Recover deleted media with testdisk, photorec and scalpel?

A friend of mine has 2 Windows Laptops, where in the process of moving from an old 2TB storage laptop to a newer 256GB storage laptop, moving files manually (somehow, dont ask me).

They noticed they accidentally removed a 35GB folder full of media files from a very big vacation, including nature photography and some strange GoPro format files. Valuable stuff.

So we took the newer laptop as its fresh, very small storage and not much done after deleting the files.

We used a 2TB backup drive which works well.

Used CloneZilla, exited to shell, mounted the drive with udisksctl and used testdisk and photorec, but with strange results.

  1. Testdisk created a “whole” recovery in .dd format
  2. Then noticed the “undelete” function in testdisk and manually undeleted all files we found
  3. Then used photorec on that .dd recovery

The testdisk undelete files are mostly corrupted, images with missing header files etc. Same as the result of some magic sauce proprietary recovery program.

The photorec results where really strange, everything was intact but only system stuff, cache, icons etc, not a single of the deleted media.

The media are 3000 or more, so this makes no sense, we used the “full” backup from testdisk.

The laptop is off and we have some time, we can also use the older, messier one if needed.

Questions:

  • any way to repair these corrupted images and media?
  • how to work with this data in photorec? How to export just the deleted files?

I think we should try to use photorec directly with the drive and not the .dd image, which may help.

We used dd and cloned the entire small, new disk to an .iso on the backup drive so we can work with it easier. Does this include all the stuff, also the deleted things?

We will also try scalpel.

Update

We did a lot with the small disk which should basically be in perfect condition to undelete stuff.

  • dd and ddrescue backup into an .iso and .raw image
  • testdisk backup into a .dd image
  • photorec found only usable pictures from the OS, not a single of the wanted ones
  • testdisk and Recuva had the exact same results, all of the files and all broken, missing headers and metadata
  • using scalpel currently

I would be happy about experience on how to restore such header files, information what they are and if you can use files for multiple media or guess them. We know the filetypes that we search for.

Also, are there any modern recovery tools out there, that promise better reliability?

Thanks!

This would be dangerous. Working on the original and altering it could cause more problems.
Working on the image means if an error is made then the image can be replaced with another copy of the original.

The dd command makes an exact bit for bit copy of the source so you should feel comfortable that the copy is the same as the original.

I dont think photorec writes anything to the source?

And the specific question was, if dd copies everything that you could find with testdisk.

I am sure it copies more then Clonezillas default tool, which is better suited for actually cloning your used data.

The dd command copies everything, bit for bit, so a created image is exactly the same as the source. Testdisk and photorec work differently, as does ddrescue and the result is usually not an exact bit for bit copy.

1 Like

Added file-recovery