Back to Top

Sunday, July 29, 2007

Recovering deleted files the DIY way

I can't really remember if I've written about this or not (old age I suppose :-p), so here it goes:

There are certainly easier (and better) ways to do it, here is the DIY way for those who enjoy some hands-on fun:

  1. Save the contents of the entire partition (or disk) in a separate file. While this step is not an absolute must, it's still better than playing with the original media and risking unrecoverable damage (to the information, not to the physical image). You can do this for example with the free HxD HexEditor (under Windows) or with the dd command under Linux.
  2. Now you should go through the data (again, you can access directly the original media, but it's better to work on a backup copy), and look for the headers of the file types you wish to recover and drop a predefined amount of data from that location. The principles behind this approaches are:
    • Binary files usually have a size field in their headers so that having junk at the end doesn't influence the ability of the programs to use them.
    • The fragmentation on SD cards for digital cameras is very low, meaning that the file data is layed out in a sequential way with a very high probability
    If these principles don't apply, you can have less than ideal results.

Below is a quick and dirty Perl script implementing this approach for JPEG images:

use strict;
use warnings;

my $fileName = "Removable Disk 1";
my $picSize = 4*1024*1024;

open F, $fileName;
binmode F;

foreach my $strpos (1 .. -s $fileName) {
 seek(F, $strpos, 0);
 my $str;
 read F, $str, 10;

 if ($str =~ /Exif$/) {
  print "$strpos\n";

  seek(F, $strpos, 0);
  read F, $str, $picSize;

  open O, ">$strpos.jpg";
  binmode O;
  print O $str;
  close O;
 }
}

close F;

A final tip: you can clean-up the resulting files usually by opening and saving them with a program (which should strip the junk from the end). You can do this easily for image files with the batch conversion function of IrfanView, which is a great little freeware tool for iamge viewing / conversion under Windows (as long as you remember to uncheck the Google Toolbar during installation), just remember that converting from lossy image format to lossy image format always means data loss!

Update: Andreas Gohr (the lead devel on DokuWiki) has a nicer solution.

0 comments:

Post a Comment

You can use some HTML tags, such as <b>, <i>, <a>. Comments are moderated, so there will be a delay until the comment appears. However if you comment, I follow.