├── .gitignore
├── Makefile
├── after_using_photorec.rst
├── bootable.rst
├── building_from_source.rst
├── compilation.rst
├── compilation_env.rst
├── conf.py
├── crosscompilation_env.rst
├── ddrescue.rst
├── dfrws2006.rst
├── dftt_fat16_undelete.rst
├── dftt_ntfs_undelete.rst
├── forensics.rst
├── images
    ├── photorec.png
    └── testdisk.png
├── index.rst
├── installation.rst
├── livecd.rst
├── make.bat
├── partition_recovery.rst
├── photorec.rst
├── photorec_custom_signature.rst
├── photorec_video.rst
├── presentation.rst
├── repairing_filesystem.rst
├── running.rst
├── scripted_run.rst
├── smart.rst
├── storage.rst
├── testcase.rst
├── undelete.rst
├── undelete_fat.rst
├── undelete_ntfs.rst
└── unix.rst


/.gitignore:
--------------------------------------------------------------------------------
*~
*.bak
_build/doctrees/
_build/html/
_build/pdf/
_build/latex/

--------------------------------------------------------------------------------
/Makefile:
--------------------------------------------------------------------------------
# Makefile for Sphinx documentation
#

# You can set these variables from the command line.
SPHINXOPTS    =
SPHINXBUILD   = sphinx-build
PAPER         =
BUILDDIR      = _build

# Internal variables.
PAPEROPT_a4     = -D latex_paper_size=a4
PAPEROPT_letter = -D latex_paper_size=letter
ALLSPHINXOPTS   = -d $(BUILDDIR)/doctrees $(PAPEROPT_$(PAPER)) $(SPHINXOPTS) .
# the i18n builder cannot share the environment and doctrees with the others
I18NSPHINXOPTS  = $(PAPEROPT_$(PAPER)) $(SPHINXOPTS) .

.PHONY: help
help:
	@echo "Please use \`make <target>' where <target> is one of"
	@echo "  html       to make standalone HTML files"
	@echo "  dirhtml    to make HTML files named index.html in directories"
	@echo "  singlehtml to make a single large HTML file"
	@echo "  pickle     to make pickle files"
	@echo "  json       to make JSON files"
	@echo "  htmlhelp   to make HTML files and a HTML help project"
	@echo "  qthelp     to make HTML files and a qthelp project"
	@echo "  applehelp  to make an Apple Help Book"
	@echo "  devhelp    to make HTML files and a Devhelp project"
	@echo "  epub       to make an epub"
	@echo "  epub3      to make an epub3"
	@echo "  latex      to make LaTeX files, you can set PAPER=a4 or PAPER=letter"
	@echo "  latexpdf   to make LaTeX files and run them through pdflatex"
	@echo "  latexpdfja to make LaTeX files and run them through platex/dvipdfmx"
	@echo "  text       to make text files"
	@echo "  man        to make manual pages"
	@echo "  texinfo    to make Texinfo files"
	@echo "  info       to make Texinfo files and run them through makeinfo"
	@echo "  gettext    to make PO message catalogs"
	@echo "  changes    to make an overview of all changed/added/deprecated items"
	@echo "  xml        to make Docutils-native XML files"
	@echo "  pseudoxml  to make pseudoxml-XML files for display purposes"
	@echo "  linkcheck  to check all external links for integrity"
	@echo "  doctest    to run all doctests embedded in the documentation (if enabled)"
	@echo "  coverage   to run coverage check of the documentation (if enabled)"
	@echo "  dummy      to check syntax errors of document sources"

.PHONY: clean
clean:
	rm -rf $(BUILDDIR)/*

.PHONY: html
html:
	$(SPHINXBUILD) -b html $(ALLSPHINXOPTS) $(BUILDDIR)/html
	@echo
	@echo "Build finished. The HTML pages are in $(BUILDDIR)/html."

.PHONY: dirhtml
dirhtml:
	$(SPHINXBUILD) -b dirhtml $(ALLSPHINXOPTS) $(BUILDDIR)/dirhtml
	@echo
	@echo "Build finished. The HTML pages are in $(BUILDDIR)/dirhtml."

.PHONY: singlehtml
singlehtml:
	$(SPHINXBUILD) -b singlehtml $(ALLSPHINXOPTS) $(BUILDDIR)/singlehtml
	@echo
	@echo "Build finished. The HTML page is in $(BUILDDIR)/singlehtml."

.PHONY: pickle
pickle:
	$(SPHINXBUILD) -b pickle $(ALLSPHINXOPTS) $(BUILDDIR)/pickle
	@echo
	@echo "Build finished; now you can process the pickle files."

.PHONY: json
json:
	$(SPHINXBUILD) -b json $(ALLSPHINXOPTS) $(BUILDDIR)/json
	@echo
	@echo "Build finished; now you can process the JSON files."

.PHONY: htmlhelp
htmlhelp:
	$(SPHINXBUILD) -b htmlhelp $(ALLSPHINXOPTS) $(BUILDDIR)/htmlhelp
	@echo
	@echo "Build finished; now you can run HTML Help Workshop with the" \
	      ".hhp project file in $(BUILDDIR)/htmlhelp."

.PHONY: qthelp
qthelp:
	$(SPHINXBUILD) -b qthelp $(ALLSPHINXOPTS) $(BUILDDIR)/qthelp
	@echo
	@echo "Build finished; now you can run "qcollectiongenerator" with the" \
	      ".qhcp project file in $(BUILDDIR)/qthelp, like this:"
	@echo "# qcollectiongenerator $(BUILDDIR)/qthelp/testdisk.qhcp"
	@echo "To view the help file:"
	@echo "# assistant -collectionFile $(BUILDDIR)/qthelp/testdisk.qhc"

.PHONY: applehelp
applehelp:
	$(SPHINXBUILD) -b applehelp $(ALLSPHINXOPTS) $(BUILDDIR)/applehelp
	@echo
	@echo "Build finished. The help book is in $(BUILDDIR)/applehelp."
	@echo "N.B. You won't be able to view it unless you put it in" \
	      "~/Library/Documentation/Help or install it in your application" \
	      "bundle."

.PHONY: devhelp
devhelp:
	$(SPHINXBUILD) -b devhelp $(ALLSPHINXOPTS) $(BUILDDIR)/devhelp
	@echo
	@echo "Build finished."
	@echo "To view the help file:"
	@echo "# mkdir -p $$HOME/.local/share/devhelp/testdisk"
	@echo "# ln -s $(BUILDDIR)/devhelp $$HOME/.local/share/devhelp/testdisk"
	@echo "# devhelp"

.PHONY: epub
epub:
	$(SPHINXBUILD) -b epub $(ALLSPHINXOPTS) $(BUILDDIR)/epub
	@echo
	@echo "Build finished. The epub file is in $(BUILDDIR)/epub."

.PHONY: epub3
epub3:
	$(SPHINXBUILD) -b epub3 $(ALLSPHINXOPTS) $(BUILDDIR)/epub3
	@echo
	@echo "Build finished. The epub3 file is in $(BUILDDIR)/epub3."

.PHONY: latex
latex:
	$(SPHINXBUILD) -b latex $(ALLSPHINXOPTS) $(BUILDDIR)/latex
	@echo
	@echo "Build finished; the LaTeX files are in $(BUILDDIR)/latex."
	@echo "Run \`make' in that directory to run these through (pdf)latex" \
	      "(use \`make latexpdf' here to do that automatically)."

.PHONY: latexpdf
latexpdf:
	$(SPHINXBUILD) -b latex $(ALLSPHINXOPTS) $(BUILDDIR)/latex
	@echo "Running LaTeX files through pdflatex..."
	$(MAKE) -C $(BUILDDIR)/latex all-pdf
	@echo "pdflatex finished; the PDF files are in $(BUILDDIR)/latex."

.PHONY: latexpdfja
latexpdfja:
	$(SPHINXBUILD) -b latex $(ALLSPHINXOPTS) $(BUILDDIR)/latex
	@echo "Running LaTeX files through platex and dvipdfmx..."
	$(MAKE) -C $(BUILDDIR)/latex all-pdf-ja
	@echo "pdflatex finished; the PDF files are in $(BUILDDIR)/latex."

.PHONY: text
text:
	$(SPHINXBUILD) -b text $(ALLSPHINXOPTS) $(BUILDDIR)/text
	@echo
	@echo "Build finished. The text files are in $(BUILDDIR)/text."

.PHONY: man
man:
	$(SPHINXBUILD) -b man $(ALLSPHINXOPTS) $(BUILDDIR)/man
	@echo
	@echo "Build finished. The manual pages are in $(BUILDDIR)/man."

.PHONY: texinfo
texinfo:
	$(SPHINXBUILD) -b texinfo $(ALLSPHINXOPTS) $(BUILDDIR)/texinfo
	@echo
	@echo "Build finished. The Texinfo files are in $(BUILDDIR)/texinfo."
	@echo "Run \`make' in that directory to run these through makeinfo" \
	      "(use \`make info' here to do that automatically)."

.PHONY: info
info:
	$(SPHINXBUILD) -b texinfo $(ALLSPHINXOPTS) $(BUILDDIR)/texinfo
	@echo "Running Texinfo files through makeinfo..."
	make -C $(BUILDDIR)/texinfo info
	@echo "makeinfo finished; the Info files are in $(BUILDDIR)/texinfo."

.PHONY: gettext
gettext:
	$(SPHINXBUILD) -b gettext $(I18NSPHINXOPTS) $(BUILDDIR)/locale
	@echo
	@echo "Build finished. The message catalogs are in $(BUILDDIR)/locale."

.PHONY: changes
changes:
	$(SPHINXBUILD) -b changes $(ALLSPHINXOPTS) $(BUILDDIR)/changes
	@echo
	@echo "The overview file is in $(BUILDDIR)/changes."

.PHONY: linkcheck
linkcheck:
	$(SPHINXBUILD) -b linkcheck $(ALLSPHINXOPTS) $(BUILDDIR)/linkcheck
	@echo
	@echo "Link check complete; look for any errors in the above output " \
	      "or in $(BUILDDIR)/linkcheck/output.txt."

.PHONY: doctest
doctest:
	$(SPHINXBUILD) -b doctest $(ALLSPHINXOPTS) $(BUILDDIR)/doctest
	@echo "Testing of doctests in the sources finished, look at the " \
	      "results in $(BUILDDIR)/doctest/output.txt."

.PHONY: coverage
coverage:
	$(SPHINXBUILD) -b coverage $(ALLSPHINXOPTS) $(BUILDDIR)/coverage
	@echo "Testing of coverage in the sources finished, look at the " \
	      "results in $(BUILDDIR)/coverage/python.txt."

.PHONY: xml
xml:
	$(SPHINXBUILD) -b xml $(ALLSPHINXOPTS) $(BUILDDIR)/xml
	@echo
	@echo "Build finished. The XML files are in $(BUILDDIR)/xml."

.PHONY: pseudoxml
pseudoxml:
	$(SPHINXBUILD) -b pseudoxml $(ALLSPHINXOPTS) $(BUILDDIR)/pseudoxml
	@echo
	@echo "Build finished. The pseudo-XML files are in $(BUILDDIR)/pseudoxml."

.PHONY: dummy
dummy:
	$(SPHINXBUILD) -b dummy $(ALLSPHINXOPTS) $(BUILDDIR)/dummy
	@echo
	@echo "Build finished. Dummy builder generates no files."

.PHONY: pdf
pdf:
	$(SPHINXBUILD) -b pdf $(ALLSPHINXOPTS) _build/pdf
	@echo
	@echo "Build finished. The PDF files are in _build/pdf."

--------------------------------------------------------------------------------
/after_using_photorec.rst:
--------------------------------------------------------------------------------
After using PhotoRec
====================
Usually PhotoRec and QPhotoRec recover a lot of files, but without the original filenames it may be hard to locate the files you are interested in.

Sorting the files by extension
******************************

Using a PowerShell script under Windows
---------------------------------------
https://github.com/lconte/Copy-PhotoRecFilesbyExtension.ps1

Using a Python script
---------------------
Python comes preinstalled on macOS and most Linux distributions. It can also be installed under Windows.
The Python program `sort-PhotorecRecoveredFiles `_

* sorts all files by file extension into their own folders.
* limits the number of files per folder by creating subfolders if a certain number is exceeded. The file/folder number can be customized.
* For all **jpgs**: it puts them into their own folders per year (EXIF data). Within a year, folders for every event are created, e.g. all photos taken during one weekend or vacation are sorted into one folder.

Renaming files using exiftool
*****************************
exiftool can use meta-data from several popular file formats to rename files.
All Linux distributions come with a package for :command:`exiftool` (:file:`perl-Image-ExifTool` for Red Hat, CentOS and Fedora); it is also available for Windows, Linux and macOS from https://exiftool.org/


.. code-block:: none

  exiftool -r -ext avi '-FileName

`_ is a compiled version of a program which has been statically linked against libraries.
A static binary does not depend on the libraries available on the computer it's running on; usually you can copy this binary to another computer and it will work.
It is still architecture specific (i.e. CPU) and may be kernel (OS version) dependent, so static binaries may be used for portable applications.
For the build to be successful, you may have to install static versions of the libraries.

--------------------------------------------------------------------------------
/compilation_env.rst:
--------------------------------------------------------------------------------
Compilation environment
***********************
TestDisk uses several libraries if available:

* libncurses - Required. TestDisk and PhotoRec use a text user interface; the Ncurses library and development files must be available.
* Ext2fs library - Optional, used by TestDisk to list files from an ext2/ext3/ext4 partition and by PhotoRec to carve the free space of an ext2/ext3 partition instead of the whole partition
* EWF library - Optional, TestDisk and PhotoRec use it to access Expert Witness Compression Format files (e.g. EnCase files)
* Iconv - Optional, used to handle Unicode filenames
* Jpeg library - Optional, used by PhotoRec to improve the JPEG recovery rate
* NTFS library - Optional, used by TestDisk to list files from an NTFS partition
* Reiserfs library - Optional, used by TestDisk to list files from a reiserfs partition
* zlib library - Optional, used by PhotoRec to decompress gzipped content
* Qt5 library - Optional, required for QPhotoRec and to update the configure script.

Linux
-----

* Debian/Ubuntu:
  :command:`apt-get install build-essential e2fslibs-dev libewf-dev libncurses5-dev libncursesw5-dev ntfs-3g-dev libjpeg-dev uuid-dev zlib1g-dev qtbase5-dev qttools5-dev-tools pkg-config dh-autoreconf git`
* RHEL/CentOS 6 or later:
  :command:`yum install @buildsys-build desktop-file-utils e2fsprogs-devel libewf-devel libjpeg-devel libuuid-devel ncurses-devel ntfs-3g-devel qt-devel qt5-qtbase-devel zlib-devel git`
* Fedora:
  :command:`dnf install @buildsys-build desktop-file-utils e2fsprogs-devel libewf-devel libjpeg-devel libuuid-devel ncurses-devel ntfs-3g-devel qt-devel qt5-qtbase-devel zlib-devel git`

macOS
-----
Install Xcode

.. code-block:: none

  xcode-select --install

Install brew

.. code-block:: none

  /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install.sh)"

Install pkg-config, libjpeg-turbo and wget via brew

.. code-block:: none

  brew install pkg-config libjpeg-turbo wget


Download the wanted libraries (adjust the versions)

.. code-block:: none

  wget -N http://prdownloads.sourceforge.net/e2fsprogs/e2fsprogs-1.46.2.tar.gz
  wget -N https://download.tuxera.com/opensource/ntfs-3g_ntfsprogs-2017.3.23.tgz
  wget -N https://www.cgsecurity.org/testdisk-7.2-WIP.tar.bz2

Decompress and compile them (replace :file:`/Users/kmaster` by the correct path)

.. code-block:: none

  tar xzf e2fsprogs-1.46.2.tar.gz
  tar xzf ntfs-3g_ntfsprogs-2017.3.23.tgz
  tar xjf testdisk-7.2-WIP.tar.bz2
  cd e2fsprogs-1.46.2 && ./configure && make && cd ..
  cd ntfs-3g_ntfsprogs-2017.3.23 && ./configure --disable-ntfs-3g --disable-nfconv && make && cd ..
  mkdir -p testdisk
  cd testdisk
  ../testdisk-7.2-WIP/configure --disable-qt \
    --with-ext2fs-lib=/Users/kmaster/e2fsprogs-1.46.2/lib \
    --with-ext2fs-includes=/Users/kmaster/e2fsprogs-1.46.2/lib \
    --with-ntfs3g-lib=/Users/kmaster/ntfs-3g_ntfsprogs-2017.3.23/libntfs-3g/.libs/ \
    --with-ntfs3g-includes=/Users/kmaster/ntfs-3g_ntfsprogs-2017.3.23/include/ \
    --with-jpeg-lib=/usr/local/opt/jpeg-turbo/lib \
    --with-jpeg-includes=/usr/local/opt/jpeg-turbo/include
  make
  cd ..

Windows
-------
cygwin
^^^^^^
Cygwin https://cygwin.com/ is a large collection of GNU and Open Source tools which provide functionality similar to a Linux distribution on Windows; it includes the GCC compiler.
A DLL (:file:`cygwin1.dll`) provides substantial POSIX API functionality; such functions may be required by some libraries that TestDisk or PhotoRec can use.

MinGW-w64
^^^^^^^^^
MinGW-w64 https://www.mingw-w64.org/ is a free and open source software development environment for creating Microsoft Windows applications. It provides GCC for Windows 64 & 32 bits.

--------------------------------------------------------------------------------
/conf.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
#
# testdisk documentation build configuration file, created by
# sphinx-quickstart on Wed Sep 7 15:44:38 2016.
#
# This file is execfile()d with the current directory set to its
# containing dir.
#
# Note that not all possible configuration values are present in this
# autogenerated file.
#
# All configuration values have a default; values that are commented out
# serve to show the default.

# If extensions (or modules to document with autodoc) are in another directory,
# add these directories to sys.path here. If the directory is relative to the
# documentation root, use os.path.abspath to make it absolute, like shown here.
#
# import os
# import sys
# sys.path.insert(0, os.path.abspath('.'))

# -- General configuration ------------------------------------------------

# If your documentation needs a minimal Sphinx version, state it here.
#
# needs_sphinx = '1.0'

# Add any Sphinx extension module names here, as strings. They can be
# extensions coming with Sphinx (named 'sphinx.ext.*') or your custom
# ones.
extensions = [
#    'sphinx.ext.githubpages',
#    'rst2pdf.pdfbuilder'
]

# Add any paths that contain templates here, relative to this directory.
templates_path = ['_templates']

# The suffix(es) of source filenames.
# You can specify multiple suffix as a list of string:
#
# source_suffix = ['.rst', '.md']
source_suffix = '.rst'

# The encoding of source files.
#
# source_encoding = 'utf-8-sig'

# The master toctree document.
master_doc = 'index'

# General information about the project.
project = 'testdisk'
copyright = '2016-2023, Christophe GRENIER'
author = 'Christophe GRENIER'

# The version info for the project you're documenting, acts as replacement for
# |version| and |release|, also used in various other places throughout the
# built documents.
#
# The short X.Y version.
version = '7.1'
# The full version, including alpha/beta/rc tags.
release = '7.1'

# The language for content autogenerated by Sphinx. Refer to documentation
# for a list of supported languages.
#
# This is also used if you do content translation via gettext catalogs.
# Usually you set "language" from the command line for these cases.
language = 'en'

# There are two options for replacing |today|: either, you set today to some
# non-false value, then it is used:
#
# today = ''
#
# Else, today_fmt is used as the format for a strftime call.
#
# today_fmt = '%B %d, %Y'

# List of patterns, relative to source directory, that match files and
# directories to ignore when looking for source files.
# This patterns also effect to html_static_path and html_extra_path
exclude_patterns = ['_build', 'Thumbs.db', '.DS_Store']

# The reST default role (used for this markup: `text`) to use for all
# documents.
#
# default_role = None

# If true, '()' will be appended to :func: etc. cross-reference text.
#
# add_function_parentheses = True

# If true, the current module name will be prepended to all description
# unit titles (such as .. function::).
#
# add_module_names = True

# If true, sectionauthor and moduleauthor directives will be shown in the
# output. They are ignored by default.
#
# show_authors = False

# The name of the Pygments (syntax highlighting) style to use.
pygments_style = 'sphinx'

# A list of ignored prefixes for module index sorting.
# modindex_common_prefix = []

# If true, keep warnings as "system message" paragraphs in the built documents.
# keep_warnings = False

# If true, `todo` and `todoList` produce output, else they produce nothing.
todo_include_todos = False


# -- Options for HTML output ----------------------------------------------

# The theme to use for HTML and HTML Help pages. See the documentation for
# a list of builtin themes.
#
#html_theme = 'alabaster'
html_theme = 'sphinx_rtd_theme'

# Theme options are theme-specific and customize the look and feel of a theme
# further. For a list of options available for each theme, see the
# documentation.
#
# html_theme_options = {}

# Add any paths that contain custom themes here, relative to this directory.
# html_theme_path = []

# The name for this set of Sphinx documents.
# "<project> v<release> documentation" by default.
#
# html_title = 'testdisk v7.1'

# A shorter title for the navigation bar. Default is the same as html_title.
#
# html_short_title = None

# The name of an image file (relative to this directory) to place at the top
# of the sidebar.
#
# html_logo = None

# The name of an image file (relative to this directory) to use as a favicon of
# the docs. This file should be a Windows icon file (.ico) being 16x16 or 32x32
# pixels large.
#
# html_favicon = None

# Add any paths that contain custom static files (such as style sheets) here,
# relative to this directory. They are copied after the builtin static files,
# so a file named "default.css" will overwrite the builtin "default.css".
html_static_path = ['_static']

# Add any extra paths that contain custom files (such as robots.txt or
# .htaccess) here, relative to this directory. These files are copied
# directly to the root of the documentation.
#
# html_extra_path = []

# If not None, a 'Last updated on:' timestamp is inserted at every page
# bottom, using the given strftime format.
# The empty string is equivalent to '%b %d, %Y'.
#
# html_last_updated_fmt = None

# If true, SmartyPants will be used to convert quotes and dashes to
# typographically correct entities.
#
# html_use_smartypants = True

# Custom sidebar templates, maps document names to template names.
#
# html_sidebars = {}

# Additional templates that should be rendered to pages, maps page names to
# template names.
#
# html_additional_pages = {}

# If false, no module index is generated.
#
# html_domain_indices = True

# If false, no index is generated.
#
# html_use_index = True

# If true, the index is split into individual pages for each letter.
#
# html_split_index = False

# If true, links to the reST sources are added to the pages.
#
html_show_sourcelink = False

# If true, "Created using Sphinx" is shown in the HTML footer. Default is True.
#
html_show_sphinx = False

# If true, "(C) Copyright ..." is shown in the HTML footer. Default is True.
#
# html_show_copyright = True

# If true, an OpenSearch description file will be output, and all pages will
# contain a <link> tag referring to it. The value of this option must be the
# base URL from which the finished HTML is served.
#
# html_use_opensearch = ''

# This is the file name suffix for HTML files (e.g. ".xhtml").
# html_file_suffix = None

# Language to be used for generating the HTML full-text search index.
# Sphinx supports the following languages:
#   'da', 'de', 'en', 'es', 'fi', 'fr', 'hu', 'it', 'ja'
#   'nl', 'no', 'pt', 'ro', 'ru', 'sv', 'tr', 'zh'
#
# html_search_language = 'en'

# A dictionary with options for the search language support, empty by default.
# 'ja' uses this config value.
# 'zh' user can custom change `jieba` dictionary path.
#
# html_search_options = {'type': 'default'}

# The name of a javascript file (relative to the configuration directory) that
# implements a search results scorer. If empty, the default will be used.
#
# html_search_scorer = 'scorer.js'

# Output file base name for HTML help builder.
htmlhelp_basename = 'testdiskdoc'

# -- Options for LaTeX output ---------------------------------------------

latex_elements = {
    # The paper size ('letterpaper' or 'a4paper').
    #
    # 'papersize': 'letterpaper',

    # The font size ('10pt', '11pt' or '12pt').
    #
    # 'pointsize': '10pt',

    # Additional stuff for the LaTeX preamble.
    #
    # 'preamble': '',

    # Latex figure (float) alignment
    #
    # 'figure_align': 'htbp',
}

# Grouping the document tree into LaTeX files. List of tuples
# (source start file, target name, title,
#  author, documentclass [howto, manual, or own class]).
latex_documents = [
    (master_doc, 'testdisk.tex', 'TestDisk Documentation',
     'Christophe GRENIER', 'manual'),
]

# The name of an image file (relative to this directory) to place at the top of
# the title page.
#
# latex_logo = None

# For "manual" documents, if this is true, then toplevel headings are parts,
# not chapters.
#
# latex_use_parts = False

# If true, show page references after internal links.
#
# latex_show_pagerefs = False

# If true, show URL addresses after external links.
#
# latex_show_urls = False

# Documents to append as an appendix to all manuals.
#
# latex_appendices = []

# If false, will not define \strong, \code, \titleref, \crossref ... but only
# \sphinxstrong, ..., \sphinxtitleref, ... To help avoid clash with user added
# packages.
#
# latex_keep_old_macro_names = True

# If false, no module index is generated.
#
# latex_domain_indices = True


# -- Options for manual page output ---------------------------------------

# One entry per manual page. List of tuples
# (source start file, name, description, authors, manual section).
man_pages = [
    (master_doc, 'testdisk', 'TestDisk Documentation',
     [author], 1)
]

# If true, show URL addresses after external links.
#
# man_show_urls = False


# -- Options for Texinfo output -------------------------------------------

# Grouping the document tree into Texinfo files. List of tuples
# (source start file, target name, title, author,
#  dir menu entry, description, category)
texinfo_documents = [
    (master_doc, 'testdisk', 'TestDisk Documentation',
     author, 'testdisk', 'Opensource data recovery software',
     'Miscellaneous'),
]

# Documents to append as an appendix to all manuals.
#
# texinfo_appendices = []

# If false, no module index is generated.
#
# texinfo_domain_indices = True

# How to display URL addresses: 'footnote', 'no', or 'inline'.
#
# texinfo_show_urls = 'footnote'

# If true, do not generate a @detailmenu in the "Top" node's menu.
#
# texinfo_no_detailmenu = False

pdf_documents = [
    ('index', u'TestDisk', u'TestDisk', u'Christophe GRENIER'),
]
pdf_break_level = 1
pdf_breakside = 'any'

--------------------------------------------------------------------------------
/crosscompilation_env.rst:
--------------------------------------------------------------------------------
Cross Compilation environment
*****************************
Using Linux, it's possible to generate binaries for Windows.
Two cross-compiler toolchains are available under Fedora to create binaries for Windows 32 and 64 bits.
All packages needed are available at

* Windows Cygwin target

  * https://copr.fedorainfracloud.org/coprs/grenier/cygwin-testdisk/
  * https://copr.fedorainfracloud.org/coprs/yselkowitz/cygwin/

* Windows MinGW target

  * https://copr.fedorainfracloud.org/coprs/grenier/mingw-testdisk/

:command:`testdisk`, :command:`photorec` and :command:`fidentify` official binaries are generated using Cygwin,
:command:`qphotorec` using MinGW.

--------------------------------------------------------------------------------
/ddrescue.rst:
--------------------------------------------------------------------------------
DDRescue: data recovery from damaged disk
=========================================

A bad sector is a sector on a computer's disk drive that is either inaccessible or unwritable due to permanent damage, such as physical damage to the disk surface.
Flash memory may also have "bad sectors" (even if technically there is no sector in flash memory) due to permanent damage like failed flash memory transistors.

Instead of working directly on the damaged disk, it's recommended to create a copy and to work on the clone.
Two possibilities: create a disk image (a file) or overwrite a new/empty disk.

When cloning a disk to a healthy disk, the destination disk will remain healthy.
There is no way to recreate the missing content (content that was stored in a sector that can no longer be read), so if a file that was using this sector is "recovered", it will be damaged/corrupted.

.. warning:: Do not reformat a disk if you want to recover its content.
   Do not reuse a disk with bad sectors. Reinstalling the OS or reformatting the partition will at best hide the problem for a moment.

ddrescue can be found for Linux or macOS. If your computer is using another operating system, no problem, create a Linux Live USB! (See :ref:`live-usb`)

ddrescue on Linux
*****************
ddrescue is available on all Linux distributions.

* CentOS: :command:`yum install ddrescue`
* Debian/Ubuntu: :command:`apt install gddrescue`
* Fedora: :command:`dnf install ddrescue`

Use :command:`lsblk` or :command:`testdisk -lu` to identify all the disks.

ddrescue on macOS
*****************
To install ddrescue:

* Press Command+Space, type :command:`Terminal` and press the enter/return key.
* Run in the Terminal app:

.. code-block:: none


  /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install.sh)"
  brew install ddrescue

Done! You can now use :command:`ddrescue`.
Use :command:`diskutil list` to get information on all available disks and their partitioning.

DDRescue: disk to file image
****************************
It's the recommended method for forensic purposes.
You need enough space to store the file: if you want to create a clone of a 1TB disk, you need at least 1TB free on a filesystem.
Avoid a FAT filesystem for the destination, as FAT limits files to 4GB.
49 | 50 | In the following example, an image named :file:`sdb.dd` will be created from the second disk :file:`/dev/sdb`. 51 | 52 | .. code-block:: none 53 | 54 | ddrescue /dev/sdb sdb.dd sdb.log 55 | 56 | The log file :file:`sdb.log` can be used to restart the recovery. 57 | It can take a few hours to several days to clone a disk with a lot of bad sectors. 58 | 59 | DDRescue: disk to disk copy 60 | *************************** 61 | The destination disk must be at least as big as the original one. Be careful, two disks of the same announced capacity from different vendors or sometimes from different models of the same vendor can differ slightly in size (a few 100 MB). 62 | 63 | Ie. WD10EZRZ and WD10EZEX are two models sold by Western Digital as 1TB model, in fact the first one is 1,000,000 MB, the second one 1,000,204 MB. 64 | 65 | Before beginning, disconnect all disks, USB device, CD/DVD reader/writer not needed: there is less chance to overwrite the wrong disk. 66 | 67 | .. code-block:: none 68 | 69 | ddrescue /dev/sdb /dev/sdc sdb.log 70 | 71 | The log file :file:`sdb.log` can be used to restart the recovery. 72 | 73 | 74 | ddrutility: restricting ddrescue to NTFS allocated data block 75 | ************************************************************* 76 | When a disk contains a lot of bad sectors, it may be safer to use `ddrutility `_ to limit the copy to allocated data block from an NTFS partition. 77 | 78 | .. code-block:: none 79 | 80 | testdisk -lu /home/kmaster/data/data_for_testdisk/ntfs.dd 81 | TestDisk 7.1-WIP, Data Recovery Utility, August 2016 82 | Christophe GRENIER 83 | http://www.cgsecurity.org 84 | Please wait... 
85 | Disk /dev/sdb - 130 MB / 124 MiB - CHS 16 255 63 (RO) 86 | Sector size:512 87 | 88 | 89 | Disk /dev/sdb - 130 MB / 124 MiB - CHS 16 255 63 (RO) 90 | Partition Start End Size in sectors 91 | 1 * HPFS - NTFS 32 255487 255456 [NTFS] 92 | NTFS, blocksize=512 93 | 94 | In this example, the first NTFS partition begins at sector 32 and the sector size is 512 bytes. 95 | 96 | .. code-block:: none 97 | 98 | ddru_ntfsbitmap /dev/sdb -i $((32 * 512)) sdb1_domain 99 | ddrescue /dev/sdb sdb.dd sdb.log -m sdb1_domain 100 | 101 | 102 | -------------------------------------------------------------------------------- /dfrws2006.rst: -------------------------------------------------------------------------------- 1 | .. include:: 2 | .. include:: 3 | 4 | DFRWS 2006 Forensics Challenge 5 | ****************************** 6 | 7 | The DFRWS 2006 Forensics Challenge is a data carving challenge. It's possible to use PhotoRec to recover most files: 8 | 9 | * run :command:`photorec dfrws-2006-challenge.raw` 10 | * Choose Proceed 11 | * Go into the Options menu 12 | * Set "Paranoid : Yes (Brute force enabled)" 13 | * Set "Keep corrupted files : Yes" 14 | * Use "Quit" to return to the main menu 15 | * Choose Search 16 | * Confirm the filesystem type "[ Other ]" 17 | * Use the 'C' key to confirm the destination of the recovered files (current directory) 18 | * Wait for the recovery to finish 19 | * Quit 20 | 21 | All these steps can also be automated in a single command: 22 | 23 | .. code-block:: none 24 | 25 | photorec /log /d recup_dir /cmd dfrws-2006-challenge.raw options,paranoid_bf,keep_corrupted_file,search 26 | 27 | 28 | The file to analyze contained 32 files (not including the embedded files, such as pictures in Word documents or the files inside of ZIP files). The 32 files were used to create 22 different scenarios. 29 | Each scenario was designed to test a specific situation that might occur in a real file system.
30 | 31 | Category 1 focused on HTML files with ASCII text: 32 | * 1a) One HTML non-fragmented |check| 33 | * 1b) One HTML fragmented with a JPEG in between 34 | * 1c) One HTML fragmented with Unicode text in between 35 | * 1d) Two HTML files that are intertwined 36 | 37 | PhotoRec doesn't recover fragmented HTML correctly. 38 | 39 | Category 2 focused on Microsoft Office documents: 40 | * 2a) One Word file, non-fragmented |check| 41 | * 2b) One Word file, fragmented with 3 fragments and random data in between 42 | * 2c) One Excel file fragmented with random data in between 43 | * 2d) One Word file fragmented with a JPEG in between |check| 44 | * 2e) One Word file fragmented with text in between 45 | 46 | Category 3 focused on JPEG files: 47 | * 3a) One JPEG non-fragmented |check| 48 | * 3b) One JPEG non-fragmented, larger than a typical default max file size |check| 49 | * 3c) One JPEG non-fragmented, but sector before it has 0xffd8 in the first two bytes |check| 50 | * 3d) One JPEG fragmented with text in between |check| 51 | * 3e) One JPEG fragmented with a Word document in between |check| 52 | * 3f) One JPEG fragmented with random data in between |check| 53 | * 3g) One JPEG fragmented with a JPEG in between |check| 54 | * 3h) Two JPEGs that are intertwined 55 | * 3i) One JPEG non-fragmented that is REALLY big |check| 56 | * 3j) One JPEG fragmented with a single sector in between that starts with 0xffd9 |check| 57 | 58 | PhotoRec has good results in the JPEG category.
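Scenario 3c above (a non-JPEG sector that happens to start with 0xffd8) shows why matching the two-byte header and footer alone is not enough for carving. The following Python sketch is an added example, not PhotoRec's code or algorithm: it compares a naive header/footer carver with one that checks the byte after the header and walks the JPEG marker segments to find the real end-of-image. It goes slightly beyond the page by also placing 0xffd9 inside an APP1 payload (as an embedded thumbnail would); all function names and the sample image are constructed for illustration.

```python
"""Sector-aligned JPEG carving: naive header/footer match vs. marker walking.
Added illustration; names and the sample image are constructed, not PhotoRec's."""

SECTOR = 512
STANDALONE = {0x01, *range(0xD0, 0xD8)}  # TEM and RST0-RST7 carry no length field
# Markers that plausibly follow SOI: APPn, DQT, DHT, COM, SOF0-2, DRI (heuristic).
FIRST_MARKERS = {*range(0xE0, 0xF0), 0xDB, 0xC4, 0xFE, 0xC0, 0xC1, 0xC2, 0xDD}


def plausible_header(buf, off):
    """SOI (ff d8) must be followed directly by another marker (ff xx)."""
    return (buf[off:off + 3] == b"\xff\xd8\xff"
            and off + 3 < len(buf) and buf[off + 3] in FIRST_MARKERS)


def skip_scan(buf, pos):
    """Skip entropy-coded data after an SOS header; return the offset of the
    next real marker, or None if the data ends first."""
    while True:
        pos = buf.find(b"\xff", pos)
        if pos < 0 or pos + 1 >= len(buf):
            return None
        nxt = buf[pos + 1]
        if nxt == 0x00 or 0xD0 <= nxt <= 0xD7:  # stuffed byte or restart marker
            pos += 2
        elif nxt == 0xFF:                        # fill byte before a marker
            pos += 1
        else:
            return pos


def find_eoi(buf, off):
    """Walk segments from the SOI at `off`; return the offset just past EOI,
    or None when the structure breaks (not a JPEG, truncated or fragmented)."""
    pos, n = off + 2, len(buf)
    while pos + 2 <= n:
        if buf[pos] != 0xFF:
            return None
        marker = buf[pos + 1]
        if marker == 0xFF:            # fill byte
            pos += 1
            continue
        if marker == 0xD9:            # EOI reached at segment level
            return pos + 2
        if marker in STANDALONE:
            pos += 2
            continue
        if marker == 0x00 or pos + 4 > n:
            return None
        length = int.from_bytes(buf[pos + 2:pos + 4], "big")
        if length < 2:
            return None
        pos += 2 + length             # skip payload: ff d9 inside it is ignored
        if marker == 0xDA:            # SOS: compressed data follows the header
            pos = skip_scan(buf, pos)
            if pos is None:
                return None
    return None


def naive_carve(buf):
    """First sector starting with ff d8, up to the first ff d9 after it."""
    for off in range(0, len(buf), SECTOR):
        if buf[off:off + 2] == b"\xff\xd8":
            end = buf.find(b"\xff\xd9", off + 2)
            if end >= 0:
                return (off, end + 2)
    return None


def structural_carve(buf):
    """First sector with a plausible header whose segments lead to an EOI."""
    for off in range(0, len(buf), SECTOR):
        if plausible_header(buf, off):
            end = find_eoi(buf, off)
            if end is not None:
                return (off, end)
    return None


def segment(marker, payload):
    return bytes([0xFF, marker]) + (len(payload) + 2).to_bytes(2, "big") + payload


def build_sample():
    """Constructed image: a decoy sector starting with ff d8 (as in 3c), then
    a synthetic JPEG whose APP1 payload contains ff d8 ... ff d9."""
    thumb = b"\xff\xd8THUMB\xff\xd9"
    jpeg = (b"\xff\xd8" + segment(0xE1, b"Exif\x00\x00" + thumb)
            + segment(0xDB, bytes(65)) + segment(0xDA, bytes(10))
            + b"\x12\xff\x00\x34\xff\xd0\x56" * 40 + b"\xff\xd9")
    decoy = b"\xff\xd8 plain text sector".ljust(SECTOR, b".")
    image = decoy + jpeg
    image += bytes(-len(image) % SECTOR)
    return image, SECTOR, SECTOR + len(jpeg)


if __name__ == "__main__":
    image, start, end = build_sample()
    print("naive     :", naive_carve(image))
    print("structural:", structural_carve(image), "expected", (start, end))
```

The walker only handles contiguous files; the fragmented scenarios of the challenge need more than marker walking and are not attempted here.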
59 | 60 | Category 4 focused on ZIP files: 61 | * 4a) One ZIP file, non-fragmented |check| 62 | * 4b) One ZIP file fragmented with text in between |check| 63 | * 4c) One ZIP file fragmented with random data in between 64 | 65 | +----------+-------------------------------------------------+-----------------------------------------+-------------+----------+ 66 | | | Filename | Location | Size | md5 | 67 | +----------+-------------------------------------------------+-----------------------------------------+-------------+----------+ 68 | | | f0000000.html | 0-8 | 4608 | | 69 | +----------+-------------------------------------------------+-----------------------------------------+-------------+----------+ 70 | | 1a | f0000009_Alice_in_Wonderland_[...].html | 9-44 | 18147 | |check| | 71 | +----------+-------------------------------------------------+-----------------------------------------+-------------+----------+ 72 | | 2c | b0002051.doc | 2051-3867 4429-4435 4557-7963 ... | 4428800 | X | 73 | +----------+-------------------------------------------------+-----------------------------------------+-------------+----------+ 74 | | 3a | f0003868.jpg | 3868-4428 | 287186 | |check| | 75 | +----------+-------------------------------------------------+-----------------------------------------+-------------+----------+ 76 | | 1d | f0004436_A_STUDY_IN_SCARLET_1.1.html | 4436-4455 | 10240 | X | 77 | +----------+-------------------------------------------------+-----------------------------------------+-------------+----------+ 78 | | 1d | f0004456_1_Stave_1_Marley_s_Ghost.html | 4456-4501 | 23544 | X | 79 | +----------+-------------------------------------------------+-----------------------------------------+-------------+----------+ 80 | | 1d | f0004502.html | 4502-4556 | 27875 | fragment | 81 | +----------+-------------------------------------------------+-----------------------------------------+-------------+----------+ 82 | | 2d | f0007964_National_Park_Service.doc | 
7964-8284 9474-10031 | 450048 | |check| | 83 | +----------+-------------------------------------------------+-----------------------------------------+-------------+----------+ 84 | | 2d | f0008285.jpg | 8285-9473 | 608703 | |check| | 85 | +----------+-------------------------------------------------+-----------------------------------------+-------------+----------+ 86 | | 3d | f0011619.jpg | 11619-11822 11849-12017 | 190720 | |check| | 87 | +----------+-------------------------------------------------+-----------------------------------------+-------------+----------+ 88 | | 3d | f0011823.txt | 11823-11848 | 12828 (+2) | X | 89 | +----------+-------------------------------------------------+-----------------------------------------+-------------+----------+ 90 | | 3b | f0012222.jpg | 12222-26116 | 7113968 | |check| | 91 | +----------+-------------------------------------------------+-----------------------------------------+-------------+----------+ 92 | | 1b | f0027496_Comedy_of_Errors_Entire_Play.html | 27496-27606 | 56832 | X | 93 | +----------+-------------------------------------------------+-----------------------------------------+-------------+----------+ 94 | | 1b | f0027607.jpg | 27607-27977 | 189534 | |check| | 95 | +----------+-------------------------------------------------+-----------------------------------------+-------------+----------+ 96 | | 1b | f0027978.html | 27978-28196 | 111693 | fragment | 97 | +----------+-------------------------------------------------+-----------------------------------------+-------------+----------+ 98 | | 1c | f0028244_Chapter_cxxxiv\_-_THE_CHASE_[...].html | 28244-28306 (X) | 31850 | X | 99 | +----------+-------------------------------------------------+-----------------------------------------+-------------+----------+ 100 | | 1c | f0028307.html | 28307-28344 | 18995 | fragment | 101 | 
+----------+-------------------------------------------------+-----------------------------------------+-------------+----------+ 102 | | 4a | f0028439_4n6rodeo3-fix_copy.zip | 28439-28726 | 147150 | |check| | 103 | +----------+-------------------------------------------------+-----------------------------------------+-------------+----------+ 104 | | 4b | f0028729_file1.zip | 28729-29528 29896-31368 | 1163745 | |check| | 105 | +----------+-------------------------------------------------+-----------------------------------------+-------------+----------+ 106 | | 4b | f0029529_The_Tempest_Entire_Play.html | 29529-29895 | 187793 (-2) | X | 107 | +----------+-------------------------------------------------+-----------------------------------------+-------------+----------+ 108 | | 3h | b0031475.jpg | 31475-31532 | 29696 | X | 109 | +----------+-------------------------------------------------+-----------------------------------------+-------------+----------+ 110 | | 3h | b0031533.jpg | 31533-31887 | 181760 | X | 111 | +----------+-------------------------------------------------+-----------------------------------------+-------------+----------+ 112 | | 2a | f0032837_Fact_Sheet\_-_Permitted_and_[...].doc | 32837-33397 | 287232 | |check| | 113 | +----------+-------------------------------------------------+-----------------------------------------+-------------+----------+ 114 | | 2e | b0034288.doc | 34288-34398 34413-36291 36641-36997 | 1201664 | X | 115 | +----------+-------------------------------------------------+-----------------------------------------+-------------+----------+ 116 | | 2e | f0034399.txt | 34399-34412 | 6781 | fragment | 117 | +----------+-------------------------------------------------+-----------------------------------------+-------------+----------+ 118 | | 3c | f0036292.jpg | 36292-36640 | 178659 | |check| | 119 | 
+----------+-------------------------------------------------+-----------------------------------------+-------------+----------+ 120 | | 2b | b0036998.doc | 36998-40637 41220-41238 41610 ... | 3133440 | X | 121 | +----------+-------------------------------------------------+-----------------------------------------+-------------+----------+ 122 | | 3f | f0040638.jpg | 40638-41219 41239-41609 | 487473 | |check| | 123 | +----------+-------------------------------------------------+-----------------------------------------+-------------+----------+ 124 | | 3g | f0041611.jpg | 41611-43433 44029-44200 | 1021085 | |check| | 125 | +----------+-------------------------------------------------+-----------------------------------------+-------------+----------+ 126 | | 3g | f0043434.jpg | 43434-44028 | 304413 | |check| | 127 | +----------+-------------------------------------------------+-----------------------------------------+-------------+----------+ 128 | | 3e | f0045566.jpg | 45566-45963 46104-46826 | 573499 | |check| | 129 | +----------+-------------------------------------------------+-----------------------------------------+-------------+----------+ 130 | | 3e | f0045964_Statements_of_Financial_Condition.doc | 45964-46103 | 71680 | |check| | 131 | +----------+-------------------------------------------------+-----------------------------------------+-------------+----------+ 132 | | 3i | f0046910.jpg | 46910-94836 | 24538540 | |check| | 133 | +----------+-------------------------------------------------+-----------------------------------------+-------------+----------+ 134 | | 3j | f0094846.jpg | 94846-95628 95630-96653 | 924877 | |check| | 135 | +----------+-------------------------------------------------+-----------------------------------------+-------------+----------+ 136 | 137 | -------------------------------------------------------------------------------- /dftt_fat16_undelete.rst: 
-------------------------------------------------------------------------------- 1 | DFTT: Undelete files from a FAT16 filesystem 2 | ******************************************** 3 | 4 | Download the small `FAT filesystem `_ image archive and extract all the files. 5 | This test image is a 6MB FAT16 file system with six deleted files and two deleted directories. The files range from single cluster files to multiple fragments. 6 | 7 | To undelete all files manually, 8 | 9 | * run :command:`testdisk 6-fat-undel.dd` 10 | * Choose `Proceed`. 11 | * Non-partitioned media is detected automatically, press Enter to confirm. 12 | * Choose `Undelete`. 13 | 14 | All files and directories are deleted, so they are listed in red. 15 | 16 | * Press 'a' to select all files. 17 | 18 | The selected files and directories are now listed in green and prefixed by '*' or '<' for the currently highlighted file. 19 | 20 | * Press 'C' (uppercase) to copy all selected files and directories. 21 | * Choose a destination to copy all the files: use the arrow keys (up, down, left, right) to navigate, you can also use the enter key to enter into a directory. 22 | * Press 'C' when the destination is correct. 23 | 24 | All files are copied. 25 | 26 | * Press 'q' to quit 27 | * Choose [Quit] until you have exited all menus 28 | 29 | The usual filenames for a FAT filesystem are composed of 8 chars for the name and 3 for the extension. 30 | When a file is deleted, the first character of the filename is overwritten. TestDisk represents the lost char by an underscore `_` (e.g. :file:`_RAG1.DAT` instead of :file:`FRAG1.DAT`). 31 | If a long filename (> 8 characters) is present, it will be used instead. A benefit is that the whole filename can be displayed (e.g. `System Volume Information`). 32 | 33 | All files are recovered successfully except the 3 fragmented files. 34 | The size of these 3 files is correct but the content is wrong. 
When a file is deleted, the clusters it used are marked as free in the FAT tables, which destroys the linked list of cluster numbers that described the file. TestDisk assumes there is no fragmentation, which is not the case here. 35 | 36 | -------------------------------------------------------------------------------- /dftt_ntfs_undelete.rst: -------------------------------------------------------------------------------- 1 | DFTT: Undelete files from a NTFS filesystem 2 | ******************************************* 3 | Download the small `NTFS filesystem `_ image archive and extract all the files. This test image is a 6MB NTFS file system with eight deleted files, two deleted directories, and a deleted alternate data stream. The files range from resident files to single cluster files and multiple fragments. No data structures were modified in this process to thwart recovery. They were created in Windows XP, deleted in XP, and imaged in Linux. 4 | 5 | To undelete all files manually, 6 | 7 | * run :command:`testdisk 7-ntfs-undel.dd` 8 | * Choose `Proceed`. 9 | * Non-partitioned media is detected automatically, press Enter to confirm. 10 | * Choose `Undelete`. 11 | 12 | TestDisk lists all lost files successfully. The alternate data stream is listed as :file:`./mult1.dat:ADS`. Alternate streams are not listed in Windows Explorer, and their size is not included in the file's size. Malware has used alternate data streams to hide code. As a result, malware scanners and other special tools now check for alternate data streams. Forensic analysts should also search for them as they may be used to hide documents. 13 | 14 | * Press 'C' (uppercase) to copy all selected files and directories. 15 | * Choose a destination to copy all the files: use the arrow keys (up, down, left, right) to navigate, you can also use the enter key to enter into a directory. 16 | * Press 'C' when the destination is correct. 17 | 18 | All files are copied. 
19 | 20 | * Press 'q' to quit 21 | * Choose [Quit] until you have exited all menus 22 | 23 | -------------------------------------------------------------------------------- /forensics.rst: -------------------------------------------------------------------------------- 1 | Forensics: write blockers 2 | ************************* 3 | 4 | The content of a disk may be modified by simply connecting it to a computer: 5 | 6 | * LVM driver will sync two RAID1-like volumes if they are out of sync 7 | * Linux RAID and fake RAID will also resync the disks if they are out of sync 8 | * Auto-mounting of the filesystem will modify the last-mount date and the mount count 9 | * ext3 and ext4 will replay the journal if the filesystem is dirty. 10 | * The NTFS file system may attempt to commit or roll back unfinished transactions, and/or change flags on the volume to mark it as "in use". 11 | * The operating system will update the access time for any file accessed 12 | * Windows may create hidden folders for the recycle bin or saved hardware configuration 13 | * Virus infections or malware on the system used for analysis may attempt to infect the disk being inspected. 14 | * Automatic indexing of the files may create new files on the disk 15 | 16 | Forensic disk controllers or hardware write-blockers are most commonly associated with the process of creating a disk image, or acquisition, during forensic analysis. Their use is to prevent inadvertent modification of evidence. Protecting an evidence drive from writes during investigation is also important to counter potential allegations that the contents of the drive were altered during the investigation. Of course, this can be alleged anyway, but in the absence of technology to protect a drive from writes, there is no way for such an allegation to be refuted. 17 | 18 | A hardware write-blocker prevents modifications from the computer but it doesn't prevent a disk from modifying itself (i.e.
SMART status 19 | updates in service area each time the device is powered on). It remains the best solution to prevent accidental modifications. 20 | 21 | Without a hardware write blocker, it's still possible to reduce the risks of accidental modifications. 22 | Using a Linux computer without a graphical interface and without auto-mounting *may* be considered a good enough solution. 23 | 24 | Under Linux, :command:`blockdev` or :command:`hdparm` can be used to switch a disk to read-only: 25 | 26 | .. code-block:: none 27 | 28 | blockdev --setro /dev/sdb 29 | hdparm -r1 /dev/sdb 30 | 31 | In practice, it doesn't work! TestDisk will open these devices in read-write. 32 | 33 | 34 | A loopback device is a safer alternative: 35 | 36 | .. code-block:: none 37 | 38 | losetup -r /dev/loop0 /dev/sdb 39 | testdisk /dev/loop0 40 | 41 | This way TestDisk is forced to open the device in read-only. 42 | 43 | 44 | Loopback can also be used to mount a filesystem in read-only: 45 | .. code-block:: none 46 | 47 | losetup -r /dev/loop0 /dev/sdb 48 | partprobe /dev/loop0 49 | mkdir /mnt/p1 50 | mount -o ro /dev/loop0p1 /mnt/p1 51 | 52 | -------------------------------------------------------------------------------- /images/photorec.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cgsecurity/testdisk_documentation/1edc9921ea092449567455e32f7fb4354920c587/images/photorec.png -------------------------------------------------------------------------------- /images/testdisk.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cgsecurity/testdisk_documentation/1edc9921ea092449567455e32f7fb4354920c587/images/testdisk.png -------------------------------------------------------------------------------- /index.rst: -------------------------------------------------------------------------------- 1 | .. 
testdisk documentation master file, created by 2 | sphinx-quickstart on Wed Sep 7 15:44:38 2016. 3 | You can adapt this file completely to your liking, but it should at least 4 | contain the root `toctree` directive. 5 | 6 | testdisk 7 | ======== 8 | 9 | 10 | |testdisk| TestDisk & PhotoRec |photorec| 11 | 12 | .. |testdisk| image:: images/testdisk.png 13 | :alt: TestDisk 14 | :width: 200px 15 | 16 | .. |photorec| image:: images/photorec.png 17 | :alt: PhotoRec 18 | :width: 200px 19 | 20 | 21 | TestDisk & PhotoRec are free and open-source data recovery utilities. 22 | They can be downloaded from https://www.cgsecurity.org/. 23 | 24 | TestDisk can be used to recover lost partitions, fix boot sectors, and recover files from damaged or deleted file systems. It is mainly used to recover data from hard drives, but it can also work with other storage devices such as USB drives and memory cards. It supports a wide variety of file systems, including NTFS, exFAT, FAT, ext2, ext3, and ext4. 25 | 26 | PhotoRec is designed to recover lost files, including photos, videos, and music files, from various types of storage devices. It can recover files from hard drives, memory cards, and USB drives, and it can also recover files from digital cameras and other portable devices. 27 | 28 | .. 
toctree:: 29 | :maxdepth: 2 30 | :numbered: 31 | :includehidden: 32 | 33 | presentation 34 | installation 35 | building_from_source 36 | livecd 37 | storage 38 | running 39 | repairing_filesystem 40 | undelete 41 | partition_recovery 42 | bootable 43 | photorec 44 | photorec_custom_signature 45 | photorec_video 46 | after_using_photorec 47 | smart 48 | ddrescue 49 | scripted_run 50 | testcase 51 | unix 52 | -------------------------------------------------------------------------------- /installation.rst: -------------------------------------------------------------------------------- 1 | Installation 2 | ============ 3 | 4 | Linux: Installation of distribution package 5 | ******************************************* 6 | 7 | Arch Linux 8 | ---------- 9 | TestDisk is available in the Extra repo from `Arch Linux `_. 10 | As root, 11 | 12 | .. code-block:: none 13 | 14 | pacman -S testdisk 15 | 16 | 17 | CentOS 18 | ------ 19 | 20 | TestDisk and QPhotoRec are available in the EPEL repository for `CentOS `_. 21 | As root, 22 | 23 | .. code-block:: none 24 | 25 | yum install epel-release 26 | yum install testdisk qphotorec 27 | 28 | If the EPEL repository is disabled on your CentOS, use 29 | 30 | .. code-block:: none 31 | 32 | yum install --enablerepo=epel testdisk qphotorec 33 | 34 | ClearLinux 35 | ---------- 36 | 37 | To install the TestDisk bundle on `ClearLinux `_, run 38 | 39 | .. code-block:: none 40 | 41 | sudo swupd bundle-add testdisk 42 | 43 | Debian 44 | ------ 45 | 46 | TestDisk is available for `Debian `_. 47 | 48 | As root, 49 | 50 | .. code-block:: none 51 | 52 | apt update 53 | apt install testdisk 54 | 55 | Fedora 56 | ------ 57 | 58 | TestDisk is available for `Fedora `_. 59 | 60 | As root, 61 | 62 | .. code-block:: none 63 | 64 | dnf install testdisk qphotorec 65 | 66 | Fedora Copr 67 | ----------- 68 | 69 | `Copr `_ is an automatic build system for Fedora. It provides the latest development version. 70 | As root, 71 | 72 | .. 
code-block:: none 73 | 74 | dnf copr enable grenier/testdisk 75 | dnf install testdisk qphotorec 76 | 77 | Gentoo 78 | ------ 79 | 80 | TestDisk is available on `Gentoo `_. 81 | 82 | .. code-block:: none 83 | 84 | sudo emerge --ask app-admin/testdisk 85 | 86 | openSUSE 87 | -------- 88 | 89 | .. code-block:: none 90 | 91 | zypper refresh 92 | zypper install testdisk photorec qphotorec 93 | 94 | Ubuntu 95 | ------ 96 | As root on the `Ubuntu `_ system, 97 | 98 | .. code-block:: none 99 | 100 | apt update 101 | apt install testdisk 102 | 103 | macOS: Installation via Homebrew 104 | ******************************** 105 | 106 | Install brew from https://brew.sh if you haven't done so: 107 | 108 | .. code-block:: none 109 | 110 | /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install.sh)" 111 | 112 | Then, install testdisk: 113 | 114 | .. code-block:: none 115 | 116 | brew install testdisk 117 | 118 | Official binaries 119 | ***************** 120 | Official binaries: stable or WIP ? 121 | ---------------------------------- 122 | 123 | Using the development version (WIP=Work In Progress) is usually recommended as fixes are not backported. 124 | The WIP archive may be modified several times per week but keeps the same name. If this version doesn't start, 125 | you can always use the stable version and warn the developer of the problem with the beta version.
126 | 127 | Installation of official binaries for Windows 128 | --------------------------------------------- 129 | 130 | * Download the archive (32-bit x86 or 64-bit x64) from https://www.cgsecurity.org/wiki/TestDisk_Download 131 | * Extract all the files including the subdirectories 132 | 133 | Installation of official binaries for macOS 134 | ------------------------------------------- 135 | 136 | Download the archive from https://www.cgsecurity.org/wiki/TestDisk_Download 137 | 138 | * macOS / Mac OS X Intel / OS X 64-bit (macOS >= 10.6) 139 | * macOS / Mac OS X Intel / OS X 32-bit (macOS <= 10.14) 140 | * Mac OS X PowerPC for very old Macs (macOS <= 10.5) 141 | 142 | Extract all the files including the subdirectories 143 | 144 | Installation of official binaries for Linux 145 | ------------------------------------------- 146 | 147 | Download the archive from https://www.cgsecurity.org/wiki/TestDisk_Download 148 | Currently we have 149 | 150 | * https://www.cgsecurity.org/testdisk-7.1.linux26-x86_64.tar.bz2 for the last stable version 151 | * https://www.cgsecurity.org/testdisk-7.2-WIP.linux26-x86_64.tar.bz2 for the development version 152 | 153 | The archives contain static binaries for Intel (x86_64 or i686) platforms. They should work as-is on any 154 | recent Linux distribution. 155 | 156 | Decompress the archive; there is no need to be root: 157 | 158 | .. code-block:: none 159 | 160 | tar xjf testdisk-7.2-WIP.linux26-x86_64.tar.bz2 161 | 162 | 163 | List your files (:command:`ls`): a directory named :file:`testdisk-7.2-WIP` should have been created in the current working directory. 164 | 165 | .. warning:: The ready-to-use Linux binaries may not correctly list filenames from NTFS or exFAT filesystems. 166 | These binaries provided on cgsecurity.org are static binaries. 167 | Unfortunately, the GNU C Library’s iconv implementation uses shared loadable modules to implement the Unicode conversions. 
168 | iconv support needs to be disabled, otherwise the binaries will crash if the local glibc version doesn't match the glibc version used when compiling. 169 | -------------------------------------------------------------------------------- /livecd.rst: -------------------------------------------------------------------------------- 1 | .. _live-usb: 2 | 3 | Creating a live USB 4 | =================== 5 | If you need to repair a computer that isn't booting correctly, you can move its hard disk to a working computer or start your computer from a USB key or a DVD. 6 | It's this latter solution that will be presented here. 7 | 8 | You need a USB flash drive (also known as USB stick, thumb drive, pen drive, or jump drive) that you can erase. 9 | Note it's also possible to use a blank DVD. 10 | 11 | Download Fedora "Image Live" from https://fedoraproject.org/fr/workstation/download/ 12 | 13 | 14 | Windows 15 | ------- 16 | 17 | * Download and run `Rawrite32 `_ 18 | * Choose the Fedora image as the **Filesystem image** - if the image file is not shown, you may have to change the file selector options or change the image's extension 19 | * Choose the USB stick as the **Target** 20 | * Double-check you're really, really sure you don't need any of the data on the USB stick! 21 | * Click **Write to disk...** 22 | * Wait for the operation to complete. 23 | 24 | Linux (command line) 25 | -------------------- 26 | 27 | * Identify the name of the USB drive partition 28 | * unmount all mounted partitions from that device (Replace /run/media/user/mountpoint by the correct mountpoint) 29 | * use `dd` to do the copy (Adapt the source and destination) 30 | 31 | .. code-block:: none 32 | 33 | lsblk 34 | umount /run/media/user/mountpoint 35 | sudo dd if=/path/to/image.iso of=/dev/sdX bs=8M status=progress oflag=direct 36 | 37 | Wait until the command completes.
38 | If you receive ``dd: invalid status flag: ‘progress’ error``, your dd version doesn't support ``status=progress`` option and you'll need to remove it (and you won't see writing progress). 39 | 40 | .. warning:: The :command:`dd` command is very powerful and can destroy any existing data on the specified device. 41 | Make **absolutely sure** of the device name to write to and do not mistype the device name when using :command:`dd`! 42 | 43 | Linux (GNOME) 44 | ------------- 45 | 46 | This method is for people running Linux with GNOME, Nautilus and the GNOME Disk Utility installed. A standard installation of Fedora, or a standard GNOME installation of many other distributions, should be able to use this method. On Fedora, ensure the packages nautilus and gnome-disk-utility are installed. Similar graphical direct-write tools may be available for other desktops. 47 | 48 | * Download a Fedora image, choose a USB stick that does not contain any data you need, and connect it 49 | * Run Nautilus (Files) - for instance, open the Overview by pressing the Start/Super key, and type *Files*, then hit enter 50 | * Find the downloaded image, right-click on it, go to **Open With**, and click **Disk Image Writer** 51 | * Double-check you're really, really sure you don't need any of the data on the USB stick! 52 | * Select your USB stick as the **Destination**, and click **Start Restoring...** 53 | * Wait for the operation to complete, then reboot your computer, and do whatever you need to do to boot from a USB stick - often this will involve pressing or holding down **F12**, **F2** or **Del**. 54 | 55 | OS X 56 | ---- 57 | 58 | * Open a terminal 59 | * Run :command:`diskutil list`. This will list all disks connected to the system, as :file:`/dev/rdisk1`, :file:`/dev/rdisk2` and so on. Identify - very carefully! - which one corresponds to the USB stick you wish to use as destination. 
Hereafter, we'll assume it was :file:`/dev/rdisk2` - modify the commands as appropriate for your stick. 60 | * Run :command:`diskutil unmountDisk /dev/rdisk2` 61 | * Type :command:`dd if=`, then drag and drop the Fedora image file to the terminal window - this should result in its filesystem location being appended to the command. Now complete the command with :command:`of=/dev/rdisk2 bs=1m`, but *don't hit Enter yet*. You should wind up with something like :command:`sudo dd if=/Volumes/Images/Fedora-Live-Desktop-x86_64-20-1.iso of=/dev/rdisk2 bs=1m` 62 | * Double-check you have the correct disk number and you're really, really sure you don't need any of the data on the USB stick! 63 | * Hit Enter 64 | 65 | Starting from the USB stick 66 | --------------------------- 67 | Plug the USB key into the damaged computer, boot it, and do whatever you need to do to boot from a USB stick - often this will involve pressing or holding down **F12**, **F2** or **Del**. 68 | If you are using a Mac computer, hold down the left Alt/Option key to access the boot menu - you should see a Fedora logo. Click this to boot. 69 | 70 | Original source of this page: https://docs.fedoraproject.org/en-US/quick-docs/creating-and-using-a-live-installation-image/index.html 71 | -------------------------------------------------------------------------------- /make.bat: -------------------------------------------------------------------------------- 1 | @ECHO OFF 2 | 3 | REM Command file for Sphinx documentation 4 | 5 | if "%SPHINXBUILD%" == "" ( 6 | set SPHINXBUILD=sphinx-build 7 | ) 8 | set BUILDDIR=_build 9 | set ALLSPHINXOPTS=-d %BUILDDIR%/doctrees %SPHINXOPTS% . 10 | set I18NSPHINXOPTS=%SPHINXOPTS% . 
11 | if NOT "%PAPER%" == "" ( 12 | set ALLSPHINXOPTS=-D latex_paper_size=%PAPER% %ALLSPHINXOPTS% 13 | set I18NSPHINXOPTS=-D latex_paper_size=%PAPER% %I18NSPHINXOPTS% 14 | ) 15 | 16 | if "%1" == "" goto help 17 | 18 | if "%1" == "help" ( 19 | :help 20 | echo.Please use `make ^` where ^ is one of 21 | echo. html to make standalone HTML files 22 | echo. dirhtml to make HTML files named index.html in directories 23 | echo. singlehtml to make a single large HTML file 24 | echo. pickle to make pickle files 25 | echo. json to make JSON files 26 | echo. htmlhelp to make HTML files and a HTML help project 27 | echo. qthelp to make HTML files and a qthelp project 28 | echo. devhelp to make HTML files and a Devhelp project 29 | echo. epub to make an epub 30 | echo. epub3 to make an epub3 31 | echo. latex to make LaTeX files, you can set PAPER=a4 or PAPER=letter 32 | echo. text to make text files 33 | echo. man to make manual pages 34 | echo. texinfo to make Texinfo files 35 | echo. gettext to make PO message catalogs 36 | echo. changes to make an overview over all changed/added/deprecated items 37 | echo. xml to make Docutils-native XML files 38 | echo. pseudoxml to make pseudoxml-XML files for display purposes 39 | echo. linkcheck to check all external links for integrity 40 | echo. doctest to run all doctests embedded in the documentation if enabled 41 | echo. coverage to run coverage check of the documentation if enabled 42 | echo. dummy to check syntax errors of document sources 43 | goto end 44 | ) 45 | 46 | if "%1" == "clean" ( 47 | for /d %%i in (%BUILDDIR%\*) do rmdir /q /s %%i 48 | del /q /s %BUILDDIR%\* 49 | goto end 50 | ) 51 | 52 | 53 | REM Check if sphinx-build is available and fallback to Python version if any 54 | %SPHINXBUILD% 1>NUL 2>NUL 55 | if errorlevel 9009 goto sphinx_python 56 | goto sphinx_ok 57 | 58 | :sphinx_python 59 | 60 | set SPHINXBUILD=python -m sphinx.__init__ 61 | %SPHINXBUILD% 2> nul 62 | if errorlevel 9009 ( 63 | echo. 
64 | echo.The 'sphinx-build' command was not found. Make sure you have Sphinx 65 | echo.installed, then set the SPHINXBUILD environment variable to point 66 | echo.to the full path of the 'sphinx-build' executable. Alternatively you 67 | echo.may add the Sphinx directory to PATH. 68 | echo. 69 | echo.If you don't have Sphinx installed, grab it from 70 | echo.http://sphinx-doc.org/ 71 | exit /b 1 72 | ) 73 | 74 | :sphinx_ok 75 | 76 | 77 | if "%1" == "html" ( 78 | %SPHINXBUILD% -b html %ALLSPHINXOPTS% %BUILDDIR%/html 79 | if errorlevel 1 exit /b 1 80 | echo. 81 | echo.Build finished. The HTML pages are in %BUILDDIR%/html. 82 | goto end 83 | ) 84 | 85 | if "%1" == "dirhtml" ( 86 | %SPHINXBUILD% -b dirhtml %ALLSPHINXOPTS% %BUILDDIR%/dirhtml 87 | if errorlevel 1 exit /b 1 88 | echo. 89 | echo.Build finished. The HTML pages are in %BUILDDIR%/dirhtml. 90 | goto end 91 | ) 92 | 93 | if "%1" == "singlehtml" ( 94 | %SPHINXBUILD% -b singlehtml %ALLSPHINXOPTS% %BUILDDIR%/singlehtml 95 | if errorlevel 1 exit /b 1 96 | echo. 97 | echo.Build finished. The HTML pages are in %BUILDDIR%/singlehtml. 98 | goto end 99 | ) 100 | 101 | if "%1" == "pickle" ( 102 | %SPHINXBUILD% -b pickle %ALLSPHINXOPTS% %BUILDDIR%/pickle 103 | if errorlevel 1 exit /b 1 104 | echo. 105 | echo.Build finished; now you can process the pickle files. 106 | goto end 107 | ) 108 | 109 | if "%1" == "json" ( 110 | %SPHINXBUILD% -b json %ALLSPHINXOPTS% %BUILDDIR%/json 111 | if errorlevel 1 exit /b 1 112 | echo. 113 | echo.Build finished; now you can process the JSON files. 114 | goto end 115 | ) 116 | 117 | if "%1" == "htmlhelp" ( 118 | %SPHINXBUILD% -b htmlhelp %ALLSPHINXOPTS% %BUILDDIR%/htmlhelp 119 | if errorlevel 1 exit /b 1 120 | echo. 121 | echo.Build finished; now you can run HTML Help Workshop with the ^ 122 | .hhp project file in %BUILDDIR%/htmlhelp. 
123 | goto end 124 | ) 125 | 126 | if "%1" == "qthelp" ( 127 | %SPHINXBUILD% -b qthelp %ALLSPHINXOPTS% %BUILDDIR%/qthelp 128 | if errorlevel 1 exit /b 1 129 | echo. 130 | echo.Build finished; now you can run "qcollectiongenerator" with the ^ 131 | .qhcp project file in %BUILDDIR%/qthelp, like this: 132 | echo.^> qcollectiongenerator %BUILDDIR%\qthelp\testdisk.qhcp 133 | echo.To view the help file: 134 | echo.^> assistant -collectionFile %BUILDDIR%\qthelp\testdisk.ghc 135 | goto end 136 | ) 137 | 138 | if "%1" == "devhelp" ( 139 | %SPHINXBUILD% -b devhelp %ALLSPHINXOPTS% %BUILDDIR%/devhelp 140 | if errorlevel 1 exit /b 1 141 | echo. 142 | echo.Build finished. 143 | goto end 144 | ) 145 | 146 | if "%1" == "epub" ( 147 | %SPHINXBUILD% -b epub %ALLSPHINXOPTS% %BUILDDIR%/epub 148 | if errorlevel 1 exit /b 1 149 | echo. 150 | echo.Build finished. The epub file is in %BUILDDIR%/epub. 151 | goto end 152 | ) 153 | 154 | if "%1" == "epub3" ( 155 | %SPHINXBUILD% -b epub3 %ALLSPHINXOPTS% %BUILDDIR%/epub3 156 | if errorlevel 1 exit /b 1 157 | echo. 158 | echo.Build finished. The epub3 file is in %BUILDDIR%/epub3. 159 | goto end 160 | ) 161 | 162 | if "%1" == "latex" ( 163 | %SPHINXBUILD% -b latex %ALLSPHINXOPTS% %BUILDDIR%/latex 164 | if errorlevel 1 exit /b 1 165 | echo. 166 | echo.Build finished; the LaTeX files are in %BUILDDIR%/latex. 167 | goto end 168 | ) 169 | 170 | if "%1" == "latexpdf" ( 171 | %SPHINXBUILD% -b latex %ALLSPHINXOPTS% %BUILDDIR%/latex 172 | cd %BUILDDIR%/latex 173 | make all-pdf 174 | cd %~dp0 175 | echo. 176 | echo.Build finished; the PDF files are in %BUILDDIR%/latex. 177 | goto end 178 | ) 179 | 180 | if "%1" == "latexpdfja" ( 181 | %SPHINXBUILD% -b latex %ALLSPHINXOPTS% %BUILDDIR%/latex 182 | cd %BUILDDIR%/latex 183 | make all-pdf-ja 184 | cd %~dp0 185 | echo. 186 | echo.Build finished; the PDF files are in %BUILDDIR%/latex. 
187 | goto end 188 | ) 189 | 190 | if "%1" == "text" ( 191 | %SPHINXBUILD% -b text %ALLSPHINXOPTS% %BUILDDIR%/text 192 | if errorlevel 1 exit /b 1 193 | echo. 194 | echo.Build finished. The text files are in %BUILDDIR%/text. 195 | goto end 196 | ) 197 | 198 | if "%1" == "man" ( 199 | %SPHINXBUILD% -b man %ALLSPHINXOPTS% %BUILDDIR%/man 200 | if errorlevel 1 exit /b 1 201 | echo. 202 | echo.Build finished. The manual pages are in %BUILDDIR%/man. 203 | goto end 204 | ) 205 | 206 | if "%1" == "texinfo" ( 207 | %SPHINXBUILD% -b texinfo %ALLSPHINXOPTS% %BUILDDIR%/texinfo 208 | if errorlevel 1 exit /b 1 209 | echo. 210 | echo.Build finished. The Texinfo files are in %BUILDDIR%/texinfo. 211 | goto end 212 | ) 213 | 214 | if "%1" == "gettext" ( 215 | %SPHINXBUILD% -b gettext %I18NSPHINXOPTS% %BUILDDIR%/locale 216 | if errorlevel 1 exit /b 1 217 | echo. 218 | echo.Build finished. The message catalogs are in %BUILDDIR%/locale. 219 | goto end 220 | ) 221 | 222 | if "%1" == "changes" ( 223 | %SPHINXBUILD% -b changes %ALLSPHINXOPTS% %BUILDDIR%/changes 224 | if errorlevel 1 exit /b 1 225 | echo. 226 | echo.The overview file is in %BUILDDIR%/changes. 227 | goto end 228 | ) 229 | 230 | if "%1" == "linkcheck" ( 231 | %SPHINXBUILD% -b linkcheck %ALLSPHINXOPTS% %BUILDDIR%/linkcheck 232 | if errorlevel 1 exit /b 1 233 | echo. 234 | echo.Link check complete; look for any errors in the above output ^ 235 | or in %BUILDDIR%/linkcheck/output.txt. 236 | goto end 237 | ) 238 | 239 | if "%1" == "doctest" ( 240 | %SPHINXBUILD% -b doctest %ALLSPHINXOPTS% %BUILDDIR%/doctest 241 | if errorlevel 1 exit /b 1 242 | echo. 243 | echo.Testing of doctests in the sources finished, look at the ^ 244 | results in %BUILDDIR%/doctest/output.txt. 245 | goto end 246 | ) 247 | 248 | if "%1" == "coverage" ( 249 | %SPHINXBUILD% -b coverage %ALLSPHINXOPTS% %BUILDDIR%/coverage 250 | if errorlevel 1 exit /b 1 251 | echo. 
252 | echo.Testing of coverage in the sources finished, look at the ^ 253 | results in %BUILDDIR%/coverage/python.txt. 254 | goto end 255 | ) 256 | 257 | if "%1" == "xml" ( 258 | %SPHINXBUILD% -b xml %ALLSPHINXOPTS% %BUILDDIR%/xml 259 | if errorlevel 1 exit /b 1 260 | echo. 261 | echo.Build finished. The XML files are in %BUILDDIR%/xml. 262 | goto end 263 | ) 264 | 265 | if "%1" == "pseudoxml" ( 266 | %SPHINXBUILD% -b pseudoxml %ALLSPHINXOPTS% %BUILDDIR%/pseudoxml 267 | if errorlevel 1 exit /b 1 268 | echo. 269 | echo.Build finished. The pseudo-XML files are in %BUILDDIR%/pseudoxml. 270 | goto end 271 | ) 272 | 273 | if "%1" == "dummy" ( 274 | %SPHINXBUILD% -b dummy %ALLSPHINXOPTS% %BUILDDIR%/dummy 275 | if errorlevel 1 exit /b 1 276 | echo. 277 | echo.Build finished. Dummy builder generates no files. 278 | goto end 279 | ) 280 | 281 | :end 282 | -------------------------------------------------------------------------------- /partition_recovery.rst: -------------------------------------------------------------------------------- 1 | Recovering deleted partition using TestDisk 2 | =========================================== 3 | 4 | When a partition is deleted or if the partition table is corrupted, the filesystems remain on the disk but their location is unknown and no data can be accessed. 5 | TestDisk can search partitions and rewrite the partition table with the partitions selected by the user. 6 | 7 | Start testdisk 8 | -------------- 9 | 10 | * :ref:`running_testdisk_win` 11 | * :ref:`running_testdisk_linux` 12 | * :ref:`running_testdisk_macos` 13 | 14 | Log creation 15 | ------------ 16 | 17 | * Choose Create unless you have a reason to append data to the log or if you execute TestDisk from read only media and can't create it elsewhere. 18 | * Press Enter to proceed. 19 | 20 | If you have chosen to create the log file, TestDisk tries to create a file named :file:`testdisk.log` in the current directory. 21 | 22 | .. 
note:: Windows users, if you have difficulty finding the :file:`testdisk.log` file, in File Explorer under View, in the Show/hide group, select the File name extensions check box. 23 | 24 | Disk selection 25 | -------------- 26 | All hard drives should be detected and listed with the correct size by TestDisk. 27 | 28 | * Use up/down arrow keys to select your hard drive with the lost partition/s. 29 | * Press Enter to Proceed. 30 | 31 | .. note:: macOS - If available, use raw device :file:`/dev/rdisk*` instead of :file:`/dev/disk*` for faster data transfer. 32 | 33 | .. warning:: macOS - If no disk is listed, select `System Settings` --> `Privacy & Security` --> `Full Disk Access` --> Use `+` to add `Terminal` (or `TestDisk` itself) 34 | 35 | .. warning:: Windows - Do not select :file:`C:`, :file:`D:` or another drive letter. It's useless to search for partitions inside a partition. 36 | 37 | Partition table type selection 38 | ------------------------------ 39 | TestDisk displays the partition table types. 40 | * Select the partition table type - usually the default value is the correct one as TestDisk auto-detects the partition table type. 41 | * Press Enter to Proceed. 42 | 43 | .. note:: You should select the partition table type that was used when you had access to your data. 44 | 45 | Analyze current partition table 46 | ------------------------------- 47 | 48 | * Select **Analyse** 49 | * Confirm with the Enter key 50 | * TestDisk will list the current partition table. 51 | 52 | If a partition is damaged or a partition entry corrupted, the problem will be listed and the partition listed twice. 53 | For example, if you see "Invalid NTFS or exFAT boot" on a partition you want to access (partition size is OK, the partition doesn't overlap another one...), it's better to fix this problem ( 54 | :ref:`repairing_ntfs_boot_sector`) before searching for other partitions.
55 | 56 | * Confirm at **Quick Search** to proceed 57 | 58 | 59 | Quick Search for partitions 60 | --------------------------- 61 | 62 | TestDisk displays the first results in real time. If necessary, you can choose Stop to abort the quick search. 63 | TestDisk lists all partitions it has found. 64 | To list the files of a FAT, exFAT, NTFS, ext2/3/4 filesystem, highlight this partition and press **P**. Press **Q** to return to the partition list. 65 | 66 | Search for more partitions 67 | -------------------------- 68 | 69 | If a partition is still missing, choose **[Deeper Search]**. It can take a few hours, so you need to be certain that your computer will not sleep (Power management feature...) 70 | 71 | Partitions selection 72 | -------------------- 73 | 74 | Partitions listed as D(eleted) will not be recovered if you leave them listed as deleted. 75 | Use the arrow keys to switch the partitions you want to recover (check the partition size, list the file contents...) from D(eleted) to \*(bootable), P(rimary) or L(ogical). 76 | Only one partition can be listed as \*(bootable). It is not a problem if a partition is marked as bootable on a disk you will not start from (e.g. an external disk) but there MUST be a bootable partition on a disk you want to start your computer from. 77 | 78 | Once all the partitions you want to keep and all the partitions you want to recover are properly marked as non-deleted, continue to the next screen. 79 | Review the partition list. If all partitions are listed, and only in this case, confirm at Write with Enter, y and OK. 80 | Now, the partitions are registered in the partition table. 81 | 82 | If a FAT32 or an NTFS partition was found using its backup boot sector, TestDisk will let you rewrite the main boot sector with the content of the backup boot sector: to copy the backup of the boot sector over the boot sector, select Backup BS, validate with Enter, use y to confirm. 83 | 84 | Restart your computer.
85 | -------------------------------------------------------------------------------- /photorec.rst: -------------------------------------------------------------------------------- 1 | Recovering deleted files using PhotoRec 2 | ======================================= 3 | 4 | PhotoRec doesn't recover the original filenames or the file structure but it can recover lost files even from corrupted filesystem. 5 | PhotoRec is a signature based file recovery utility (a file carver) and may be able to recover your data where other methods failed. 6 | 7 | Remember, you must avoid writing anything on the filesystem that was holding the data. If you do, 8 | deleted files may be overwritten by new ones. 9 | 10 | Start PhotoRec 11 | ************** 12 | 13 | * :ref:`running_testdisk_win` 14 | * :ref:`running_testdisk_linux` 15 | * :ref:`running_testdisk_macos` 16 | 17 | Disk selection 18 | ************** 19 | Available media are listed. Use up/down arrow keys to select the disk that holds the lost files. 20 | 21 | * Use up/down arrow keys to select your hard drive with the lost partition/s. 22 | * Press Enter to Proceed. 23 | 24 | Hint for macOS: If available, use raw device :file:`/dev/rdisk*` instead of :file:`/dev/disk*` for faster data transfer. 25 | 26 | .. warning:: macOS - If no disk is listed, select `System Settings` --> `Privacy & Security` --> `Full Disk Access` --> Use `+` to add `Terminal` ( or `PhotoRec` itself) 27 | 28 | 29 | Source partition selection 30 | ************************** 31 | Choose 32 | * ``Search`` after selecting the partition that holds the lost files to start the recovery, 33 | * ``Options`` to modify the options, 34 | * ``File Opt`` to modify the list of file types recovered by PhotoRec. 35 | 36 | PhotoRec options 37 | **************** 38 | * ``Paranoid`` By default, recovered files are verified and invalid files rejected. 
Enable ``bruteforce`` if you want to recover more fragmented JPEG files. Note that it is a very CPU-intensive operation that starts after the normal scan process. 39 | * The ``expert mode`` option allows the user to force the file system block size and the offset. Each filesystem has its own block size (a multiple of the sector size) and offset (0 for NTFS, exFAT, ext2/3/4); these values are fixed when the filesystem is created/formatted. When working on the whole disk (i.e. original partitions are lost) or a reformatted partition, if PhotoRec has found very few files, you may want to try the minimal value that PhotoRec lets you select (it's the sector size) for the block size (0 will be used for the offset). 40 | * Enable ``Keep corrupted files`` to keep files even if they are invalid in the hope that data may still be salvaged from an invalid file using other tools. 41 | * Enable ``Low memory`` if your system does not have enough memory and crashes during recovery. It may be needed for large file systems that are heavily fragmented. Do not use this option unless absolutely necessary. 42 | 43 | Selection of files to recover 44 | ***************************** 45 | In ``FileOpts``, enable or disable the recovery of certain file types, for example, 46 | 47 | .. code-block:: none 48 | 49 | [X] riff RIFF audio/video: wav, cdr, avi 50 | ... 51 | [X] tif Tag Image File Format and some raw file formats (pef/nef/dcr/sr2/cr2) 52 | ... 53 | [X] zip zip archive including OpenOffice and MSOffice 2007 54 | 55 | The whole list of file formats recovered by PhotoRec contains more than 300 file families representing more than 480 file extensions. 56 | 57 | .. warning:: For some file formats, PhotoRec can determine the original filesize from the file header. For the others, PhotoRec stops appending data to the file it is currently recovering when a new file header is found. So disabling too many file formats leads to numerous overlarge files.
58 | 59 | 60 | File system type 61 | **************** 62 | Once a partition has been selected and validated with ``Search``, PhotoRec needs to know how the data blocks are allocated. 63 | Unless it is an ext2/ext3/ext4 filesystem, choose ``Other``. 64 | 65 | Carve the partition or unallocated space only 66 | ********************************************* 67 | 68 | PhotoRec can search files 69 | 70 | * from the whole partition (useful if the filesystem is corrupted) or 71 | * from the unallocated space only (available for ext2/ext3/ext4, FAT12/FAT16/FAT32 and NTFS). With this option only deleted files are recovered. 72 | 73 | Select where recovered files should be written 74 | ********************************************** 75 | Choose the directory where the recovered files should be written. Use the arrow keys (up, down, left, right) to navigate, you can also use the enter key to enter into a directory. 76 | 77 | * Dos/Windows/Os2: To get the drive list (:file:`C:`, :file:`D:`, :file:`E:`, etc.), use the arrow keys to select :file:`..`, press the ``Enter`` key - repeat until you can select the drive of your choice. Validate with ``Y`` es when you get the expected destination. 78 | * Linux: File system from external disk may be available in a :file:`/media`, :file:`/mnt` or :file:`/run/media` sub-directory. Mount your destination drive if necessary. 79 | * macOS: Partitions from external disk are usually mounted in :file:`/Volumes`. 80 | 81 | .. warning:: Do not store the recovered files on the source filesystem. Otherwise lost data may be overwritten and definitively lost. 82 | 83 | .. warning:: Avoid choosing a FAT32 filesystem for the destination as it doesn't handle file over 4 GB. 84 | 85 | 86 | Recovery in progress 87 | ******************** 88 | Number of recovered files is updated in real time. 89 | * During pass 0, PhotoRec searches the first 10 files to determine the block size. 
This step is skipped when searching files from the unallocated space only; the block size value found in the filesystem structure is used instead. 90 | * During pass 1 and later, files are recovered including some fragmented files. 91 | 92 | Recovered files are written in :file:`recup_dir.1`, :file:`recup_dir.2`... sub-directories. It's possible to access the files even if the recovery is not finished. 93 | 94 | Recovery is completed 95 | ********************* 96 | When the recovery is complete, a summary is displayed. Note that if you interrupt the recovery, the next time PhotoRec is restarted you will be asked to resume the recovery. 97 | 98 | * Thumbnails found inside pictures are saved as :file:`t*.jpg` 99 | * If you have chosen to keep corrupted files/file fragments, their filenames will begin with the letter ``b`` (roken). 100 | * Windows: You may have disabled your live antivirus protection during the recovery to speed up the process, but it's recommended to scan the recovered files for viruses before opening them - PhotoRec may have undeleted an infected document or a Trojan. 101 | * Hint: When looking for a specific file, sort your recovered files by extension and/or date/time. PhotoRec uses time information (metadata) when available in the file header to set the file modification time. 102 | 103 | .. note:: Windows - You may need to take ownership of the :file:`recup_dir.*` folders: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753659(v=ws.11) 104 | 105 | .. note:: macOS / Linux - To change the owner of the files, run :command:`sudo chown -R username recup_dir.*` 106 | 107 | 108 | PhotoRec: file name and date 109 | **************************** 110 | By default, files are saved in directories named :file:`recup_dir.1`, :file:`recup_dir.2`... 111 | A new directory is created every 500 files (the thumb files are not included in this count, nor the :file:`report.xml` file).
112 | A filename begins with a letter followed by a number (7 digits or more) and ends with a file extension, if any. 113 | 114 | Letter meaning: 115 | 116 | * f=file 117 | * b=broken 118 | * t=jpeg embedded thumbnail 119 | 120 | The number is the file location minus the partition offset, with the result divided by the sector size. For some filesystems like NTFS, exFAT, ext2/3/4, this number may be identical to the original cluster/block number when the block size is equal to the sector size. 121 | 122 | Using metadata information embedded in the recovered file, the file may be renamed to include the document title (for example, Microsoft Office doc/xls/ppt or Acrobat PDF files) like 123 | :file:`recup_dir.1/f0016741_Prudent_Engineering_Practice_for_Cryptographic_Protocols.pdf`. 124 | 125 | By default, the file creation and modification times correspond to the data recovery time. Some file formats may embed date/time information (e.g. jpg pictures taken by a digital camera, Microsoft Office documents); PhotoRec will try to reuse it. This way, it may be easier to sort the recovered files. For forensic purposes, do not trust this information blindly: the date/time information may be off by a few hours (no or wrong timezone information) or totally wrong (the original device clock may have a wrong date/time setting). 126 | 127 | PhotoRec: matching filename and data location 128 | ********************************************* 129 | Let's take an example. PhotoRec has recovered a file and named it :file:`f0017088.txt`. 130 | This file begins at sector 17088 of this partition. 131 | 132 | It comes from a Linux partition starting at sector 411648 as seen in the PhotoRec interface 133 | 134 | .. code-block:: none 135 | 136 | > 2 P MS Data 411648 1460223 1048576 [/boot] [/boot] 137 | 138 | The :file:`report.xml` file records the sector size (sectorsize) and the partition offset (img_offset) 139 | 140 | ..
code-block:: none 141 | 142 | 143 | /dev/sda 144 | 512 145 | CT500MX500SSD1 146 | 500107862016 147 | 148 | 149 | 150 | 151 | 4096 152 | 153 | 154 | 155 | The command :command:`testdisk -lu` shows the same information: 156 | 157 | .. code-block:: none 158 | 159 | Disk /dev/sda - 500 GB / 465 GiB - CHS 60801 255 63 160 | Sector size:512 161 | ... 162 | 163 | Disk /dev/sda - 500 GB / 465 GiB - CHS 60801 255 63 164 | Partition Start End Size in sectors 165 | 1 P EFI System 2048 411647 409600 [EFI System Partition] 166 | 2 P MS Data 411648 1460223 1048576 [/boot] [/boot] 167 | ext4 blocksize=4096 Large_file Sparse_SB Recover 168 | 169 | 170 | An offset of 210763776 bytes is an offset of 411648 sectors for a sector size of 512 bytes. 171 | This file begins at sector 411648 from the beginning of the disk. 172 | 173 | 174 | :file:`report.xml` shows that the file was beginning at 219512832 bytes from the start of the disk. 175 | 176 | .. code-block:: none 177 | 178 | 179 | 180 | f0017088.txt 181 | 1024 182 | 183 | 184 | 185 | 186 | 187 | (219512832-210763776)/512=17088: this file is beginning at sector 17088 of this partition. 188 | 189 | For NTFS, exFAT, ext2/3/4, if you need to get the first cluster or block of the file, divide the offset by the cluster size. 190 | In this example, the first cluster is 2136: (219512832-210763776)/4096=2136 or if you are using the filename: 17088*512/4096=2136 191 | -------------------------------------------------------------------------------- /photorec_custom_signature.rst: -------------------------------------------------------------------------------- 1 | Creating custom signature for PhotoRec 2 | ====================================== 3 | 4 | PhotoRec recognizes numerous file formats. More than 480 file extensions (about 300 file families) are referenced. 5 | In example, PhotoRec is able to identify the JPEG file format and it can recover lost files using this format whatever the original file extension (jpg, jpeg, JPG...). 
6 | 7 | To check if a file format is already recognized, you can 8 | 9 | * consult the `file formats `_. 10 | * submit a sample file to the `PhotoRec online checker `_. 11 | * use :command:`fidentify` on a file sample (See :ref:`running_fidentify_win` or :ref:`running_fidentify_linux`) 12 | 13 | .. code-block:: none 14 | 15 | [kmaster@adsl ~]$ fidentify /home/kmaster/src/testfiles/sample.pfi 16 | /home/kmaster/src/testfiles/sample.pfi: unknown 17 | 18 | 19 | In this case, the file type is listed as **unknown**, so PhotoRec can't recover this kind of file, at least for the moment. We will check if it's possible to add a custom signature for it. 20 | 21 | If instead of unknown an extension is listed, PhotoRec knows this file format, it may recover the file with another extension than the extension you are used to. 22 | 23 | Signature Syntax 24 | **************** 25 | 26 | The file must contain one signature definition per line. A signature is composed of 27 | 28 | * extension name 29 | * offset of the signature 30 | * signature or magic value 31 | 32 | The magic value can be composed of 33 | 34 | * a string, e.g. "data". Special characters can be escaped like "\b", "\n", "\r", "\t", "\0" or "\\". 35 | * hexadecimal data, e.g. 0x12, 0x1234, 0x123456... Note that `0x123456`, `0x12 0x34 0x56` and `0x12, 0x34, 0x56` are equivalents. 36 | * space or comma delimiters are ignored 37 | 38 | By using an hexadecimal editor, you can see that the :file:`pfi` file from our example begins by a distinctive string `PhotoFiltre Image` at offset 0. 39 | 40 | .. code-block:: none 41 | 42 | [kmaster@adsl ~]$ hexdump -C /home/kmaster/src/testfiles/sample.pfi | head 43 | 00000000 50 68 6f 74 6f 46 69 6c 74 72 65 20 49 6d 61 67 |PhotoFiltre Imag| 44 | 00000010 65 03 40 06 00 00 b0 04 00 00 40 19 01 00 40 19 |e.@.......@...@.| 45 | 00000020 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| 46 | 47 | The signature can be written as 48 | 49 | .. 
code-block:: none 50 | 51 | pfi 0 "PhotoFiltre Image" 52 | 53 | or 54 | 55 | .. code-block:: none 56 | 57 | pfi 0 "PhotoFiltre", 0x20, "Image" 58 | 59 | or if you prefer hexadecimal 60 | 61 | .. code-block:: none 62 | 63 | pfi 0 0x50686f746f46696c74726520496d616765 64 | 65 | From the :command:`fidentify`/:command:`photorec` point of view, the signatures are identical. 66 | 67 | .. warning:: 68 | Be careful, :command:`hexdump` displays non-printable chars as dots. The following signature is wrong: 69 | 70 | .. code-block:: none 71 | 72 | pfi 0 "PhotoFiltre Image." 73 | 74 | This signature using a hexadecimal value instead of a dot is correct: 75 | 76 | .. code-block:: none 77 | 78 | pfi 0 "PhotoFiltre Image", 0x03 79 | 80 | 81 | 82 | File location 83 | ************* 84 | 85 | PhotoRec searches for the signature file named 86 | 87 | * Windows: :file:`photorec.sig` in the `USERPROFILE` or `HOMEPATH` directory, e.g. :file:`C:\\Documents and Settings\\bob\\` or :file:`C:\\Users\\bob`. 88 | * Linux and macOS: :file:`.photorec.sig` in the `HOME` directory, e.g. :file:`/home/bob` 89 | * :file:`photorec.sig` in the current directory 90 | 91 | This file doesn't exist by default; you need to create one. 92 | Using a text editor (e.g. notepad, vim...), create the signature file and add the signature you have identified. 93 | 94 | Check your custom signature with fidentify 95 | ****************************************** 96 | 97 | :command:`fidentify` now correctly identifies the file 98 | 99 | .. code-block:: none 100 | 101 | [kmaster@adsl ~]$ fidentify /home/kmaster/src/testfiles/sample.pfi 102 | /home/kmaster/src/testfiles/sample.pfi: pfi 103 | 104 | If :command:`fidentify` doesn't recognize the signature, 105 | 106 | * check your signature, it may be incorrect 107 | * **verify that the signature file is a true ASCII text file**. It must not begin with, for example, `EF BB BF` (UTF-8 Byte Order Mark) or `FF FE` (UTF-16 LE BOM).
108 | * verify the filename of your signature file 109 | 110 | Run PhotoRec 111 | ************ 112 | 113 | You are now ready to use PhotoRec with your custom signature to recover your files. 114 | If a signature file is present, PhotoRec will use it by default. 115 | 116 | .. warning:: 117 | If you are using a :file:`.photorec.sig` in your `HOME` directory, be warned that when running photorec as root (i.e. via the :command:`sudo` command), photorec will search in :file:`/root/.photorec.sig`, not in your user home directory. So you may have to copy the :file:`.photorec.sig` file first. 118 | 119 | 120 | Improved file recovery 121 | ********************** 122 | 123 | To control all aspects of the recovery (file content check, file size control, footer detection...), 124 | the best way to add a signature, if you are a developer, is to `modify PhotoRec `_ itself. 125 | 126 | **Commercial support is also available from the author** grenier@cgsecurity.org. 127 | -------------------------------------------------------------------------------- /photorec_video.rst: -------------------------------------------------------------------------------- 1 | Recovering lost videos from a memory card using PhotoRec 2 | ======================================================== 3 | 4 | Due to the way videos are recorded, all videos created by some digital cameras (e.g. Canon 5D Mark III, Panasonic DMC-TZ80's photos in burst mode) are fragmented on the memory card. Data recovery software, PhotoRec included, expects non-fragmented files. 5 | 6 | If all videos (.mov / .mp4) recovered by PhotoRec are unreadable, you are probably in this case. Note this chapter does not concern copies or downloaded files, only files written by some digital camera, not by your computer. 7 | 8 | When using PhotoRec, in FileOpts, enable 9 | 10 | .. code-block:: none 11 | 12 | [X] mov/mdat Recover mdat atom as a separate file 13 | 14 | and then start the recovery.
15 | 16 | If you sort the files by name, you should see that the names alternate between :file:`_ftyp.mov` and :file:`_mdat.mov`. 17 | You need to concatenate each ftyp file with an mdat file: 18 | 19 | * If using Windows, run :command:`cmd` to start a terminal, use :command:`cd directory_name` to go where your files are, and run 20 | 21 | .. code-block:: none 22 | 23 | type file2_ftyp.mov file1_mdat.mov > test.mov 24 | 25 | If you do not have the permissions to write to the directory, before using the type command, take ownership of the directories or run :command:`cmd` using right-click, Run as administrator. 26 | 27 | * Under macOS and Linux, start a terminal/console, use :command:`cd directory_name` to go where your files are, and run 28 | 29 | 30 | .. code-block:: none 31 | 32 | cat file2_ftyp.mov file1_mdat.mov > test.mov 33 | 34 | If you do not have the permissions to write to the directory, before using the :command:`cat` command, change the ownership of the files and directories using :command:`chown -R username:groupname recup_dir.*` 35 | 36 | Play the resulting :file:`test.mov` file. If it works, you need to do the same with each pair of files. 37 | 38 | This solution works only for videos written in two fragments. Videos from GoPro HD2, Hero3-Black Edition, HERO4 Silver are stored in more than 2 fragments, so special software solutions are needed to recover such videos. This chapter does not concern copies or downloaded files, only files written by some digital camera, not by your computer. 39 | 40 | .. note:: Panasonic DMC-TZ80's photos in burst mode are saved as a movie. To extract the photos from this movie, macOS users can import the movie into Photos and save each frame as a single still photo.
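The pairing step from the video chapter above, scripted as an added example (it is not part of the TestDisk documentation or of PhotoRec). It assumes PhotoRec's `f<number>_ftyp.mov` / `f<number>_mdat.mov` naming, that each ftyp fragment belongs with the mdat fragment found just before it (as in the `file2_ftyp.mov file1_mdat.mov` command), and that each fragment starts with the atom its name announces; `atom_type`, `join_fragments` and `make_sample` are hypothetical helper names.

```shell
#!/bin/sh
# Added example: rebuild two-fragment videos from PhotoRec's split output.
# Usage (example paths): join_fragments recup_dir.1 /mnt/other_disk/joined

# Print the 4-byte atom type stored at bytes 4..7 of a file.
atom_type() {
    head -c 8 "$1" | tail -c 4
}

# join_fragments SRC_DIR OUT_DIR
# Walks SRC_DIR in on-disk order and joins each *_ftyp.mov with the
# *_mdat.mov seen just before it (assumption stated in the lead-in).
# Output goes to OUT_DIR, which should be on a different filesystem than
# the one being recovered. Prints the number of videos written.
join_fragments() {
    src=$1
    out=$2
    mkdir -p "$out" || return 1
    mdat=""
    count=0
    # Names are f<number>_<atom>.mov with 7 digits or more, so sort
    # numerically: a plain name sort would put f10000000 before f9000000.
    list=$(cd "$src" && ls | grep -E '^f[0-9]+_(ftyp|mdat)\.mov$' \
        | sort -t_ -k1.2,1n) || return 1
    for name in $list; do
        case $name in
            *_mdat.mov)
                mdat=$name ;;
            *_ftyp.mov)
                if [ -z "$mdat" ]; then
                    echo "skip $name: no preceding mdat fragment" >&2
                    continue
                fi
                # Sanity check: refuse to join files whose first atom does
                # not match the name PhotoRec gave them.
                if [ "$(atom_type "$src/$name")" != ftyp ] ||
                   [ "$(atom_type "$src/$mdat")" != mdat ]; then
                    echo "skip $name: unexpected leading atom" >&2
                    mdat=""
                    continue
                fi
                target="$out/${name%_ftyp.mov}.mov"
                if [ -e "$target" ]; then
                    echo "skip $name: $target already exists" >&2
                else
                    # Same order as the documented command: ftyp, then mdat.
                    cat "$src/$name" "$src/$mdat" > "$target"
                    count=$((count + 1))
                fi
                mdat="" ;;
        esac
    done
    echo "$count"
}

# Constructed sample input (12-byte fake atoms, not real video data).
make_sample() {
    dir=$1
    mkdir -p "$dir"
    printf '\000\000\000\014ftypqt  ' > "$dir/f0000050_ftyp.mov"   # orphan
    printf '\000\000\000\014mdatDATA' > "$dir/f0000100_mdat.mov"
    printf '\000\000\000\014ftypqt  ' > "$dir/f0000200_ftyp.mov"
    printf '\000\000\000\014mdatDATA' > "$dir/f9000000_mdat.mov"
    printf '\000\000\000\014ftypqt  ' > "$dir/f10000000_ftyp.mov"
    printf '\000\000\000\014mdatDATA' > "$dir/f10000500_mdat.mov"
    printf 'JUNKJUNKJUNK'             > "$dir/f10000600_ftyp.mov"  # mislabelled
}
```

Play each joined file before trusting it; as the chapter says, this only helps for videos written in exactly two fragments.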
41 | 42 | -------------------------------------------------------------------------------- /presentation.rst: -------------------------------------------------------------------------------- 1 | Presentation 2 | ============ 3 | 4 | TestDisk & PhotoRec are free and open-source data recovery utilities. 5 | TestDisk has been created in 1998 and PhotoRec in April 2002 by Christophe GRENIER, they can be downloaded from https://www.cgsecurity.org/. 6 | They are distributed under the GNU General Public License v2 or later, you can 7 | 8 | * run the program as you wish, for any purpose, 9 | * study how the program works, and change it so it does your computing as you wish (You have access to the source code.), 10 | * redistribute copies so you can help your neighbor, 11 | * distribute copies of your modified versions to others under the same license. By doing this you can give the whole community a chance to benefit from your changes. 12 | 13 | This documentation can be found online at https://github.com/cgsecurity/testdisk_documentation. 14 | Anyone can contribute to TestDisk & PhotoRec documentation. We especially welcome the contributions of beginners. In fact, beginners have a distinct advantage over the experts, because they can more easily spot the places where documentation is lacking. If it's only to fix a spelling or grammar error, your contribution is also welcome! 15 | 16 | Archives with ready-to-use binaries are available for 17 | 18 | * DOS (32-bit x86) 19 | * Microsoft Windows (32-bit x86 or 64-bit x64) 20 | * Linux (32-bit x86 or 64-bit x64) 21 | * macOS / Mac OS X (PowerPC or Intel) / OS X 22 | * Marvell 88F628x Linux 23 | 24 | TestDisk & PhotoRec can also be compiled for other platforms, notably 25 | 26 | * FreeBSD/OpenBSD/NetBSD, Unix-like computer operating system descended from Berkeley Software Distribution (BSD), a Research Unix derivative developed at the University of California, Berkeley. 
27 | * Haiku, a free and open-source operating system compatible with the now discontinued BeOS. 28 | * SunOS/Solaris, a Unix-branded operating system developed by Sun Microsystems for their workstation and server computer systems, 29 | 30 | 31 | TestDisk - Partition recovery 32 | ***************************** 33 | 34 | TestDisk recognizes the following disk partitioning: 35 | 36 | * Apple partition map 37 | * GUID Partition Table 38 | * Humax 39 | * PC/Intel Partition Table (master boot record) 40 | * Sun Solaris slice 41 | * Xbox fixed partitioning scheme 42 | 43 | It also handles non-partitioned media. 44 | 45 | TestDisk can 46 | 47 | * recover deleted partition 48 | * rebuild partition table 49 | * rewrite the Master boot record (MBR) 50 | 51 | TestDisk does a quick check of the disk's structure and compares it with the partition table for entry errors. 52 | Next, it searches for lost partitions of these file systems: 53 | 54 | * Be File System (BeOS) 55 | * BSD disklabel (FreeBSD/OpenBSD/NetBSD) 56 | * Cramfs, Compressed File System 57 | * DOS/Windows FAT12, FAT16, and FAT32 58 | * Windows exFAT 59 | * HFS, HFS+ and HFSX, Hierarchical File System 60 | * IBM Journaled File System 2 (JFS2) 61 | * Linux ext2, ext3 and ext4 62 | * Linux RAID 63 | 64 | * RAID 1: mirroring 65 | * RAID 4: striped array with parity device 66 | * RAID 5: striped array with distributed parity information 67 | * RAID 6: striped array with distributed dual redundancy information 68 | 69 | * Linux Swap (versions 1 and 2) 70 | * LVM and LVM2, Linux Logical Volume Manager 71 | * Novell Storage Services (NSS) 72 | * Windows New Technology File System (NTFS) 73 | * ReiserFS 3.5, 3.6 and 4 74 | * Sun Solaris i386 disklabel 75 | * Unix File System UFS and UFS2 (Sun/BSD/…) 76 | * XFS, SGI’s Journaled File System 77 | 78 | 79 | TestDisk - Filesystem repair 80 | **************************** 81 | 82 | TestDisk can deal with some specific logical filesystem corruption: 83 | 84 | * File Allocation 
Table, FAT12 and FAT16 85 | 86 | * Find filesystem parameters to rewrite a valid boot sector 87 | * Use the two copies of the FAT to rewrite a coherent version 88 | 89 | * File Allocation Table, FAT32 90 | 91 | * Find filesystem parameters to rewrite a valid boot sector 92 | * Restore the boot sector using its backup 93 | * Use the two copies of the FAT to rewrite a coherent version 94 | 95 | * exFAT 96 | 97 | * Restore the boot sector using its backup 98 | 99 | * NTFS (New Technology File System) boot sector and MFT repair 100 | 101 | * Find filesystem parameters to rewrite a valid boot sector 102 | * Restore the boot sector using its backup 103 | * Restore the Master File Table (MFT) from its backup 104 | 105 | * Extended file systems, ext2, ext3 and ext4 106 | 107 | * Find backup superblock location to assist fsck 108 | 109 | * HFS+ 110 | 111 | * Restore the boot sector using its backup 112 | 113 | TestDisk - File recovery 114 | ************************ 115 | When a file is deleted, the list of disk clusters occupied by the file is erased, marking those sectors available for use by other files created or modified thereafter. If the file wasn't fragmented and the clusters haven't been reused, TestDisk can recover the deleted file on several filesystems: 116 | 117 | * FAT 118 | * NTFS 119 | * exFAT 120 | * ext2 121 | 122 | PhotoRec - File recovery 123 | ************************ 124 | PhotoRec is a file carver data recovery software tool. It doesn't recover the original filenames but it can recover deleted files even from a corrupted filesystem. 125 | PhotoRec recognizes and recovers numerous file formats including ZIP, Office, PDF, HTML, JPEG and various graphics file formats. The whole list of file formats recovered by PhotoRec contains more than 480 file extensions (about 300 file families). It's possible to create a custom signature to recover a file format unknown to PhotoRec.
126 | 127 | QPhotoRec - File recovery 128 | ************************* 129 | QPhotoRec is a file carver data recovery software tool with a graphical user interface. Like PhotoRec, it doesn't recover the original filenames but it can recover deleted files even from a corrupted filesystem. 130 | 131 | -------------------------------------------------------------------------------- /repairing_filesystem.rst: -------------------------------------------------------------------------------- 1 | Repairing filesystem 2 | ==================== 3 | 4 | Repairing a filesystem may be a risky business as sometimes the problem is "fixed" by removing all invalid files. 5 | So if you have access to some of your files but not all, it's recommended to back up whatever is still accessible before trying to repair the filesystem. 6 | 7 | Repairing filesystems from Windows 8 | ---------------------------------- 9 | 10 | Windows can read and write files on FAT, exFAT and NTFS filesystems. The :command:`chkdsk` command is used to check and repair filesystems. 11 | Run :command:`cmd` (Right-click Run As Administrator) 12 | 13 | .. code-block:: none 14 | 15 | chkdsk /f d: 16 | 17 | 18 | Repairing filesystems from Linux 19 | -------------------------------- 20 | 21 | Linux can read and write a large variety of filesystems. The generic :command:`fsck` command is used to run a filesystem check. 22 | To check and automatically repair the filesystem on /dev/sda1, run as root 23 | 24 | .. code-block:: none 25 | 26 | fsck -y /dev/sda1 27 | 28 | fsck starts a filesystem-specific command; for example, for ext4 it runs :command:`fsck.ext4`. 29 | If you need a fine-grained repair, you should read the man page of the command related to the filesystem you want to repair, e.g. :command:`man fsck.ext4`. 30 | If some files or directories are missing, remember to check the :file:`lost+found` directory at the root of this filesystem.
31 | 32 | :command:`ntfsfix` can be used to repair NTFS filesystem followed by Windows :command:`chkdsk` . Note that it resets the NTFS journal file, so it should be used only if Windows failed to repair the filesystem. 33 | 34 | Repairing filesystems from macOS 35 | -------------------------------- 36 | To check an external drive, 37 | 38 | .. code-block:: none 39 | 40 | sudo diskutil list 41 | sudo fsck /dev/disk1s1 42 | 43 | You may have to repeat the :command:`fsck` command several times until no remaining error is reported. 44 | 45 | If you get Invalid b-tree node size, you can try 46 | 47 | .. code-block:: none 48 | 49 | sudo fsck_hfs -r -d /dev/disk1s1 50 | 51 | Repairing FAT32, exFAT and NTFS boot sector using TestDisk 52 | ---------------------------------------------------------- 53 | The boot sector is a sector containing information required to access any files from a FAT, exFAT or NTFS filesystem. 54 | FAT32 and NTFS filesystems have a main boot sector and a backup. If the main boot sector is damaged, the filesystem is listed as raw or unreadable. 55 | TestDisk is able to use the backup boot sector to repair the main boot sector: 56 | 57 | * start TestDisk 58 | * select the device containing the partition (avoid drive letter like D:) 59 | * confirm the partition table type 60 | * go in the Advanced menu 61 | * select the partition 62 | * choose Boot 63 | 64 | If the boot sector is damaged, *Boot sector: Bad* will be shown. 65 | If the backup is OK, *Backup boot sector: Ok* will also be listed. 66 | 67 | * choose BackupBS 68 | * confirm 69 | * Quit 70 | * restart the computer 71 | 72 | 73 | TestDisk: Repairing FAT boot sector 74 | ----------------------------------- 75 | 76 | The first sector of a FAT filesystem is named boot sector. It contains the main filesystem properties and some small code necessary only to start the computer from this partition. 77 | If the boot sector is damaged, it's impossible to access your data. 
Windows :command:`chkdsk` or Linux :command:`fsck` cannot repair a filesystem without a valid boot sector; they return an error message like *Chkdsk is not available for RAW drives*. Fortunately TestDisk can find all the parameters that need to be recorded in the boot sector and rewrite this sector, so further repair operations or normal access can be conducted. 78 | 79 | * start TestDisk 80 | * select the device containing the partition (avoid drive letter like D:) 81 | * confirm the partition table type 82 | * go in the Advanced menu 83 | * select the FAT partition 84 | * choose Boot 85 | * select RebuildBS 86 | * choose List 87 | 88 | If TestDisk is able to list your files, 89 | 90 | * quit the file listing 91 | * choose Write 92 | * confirm 93 | * Quit 94 | * restart the computer 95 | 96 | .. _repairing_ntfs_boot_sector: 97 | 98 | TestDisk: Repairing NTFS boot sector 99 | ------------------------------------ 100 | 101 | The first sector of an NTFS filesystem is called the boot sector. It contains the main filesystem properties and some small code necessary only to start the computer from this partition. 102 | If the boot sector is damaged, it's impossible to access your data. Windows :command:`chkdsk` or Linux :command:`fsck` cannot repair a filesystem without a valid boot sector; they return an error message like *Chkdsk is not available for RAW drives*. Fortunately TestDisk can find all the parameters that need to be recorded in the boot sector and rewrite this sector, so further repair operations or normal access can be conducted.
103 | 104 | * start testdisk 105 | * select the device containing the partition (avoid drive letter like D:) 106 | * confirm the partition table type 107 | * go in the Advanced menu 108 | * select the NTFS partition 109 | * choose Boot 110 | * select RebuildBS 111 | * choose List 112 | 113 | If testdisk is able to list your files, choose 114 | 115 | * quit the file listing 116 | * choose Write 117 | * confirm 118 | * Quit 119 | 120 | TestDisk: repairing ext2/3/4 filesystem superblock 121 | -------------------------------------------------- 122 | 123 | 1024 bytes after the beginning of the ext2/3/4 filesystem sits the superblock. It contains the main filesystem properties. 124 | With a damaged main superblock, it's not possible to mount and access the files normally. Fortunately copies of the main superblock are spread over the filesystem. To be precise, they are not exact copy of the main superblock, each copy contains its own location to prevent confusion between copies and the original. TestDisk can search for alternate superblocks. 125 | 126 | * start testdisk 127 | * select the device containing the partition 128 | * confirm the partition table type 129 | * go in the Advanced menu 130 | * select the Linux partition 131 | * choose SuperBlock 132 | 133 | 134 | .. 
code-block:: none 135 | 136 | TestDisk 7.1-WIP, Data Recovery Utility, August 2016 137 | Christophe GRENIER 138 | http://www.cgsecurity.org 139 | 140 | Disk /dev/sda - 2000 GB / 1863 GiB - CHS 243201 255 63 141 | 142 | Partition Start End Size in sectors 143 | 144 | MS Data 2048 3907020799 3907018752 [/home2] 145 | superblock 0, blocksize=4096 [/home2] 146 | superblock 32768, blocksize=4096 [/home2] 147 | superblock 98304, blocksize=4096 [/home2] 148 | superblock 163840, blocksize=4096 [/home2] 149 | superblock 229376, blocksize=4096 [/home2] 150 | superblock 294912, blocksize=4096 [/home2] 151 | superblock 819200, blocksize=4096 [/home2] 152 | superblock 884736, blocksize=4096 [/home2] 153 | superblock 1605632, blocksize=4096 [/home2] 154 | superblock 2654208, blocksize=4096 [/home2] 155 | 156 | To repair the filesystem using alternate superblock, run 157 | fsck.ext4 -p -b superblock -B blocksize device 158 | 159 | >[ Quit ] 160 | Return to Advanced menu 161 | 162 | If superblock 0 is listed, it means the main superblock is correct. If it's damaged, this line will be missing; 163 | in that case, use the next superblock and its block size to run :command:`fsck`. 164 | 165 | .. code-block:: none 166 | 167 | fsck.ext4 -p -b 32768 -B 4096 /dev/sda1 168 | 169 | Repairing HFS/HFS+ volume header using TestDisk 170 | ----------------------------------------------- 171 | 172 | The volume header is located 1024 bytes after the beginning of the HFS/HFS+ filesystem. If it is damaged, it is not possible to access files normally. 173 | TestDisk is able to use the backup volume header to repair the main volume header: 174 | 175 | * start TestDisk 176 | * select the device containing the partition 177 | * confirm the partition table type 178 | * go in the Advanced menu 179 | * select the partition 180 | * choose SuperBlock 181 | 182 | If the main superblock is damaged, *Volume header: Bad* will be shown.
183 | If the backup is OK, *Backup volume header: HFS+ Ok* (or HFS Ok) will also be listed. 184 | In this case, 185 | 186 | * choose BackupBS 187 | * confirm 188 | * Quit 189 | * restart the computer 190 | 191 | Repairing BitLocker volume 192 | -------------------------- 193 | 194 | :command:`Repair-bde` can reconstruct critical parts of the drive and salvage recoverable data as long as a valid recovery password or recovery key is used to decrypt the data. 195 | See `https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/ff829851(v=ws.11) `_ 196 | -------------------------------------------------------------------------------- /running.rst: -------------------------------------------------------------------------------- 1 | Starting the tools 2 | ================== 3 | 4 | 5 | Disk image 6 | ********** 7 | 8 | TestDisk and PhotoRec can be used on disk image: 9 | 10 | * raw files (.dd) 11 | * Encase (.E01) 12 | * splitted Encase files (.E01, E02...) 13 | 14 | Splitted raw files are not supported. 15 | No administrator rights are needed to run :command:`testdisk` or :command:`photorec` on disk image. 16 | 17 | Examples: 18 | 19 | * :command:`photorec image.dd` to carve a raw disk image 20 | * :command:`photorec image.E01` to recover files from an Encase EWF image 21 | * :command:`photorec 'image.???'` if the Encase image is split into several files. 22 | 23 | .. _running_testdisk_win: 24 | 25 | Running TestDisk, PhotoRec or QPhotoRec under Windows 26 | ***************************************************** 27 | 28 | Double-click on the executable (:command:`testdisk_win.exe`, :command:`photorec_win.exe` or :command:`qphotorec_win.exe`) from an account in the Administrator Group. 29 | Administrator rights are necessary to get a low-level access to all medias (hard disk, USB key, Smart Card, etc.). 30 | Windows UAC (Vista and later) will ask you to confirm that you want to run the executable with administrator rights. 
31 | 32 | .. note:: Windows users, if you see ``cygwin1.dll not found, c\\cygwin is missing``, extract all the files from the archive before running TestDisk or PhotoRec. 33 | 34 | .. _running_testdisk_linux: 35 | 36 | Running TestDisk, PhotoRec under Linux 37 | ************************************** 38 | 39 | You need to be root to run TestDisk or PhotoRec, so they can access all your disks. 40 | 41 | .. code-block:: none 42 | 43 | cd testdisk-7.1 44 | sudo ./testdisk_static 45 | 46 | 47 | .. code-block:: none 48 | 49 | cd testdisk-7.1 50 | sudo ./photorec_static 51 | 52 | .. note:: If your Raid device (ie. Intel raid) is missing, run "sudo dmraid -ay" to activate it. 53 | 54 | Running QPhotoRec under Linux X.org X11 55 | *************************************** 56 | 57 | QPhotoRec is a Qt5 application, it isn't shipped with the official Linux binaries 58 | from www.cgsecurity.org. But it is available on most Linux distribution or can be compiled from source. 59 | To run it in a Terminal, 60 | 61 | .. code-block:: none 62 | 63 | sudo qphotorec 64 | 65 | Running QPhotoRec under Linux Wayland 66 | ************************************* 67 | 68 | To run QPhotoRec in a Terminal, 69 | 70 | .. code-block:: none 71 | 72 | xhost +local: 73 | sudo qphotorec 74 | 75 | .. _running_testdisk_macos: 76 | 77 | Running TestDisk, PhotoRec under macOS 78 | ************************************** 79 | 80 | If you are not root, TestDisk (i.e. :command:`testdisk-7.1/testdisk`) or PhotoRec will restart itself using :command:`sudo` after confirmation from your part. 81 | 82 | If your administrator account has no password (a blank password), you must give that user a password before using the :command:`sudo` command: 83 | 84 | - Choose Apple menu > System Preferences and click Accounts. 85 | - Click Change Password. 86 | 87 | Terminal doesn't show the password as you type. If you enter the wrong password or a blank password, the command isn't executed and Terminal asks you to try again. 
88 | 89 | If no disk is listed when running TestDisk or PhotoRec, select `System Settings` --> `Privacy & Security` --> `Full Disk Access` --> Use `+` to add `Terminal` (or TestDisk and PhotoRec themselves) 90 | 91 | .. _running_fidentify_win: 92 | 93 | Running Fidentify under Windows 94 | ******************************* 95 | 96 | Fidentify checks all the files from a directory with the same signatures as PhotoRec. It's useful to check if PhotoRec is able to recover some file extensions/some file formats. 97 | Run :command:`cmd`, Windows Command Prompt. :command:`cd` is the command to change directory. 98 | 99 | .. code-block:: none 100 | 101 | cd testdisk-7.1 102 | fidentify_win.exe d:\directory 103 | 104 | .. _running_fidentify_linux: 105 | 106 | Running Fidentify under Linux or macOS 107 | ************************************** 108 | 109 | Start a terminal, go to the :file:`testdisk` directory and use :command:`fidentify` to check if the files present in a directory are recognized. This identification is identical in PhotoRec. 110 | 111 | .. code-block:: none 112 | 113 | cd testdisk-7.1 114 | ./fidentify_static /home/user/ 115 | 116 | 117 | -------------------------------------------------------------------------------- /scripted_run.rst: -------------------------------------------------------------------------------- 1 | Scripted run 2 | ============ 3 | TestDisk and PhotoRec can run automatically using their own built-in commands. A script file (such as .cmd or .bat batch files under MS-DOS/Windows, or some shell under Linux) may also be helpful. 4 | 5 | Automating recovery using TestDisk 6 | ********************************** 7 | Syntax: 8 | 9 | .. code-block:: none 10 | 11 | testdisk [/debug] [/log] [/logname file.log] /cmd [file.dd|file.e01|device] cmd 12 | 13 | Some examples 14 | ------------- 15 | 16 | ..
code-block:: none 17 | 18 | testdisk /debug /log /cmd /dev/hda analyze,search 19 | testdisk /debug /log /cmd partition.dd partition_none,geometry,H,32,analyze,list,advanced,boot,rebuildbs,list 20 | 21 | 22 | Device selection 23 | ---------------- 24 | Use the device name, e.g. `/dev/hda`, `/dev/hdb`, `/dev/sda`. 25 | 26 | For DOS version, use `/dev/sda128` for first disk, `/dev/sda129` for the second and so on... 27 | You may have to use single quote, i.e. ``'c:\input dir\image.dd'``, if the path or file name contains spaces. 28 | For Encase files, you can use ``file.e??`` if you have less than 100 files, otherwise use ``file.???`` 29 | 30 | Partition type selection 31 | ------------------------ 32 | 33 | * partition_i386 34 | * partition_gpt 35 | * partition_humax 36 | * partition_mac 37 | * partition_none 38 | * partition_sun 39 | * partition_xbox 40 | * ask_type: the user will be asked for the partition type (new in 6.9) 41 | 42 | If no partition type is specified or asked, TestDisk will detect it automatically. 
43 | 44 | Main menu 45 | --------- 46 | 47 | * advanced 48 | * analyze 49 | * delete 50 | * geometry 51 | * mbr_code 52 | * options 53 | * list 54 | 55 | Analyse menu 56 | ------------ 57 | 58 | * backup: save to backup.log file the current partition structure 59 | * number: select a partition found during Quick Search or Deeper Search 60 | * list: list of the content of the selected partition (first one by default, new in 6.10) 61 | * search: Deeper Search for more partitions 62 | * noconfirm,write 63 | * write 64 | 65 | Advanced menu 66 | ------------- 67 | 68 | * type 69 | * addpart: add a partition entry (not written to disk) 70 | * boot: for FAT12/FAT16, FAT32, exFAT and NTFS partition, go to the specific menu 71 | * copy: backup the partition to the file image.dd (new in 6.9) 72 | * list: list the content of the partition (new in 6.10) 73 | * list,recursive: list the content of the whole partition (new in 6.10) 74 | * list,recursive,fullpathname: list the content of the whole partition with the whole pathname (new in 6.11) 75 | * list,filecopy: list and copy all the files (new in 7.1) 76 | * superblock: search ext2/ext3 superblocks or go to HFS+ menu depending of the partition 77 | * undelete: go in the undelete menu (FAT12/16/32, NTFS, exFAT, ext2) 78 | * number: the partition number to select 79 | 80 | Add partition 81 | ^^^^^^^^^^^^^ 82 | 83 | * PC Intel 84 | 85 | * c,XX starting cylinder 86 | * h,XX starting head 87 | * s,XX starting sector 88 | * C,XX ending cylinder 89 | * H,XX ending head 90 | * S,XX ending sector 91 | * T,XX type 92 | 93 | * EFI GPT, Mac, XBoX 94 | 95 | * s,XX starting sector 96 | * s,XX ending sector 97 | * T,XX type 98 | 99 | * Humax, Sun 100 | 101 | * c,XX starting cylinder 102 | * C,XX ending cylinder 103 | * T,XX type 104 | 105 | FAT12/FAT16 boot menu 106 | ^^^^^^^^^^^^^^^^^^^^^ 107 | 108 | * dump 109 | * list (new in 6.9) 110 | * list,recursive: list the contents of the whole partition (new in 6.10) 111 | * 
list,recursive,fullpathname: list the contents of the whole partition with the whole path name (new in 6.11) 112 | * rebuildbs 113 | * repairfat 114 | * initroot 115 | 116 | FAT32 boot menu 117 | ^^^^^^^^^^^^^^^ 118 | * dump 119 | * list (new in 6.9) 120 | * list,recursive: list the contents of the whole partition (new in 6.10) 121 | * list,recursive,fullpathname: list the contents of the whole partition with the whole path name (new in 6.11) 122 | * rebuildbs 123 | * repairfat 124 | * originalfat 125 | * backupfat 126 | 127 | FAT rebuild menu 128 | ^^^^^^^^^^^^^^^^ 129 | * list 130 | * list,recursive: list the contents of the whole partition (new in 6.10) 131 | * dump 132 | * noconfirm,write 133 | * write 134 | 135 | exFAT boot menu 136 | ^^^^^^^^^^^^^^^ 137 | * dump 138 | * originalexFAT 139 | * backupexFAT 140 | 141 | NTFS boot menu 142 | ^^^^^^^^^^^^^^ 143 | * rebuildbs 144 | * dump 145 | * list 146 | * list,recursive: list the contents of the whole partition (new in 6.10) 147 | * list,recursive,fullpathname: list the contents of the whole partition with the complete path name (new in 6.11) 148 | * originalntfs 149 | * backupntfs 150 | * repairmft 151 | * noconfirm,backupntfs 152 | * noconfirm,repairmft 153 | 154 | NTFS undelete menu 155 | ^^^^^^^^^^^^^^^^^^ 156 | * allundelete (new in 7.1): list and recover all deleted files. WARNING: stores them in current local directory. 
157 | 158 | NTFS rebuild menu 159 | ^^^^^^^^^^^^^^^^^ 160 | * list 161 | * list,recursive: list the contents of the whole partition (new in 6.10) 162 | * list,recursive,fullpathname: list the contents of the whole partition with the complete path name (new in 6.11) 163 | * dump 164 | * noconfirm,write 165 | * write 166 | 167 | HFS+ superblock menu 168 | ^^^^^^^^^^^^^^^^^^^^ 169 | * dump 170 | * originalhfsp 171 | * backuphfsp 172 | 173 | Geometry menu 174 | ------------- 175 | 176 | * C,number of cylinders 177 | * H,number of heads 178 | * S,number of sectors 179 | * N,sector size 180 | 181 | Options 182 | ------- 183 | 184 | * dump 185 | * nodump 186 | * align 187 | * noalign 188 | * expert 189 | * noexpert 190 | 191 | Automating recovery using PhotoRec 192 | ********************************** 193 | 194 | .. code-block:: none 195 | 196 | photorec [/debug] [/log] [/logname file.log][/d recup_dir] [/cmd ] 197 | 198 | General syntax: 199 | 200 | * /debug: switch on debug mode 201 | * /log: switch on logging (a log file named :file:`photorec.log` will be created/appended to in the current working directory 202 | * /logname file.log: log will be written to :file:`file.log` instead of :file:`photorec.log` 203 | * /d recup_dir: specify directory to store the recovered files into. This should be on a device different from the one you are recovering from. PhotoRec will add a numeric extension to the path specified, starting with ".1" - and increase this number as long as a directory with this name already exists. 204 | * /cmd: introduces the command section for scripted run 205 | * : the device (or image file) to recover from (Hint: use single-quote if the image file contains spaces) 206 | * : the command list (see below) 207 | 208 | Some examples of data recovery using PhotoRec 209 | --------------------------------------------- 210 | 211 | Recover from the second IDE drives i386 partition the user selects 212 | 213 | .. 
code-block:: none 214 | 215 | photorec /debug /log /cmd /dev/hdb partition_i386,select,search 216 | 217 | 218 | Recover from the first IDE drives i386 partition #5, which is using ext2/ext3/ext4 219 | 220 | .. code-block:: none 221 | 222 | photorec /debug /log /cmd /dev/hda partition_i386,options,mode_ext2,5,search 223 | 224 | 225 | Recover from a given disk image file named :file:`disk.dmp` which only has a single ext4 partition (or a part of it) 226 | Restore all file types known to PhotoRec to ``/mnt/recover/disk``. 227 | 228 | .. code-block:: none 229 | 230 | photorec /debug /log /d /mnt/recover/disk /cmd disk.dmp options,mode_ext2, \ 231 | fileopt,everything,enable,search 232 | 233 | The same without debug and log - but recover only :file:`*.gif` and :file:`*.jpg` 234 | 235 | .. code-block:: none 236 | 237 | photorec /d /mnt/recover/disk /cmd disk.dmp options,mode_ext2,fileopt,everything,disable, \ 238 | jpg,enable,gif,enable,search 239 | 240 | Recover jpg from the freespace of the first partition 241 | 242 | .. code-block:: none 243 | 244 | photorec /cmd /dev/hda fileopt,everything,disable,jpg,enable,freespace,search 245 | 246 | 247 | Recover all files from freespace from each partition as detected by TestDisk 248 | 249 | .. code-block:: none 250 | 251 | PARENT=`pwd` 252 | DEVICE=/dev/sda 253 | testdisk -l $DEVICE | tee testdisk.log | \ 254 | egrep "[[:digit:]][[:space:]][P,E,L,D,*][[:space:]].+([[:space:]]+[[:digit:]]+){3}" | \ 255 | cut -f 2 -d\ |while read PARTITION 256 | do 257 | mkdir $PARTITION && cd $PARTITION && 258 | xterm -e photorec /log /debug /d ./ /cmd $DEVICE freespace,$PARTITION,search 259 | cd $PARENT 260 | done 261 | 262 | 263 | Command list 264 | ------------ 265 | Below you find a list of available command options, grouped into categories. It is best to use them in the order they are mentioned here. 266 | These options must be separated by a comma. Partition type selection and options from the main menu can be used directly. 
267 | 268 | PhotoRec - Partition type selection 269 | ----------------------------------- 270 | 271 | * partition_i386 272 | * partition_gpt 273 | * partition_humax 274 | * partition_mac 275 | * partition_none 276 | * partition_sun 277 | * partition_xbox 278 | * ask_type: the user will be asked for the partition type 279 | 280 | If no partition type is specified, it is auto-detected. 281 | 282 | PhotoRec - Main menu 283 | -------------------- 284 | 285 | * fileopt: change file types to recover 286 | * inter: PhotoRec usage becomes interactive 287 | * options 288 | * number: the partition number to select 289 | * blocksize: force the block size - followed by the block size in bytes. 290 | * geometry 291 | * wholespace / freespace : files will be recovered from the whole partition or only from the free space (new in 6.10) 292 | * ext2_group: carve the group whose number is following (new in 6.10) 293 | * ext2_inode: carve the group whose following inode belongs to (new in 6.10) 294 | * search: start the recovery 295 | 296 | PhotoRec - fileopt menu 297 | ----------------------- 298 | 299 | * everything,enable: use the values by default (may be different than the saved values, new in 6.9) 300 | * everything,disable: empty the list of file formats to locate (new in 6.9) 301 | * jpg,enable: will search for jpg 302 | * jpg,disable: will not search for jpg 303 | 304 | You can use the same syntax for all file formats. 305 | 306 | PhotoRec - Options menu 307 | ----------------------- 308 | 309 | To use anything from the options menu, you must specify the keyword "options" first. 
310 | 311 | * expert 312 | * keep_corrupted_file_no (new in 6.10) 313 | * keep_corrupted_file 314 | * paranoid_no / paranoid / paranoid_bf (new in 6.10) 315 | * lowmem 316 | * mode_ext2 317 | 318 | Windows UAC 319 | *********** 320 | 321 | If you run TestDisk and PhotoRec, Windows User Account Control will ask "Do you want the following program from an unknown publisher to make changed to this computer ?" (or something similar). As administrator rights are unneeded for disk images, you may want to avoid this UAC prompt with the ``__COMPAT_LAYER`` environment variable. Example: 322 | 323 | .. code-block:: none 324 | 325 | set __COMPAT_LAYER=RunAsInvoker 326 | photorec_win.exe /cmd image.dd search 327 | -------------------------------------------------------------------------------- /smart.rst: -------------------------------------------------------------------------------- 1 | SMART status - Disk health monitoring 2 | ===================================== 3 | The smartmontools package contains two utility programs (:command:`smartctl` and :command:`smartd`) to control and monitor storage systems using the Self-Monitoring, Analysis and Reporting Technology System (SMART) built into most modern ATA/SATA, SCSI/SAS and NVMe disks. In many cases, these utilities will provide advanced warning of disk degradation and failure. 4 | 5 | This package is installed by default on most Linux distribution. For Windows and macOS, there are respectively a :file:`setup.exe` and an :file:`dmg` available from https://sourceforge.net/projects/smartmontools/files/smartmontools/ 6 | 7 | 8 | .. 
code-block:: none 9 | 10 | sudo smartctl -a /dev/sda 11 | === START OF INFORMATION SECTION === 12 | Model Family: Western Digital Green 13 | Device Model: WDC WD20EZRX-00D8PB0 14 | Serial Number: WD-WMC4M0875073 15 | LU WWN Device Id: 5 0014ee 058f9952c 16 | Firmware Version: 80.00A80 17 | User Capacity: 2,000,398,934,016 bytes [2.00 TB] 18 | Sector Sizes: 512 bytes logical, 4096 bytes physical 19 | Device is: In smartctl database [for details use: -P show] 20 | ATA Version is: ACS-2 (minor revision not indicated) 21 | SATA Version is: SATA 3.0, 6.0 Gb/s (current: 6.0 Gb/s) 22 | Local Time is: Mon Oct 3 13:16:17 2016 CEST 23 | SMART support is: Available - device has SMART capability. 24 | SMART support is: Enabled 25 | 26 | === START OF READ SMART DATA SECTION === 27 | SMART overall-health self-assessment test result: PASSED 28 | ... 29 | SMART Attributes Data Structure revision number: 16 30 | Vendor Specific SMART Attributes with Thresholds: 31 | ID# ATTRIBUTE_NAME FLAG VALUE WORST THRESH TYPE UPDATED WHEN_FAILED RAW_VALUE 32 | 5 Reallocated_Sector_Ct 0x0033 200 200 140 Pre-fail Always - 0 33 | 34 | 35 | Even if the SMART health status is `PASSED`, it doesn't mean the disk is OK. You should also check the "Reallocated_Sector_Ct" attribute. 36 | 37 | When the hard drive finds a read/write/verification error, it marks that sector as "reallocated" and transfers data to a special reserved area (spare area). This process is also known as remapping, and reallocated sectors are called "remaps". The raw value normally represents a count of the bad sectors that have been found and remapped. Thus, the higher the attribute value, the more sectors the drive has had to reallocate. This allows a drive with bad sectors to continue operation; however, a drive which has had any reallocations at all is significantly more likely to fail in the near future. While primarily used as a metric of the life expectancy of the drive, this number also affects performance. 
As the count of reallocated sectors increases, the read/write speed tends to become worse because the drive head is forced to seek to the reserved area whenever a remap is accessed. If sequential access speed is critical, the remapped sectors can be manually marked as bad blocks in the file system in order to prevent their use. 38 | 39 | I recommend replacing a hard disk as soon as the first bad sectors appear. 40 | 41 | -------------------------------------------------------------------------------- /storage.rst: -------------------------------------------------------------------------------- 1 | Storage: can I repair it or recover data from it ? 2 | ================================================== 3 | 4 | There are 3 kinds of storage: 5 | 6 | * `Direct Attached Storage `_ (DAS) or local storage for hard disks connected via 7 | 8 | * IDE/PATA 9 | * SATA/eSATA 10 | * SAS 11 | * firewire 12 | * devices connected via USB (external disk, digital camera, thumb drive, phone...) in USB mass storage mode 13 | 14 | * `Storage Area Networks `_ (SAN) 15 | 16 | * Fibre Channel Protocol (FCP) 17 | * Fibre Channel over Ethernet (FCoE) 18 | * iSCSI, mapping of SCSI over TCP/IP 19 | 20 | * `Network Attached Storage `_ (NAS) 21 | 22 | * Windows share (CIFS/SMB) 23 | * Network File System (NFS) 24 | * Phone or digital camera in Media Transfer Protocol (MTP) mode (even if connected via USB) 25 | 26 | 27 | TestDisk & PhotoRec can recover data from DAS and SAN storage. For NAS server (QNAP, Synology...), they need to run on the server itself or the disks need to be moved to a computer running Linux (sometimes FreeBSD). 28 | TestDisk & PhotoRec can store recovered data on any storage available from your computer. When recovering deleted files, be careful to avoid writing new data to the same partition the files were stored on.


--------------------------------------------------------------------------------
/testcase.rst:
--------------------------------------------------------------------------------
TestDisk and PhotoRec in various digital forensics test cases
=============================================================

PhotoRec is considered one of the best file carving utilities for several reasons:

* File format support: PhotoRec is able to recover a wide range of file types, including photos, videos, documents, and music files. It can also recover files from various file systems, including NTFS, exFAT, FAT, and ext2/ext3/ext4.
* Robustness: PhotoRec is able to recover files even if the file system is severely damaged or the storage device has been reformatted. It can also recover files that have been deleted or lost due to formatting or other errors.
* Flexibility: PhotoRec is a command-line tool, which gives users more control and flexibility in how they recover files. It also includes a graphical user interface called QPhotoRec, which makes it easy for users who are less familiar with the command-line interface.
* Open source: PhotoRec is open source software. That means users can see the code, make changes and contribute to the development of the software.
* Free: PhotoRec is completely free to use, which makes it accessible to a wide range of users and organizations.

All these factors make PhotoRec an extremely powerful and versatile file carving utility that can be used to recover a wide range of files from various storage devices.

The Computer Forensics Tool Testing (CFTT) program is a program run by the National Institute of Standards and Technology (NIST), which is a U.S. federal agency that provides technical standards and guidelines for a variety of industries and organizations, including forensic science.
PhotoRec was evaluated by the CFTT in 2014 for forensic `File Carving purpose `_.
PhotoRec had the best results ;-)

It's worth noting that while PhotoRec is a widely used tool in forensic investigations, it's not the only one, and it may not be the best one for some cases. Other tools may be more appropriate for specific types of investigations or for specific types of storage media. The choice of the appropriate tool will depend on the specific needs of the investigation and the technical expertise of the forensic investigator.

To learn to use TestDisk and PhotoRec, various test cases are available to practice in safe conditions.

.. toctree::

   dftt_fat16_undelete
   dftt_ntfs_undelete
   dfrws2006
   forensics
--------------------------------------------------------------------------------
/undelete.rst:
--------------------------------------------------------------------------------
Recovering deleted files using TestDisk
=======================================
When a file is deleted, the data remains on the disk. Unless new data has overwritten your lost file, TestDisk can usually recover it.
This is possible for

* FAT12/16/32
* exFAT
* NTFS
* ext2

For other filesystems or if sought-after lost files are still missing, give PhotoRec a try. PhotoRec is a signature-based file recovery utility and may be able to recover your data where other methods failed.

* Do not use the media (HDD, USB key, ...) from which the data was deleted until the data recovery process is completed.
* It is highly recommended that TestDisk or PhotoRec recovers files to another destination media, at minimum to another filesystem.

For maximum security, TestDisk doesn't try to unerase files but lets
you copy the deleted files onto another partition or disk. Remember, you must avoid
writing anything on the filesystem that was holding the data. If you do,
deleted files may be overwritten by new ones.

.. toctree::
   undelete_fat.rst
   undelete_ntfs.rst


--------------------------------------------------------------------------------
/undelete_fat.rst:
--------------------------------------------------------------------------------
TestDisk: undelete file for FAT, exFAT, ext2
********************************************

FAT is mainly used on memory cards from digital cameras and on USB keys.
When a file is deleted, the filename is marked as deleted and the data area as unallocated/free, but TestDisk can read the deleted directory entry and find where the file began. If the data area hasn't been overwritten by a new file, the file is recoverable.

exFAT can be found on large memory cards, large USB keys and hard disks.

ext2 is a Linux filesystem. It has been superseded by ext3 and ext4, so it's not found often now.
With ext3 and ext4, it's possible to find the names of the deleted files but the location of the deleted data isn't available anymore, so even if ext3/ext4 is similar to ext2, it's not possible to recover lost files using TestDisk.

Start TestDisk
--------------

* :ref:`running_testdisk_win`
* :ref:`running_testdisk_linux`
* :ref:`running_testdisk_macos`

Log creation
------------

* Choose Create unless you have a reason to append data to the log or you are running TestDisk from read-only media and can't create the log elsewhere.
* Press Enter to proceed.

Disk selection
--------------
All hard drives should be detected and listed with the correct size by TestDisk.

* Use up/down arrow keys to select your hard drive with the lost partition/s.
* Press Enter to proceed.

macOS: if available, use the raw device ``/dev/rdisk*`` instead of ``/dev/disk*`` for faster data transfer.

Partition table type selection
------------------------------
TestDisk displays the partition table types.

* Select the partition table type - usually the default value is the correct one as TestDisk auto-detects the partition table type.
* Press Enter to proceed.

Start the undelete process
--------------------------
* Select **Advanced**
* Select the partition that was holding the lost files and choose **Undelete**

File undelete
-------------
Navigate to the folder where your files were.
Deleted files and directories are displayed in red.

* To undelete a file, select the file to recover and press 'c' to copy the file.
* To recover a deleted directory, select the directory and press 'c' to undelete the directory and its content.

Select where recovered files should be written
----------------------------------------------
Select the destination.

File recovery is completed
--------------------------
When you get your files back, use Quit to exit.

If TestDisk has been unable to find your lost data, try PhotoRec instead.
--------------------------------------------------------------------------------
/undelete_ntfs.rst:
--------------------------------------------------------------------------------
TestDisk: undelete file for NTFS
********************************

Start TestDisk
--------------

* :ref:`running_testdisk_win`
* :ref:`running_testdisk_linux`
* :ref:`running_testdisk_macos`

Log creation
------------

* Choose Create unless you have a reason to append data to the log or you are running TestDisk from read-only media and can't create the log elsewhere.
* Press Enter to proceed.

Disk selection
--------------
All hard drives should be detected and listed with the correct size by TestDisk.

* Use up/down arrow keys to select your hard drive with the lost partition/s.
* Press Enter to proceed.

macOS: if available, use the raw device :file:`/dev/rdisk*` instead of :file:`/dev/disk*` for faster data transfer.

Partition table type selection
------------------------------
TestDisk displays the partition table types.

* Select the partition table type - usually the default value is the correct one as TestDisk auto-detects the partition table type.
* Press Enter to proceed.

Start the undelete process
--------------------------
* Select **Advanced**
* Select the partition that was holding the lost files and choose **Undelete**

NTFS file undelete
------------------
TestDisk scans MFT entries for deleted files. A list of the deleted NTFS files found by TestDisk is displayed.

* To recover a single file, highlight the file and press 'c' (lowercase) to copy it.
* To recover several files, move to the first file you want to recover, press ':' to select it, repeat the process for the other files, then press 'C' (uppercase) to copy them.

It isn't shown in the interface, but the results can be filtered: press 'f' to add a filter.
Several filters can be added. To cancel all the filters, press 'r' (reset).

Select where recovered files should be written
----------------------------------------------
Select the destination.

File recovery is completed
--------------------------
When the NTFS file recovery is finished, choose Quit to exit.

If TestDisk has been unable to find your lost data, try PhotoRec instead.
--------------------------------------------------------------------------------
/unix.rst:
--------------------------------------------------------------------------------
Linux / macOS / BSD command line
********************************

The command line is a text interface to your computer or your NAS. It is often referred to as the shell, terminal, console or prompt.
This short guide will give you a few basic commands and concepts.

Starting a terminal
-------------------

To open a terminal:

* if your computer is running Linux with the GNOME graphical interface:

  * Choose "Activities" on the top left
  * On the prompt "type to search", type :command:`Terminal`
  * Click on the "Terminal" icon

* if your computer is running macOS:

  * Press Command+Space and type :command:`Terminal` and press enter/return key.
  * Run in Terminal app

* if your computer is running Windows and you want to connect to your NAS by ssh:

  * use an SSH client like PuTTY

* if your computer is running Linux or macOS and you want to connect to your NAS by ssh:

  * Press Command+Space and type :command:`Terminal` and press enter/return key.
  * Run in Terminal app
  * :command:`ssh root@192.168.0.1` (Replace root if necessary and 192.168.0.1 by the correct IP)


Users
-----

The root user is the default privileged user. Usually, the terminal prompt ends with '#' for root and with '$' for the other users.
To check the current user, use :command:`id`.
To become root from a user account, you can try

* :command:`sudo -s` You may be prompted for your user password.
* :command:`su -` You may have to type the root password.

There will be no echo when you type the password.

Filesystem
----------

* Filenames, paths and commands are case-sensitive. You need to respect upper case "ABC" and lower case "abc".
* All files accessible in a Unix system are arranged in one big tree, the file hierarchy, rooted at :file:`/`.
* The root user has access to every file, directory and command [#]_.
* The :command:`mount` command serves to attach the filesystem found on some device to the big file tree.
* Conversely, the :command:`umount` command will detach it again.
* When using a graphical interface, mount and umount operations can be done by a few mouse clicks on the icons representing the device.
* When using the command line, root privileges are required.
* The mount point is the name of the directory where the device is attached. By convention, it's usually in :file:`/mnt`, :file:`/media` or :file:`/run/media`.

.. [#] Root access may be restricted by Role-Based Access Control (RBAC), Multi-Level Security (MLS)...

Commands
--------

* :command:`cd directory_name`: change current directory
* :command:`pwd`: print working directory
* :command:`ls`: list files from current directory (files beginning with a dot are not listed by default)
* :command:`./testdisk_static`: launch the testdisk_static program assuming it is present in the current directory.
* :command:`testdisk`: launch testdisk if the command is found in the PATH, a list of directories. It will not try to start a program named testdisk in the current directory.
--------------------------------------------------------------------------------