Saturday, February 19, 2011

Recovering photos with extundelete and PhotoRec using a Puppy Linux live USB stick

I recently screwed up an rsync and accidentally deleted a lot of my photos. I finally got round to recovering them, and here's how I did it.

Puppy Linux live CD/USB stick
EDIT: With the new versions op Puppy (the ones based on the Ubuntu repository), you can probably grab the appropriate packages from the repository instead of having to compile them yourself.

First, I made a Puppy Linux live USB stick. I absolutely love Puppy Linux! Setting up the latest Puppy Linux live CD/USB stick is explained on their website. Be sure to grab the appropriate devx_xxx.sfs too so we can build extundelete and PhotoRec.

Next boot up into Puppy Linux and download the sources for extundelete and alternatively for PhotoRec too, if you have reason to believe that extundelete will not be able to recover all files (eg when there has been some disk activity after deleting the lost files). Normally, Puppy will automatically configure your network, but if this isn't the case (and you can't get it to work), you can always download the sources and put them on the live CD/stick before booting into Puppy.

I had an extra complication in the sense that the partition from which I wanted to restore the files was on a software RAID. Puppy will normally have all the kernel modules you need to get RAID going. You'll need to get the mdadm utility and build it from sources (I found a .pet file for the Puppy version I used, so that made life easier for me). You can now easily assemble your RAID array, but don't mount it!

Extundelete Now it's time to build extundelete if you haven't done so already. Once you are finished, mount a partition with enough free space to store all your recovered files. This should not be the partition with the deleted files themselves, we will never mount that!
Extundelete will by default dump the restored files in the current working directory, so cd to the mounted filesystem where you want to store those files.

Now, you can ask extundelete to do the best it can to retrieve your deleted files. In my case, I told it to restore the directory /home/roald/canon/2010:

extundelete --restore-file /home/roald/canon/2010

A snippet of the output I got was:

1054 recoverable inodes found.
[...]
997 recoverable inodes still lost

Hopefully for you, that last number will be less big than what I got. The reason extdelete couldn't restore all those files is because there was still a lot of disk activity after deleting those files. (I'm an idiot, should have unmounted immediately.)

Now, if you are happy with the files extundelete could retrieve, there is no need to take the next step. If you want to recover more, continue reading.

PhotoRec PhotoRec has a more brute force aproach than extundelete. It basically scans the entile filesystem looking for data that matches a given pattern (eg, a JPEG or RAW file header).

I was mostly looking to restore my Canon RAW files (.CR2). The interface of PhotoRec is pretty self explanotory. In order to restore .CR2 files, you'll need to check the mark next to TIFF, as those RAW files are in fact special TIFF files. Note that this will restore all TIFF and RAW files on that partition. You cannot specify to only restore files that for example only belong to a certain directory.

Now, just tell it to dump the files to your seperately mounted partition and let it do its thing. Make sure that it has enough free space! At the time of writing, the lastest stable version is 6.11.3, but I really recommend the 6.12-WIP version. That last one will warn you when the disk space on the receiving partition gets too low and pause. The other seemed to try to continue going, not saving the new files any more if there isn't room for them.

Note that because of the brute force method, running PhoteRec will take a long time. (It took about 4 hours on my 1TB partition.)

The order in which PhotoRec finds the files is related to where they are on the disk. If you have a rather "fresh" partition, they will be found in roughly chronological time of creation. After some time, the first recovered files will start popping up.

In order to view the progress, I also downloaded geeqie, an excellent (RAW) image viewer. You can compile from sources or search for a .pet file for Puppy (I found one for the version op Puppy I was using at the time).

Now that you can view the recovered files, you can delete them if you don't need them (eg, if you are certain that they are still on the disk, and not deleted). You can also get a few false positives. I, for instance, got a couple files of several GB: chunks of data that were falsely recognised as image files. They could of course not be read by geeqie. The biggest one was 90GB. It caused the partition where I was dumping the files to run out of space, so I just deleted it while PhotoRec was scanning the rest of the filesystem.

After finishing, you'll be left with a lot of files, spread over a lot of directories (each holding 10GB of files).

Geeqie should be able to read the files and also their creation date (embedded in the RAW files themselves), so you can sort on that to find the files you lost more easily.

An important remark: I found that all files have a size that is a multiple of 8MB. I have lots of files of 8MB and 16MB. Note that an average RAW for my camera will have a size of about 20MB, so something looks fishy there. Indeed, the actual RAW data in those files seems to be corrupted (cut off). I don't know if this is a bug that can easily be fixed (eg, misinterpreting the .CR2 format), or a symptom of the file system (the partition I used was ext4). Either way, I was still able to get the embedded JPEG out of the .CR2 files using dcraw, so the images are not completely lost. The images I deleted weren't that stellar any way, so just having the JPEGs is good enough for me.

2 comments:

  1. Thank you for your information on recovering files via extundelete..I have used extundelete on command line via live usb, and recovered files were listed with their location including the directory RECOVERED_FILES..this was however all in the command line results.
    on the desktop, I have: nil. none of these recovered files were available nowhere, whether on hard drive or usb. so even if they are somehow recovered, I dont know how to actually find them on my computer and get them back.
    strange thing is, as if they disappear when I log out of the live cd and reboot into the original system.

    could you maybe help me find them?
    Thank you for your time,
    Kind Regards,
    Phil.

    ReplyDelete
  2. This post saved me a giant headache, particularly the part about dcraw. Thank you very much for taking the time to write about your experience.

    ReplyDelete