It is 3 AM on the very last day of that extension your teacher gave you to finish your paper on the zoological impact of the West Indies Fer-de-lance snake being imported to Southern California to help combat the rat overpopulation. And then you save your only copy on your diskette and delete the original from your computer because, well, you need to save space. Then you drop your diskette into a bucket of bleach. And try to dry it off in the microwave.

What to do? Well, make sure to put out the fire and then pull out PhotoRec.

—————————–

PhotoRec is a file recovery program that runs on almost any computer you will come across. It also happens to be open source, so if you do find one that it doesn’t run on, like that old Commodore 64 you have lying around, you can just hack your own version of it.

A quick rundown of the popular operating systems it supports includes DOS, Windows 95/98, NT and 2000 up to Windows 7. It also supports Linux globally, though you may have to compile from source. Mac, Sun Solaris and BSD are also in the loop.

PhotoRec is also pretty good at working with most file systems. FAT, NTFS, EXT and HFS+ are reported to work well with PhotoRec. However, according to the documentation (http://www.cgsecurity.org/wiki/PhotoRec#File_systems), ReiserFS has been known to cause some problems. Be that as it may, I have successfully recovered some 700 PDFs I accidentally deleted from my external hard drive, which had been formatted to ReiserFS.

One of the best features I find is the ability to search for deleted files by filetype. Just make sure not to download anything new to the drive until after the restoration is complete (more on this later).

When a file is deleted it’s like grabbing the map to the treasure, ripping it into shreds and then burning it. You may not have the map to the treasure, but burning the map does not destroy the treasure (unless the map is the “L’Amerique Septentrionale ou se remarquent Les Etats Unis . . . An VII“, in which case you are in trouble). What PhotoRec does is look everywhere that there is “nothing” and see if it can find any files. It checks to see if they match your search criteria and then copies them over to your chosen recovery folder. Make sure that the recovery folder is not on the same partition as the files you are recovering, or that may cause problems. If you start adding or moving files on the disk, this could start to overwrite the deleted files.

What PhotoRec does is try and find hints to where the file is located, sorta like looking in a book for a missing page number to see what page was ripped out. If the file system is still in working order PhotoRec goes and looks for the file where it isn’t. If it isn’t there or the file system is corrupted (to give a simile, this would be like having the book get dropped in water so that all the ink is runny and you can’t read the page numbers) then PhotoRec will begin searching the disk itself. This is like knowing there is a piece of paper hidden in a book somewhere in a library, but you don’t know where it is or what it says on it. The last method will take a lot longer since it has to look through a lot of bits to find the bytes you are looking for.

What PhotoRec first does is try and find the size of the data blocks being used. If the filesystem is fine, they are listed. If not, then PhotoRec finds the first files and then derives the cluster size. Once PhotoRec knows the cluster size it starts reading cluster by cluster (or parsec by parsec). Each cluster is then checked against a database to see if it matches a known filetype. If you set PhotoRec to look for PDFs and it comes across a file that begins with some magic numbers like this:

0xff,0xd8,0xff,0xe0

0xff,0xd8,0xff,0xe1

or 0xff,0xd8,0xff,0xfe

It checks it across a database of filetypes and realizes that this is a JPEG file. It sends a message back that it doesn’t need to scan the rest of the file and that these are not the bytes you are looking for and goes about its business, scanning for the next file.

PhotoRec does its best to make sure that it recovers only uncorrupted files (though you can set it to recover corrupted files if you work for the FBI). If the file is the same size or larger than listed in the headers, the file will be truncated to the correct size. If the file is too small, however, PhotoRec rejects the file and tries again.
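
The scan described in the last few paragraphs, as an added example (not PhotoRec's code and not from the original post): it walks a constructed disk image cluster by cluster, skips a JPEG header while looking for PDFs, trims a complete PDF to its end marker and rejects a truncated one. The 512-byte cluster size, the use of `%PDF-` and `%%EOF` as the only PDF checks, and the function names are assumptions made for the illustration.

```python
# Added illustration, not PhotoRec's code; names and 512-byte clusters are assumptions.
CLUSTER = 512
# Header signatures: the three JPEG ones quoted above, plus the PDF header.
SIGNATURES = {
    b"\xff\xd8\xff\xe0": "jpg",
    b"\xff\xd8\xff\xe1": "jpg",
    b"\xff\xd8\xff\xfe": "jpg",
    b"%PDF-": "pdf",
}
PDF_TRAILER = b"%%EOF"

def identify(cluster):
    """Return the type whose signature starts this cluster, or None."""
    for magic, kind in SIGNATURES.items():
        if cluster.startswith(magic):
            return kind
    return None

def carve_pdfs(image, cluster=CLUSTER):
    """Return (offset, data) for each complete PDF starting on a cluster boundary."""
    starts = [(off, identify(image[off:off + cluster]))
              for off in range(0, len(image), cluster)]
    starts = [(off, kind) for off, kind in starts if kind]
    found = []
    for i, (off, kind) in enumerate(starts):
        if kind != "pdf":
            continue  # e.g. a JPEG header: not the type being searched for
        # Assume no fragmentation: the file ends before the next known header.
        limit = starts[i + 1][0] if i + 1 < len(starts) else len(image)
        end = image.rfind(PDF_TRAILER, off, limit)
        if end == -1:
            continue  # no end marker: the file is incomplete, so reject it
        found.append((off, image[off:end + len(PDF_TRAILER)]))  # trim slack
    return found

def pad(data, cluster=CLUSTER):
    """Zero-pad data to a whole number of clusters."""
    return data + b"\x00" * (-len(data) % cluster)

# Constructed image: empty cluster, JPEG (2 clusters), complete PDF, truncated PDF.
GOOD_PDF = b"%PDF-1.4\n1 0 obj\n<< >>\nendobj\ntrailer\n<< >>\n%%EOF"
IMAGE = (b"\x00" * CLUSTER
         + pad(b"\xff\xd8\xff\xe0" + b"\x11" * 600)
         + pad(GOOD_PDF)
         + pad(b"%PDF-1.4\n1 0 obj\n<< >>"))

if __name__ == "__main__":
    for offset, data in carve_pdfs(IMAGE):
        print(offset, len(data))
```

Only the PDF at offset 1536 is returned: the JPEG at 512 is recognised and skipped, and the PDF at 2048 has no end marker and is dropped.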

Be aware that this does not get done in a few minutes, especially on larger drives. I would suggest leaving it to run overnight. Another tip would be to make sure that the drive you are saving to has a lot of space as PhotoRec will find a lot of stuff you thought was gone. You don’t want to wake up with 0kB left on your drive. (This happened to me.)

Now that you know how easy it is to recover files, remember how easy it is for the KGB and the FBI to get the information back.

Coming up next, DBAN and how it can keep those Russian spies guessing.

___________________

For a great beginner’s guide to PhotoRec see here.