Quick’n’dirty undelete pictures from memory card howto
Posted: February 14, 2008 Filed under: Tips | Tags: undelete fat32 pictures howto
I was asked by my wife if I could recover deleted pictures from a memory card for a coworker. Here is how I did it; it might be useful for others.
Dumping
The nice thing about Linux is that it lets you manipulate disks as files, making it possible to try every possible trick without fear of destroying data.
After putting the card into the card reader, I ran dmesg and found a few lines about the newly inserted device. From these lines I got the name of the raw device associated with the card. In my case it was mmcblk0p1.
I dumped the card by copying the device file to some tmp dir:
cp /dev/mmcblk0p1 ~/tmp/carddump
Getting a list of deleted files
After some googling, I found some useful information about FAT32 and how to undelete files here:
http://lists.slug.org.au/archives/slug/2006/05/msg00002.html
FAT32 keeps the file list at the beginning of the file system, and keeps the names of deleted files except for the first character.
As suggested at the link above, I had a look at the dump content with:
hexdump -C carddump | less
I found a set of IMG_nnnnJPG where nnnn is a number (and yes, that’s nnnnJPG, not nnnn.JPG). These were the “normal” files. I also found a set of MG_nnnnJPG. These were the deleted files I wanted to recover.
Using strings I grabbed a list of the deleted files:
strings carddump | head -n 2000 | grep '^MG_[0-9]*JPG' > deleted.lst
(2000 is just an empirical value. After 2000 I didn't get new file names.)
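A more precise alternative to the strings/grep listing above, as an added example that is not part of the original post: it reads the dump as 32-byte FAT directory entries and reports those whose first name byte is the deleted marker 0xE5, restoring the dot and decoding start cluster and size. It goes beyond the post by decoding the entry fields; the names deleted_entries, make_entry and SAMPLE, and the sample entries themselves, are constructed for illustration.

```python
import struct

DELETED = 0xE5      # FAT overwrites the first name byte with this on delete
ATTR_SKIP = 0x18    # volume label (0x08) or directory (0x10); long-name slots (0x0F) carry 0x08 too
NAME_CHARS = set(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 _-~!#$%&'()@^`{}")

def deleted_entries(image):
    """Return [(name, first_cluster, size)] for deleted 8.3 file entries.

    Heuristic: tests every 32-byte slot instead of walking the directory
    tree, so stale slots can show up. The lost first character is shown as '?'.
    """
    found = []
    for off in range(0, len(image) - 31, 32):
        entry = image[off:off + 32]
        attr = entry[11]
        if entry[0] != DELETED or attr & ATTR_SKIP:
            continue
        if attr & 0xC0 or not all(b in NAME_CHARS for b in entry[1:11]):
            continue  # reserved attribute bits, or bytes no short name can hold
        hi = struct.unpack_from("<H", entry, 20)[0]      # start cluster, high word
        lo, size = struct.unpack_from("<HI", entry, 26)  # low word, file size
        cluster = (hi << 16) | lo
        if cluster < 2 or size == 0:
            continue  # nothing to recover
        base = entry[1:8].decode("ascii").rstrip()
        ext = entry[8:11].decode("ascii").rstrip()
        found.append(("?" + base + ("." + ext if ext else ""), cluster, size))
    return found

def make_entry(name11, attr, cluster, size):
    """Build one constructed 32-byte directory entry (sample data only)."""
    return struct.pack("<11sB8xH4xHI", name11, attr, cluster >> 16,
                       cluster & 0xFFFF, size)

SAMPLE = b"".join([  # constructed entries, not taken from a real card
    make_entry(b"IMG_0001JPG", 0x20, 3, 2048),                 # live file
    make_entry(b"\xe5MG_0042JPG", 0x20, 5, 123456),            # deleted file
    make_entry(b"\xe5m\x00g\x00_\x000\x000\x00", 0x0F, 0, 0),  # deleted long-name slot
    make_entry(b"\xe5LDDIR     ", 0x10, 9, 0),                 # deleted directory
])

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for name, cluster, size in deleted_entries(data):
        print(f"{name}\tcluster={cluster}\tsize={size}")
```

Run it with the path of the dump as the only argument to list candidates from a real image; without an argument it prints the result for the constructed sample.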
Full path
fsck.vfat is capable of undeleting a file, but it needs the full path to the file, not just the filename.
I mounted the card and had a look at the folder names to find where the images were stored. In my case, it was in /dcim/100canon.
Undelete!
Now I was all set. I made a backup of the dump (it's faster to copy files on the hard disk than from the memory card):
cp carddump carddump.old
Then ran this bit of shell script:
while read -r x ; do
  # Put back the leading "I" and the dot before JPG, then undelete by full path
  sudo fsck.vfat -au "/dcim/100canon/I${x/JPG/.JPG}" carddump
done < deleted.lst
(Note that I integrated the full path found before and did a bit of shell hackery to add back the missing dot before JPG.)
Mount the dump
I then mounted the dump to check the result:
mkdir foo
sudo mount -o loop carddump foo
gwenview foo
And was happy to find 167 new files, of which 165 were complete. Coworker is happy!
PS: This method only works for FAT32 (and FAT16 probably) and for files which have been deleted. It won’t work if the file system is damaged. In this case you will probably want to try specialized tools like Photorec or Foremost, as suggested by another user of the mailing list I quoted.
Easier and more fully featured: http://www.cgsecurity.org/wiki/PhotoRec
@Bimbo: looks a lot like the link I mentioned in my PS 🙂
Still, this method is probably faster than Photorec because it takes advantage of the “undelete” feature of the fat32 filesystem whereas Photorec uses the more brute-force way of scanning the whole disc. Of course, it’s nowhere as powerful as what Photorec can do.
Very informative for me, thank you 🙂
Some time ago, I used “The Coroner's Toolkit” (TCT) to do basically the same thing. Worked quite well for me.
Yet another approach, useful for fragmented files:
http://barrapunto.com/~ninjalj/journal/23291
[…] this is the blog post I was thinking of. Thanks to Tobias who pointed me to Jakub’s blog which had […]
Yay, my pictures are saved! You, sir, are the man.
thanks a lot for this howto, Aurélien! I used it *after* having tried photorec, and with better results, as it recovered the names of my raw files correctly. So I keep it in my ‘hot howto’ list.
Best regards – Markus
[…] clears the /tmp space at that occasion. bummer! but: search engines to the rescue, in this case Aurélien’s room – it is no problem to recover deleted files from a vfat file system. so i did not lose a […]
Thanks for the write-up! Very useful.