Data recovery with the TestDisk/PhotoRec duo

To conduct this test, I destroyed a partition table and deleted about 600GB of data. Then, I let TestDisk and PhotoRec show what they could do. A common saying for hard drives is that they have just three states: empty, full, and damaged. The latter two states occur more frequently than most users would expect. Damage to a hard disk has the habit of occurring quite unexpectedly once symptoms of mechanical fatigue appear.

Until a few years ago, all hard disks were mechanical. Users could therefore sometimes hear clacking noises when a hard drive was nearing the end of its life. They could then change out the drive before it became inaccessible. The SSD drives today are different; they die quietly.

One indicator that can be used to determine the health of a hard drive running under Linux is the hard drive monitoring software S.M.A.R.T. [1]. The Linux Smartmontools [2] can process and interpret the data for signs pointing to wear and tear of the drive. However, if the hard drive is no longer accessible, but is still visible from the BIOS, or if a partition or data within a partition have accidentally been deleted, then it is time to use the forensic tools TestDisk and PhotoRec.

No Overwrites, Please

A basic rule about how data recovery tools work is that deleted data does not disappear completely in the same moment that the delete key gets pressed. Instead, the data delete process involves making a change to the first character of a file name thereby causing the data to become invisible in the filesystem. (See the box "What Happens When Data Is Deleted?" for more information.)

At this point, chances for retrieving data are excellent. However the more that data is written to the disk – potentially overwriting the disk areas containing the deleted data – the less likely it is that a typical home user with common tools like TestDisk and PhotoRec will be able to recover lost data. A lot more can be done in a laboratory setting that offers clean room technology and direct work on the magnetic disk platters. However, the costs associated with this type of approach are often too high for private users.

The Data Rescuers

The software described here usually comes as a double package in most distributions. This makes sense because PhotoRec is a useful extension for TestDisk, and the two pieces of software are often used in tandem.

TestDisk is primarily responsible for recovering partitions, partition tables, the Master Boot Record (MBR), and data that have been deleted. PhotoRec was developed as recovery software for photos on the internal or the external storage medium for digital cameras. However, it can also deal with almost 450 different file formats, mainly in the areas of multimedia and office. TestDisk can repair the following filesystems: FAT{12,16,32}, NTFS, EXT{2,3,4}, Btrfs, and HFS+. Aside from Linux, both tools are available for various BSD versions as well as for Solaris, Mac OS, and Windows. TestDisk only works via the command line. Recently, the graphical interface QPhotoRec was developed for PhotoRec.