
How-To Geek

Recover Data Like a Forensics Expert Using an Ubuntu Live CD

There are lots of utilities to recover deleted files, but what if you can’t boot up your computer, or the whole drive has been formatted? We’ll show you some tools that will dig deep and recover the most elusive deleted files, or even whole hard drive partitions.

We’ve shown you simple ways to recover accidentally deleted files, even a simple method that can be done from an Ubuntu Live CD, but for hard disks that have been heavily corrupted, those methods aren’t going to cut it. In this article, we’ll examine four tools that can recover data from the most messed up hard drives, regardless of whether they were formatted for a Windows, Linux, or Mac computer, or even if the partition table is wiped out entirely.

Note: These tools cannot recover data that has been overwritten on a hard disk. Whether a deleted file has been overwritten depends on many factors – the quicker you realize that you want to recover a file, the more likely you will be able to do so.

Our setup

To show these tools, we’ve set up a small 1 GB hard drive, with half of the space partitioned as ext2, a file system used in Linux, and half the space partitioned as FAT32, a file system used in older Windows systems. We stored ten random pictures on each partition.

We then wiped the partition table from the hard drive by deleting the partitions in GParted.

Is our data lost forever?

Installing the tools

All of the tools we’re going to use are in Ubuntu’s universe repository.

To enable the repository, open Synaptic Package Manager by clicking on System in the top-left, then Administration > Synaptic Package Manager.

Click on Settings > Repositories and add a check in the box labelled “Community-maintained Open Source software (universe)”.

Click Close, and then in the main Synaptic Package Manager window, click the Reload button. Once the package list has reloaded, and the search index rebuilt, search for and mark for installation one or all of the following packages: testdisk, foremost, and scalpel.

The testdisk package includes TestDisk, which can recover lost partitions and repair boot sectors, and PhotoRec, which can recover many different types of files from many different file systems.

Foremost, originally developed by the US Air Force Office of Special Investigations, recovers files based on their headers and other internal structures. Foremost operates on hard drives or drive image files generated by various tools.

Finally, scalpel performs the same functions as foremost, but is focused on enhanced performance and lower memory usage. Scalpel may run better if you have an older machine with less RAM.
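
The header-and-footer carving that Foremost and Scalpel are described as doing can be sketched in a few lines. This is an added example, not code from the article or from either tool; the signature table, function names and the constructed in-memory image are this example's own.

```python
# Added example: header/footer carving over a raw byte image.
# type -> (header magics, footer magic, maximum bytes to carve)
SIGNATURES = {
    "jpg": ([b"\xff\xd8\xff"], b"\xff\xd9", 10 << 20),
    "png": ([b"\x89PNG\r\n\x1a\n"], b"IEND\xaeB`\x82", 10 << 20),
    "gif": ([b"GIF87a", b"GIF89a"], b"\x00\x3b", 5 << 20),
}


def carve(image, types=("jpg", "png", "gif")):
    """Return sorted (offset, type, length, complete) tuples for every hit.

    File system metadata is never consulted, so names are not recovered and
    each file is assumed to be stored contiguously.
    """
    hits = []
    for ftype in types:
        headers, footer, max_len = SIGNATURES[ftype]
        for header in headers:
            pos = image.find(header)
            while pos != -1:
                limit = min(len(image), pos + max_len)
                end = image.find(footer, pos + len(header), limit)
                if end != -1:
                    length = end + len(footer) - pos
                    hits.append((pos, ftype, length, True))
                    pos = image.find(header, pos + length)
                else:
                    # Header with no footer in range: the tail was
                    # overwritten or lies past the size limit.
                    hits.append((pos, ftype, limit - pos, False))
                    pos = image.find(header, pos + len(header))
    return sorted(hits)


def build_sample_image():
    """Constructed data: three tiny fake files and one truncated JPEG."""
    pad = b"\x00" * 512
    jpg = b"\xff\xd8\xff\xe0" + b"J" * 40 + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"P" * 30 + b"IEND\xaeB`\x82"
    gif = b"GIF89a" + b"G" * 20 + b"\x00\x3b"
    cut = b"\xff\xd8\xff\xe1" + b"T" * 16          # footer is missing
    return pad + jpg + pad + png + pad + gif + pad + cut + pad


if __name__ == "__main__":
    image = build_sample_image()
    for offset, ftype, length, complete in carve(image):
        state = "complete" if complete else "no footer, capped"
        print(f"{offset:08d}.{ftype}  {length:5d} bytes  {state}")
```

The hit flagged as incomplete is the kind of result that shows up as a damaged picture: the header survived, but the rest of the file did not.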

Recover hard drive partitions

If you can’t mount your hard drive, then its partition table might be corrupted. Before you start trying to recover your important files, it may be possible to recover one or more partitions on your drive, recovering all of your files with one step.

TestDisk is the tool for the job. Start it by opening a terminal (Applications > Accessories > Terminal) and typing in:

sudo testdisk

If you’d like, you can create a log file, though it won’t affect how much data you recover. Once you make your choice, you’re greeted with a list of the storage media on your machine. You should be able to identify the hard drive you want to recover partitions from by its size and label.

TestDisk asks you to select the type of partition table to search for. In most cases (ext2/3, NTFS, FAT32, etc.) you should select Intel and press Enter.

Highlight Analyse and press Enter.

In our case, our small hard drive had previously been formatted as NTFS. Amazingly, TestDisk finds this partition, though it is unable to recover it.

It also finds the two partitions we just deleted. We are able to change their attributes, or add more partitions, but we’ll just recover them by pressing Enter.

If TestDisk hasn’t found all of your partitions, you can try doing a deeper search by selecting that option with the left and right arrow keys. We only had these two partitions, so we’ll recover them by selecting Write and pressing Enter.

TestDisk informs us that we will have to reboot.

Note: If your Ubuntu Live CD is not persistent, then when you reboot you will have to reinstall any tools that you installed earlier.

After restarting, both of our partitions are back to their original states, pictures and all.
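
Why a wiped partition table does not mean lost partitions: the file systems still carry their own signatures on disk. The following added example (not TestDisk's code or its actual algorithm) reads an empty MBR table and then scans a constructed image for ext2 and FAT32 signatures; the start sectors 63 and 1100 and all function names are assumptions of this example.

```python
import struct

SECTOR = 512


def parse_mbr(sector0):
    """Return the non-empty primary entries as (type, first_lba, sectors)."""
    if sector0[510:512] != b"\x55\xaa":
        return []                        # no valid boot signature
    entries = []
    for i in range(4):
        raw = sector0[446 + 16 * i: 462 + 16 * i]
        ptype = raw[4]
        first_lba, count = struct.unpack_from("<II", raw, 8)
        if ptype != 0 and count != 0:
            entries.append((ptype, first_lba, count))
    return entries


def scan_for_filesystems(image):
    """Treat every sector as a possible partition start and test signatures.

    Only the magic values are checked here; a real recovery tool validates
    further fields before trusting a hit.
    """
    found = []
    for lba in range(len(image) // SECTOR):
        base = lba * SECTOR
        boot = image[base: base + SECTOR]
        # FAT32 boot sector: 0x55AA at offset 510, "FAT32   " at offset 82.
        if boot[510:512] == b"\x55\xaa" and boot[82:90] == b"FAT32   ":
            found.append((lba, "FAT32"))
        # ext2 superblock starts 1024 bytes in; magic 0xEF53 is at +56.
        elif image[base + 1080: base + 1082] == b"\x53\xef":
            found.append((lba, "ext2"))
    return found


def build_wiped_disk():
    """Constructed image: MBR signature intact, table empty, two file systems."""
    img = bytearray(1200 * SECTOR)
    img[510:512] = b"\x55\xaa"                    # all four entries are zero
    ext = 63 * SECTOR                             # assumed ext2 start sector
    img[ext + 1080: ext + 1082] = b"\x53\xef"
    fat = 1100 * SECTOR                           # assumed FAT32 start sector
    img[fat + 82: fat + 90] = b"FAT32   "
    img[fat + 510: fat + 512] = b"\x55\xaa"
    return bytes(img)


if __name__ == "__main__":
    disk = build_wiped_disk()
    print("MBR entries:", parse_mbr(disk[:SECTOR]))
    for lba, fs in scan_for_filesystems(disk):
        print(f"{fs} file system found at sector {lba}")
```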

Recover files of certain types

For the following examples, we deleted the 10 pictures from both partitions and then reformatted them.

PhotoRec

Of the three tools we’ll show, PhotoRec is the most user-friendly, despite being a console-based utility. To start recovering files, open a terminal (Applications > Accessories > Terminal) and type in:

sudo photorec

To begin, you are asked to select a storage device to search. You should be able to identify the right device by its size and label. Select the right device, and then hit Enter.

PhotoRec asks you to select the type of partition to search. In most cases (ext2/3, NTFS, FAT, etc.) you should select Intel and press Enter.

You are given a list of the partitions on your selected hard drive. If you want to recover all of the files on a partition, then select Search and hit enter.

However, this process can be very slow, and in our case we only want to search for picture files, so instead we use the right arrow key to select File Opt and press Enter.

PhotoRec can recover many different types of files, and deselecting each one would take a long time. Instead, we press “s” to clear all of the selections, and then find the appropriate file types – jpg, gif, and png – and select them by pressing the right arrow key.

Once we’ve selected these three, we press “b” to save these selections.

Press enter to return to the list of hard drive partitions. We want to search both of our partitions, so we highlight “No partition” and “Search” and then press Enter.

PhotoRec prompts for a location to store the recovered files. If you have a different healthy hard drive, then we recommend storing the recovered files there. Since we’re not recovering very much, we’ll store it on the Ubuntu Live CD’s desktop.

Note: Do not recover files to the hard drive you’re recovering from.

PhotoRec is able to recover the 20 pictures from the partitions on our hard drive!

A quick look in the recup_dir.1 directory that it creates confirms that PhotoRec has recovered all of our pictures, save for the file names.

Foremost

Foremost is a command-line program without an interactive interface like PhotoRec’s, but it offers a number of command-line options to get as much data out of your hard drive as possible.

For a full list of options that can be tweaked via the command line, open up a terminal (Applications > Accessories > Terminal) and type in:

foremost -h

In our case, the command line options that we are going to use are:

  • -t, a comma-separated list of types of files to search for. In our case, this is “jpeg,png,gif”.
  • -v, enabling verbose-mode, giving us more information about what foremost is doing.
  • -o, the output folder to store recovered files in. In our case, we created a directory called “foremost” on the desktop.
  • -i, the input that will be searched for files. This can be a disk image in several different formats; however, we will use a hard disk, /dev/sda.

Our foremost invocation is:

sudo foremost -t jpeg,png,gif -o foremost -v -i /dev/sda

Your invocation will differ depending on what you’re searching for and where you’re searching for it.

Foremost is able to recover 17 of the 20 files stored on the hard drive.

Looking at the files, we can confirm that these files were recovered relatively well, though we can see some errors in the thumbnail for 00622449.jpg.

Part of this may be due to the ext2 filesystem. Foremost recommends using the -d command-line option for Linux file systems like ext2.

We’ll run foremost again, adding the -d command-line option to our foremost invocation:

sudo foremost -t jpeg,png,gif -d -o foremost -v -i /dev/sda

This time, foremost is able to recover all 20 images!

A final look at the pictures reveals that the pictures were recovered with no problems.

Scalpel

Scalpel is another powerful program that, like Foremost, is heavily configurable. Unlike Foremost, Scalpel requires you to edit a configuration file before attempting any data recovery.

Any text editor will do, but we’ll use gedit to change the configuration file. In a terminal window (Applications > Accessories > Terminal), type in:

sudo gedit /etc/scalpel/scalpel.conf

scalpel.conf contains information about a number of different file types. Scroll through this file and uncomment lines that start with a file type that you want to recover (i.e. remove the “#” character at the start of those lines).

Save the file and close it. Return to the terminal window.

Scalpel also has a ton of command-line options that can help you search quickly and effectively; however, we’ll just define the input device (/dev/sda) and the output folder (a folder called “scalpel” that we created on the desktop).

Our invocation is:

sudo scalpel /dev/sda -o scalpel

Scalpel is able to recover 18 of our 20 files.

A quick look at the files scalpel recovered reveals that most of our files were recovered successfully, though there were some problems (e.g. 00000012.jpg).

Conclusion

In our quick toy example, TestDisk was able to recover two deleted partitions, and PhotoRec and Foremost were able to recover all 20 deleted images. Scalpel recovered most of the files, but it’s very likely that playing with the command-line options for scalpel would have enabled us to recover all 20 images.

These tools are lifesavers when something goes wrong with your hard drive. If your data is on the hard drive somewhere, then one of these tools will track it down!

Trevor is our resident Linux geek, but always keeps his eyes open for neat Windows tricks too.

  • Published 04/27/10

Comments (41)

  1. Groid

    I need to use these tools. What version of Ubuntu was used in this example? Which versions of Ubuntu are able to be used with these tools?

  2. Enes

    Very useful tutorial!

  3. Chuck Adams

    I do not have Ubuntu, is there a way to do this in XP?

  4. Groid

    Nevermind. I see it is using 9.10.

  5. Mister TKO

    @ Chuck Adams I needed these tools a couple of months ago, and since I was still too new to Linux to take advantage of these tools that way, I was able to use Hirens Boot CD 10.2 and I think System Rescue CD to use these tools.

    They are both bootable CDs, that allow you to load an operating system from the disc. Hiren’s uses a Windows XP shell (optionally) and I think System Rescue CD uses a command line I believe.

    I experimented with Testdisk and Photo Rec before ultimately deciding to go with GetBackData NTFS as it seemed simpler for me to understand.

  6. Mark

    Now *that* is a good use for an Ubuntu live CD. Probably would work under Knoppix and others, too, but the point is this article is a concise intro to some valuable tools. Thanks.

  7. ewyn

    that’s great !!!! nice tutorial and very useful…..

  8. flanagan

    You don’t need exclusively ubuntu to use these tools.
    You can use Knoppix live CD instead

  9. Jeff

    Will any of these tools work to recover data from a bricked Seagate Barracuda 7200.11?

  10. Trevor Bekolay

    @Jeff

    According to this article, a bricked 7200.11 “won’t be detected by the BIOS. In other words, there’s power, spin-up, but no detection to enable booting.” Because of that, I don’t think these methods will work, no. You’d have to do something more sophisticated and lower level to at least get the disk to spin up so you can pull the data off of it. Unfortunately, I’m not sure how that would be done.

  11. JM

    Hi Trevor
    I remember there is a utility to crack Windows passwords with a linux utility this is the link (http://pcsupport.about.com/gi/o.htm?zi=1/XJ&zTi=1&sdn=pcsupport&cdn=compute&tm=6&f=20&su=p284.9.336.ip_p504.1.336.ip_&tt=29&bt=0&bts=0&zu=http%3A//pogostick.net/~pnh/ntpasswd/bootdisk.html)
    Is there a utility like this in ubuntu?
    Is there any way to add this utility into the flash drive we create?

  12. Trevor Bekolay

    @JM

    Yes actually, we covered that in this article.

    As long as your flash drive is persistent, then the utility will be there permanently.

  13. Ganesh Krishnan

    Dang! I used TestDisk to recover my partitions and then had to boot into Windows and use GetDataBack for NTFS to try and recover. Halfway through the whole application hangs up due to the hard drive overheating and I am planning to solve that by freezing the hard drive for a couple of hours in my fridge (yes, it works and no, I am not a lunatic)
    I dismissed PhotoRec since the name sounds like an app to recover only photos and I had to recover PDFs and TrueCrypt files! Truly a misleading name for such a wonderful utility

    Really nice article and favourited your site.

  14. maria

    Great article about Linux recovery through the Ubuntu live CD. I have tried the process myself and the result is quite satisfactory.

  15. Cathie Dunklee-Donnell

    This is a wonderful tutorial for those of us in the computer repair business. Thanks so much.

  16. Joe

    Thanks for the tutorial, but I think forensics need more than only images?

  17. Oceania2

    Good instruction and a lifesaver tool. I have incidents where I deleted the whole folder by accident and never recovered the files. Unfortunately, your instruction is for Linux, I used windows xp. I would appreciate if you have detailed instructions for windows operating system.

  18. sir jorge

    i wish i would’ve known this before hand, i’ve lost data before, now i know better

  19. one happy person

    Thanks! Thanks! Thanks! Thanks! Thanks! Thanks! Thanks! Thanks! Thanks! Thanks! Thanks! Thanks! Thanks! Thanks! Thanks! Thanks! Thanks! Thanks! Thanks! Thanks! Thanks! Thanks!
    I’ve got all my photos back from 2007 till now!
    And thanks a million times!

  20. Grateful user

    Thanks a lot. Tons of thanks :)
    Great tutorial and awesome programs. Yesterday I recovered a killed ext4 partition on my laptop, and this saved me from reinstallation; reanimated a 4GiB memory stick, which was already considered broken; and saved an SD memory card, previously extracting all of the photos from it.
    I’ve used TestDisk and PhotoRec.
    Just huge, superb tools.

  21. Sergio

    Hello, I have many data to save and for this I need an external HD. I don’t understand how can I change HD unit in the menu, thanks.

    Sergio.

  22. Zachrey

    Thanks so much for a wonderfully detailed tutorial! One question I have is how do you recover lost files on a laptop with the boot CD? Must the laptop have a CD/DVD burner so you can burn the files onto the boot CD?

    How about a memory stick? Can I copy the files from the failing hard disk to a memory stick? Does Ubuntu recognize most memory sticks?

    If not, can I email or ftp the files to the Internet?

    The laptop I’m working with does not have a floppy drive and does not boot Windows XP. I can boot Windows 98 on it (you’re given an option in the Windows bootup) and see all the files and run scandisk (chkdsk?) and there are LOTS of bad sectors on it. Only problem is I cannot copy the files to a memory stick OR connect to the Internet.

    Thanks!
    Zac

  23. Trevor Bekolay

    @ Zachrey

    There is a separate article about how to move files off of a dying computer here, hopefully it’s what you’re looking for! If not, let me know.

  24. jane

    thanks its absolutely amazing

  25. dnegelzero

    Hey, thanks, many thanks…. Thanks, lots of thanks, do you know how much you helped me…

  26. incontri

    really really useful. I managed to recover 3 documents I really needed for work

  27. vedette

    Good instruction and a lifesaver tool. I have incidents where I deleted the whole folder by accident and never recovered the files. Unfortunately, your instruction is for Linux, I used windows xp. I would appreciate if you have detailed instructions for windows operating system.

  28. Jennifer

    IM STUCK! ok i see the files on this harddrive using the first program- I’m checking a SATA drive that went through a power surge when it was in an imac- my friend wanted me to recover the data somehow and I think it’s all there- i just don’t know how to get it from there to something else like to my ubuntu desktop (i’m running a computer with ubuntu as the main os) or onto dvds, flash drive, or a portable drive which would be most ideal. So I’m a little confused as to why when i run foremost… it says 0 files when i want to transfer to my desktop- am i doing something wrong? this hd is supposed to be full of images any help is greatly appreciated…

  29. Cindy

    I tried PhotoRec but it doesn’t recognize my USB device, it is listed in Disk Management but unreadable. The device shows under properties 0 used and 0 free space, though it is 50% full of the capacity of 8 GB. When I open it, it is empty, but yesterday it showed all the folders for a moment, also empty. I went to the store, they tried on their PC, same problem, but also for a moment the folders showed, even the pictures showed, but then it disappeared…The light blinks all the time…Can you please please help??

  30. Anital

    Well … my question is simple. Would you have been able to recover just one (NOT the two) partition using Testdisk ?

    In other words, Are we forced to recover ALL partitions from a given drive even though we just wanted to recover a subset of them ?

    Thanks … and very nice article.

  31. Radon

    GREAT POST EVER! thanks

  32. Brian

    Thanks for the helpful information. I just got all my data back from a HDD I accidentally formatted when I was installing Ubuntu

  33. brandon

    Thank you for this great tutorial, PhotoRec is doing excellent for me, I’m using a virtual machine to recover the file, but having a hard time changing the directory to go somewhere else, and not the home directory, is there a config that can help me?…

  34. Not2Mention

    I tried to recover partitions. I am using the Ubuntu 10.04 live CD and I’m sure I followed the instructions, but after I restarted the notebook nothing changed. Please help!

  35. dV

    Thanks a ton for such a wonderful tutorial…I have kept it as a reference for the future in case need arises..I had screwed up one of the partitions on my hard disk while installing Ubuntu (it was on a dynamic volume) and had been toiling with forums for a long time till recently I found this one.. With the aid of your toy example you have demonstrated how four very powerful tools can be used to recover the lost partitions. Using TestDisk and Foremost I was able to recover all of my data safely.
    Thanks again…:)

  36. Freak Andelle

    Installed Linux Mint on my dad’s laptop. Accidentally deleted an external (yeah, how blind can you be…) hdd partition containing the (NTFS) backup data, consisting of every single photograph we took the last 4 years or so.

    Got all of it back using testdisk, Lifesaver! Thnx a million for bringing these fantastic (and free) tools to our attention!!! Mind you, the proprietary and expensive alternatives usually come with tons of crapware and perhaps even virus… This takes just one “sudo apt-get install …”, a couple of enters and about 1,5 hour of your time and you get your precious data back, for FREE!

  37. Freak Andelle

    open source doesn’t get any better…

  38. Affy

    Thanks for this post. Saved my ass. I partitioned my Windows drive while installing Linux and all my data was on that drive.

  39. nevertell

    Good instructions. I tried this on a 500gb sata drive, and TestDisk DID show the files, but I couldn’t get to them? I re-booted and the drive is still not mountable in Ubuntu for some reason? It’s strange because TestDisk shows the filesystem as NTFS, but it didn’t fix anything to make the drive accessible? I’m stumped? But, the tutorial is very good.

  40. drrdf

    Sergio asked a question and it seems you have ignored it completely and gone on to the next one! You state above: “PhotoRec prompts for a location to store the recovered files. If you have a different healthy hard drive, then we recommend storing the recovered files there.” Clearly it is a fact that to attempt to save any recovered files on the hard drive originally containing them risks a double disaster!

    I have attempted for some long while to find a means of changing the drive to which files are recovered, in PhotoRec, but I now do not believe such an option is there, although you make the statement which I have quoted. Please answer Sergio’s question, which is now also mine. Thanks.

  41. Jorge Alban

    drrdf and Sergio

    Yes, PhotoRec prompts where you would like to save your recovered files. When asked just click on the option that ends with two dots (..), navigate to the root of your Linux system, into the MEDIA directory and look for the hard drive you want to save your files to. Remember that you must manually mount it for it to show up in Linux!
