2010-03-25

Simple recovery of deleted files from ext3 file systems

Yesterday I finished recovery of about 8000 photos by burning them to DVD and handing them over to a friend of mine.

Recovery of files from ext3 partitions has long been considered somewhere between hard and impossible, but thanks to the free and open source PhotoRec, the recovery was done automatically during the night after answering a few relatively simple questions. The next day I just rsynced the files to my laptop, split them into four folders, each sized to fit on a DVD, and burned them. It even read the files directly from the dumped img file.

The burning process was actually the step that took the most time.

There's one pitfall I'd like to mention, though:

PhotoRec first does a scan to find the block size of the disk in question, and then reads the disk block by block, matching the beginning of each block with a signature database.

The first time I ran the program I chose to scan the entire drive. After scanning the entire drive it had found fewer than 50 photos. I decided to give it one more try, this time with just one partition. I chose the partition I considered most likely to contain the images, set the paranoid setting to false and chose photos (jpg) only.

This time it found more than 40 000 JPGs. Most of them seemed to be browser cache etc., so I filtered out everything smaller than 1 MB.

Because I changed two parameters, I can't say why this happened, but my best guess is that it happened because the block size was different between the two partitions.
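To illustrate why a wrong block size (or a wrong starting offset) makes a block-wise signature scan miss almost everything, here is an added example that is not PhotoRec's code. It goes slightly beyond the block-size guess above by also modelling a partition that starts at sector 63; the image, the file positions, the 4-byte JFIF signature and all function names are constructed for the demonstration.

```python
SECTOR = 512
JPEG_SIG = b"\xff\xd8\xff\xe0"  # SOI marker followed by APP0 (JFIF)


def build_image(block_size, file_blocks, total_blocks, part_start=0):
    """Constructed test image: zero-filled, JPEG header at the start of chosen blocks."""
    img = bytearray(part_start + block_size * total_blocks)
    for b in file_blocks:
        off = part_start + b * block_size
        img[off:off + len(JPEG_SIG)] = JPEG_SIG
    return bytes(img)


def scan(image, block_size, start=0):
    """Look only at the first bytes of every block, as a block-wise carver does."""
    return [off for off in range(start, len(image), block_size)
            if image.startswith(JPEG_SIG, off)]


def guess_layout(image, candidates=(4096, 2048, 1024, 512)):
    """Simplified heuristic: scan sector by sector, then pick the largest block
    size for which every hit has the same remainder (the alignment offset)."""
    hits = scan(image, SECTOR)
    for bs in candidates:
        remainders = {h % bs for h in hits}
        if len(remainders) == 1:
            return bs, remainders.pop()
    return SECTOR, 0


if __name__ == "__main__":
    # Assumed layout: partition begins at sector 63, file system uses 1 KiB blocks.
    image = build_image(1024, [3, 10, 17, 40], 64, part_start=63 * SECTOR)

    print("4096-byte blocks from offset 0:", scan(image, 4096))
    bs, start = guess_layout(image)
    print("guessed block size and offset: ", bs, start)
    print("scan with guessed layout:      ", scan(image, bs, start))
```
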

2 comments:

  1. @lawrence: Yes. That's what I thought too. Wish I knew it a year ago when that friend of mine lost the files.

    Luckily I had saved an image of the disk though, so when I realised there was a tool available it was just a matter of finding the disk image and running the tool.
