cgsecurity / testdisk

TestDisk & PhotoRec
https://www.cgsecurity.org/
GNU General Public License v2.0

Recovered files from an EXT4-formatted partition are empty #91

Closed Ricky-Tigg closed 3 years ago

Ricky-Tigg commented 3 years ago

OS: Fedora; Component: testdisk.x86_64 7.1-3.fc32

Hey. Files on an EXT4-formatted partition of an external USB device were deleted with the option "Delete permanently" in the graphical resources manager. The read-only recovered files are empty.

Commands executed:

$ umount /dev/sdc1
# testdisk
>[ Create ] Create a new log file

#Press Enter.

Disk /dev/sdc - 255 MB / 243 MiB - (...)
>[Proceed ]

#Choose the EXT4-formatted volume.

>[Intel ] Intel/PC partition
Hint: Intel partition table type has been detected. (...)

#Press Enter.

>[ Analyse] Analyse current partition structure and search for lost partitions

#Press Enter.

Disk /dev/sdc - 255 MB / 243 MiB - CHS 1021 8 61
Current partition structure:
Partition Start End Size in sectors
1 * Linux 4 1 36 1019 6 26 495616
Warning: Bad ending head (CHS and LBA don't match)
(...)
>[Quick Search]

#Press Enter.

Warning: the current number of heads per cylinder is 8 but the correct value may be 255. (...)

#Press Enter twice

>[Deeper Search]

#Press Enter.

(...) Warning: the current number of heads per cylinder is 8 but the correct value may be 255. (...)
[ Continue ]

#Press Enter

     Partition               Start        End    Size in sectors
 D Linux                    4   1 34  1019   6 24     495616
>D Linux                    4   1 36  1019   6 26     495616

The partitions' respective information is as follows:

ext4 blocksize=1024 Large_file Sparse_SB Backup_SB, 253 MB / 242 MiB
ext4 blocksize=1024 Large_file Sparse_SB, 253 MB / 242 MiB

#Press P.

     Linux                    4   1 36  1019   6 26     495616
Directory /

>drwx------  1000  1000      1024 28-Aug-2020 14:37 .
 drwx------  1000  1000      1024 28-Aug-2020 14:37 ..
 drwx------     0     0     12288 28-Aug-2020 14:02 lost+found
 -rw-r--r--  1000  1000         0 28-Aug-2020 14:37 Fedora.odt

#Press a then C.

Directory /home/yk
>drwx------  1000  1000      4096 28-Aug-2020 12:18 .
 drwxr-xr-x     0     0      4096 19-Aug-2020 13:36 ..

#Press C.

 Directory /
Copy done! 1 ok, 0 failed
>drwx------  1000  1000      1024 28-Aug-2020 17:29 .
 drwx------  1000  1000      1024 28-Aug-2020 17:29 ..
 drwx------     0     0     12288 28-Aug-2020 17:28 lost+found
 -rw-r--r--  1000  1000         0 28-Aug-2020 17:29 Fedora.odt
 -rw-rw-r--  1000  1000      4450 28-Aug-2020 13:29 testdisk.log

cgsecurity commented 3 years ago

Use PhotoRec on the free space of the partition.

Extracts from https://www.cgsecurity.org/testdisk.pdf: "ext2 is a Linux filesystem. It has been superseded by ext3 and ext4, so it’s not found often now. With ext3 and ext4, it’s possible to find the names of the deleted files but the location of the deleted data isn’t available anymore, so even if ext3/ext4 is similar to ext2, it’s not possible to recover lost files using TestDisk."

"PhotoRec doesn’t recover the original filenames or the file structure but it can recover lost files even from corrupted filesystem. PhotoRec is a signature based file recovery utility (a file carver) and may be able to recover your data where other methods failed. Remember, you must avoid writing anything on the filesystem that was holding the data. If you do, deleted files may be overwritten by new ones."
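
An added example, not part of the original thread and not PhotoRec's code: a minimal signature-based carver in Python for the file type in this issue (an ODT is a ZIP container), showing why content comes back without its name. It assumes an unfragmented file whose first member is a stored `mimetype` entry; `carve_odt`, `is_valid_zip` and `build_sample_image` are hypothetical names and the image is constructed.

```python
import io
import struct
import zipfile

LOCAL_HEADER = b"PK\x03\x04"  # ZIP local file header signature
EOCD = b"PK\x05\x06"          # ZIP end-of-central-directory signature
# Assumption: "mimetype" is the first, stored member with no extra field,
# so its name and content directly follow the 30-byte local header.
ODT_MIME = b"mimetypeapplication/vnd.oasis.opendocument.text"


def is_valid_zip(data):
    """True if the carved bytes open as a ZIP and every member passes its CRC."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return z.testzip() is None
    except Exception:  # truncated, overwritten or fragmented candidate
        return False


def carve_odt(raw):
    """Return [(offset, data)] for each intact ODT found in raw bytes."""
    # Only content signatures are read, never filesystem metadata, so the
    # original file name and directory cannot be restored by this method.
    found = []
    pos = raw.find(LOCAL_HEADER)
    while pos != -1:
        step = 4
        if raw[pos + 30:pos + 30 + len(ODT_MIME)] == ODT_MIME:
            end = raw.find(EOCD, pos)
            if end != -1 and end + 22 <= len(raw):
                # EOCD is 22 bytes plus a comment whose length is at offset 20.
                comment_len = struct.unpack_from("<H", raw, end + 20)[0]
                data = raw[pos:end + 22 + comment_len]
                if is_valid_zip(data):
                    found.append((pos, data))
                    step = len(data)
        pos = raw.find(LOCAL_HEADER, pos + step)
    return found


def build_sample_image():
    """Constructed input: one ODT-like ZIP inside zero-filled 'free space'."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:  # default is ZIP_STORED
        z.writestr("mimetype", "application/vnd.oasis.opendocument.text")
        z.writestr("content.xml", "<office:document-content/>")
    odt = buf.getvalue()
    return b"\x00" * 4096 + odt + b"\xff" * 1000, odt
```

Calling `carve_odt(build_sample_image()[0])` returns the embedded document at offset 4096; a candidate whose end record has been overwritten fails validation and is not returned.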