer: Silicon Motion, Inc. [71690.206671] usb 2-1: SerialNumber: 12345678901234567890 [71690.206754] usb 2-1: configuration #1 chosen from 1 choice [71690.207025] scsi3 : SCSI emulation for USB Mass Storage devices [71690.207071] usb-storage: device found at 7 [71690.207074] usb-storage: waiting for device to settle before scanning [71695.204145] usb-storage: device scan complete [71695.205000] scsi 3:0:0:0: Direct-Access Generic USB SD Reader 1.00 PQ: 0 ANSI: 0 CCS [71695.206723] sd 3:0:0:0: [sdd] 15523840 512-byte logical blocks: (7.94 GB/7.40 GiB) [71695.207214] sd 3:0:0:0: [sdd] Write Protect is off [71695.207217] sd 3:0:0:0: [sdd] Mode Sense: 4b 00 00 08 [71695.207219] sd 3:0:0:0: [sdd] Assuming drive cache: write through [71695.209089] sd 3:0:0:0: [sdd] Assuming drive cache: write through [71695.209092] sdd: sdd1 [71695.211714] sd 3:0:0:0: [sdd] Assuming drive cache: write through [71695.211717] sd 3:0:0:0: [sdd] Attached SCSI removable disk
Here we can see that the device has presented itself to the kernel as /dev/sdd1 so we can clone that image to the local system by running:
# dd if=/dev/sdd1 of=disk.img bs=1024M
Once this process is complete you'll find you have a copy of the contents of the card located at disk.img and at this point we can remove the card from the reader and concentrate upon the recovery process on this copy.
To use photorec we run like this:
# mkdir ./recovered # photorec /d ./recovered disk.img
This might give you a warning that your terminal is too small, if so resize it.
Once you've started this you'll see a simple curses menu which allows you to make a few choices. For most of these you can accept the defaults:
Select a media (use Arrow keys, then press Enter): Disk disk.img - 1975 MB / 1884 MiB (RO) [Proceed ] [ Quit ]
Here we're choosing the input to recover from, so we can just press Enter to proceed. Then we choose "Intel" from the next selection:
Please select the partition table type, press Enter when done. [Intel ] Intel/PC partition [EFI GPT] EFI GPT partition map (Mac i386, some x86_64...) [Mac ] Apple partition map [None ] Non partitioned media [Sun ] Sun Solaris partition [XBox ] XBox partition [Return ] Return to disk selection
Next we select the single partition, and choose "Other" as our filesystem is FAT-based.
After a short while we'll see the recovery process begin:
Disk disk.img - 1975 MB / 1884 MiB (RO) Partition Start End Size in sectors D No partition 0 0 1 240 45 54 3858489 [Whole disk] Pass 1 - Reading sector 292025/3858489, 37 files found Elapsed time 0h00m14s - Estimated time for achievement 0h02m50 jpg: 37 recovered
This process will continue until the disk image has been completely examined, and any found images will be placed in the directory ./receovered which we specified upon the command line.