Linux goesZen

Recently, while using an USB memory stick formatted in FAT32, I accidentally deleted a few files. My first idea while sitting on a Windows machine was to seek for a simple utility from the DOS world to get the files back. I thought it would be a no-brainer, but after wading through tons of Google spam results, nasty Shareware and fake apps I was near giving up. The final stage was to try an older Version of Norton Utilites' Unerase, but as I soon found out, it wasn't able to "see" my USB device...

The next idea was to take the stick to the Unix/Linux/ Ubuntu world, as the free and open source movement produced quite a few very professional, versatile and useful tools in the domain of data handling and storage device management. (If you don't believe me: software raid, ntfs drivers, the SystemRescueCD, ... the list goes on).

So I fired up apt-get and browsed around:

recoverjpeg
foremost

Were the first apps I tried. recoverjpeg was useless for me, as I was looking for a zip file (it returned zero results!).

Next was the mighty foremost, so forensic and versatile that it didn't work for me at all (note the cynicism). The other obstacle I soon discovered was that I was trying to recover files from a USB stick, which foremost and many other tools do not read in easily. Or at least these apps were no help in discovering where my USB-stick had been mounted by the system on a lower level (/dev/sdd by the way). /media/USBSTICK, the convenience path supplied by Ubuntu, as path on the command-line to foremost got rejected. And then this annoying "output directoryis not empty" error, each time I fired foremost without success it created empty folders in my output dir...

Further, on other blogs, people kept telling that I first need to copy the USB stick raw and then inspect it:

sudo dd if=/dev/sdb of=sdcard.img bs=1M

• sudo - used to perform command as root user (i.e. have correct privileges)
• dd - command to copy data a byte level
• if=/dev/sdb - read data from /dev/sdb - you may need to change this depending on where your memory card it located.
• of=sdcard.img - save this to the sdcard.img file in the current directory
• bs=1M - Copy it in 1M chunks

Just too lazy to do that. My hope sank and I turned to some more apps. On some thread a guy recommended "fatback", which I downloaded but could not get compiled.

Finally I found photrorec a helpful and working little app that saved the day for me! Initially developed for photo recovery from removable media (hence the name) the tool finds all types of files. Fire it up and it conveniently displays all mounted devices (no need to know about the structure of the /dev path...). Select the USB device here. The next screen asks if you know about the type of filesystem - don't select "Windows/PC" or similar here, as it will limit your results (I don't know why)! Select the raw/unformatted option (can't quite remember the exact name, it's the default. Proceed through the next screens and photorec will spit out all it can undelete from this device, although the names will be lost. And in contrast to foremost, photorec is smart enough to create ascending subdirs in your supplied output path, so you can run it multiple times without changing the output over and over. And it is not CLI only, it has a simple shell GUI!

Thumbs up for photorec!