HOWTO: Recover lost and deleted data (files, folders, media) from Windows Hard Drive in Linux for free
Purpose: I think this is going to be one of the most useful posts for Linux users. Data is valuable: its worth can easily run into millions and millions of dollars ($$$) over a period of time, and the cost of your computer/hardware becomes minuscule. In this post I am going to show you how you can easily recover data from any fixed/removable drive using your Linux machine. Below is a scenario which explains what happened and how we recovered the data.
Scenario: I was using Windows XP with my USB drive (FAT partition) attached to my computer, and I was trying to remove unwanted data from the USB drive. While cleaning the drive, I accidentally deleted a 400+ MB video file (.wmv format). Within a minute I realized what I had done and I went “ooops”.
Search for Windows Data Recovery software: So I frantically started searching for some free utilities for Windows to recover my lost data, and guess what: all of them were license-based utilities, which means that I had to pay (around $100) to recover the file. Since the video file was not “very” important, I thought it would not be worth spending so much money to recover it. So I thought, why not use “Open source” tools and see if I can recover something that I deleted in Windows using tools from a Debian Linux box.
Background: I don’t consider myself an expert in data security, but here is what I know: whenever you delete a file (delete (Recycle Bin) or shift delete (permanently)), it does not get erased from your storage media (Hard Drive, Jump Drive, etc.) instantly. It still “resides” on your hard drive, except that it is no longer being “shown”. By not being shown I mean that the file has simply been unlinked from the directory structure, and because of that you see the corresponding increase in the free space available. For example, suppose my USB drive had a total capacity of 1 GB and it was 800 MB full (200 MB free) when I had the video file on it. After deleting the video file it showed me it was 400 MB full (600 MB free). So at this point we know that the video file still resides on the drive, yet we got our 400 MB of free space back because the file was unlinked from the directory structure.
Important Note: The first thing to do whenever you delete important file(s) by mistake from any storage media is to stop using the media, i.e. do not try to copy or move any new or existing data to or from that drive. Just FREEZE it. The reason is that if you continue to write data to it, there is a chance that the drive (or rather you) might overwrite some of the data of the file(s) that got deleted. Note that in this process we don’t have any control over where the new data is going to be written on the drive – it depends completely on the OS algorithm and the drive read/write mechanism. That is why it is very important that you just stop using the drive; otherwise chances are that you will never be able to recover the data from your drive (as mentioned in the “Background” section above).
So now without wasting any time let’s get started…
Step 1: Make an image of your USB drive
Attach your drive (from which you would like to recover data) to a Linux system. I am using Debian Lenny (5.0) for this purpose. Now make a copy of your USB drive using “dd”:
# dd if=/dev/sdb of=~/usb_drive_image.img
This is useful because, let’s say, you accidentally do happen to write some data to your drive before you could recover your lost data (in spite of telling you 100 times, but hey, we are humans and we are prone to making mistakes). In that case you can always restore the image back onto your drive and start recovering the data again. If you still don’t understand what I am trying to say, simply do this step.
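An added example, not from the original post: the image from Step 1 is only a safe fallback if it is a bit-for-bit copy and stays unmodified, so this sketch hashes the source and the image, records the hash, and re-checks it later. The function names and the stand-in file are assumptions; on a real drive, pass its device node as the source.

```shell
#!/bin/sh
# Added example: image a drive, record its hash, detect later changes.
# Function names are hypothetical, not part of dd or testdisk.

hash_of() {  # print the SHA-256 of a file or block device
    sha256sum < "$1" | cut -d' ' -f1
}

# image_and_record SRC IMG
# Copies SRC to IMG, checks that the copy is bit-identical, stores the
# hash in IMG.sha256 and removes write permission from both files.
image_and_record() {
    src=$1; img=$2
    if [ -e "$img" ]; then
        echo "refusing to overwrite existing image: $img" >&2
        return 2
    fi
    dd if="$src" of="$img" bs=64k 2>/dev/null || return 1
    src_hash=$(hash_of "$src")
    img_hash=$(hash_of "$img")
    if [ "$src_hash" != "$img_hash" ]; then
        echo "image does not match source" >&2
        return 1
    fi
    printf '%s\n' "$img_hash" > "$img.sha256"
    chmod a-w "$img" "$img.sha256"
}

# verify_image IMG: succeeds only if IMG still matches the recorded hash.
verify_image() {
    [ "$(hash_of "$1")" = "$(cat "$1.sha256")" ]
}

# Real use (as root): image_and_record /dev/sdX ~/usb_drive_image.img
# Constructed demo on a 1 MiB stand-in file, so it runs without a drive:
demo_dir=$(mktemp -d)
dd if=/dev/urandom of="$demo_dir/fake_usb" bs=64k count=16 2>/dev/null
image_and_record "$demo_dir/fake_usb" "$demo_dir/usb.img" \
    && verify_image "$demo_dir/usb.img" \
    && echo "image verified: $(cat "$demo_dir/usb.img.sha256")"
rm -rf "$demo_dir"
```

PhotoRec also accepts an image file as its argument, so the recovery in Step 5 can be run against the verified image instead of the physical drive.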
Step 2: Mount your USB drive as Read Only
Before you start recovering the data, mount your USB drive as “Read Only” by giving the following command:
# mount -o ro /dev/sdc1 /mnt/testing/
Note: I am using “sdc1” instead of “sdc” because I am mounting the partition of the USB drive. Also, if your Linux system automatically mounts all the partitions on your USB drive as soon as you attach it, you might have to manually un-mount them first.
Step 3: Install data recovery software
We are going to use a program called photorec. So let’s install it first:
# apt-get update
# apt-get install testdisk
Although the package name is testdisk, it will also install a program called photorec.
Step 4: Select a directory to restore data
You need to have a directory (preferably empty) where you would like to restore your data. You can either decide (mentally) which directory you are going to use or you can just create a new one. I am going to use the following directory where my recovered data will be stored:
# mkdir /mnt/recover
We will need this in our later steps.
Step 5: Launch photorec to start recovery process
Launch photorec and follow the wizard screens as described below:
Step 5 (a): Select the drive from which you would like to recover the data. I selected my USB drive (/dev/sdc).
Step 5 (b): Select the type of computer architecture that the partition has. Mostly it is the first one – Intel.
Step 5 (c): Select the partition of your disk. Do not select the Whole_disk option. Select the Magic_Disk option.
Step 5 (d): Select the type of partition that your drive has. Mine was FAT, so I selected the Other option.
Step 5 (e): Select the type of analysis that you would like to perform. I just chose the Free one. I think this option is quicker and easier to use. If you are not able to recover the file with this option then try the Whole option.
Step 5 (f): Select the destination directory to which you would like to restore the files (see Step 4). Never ever select the drive partition from which you are trying to recover the data.
Press the “y” key once you have navigated to your folder and the software will start to scan and recover the files. It will take some time depending on the size of your disk and the data stored on it.
Step 5 (g): When the scan finishes, photorec shows the results of the data recovery process, including the types of files that were recovered. Mine was .wmv, which is not listed there, but it seems that the software treats .wmv files as .asf files (we will see this later) and it looks like my video file was recovered, which we will verify soon.
Step 5 (h): Now simply quit the program.
Step 5 (i): Now just use the files and folder explorer program and go to the /mnt/recover directory and you will see a couple of directories in that folder. Note you may see more than two directories depending upon the type of data that you have. I am not sure why it creates two directories.
Step 6: Simply search for lost data
Now all you need to do is simply search in the above two folders for your lost data. You can search by type, size, content, etc. of the file.
Note: You cannot search by name because most data recovery programs rename the files in their own way, and the new names do not make any sense.
As you can see below, a simple “ls” on one of the directories shows my recovered file (the last entry, f84393.asf).
debian:/mnt/recover/recup_dir.2# ls -l
-rw-r--r-- 1 root root 1606 2009-05-22 13:28 f80009.txt
-rw-r--r-- 1 root root 2133 2009-05-22 13:28 f80041.txt
-rw-r--r-- 1 root root 1888 2009-05-22 13:28 f80073.txt
-rw-r--r-- 1 root root 2370 2009-05-22 13:28 f80105.txt
-rw-r--r-- 1 root root 3981 2009-05-22 13:28 f80233.txt
-rw-r--r-- 1 root root 2090 2009-05-22 13:28 f80265.txt
-rw-r--r-- 1 root root 853 2009-05-22 13:28 f80297.txt
-rw-r--r-- 1 root root 606 2009-05-22 13:28 f80329.txt
-rw-r--r-- 1 root root 471 2009-05-22 13:28 f80361.txt
-rw-r--r-- 1 root root 1476 2009-05-22 13:28 f80393.txt
-rw-r--r-- 1 root root 3306 2009-05-22 13:28 f80521.txt
-rw-r--r-- 1 root root 14223 2009-05-22 13:28 f80553.txt
-rw-r--r-- 1 root root 12450 2009-05-22 13:28 f80585.txt
-rw-r--r-- 1 root root 1986 2009-05-22 13:28 f80617.txt
-rw-r--r-- 1 root root 10380 2009-05-22 13:28 f80649.txt
-rw-r--r-- 1 root root 2832 2009-05-22 13:28 f80681.txt
-rw-r--r-- 1 root root 696 2009-05-22 13:28 f80713.txt
-rw-r--r-- 1 root root 4630 2009-05-22 13:28 f80745.txt
-rw-r--r-- 1 root root 853 2009-05-22 13:28 f80777.txt
-rw-r--r-- 1 root root 2787 2009-05-22 13:28 f80809.txt
-rw-r--r-- 1 root root 1461 2009-05-22 13:28 f80841.txt
-rw-r--r-- 1 root root 485146624 2009-05-22 13:28 f84393.asf
Note how the name of the file got changed to f84393 instead of its original name, introduction. See the size (485146624 bytes), which amounts to 400+ MB and gives a clear indication that that’s the file that we want. Of course you can always play the file and see if the contents are what you were looking for.
Here is the list of files that are supported by the photorec software. As you can see, .wmv and .asf are listed on the same line, which makes me believe that both the formats are interchangeable. Once I recovered the video file I tried playing it in Windows XP with the .asf and the .wmv extension and both extensions worked just fine.
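An added example, not from the original post, of the Step 6 search done by content and size rather than by name: it looks for the 16-byte header GUID that every ASF file (the container used for .wmv) starts with, and lists matches above a size threshold. The function names, sample file names and thresholds are constructed for illustration.

```shell
#!/bin/sh
# Added example: find recovered ASF/WMV files by content and size.
# ASF (the container used by .wmv) starts with this 16-byte header GUID.
ASF_MAGIC=3026b2758e66cf11a6d900aa0062ce6c

# find_asf DIR MIN_BYTES
# Prints "size path", largest first, for each file under DIR that starts
# with the ASF header GUID and is at least MIN_BYTES long. The file
# extension is ignored on purpose.
find_asf() {
    find "$1" -type f | while IFS= read -r f; do
        magic=$(od -An -tx1 -N16 "$f" | tr -d ' \n')
        size=$(wc -c < "$f" | tr -d ' ')
        if [ "$magic" = "$ASF_MAGIC" ] && [ "$size" -ge "$2" ]; then
            printf '%s %s\n' "$size" "$f"
        fi
    done | sort -rn
}

# make_asf_sample PATH KIB: constructed file = ASF GUID + KIB KiB of zeros.
make_asf_sample() {
    printf '\060\046\262\165\216\146\317\021\246\331\000\252\000\142\316\154' > "$1"
    dd if=/dev/zero bs=1024 count="$2" 2>/dev/null >> "$1"
}

# Constructed stand-in for /mnt/recover (file names are made up):
demo=$(mktemp -d)
mkdir "$demo/recup_dir.1" "$demo/recup_dir.2"
echo "plain text" > "$demo/recup_dir.1/f0000009.txt"
make_asf_sample "$demo/recup_dir.1/f0000120.asf" 1    # small clip
make_asf_sample "$demo/recup_dir.2/f0000393.asf" 64   # the large video
find_asf "$demo" 32768     # lists only the 65552-byte file
rm -rf "$demo"
# Real use: find_asf /mnt/recover 300000000
```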
That’s all. Please report your success stories (by commenting) if you were able to recover your lost data using this technique. Also if you have any additional information or feedback please leave a comment.
Happy Data Recovering!