Categories
General IT Masters Tutorials

Using PhotoRec to Recover Images

PhotoRec is an open-source application that aims to recover media files (photos, videos and documents) from drives even after they have been deleted and removed. Despite What many user may think, files are hardly ever truly deleted.

I chose to perform this example test on a small USB drive (1GB) to reduce the time required to scan the drive. I removed all files from the USB and reformatted the drive. I then copied a photograph onto the drive, deleted it and ensured it was also removed from the recycle bin.

The next step was to load PhotoRec as an administrator and select the disc to be scanned. Make sure you choose the right disc here, although you do have the opportunity to go back before commencing the scan.

photorec

After selecting the drive, you will then need to select the partition. On this USB drive there are (essentially) no partitions however two options will appear in the menu; one for scanning the full disc and one for scanning the partition (which just so happens to be the whole disc also in this case).

You will also need to tell PhotoRec the file system type where the files were stored. In most cases this will be the ‘Other’ option (FAT, NTFS etc). Once all of these configurations have been made you need to tell PhotoRec where you would like the scan results to be saved. I chose to save them in a new folder in the program folder.

photorec_location

Once you have stated the correct directory, press ‘c’ to commence the scan. As this is a small drive the scan time was approximately five minutes. On completion of the scan PhotoRec will show a summary of the files and file types that were recovered.

photorec_running

You can then navigate to the save location you specified and review the findings.

Files are very rarely truly deleted. The only sure way of permanently removing data from a disc is to destroy it (usually by using an industrial strength electromagnet). As this is out of reach for the average user, it is more reasonable to overwrite the drive with a file you wouldn’t mind someone finding.

PhotoRec is a great tool that is simple to use and yields big results. In its simplicity it also scans in read-only mode ensuring that no files are ever modified; an important part of the forensic process.

Leave a Reply

Your email address will not be published. Required fields are marked *