Article: Andy Collinson
Overview
When a file is deleted, its content may still be recoverable. A lot depends on the file system used, the amount of free space left on the media,
and the operating system. Two programs available to help in this quest are
Testdisk and Photorec.
Both are open source and available for Linux, Mac and Windows. The majority of removable drives such as memory sticks use a file system called FAT32. Testdisk and Photorec can work with
FAT32, NTFS and Linux file systems. If the file system is full or the media is damaged, it may or may not be possible to recover some or all of the data.
Recently I accidentally deleted a picture (that I wanted to keep) from my camera. Was it possible to recover the deleted file? The
answer was yes, using testdisk. I then tried a full format of the memory stick and was again able to recover a full set of images using photorec. This
article shows how to recover data from memory cards using only free software. Depending on the memory stick and camera it may not be possible to
retrieve deleted data from certain media.
Recuva
I successfully used photorec and testdisk, which are both command driven, but wondered if there was anything similar for Windows with a graphical
interface. A search on Google listed many programmes; however, some that claimed to be free were not free and required payment or were time-limited demos.
I did eventually find a few free programs but the results were not good :( then I found Recuva (pronounced "Recover").
Download Link for Recuva
Recuva works with XP, Vista and Windows 7 and works with FAT32 and NTFS file systems only. Once installed you just need to know which drive letter
is assigned to the memory card. The memory card is usually marked as removable media and the drive letter can be found from Windows Explorer.
Once installed and run, the program starts with a wizard guide which can be skipped if desired. The next screen is drive choice and is shown
below:
After selecting drive H: and pressing the recover button, the first scan results in no data found. Recuva suggests a deeper scan. As Recuva can
work with hard drives, not just memory sticks, a message is displayed that it may take one hour.
A single photograph was found in a matter of seconds. Could it work if the memory stick was formatted? Well yes it could. The deeper scan this
time found 54 images, which is the maximum that can be displayed on the Sony 128M memory stick.
All filenames are highlighted and then recovered to the computer hard drive or CD-ROM etc. I should note that the memory stick has a Windows FAT32
file system. When an image is deleted, just the first character of the filename is overwritten. The format in the camera makes you think twice about data security.
The camera is a few years old and later cameras may have a more secure format feature.
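What that single overwritten character looks like in a FAT directory, as an added example (not from the original article): on FAT, deletion sets the first byte of the file's 32-byte directory entry to 0xE5 and leaves the rest of the entry, including start cluster and size, in place. The sample directory, file names and function names below are constructed for the illustration.

```python
import struct

ENTRY_SIZE = 32
DELETED = 0xE5       # first name byte of a deleted entry
END_OF_DIR = 0x00    # first name byte of an unused slot: no entries follow
ATTR_LFN = 0x0F      # long-file-name slots, skipped in this sketch

def make_entry(name, ext, cluster, size, deleted=False):
    """Build one constructed 32-byte 8.3 directory entry."""
    raw = bytearray(ENTRY_SIZE)
    raw[0:8] = name.ljust(8).encode("ascii")
    raw[8:11] = ext.ljust(3).encode("ascii")
    raw[11] = 0x20                            # archive attribute
    struct.pack_into("<H", raw, 26, cluster)  # first cluster (low word)
    struct.pack_into("<I", raw, 28, size)     # file size in bytes
    if deleted:
        raw[0] = DELETED                      # deletion changes only this byte of the entry
    return bytes(raw)

def list_entries(directory):
    """Return (name, deleted, first_cluster, size) for each 8.3 entry."""
    found = []
    for off in range(0, len(directory) - ENTRY_SIZE + 1, ENTRY_SIZE):
        e = directory[off:off + ENTRY_SIZE]
        if e[0] == END_OF_DIR:
            break
        if (e[11] & 0x3F) == ATTR_LFN:
            continue
        deleted = e[0] == DELETED
        first = "_" if deleted else chr(e[0])   # shown as "_", as in testdisk's listing
        stem = (first + e[1:8].decode("ascii", "replace")).rstrip()
        ext = e[8:11].decode("ascii", "replace").rstrip()
        cluster, size = struct.unpack_from("<HI", e, 26)
        found.append((f"{stem}.{ext}" if ext else stem, deleted, cluster, size))
    return found

# Constructed sample directory: one live photo, one deleted photo, end marker.
SAMPLE_DIR = (make_entry("DSC00001", "JPG", 3, 2400000)
              + make_entry("DSC00002", "JPG", 150, 2300000, deleted=True)
              + bytes(ENTRY_SIZE))

if __name__ == "__main__":
    for row in list_entries(SAMPLE_DIR):
        print(row)
```

The deleted entry still carries its start cluster and size, which is why an undelete can succeed until those clusters are reused.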

Testdisk
Testdisk is produced by Christophe Grenier under the GNU FDL license and runs on FreeBSD, Linux, Mac, Unix and Windows. You can download a copy from
Christophe's web site, CG Security. Testdisk can recover files from most media (hard disks, USB memory
sticks, Smart Card, CD-ROM, DVD, etc.) and works with many different file systems: ext2/3, Reiser, HFS, NTFS and others. It has features for novices
and experts, although just basic use is shown here.
Starting Testdisk
Testdisk is run in a terminal (Command Prompt for Windows) and is available for Windows, Linux, FreeBSD and Mac. Before starting you may need admin
rights to access the physical device.

To start, open a terminal (as root) and type testdisk.

On Windows, click on testdisk_static.exe. You need to right-click and choose Run as Administrator if using Vista or Windows 7.
Recovering Deleted Images
The following recovery screenshots are all done from a working Linux installation. The commands used in testdisk are the same for any operating
system. After starting testdisk the first screen is device selection.

The device is listed using Linux naming conventions, so it will appear as /dev/sdx where "x" represents the block device (memory, hard disk etc).
With a memory stick the device name "Sony" and size 129M is also displayed. If you had several entries and were unsure which device was connected,
you can use the command "dmesg". Under Linux, any removable media connected to a running system is logged and events are written to /var/log/messages.
The kernel message file can be read by typing "dmesg" without the quotes, example below:
USB Mass Storage support registered.
scsi 8:0:0:0: Direct-Access Sony Sony DSC 5.00 PQ: 0 ANSI: 0 CCS
sd 8:0:0:0: Attached scsi generic sg3 type 0
sd 8:0:0:0: [sdc] 253696 512-byte logical blocks: (129 MB/123 MiB)
sd 8:0:0:0: [sdc] Write Protect is off
The important information is the name sdc, showing that the whole media has been detected as sdc. If the device contained partitions, then these
would simply be numbered in partition order, starting with sdc1, sdc2 and so on.
sdc is selected; use Tab to move to Proceed and press Enter.

The above screen requires a partition table to be selected. An Intel partition table is always created on any media that Windows has to access.
So a memory card used in a camera or USB flash drive will always contain an Intel partition table.

The above screen shows the utilities on testdisk. Analyse is used to find data on the partition and is selected.

After analysing the partition (shown above), the size of the file system is shown, 129M, along with the file system type, FAT16.

The above screen is the device's geometry, shown in cylinders, heads and sectors (CHS) format. This should not be touched unless some partitions are
missing. In our case it's a memory card and has a single partition, so the warning can be ignored and Continue is pressed.

The above screen now highlights the entire memory card in green. There are options at the bottom; we need to descend into the partition, so
p is pressed to list the files.

After pressing P three files are shown using unix file permissions. The pictures on a Sony camera are created in a folder called 101MSDCF under
a parent directory DCIM. The down arrow is used to select DCIM and enter pressed.

The above screen now shows the folder 101MSDCF where the actual photos are stored. On this screen an option c is presented to copy the whole
directory, however I am only interested in recovering the deleted image. Enter is pressed while 101MSDCF is selected.

The above screen finally shows the images on the memory stick. The deleted image is shown highlighted in red; only the first character of the
filename is replaced by an underscore. Using the cursor keys, the deleted image (or images) is selected and c for copy is pressed.

You are now given a choice of where to save the recovered files. You can save to home or any other directory, press "Y" to confirm.

The above screen is confirmation that the file has been copied. You can now press q to quit.

After pressing q you are greeted with more options. Simply use the cursor keys and quit the program. Also note that in this case no information was
ever written to the media. It may look more complex but only takes about a minute to navigate the options, much less time than it took for me to write
this page.

Photorec
Photorec is produced by Christophe Grenier under the GNU FDL license and runs on FreeBSD, Linux, Mac, Unix and Windows. You can download a copy from
Christophe's web site, CG Security. Photorec can recover files from most media: hard disks, USB memory
sticks, Smart Card, CD-ROM, DVD, etc.
Starting Photorec
Testdisk is run in a terminal (Command Prompt for Windows) and is available for Windows, Linux, FreeBSD and Mac. Before starting you may need admin
rights to access the physical device.

To start, open a terminal (as root) and type photorec.

On Windows, click on photorec_win.exe. You need to right-click and choose Run as Administrator if using Vista or Windows 7.
Recovering a card from a Format
Once started, Photorec will ask for a drive selection. Note that in my case PClinux gives full access to memory cards and smart media; if the device
was a hard drive then Photorec would need to be started with root privileges. The screenshots are similar for Windows, except that under Windows
removable media is assigned a single drive letter e.g. H:

The memory stick can be accessed via a computer card reader or connected via a USB lead connected to the camera. The memory is identified by its
drive name and media size, in this case /dev/sdc and 129M. After clicking on Proceed the next screen shows:
PhotoRec 6.11.3, Data Recovery Utility, May 2009
Christophe GRENIER <grenier@cgsecurity.org>
http://www.cgsecurity.org
1 * FAT16 >32M 0 2 2 989 15 16 253407
To recover lost files, PhotoRec need to know the filesystem type where the
file were stored:
[ ext2/ext3 ] ext2/ext3/ext4 filesystem
[ Other ] FAT/NTFS/HFS+/ReiserFS/...
All memory cards are formatted as FAT32 or NTFS so [Other] is chosen:
PhotoRec 6.11.3, Data Recovery Utility, May 2009
Christophe GRENIER <grenier@cgsecurity.org>
http://www.cgsecurity.org
1 * FAT16 >32M 0 2 2 989 15 16 253407
Please choose if all space need to be analysed:
[ Free ] Scan for files from FAT16 unallocated space only
[ Whole ] Extract files from whole partition
As my memory card was formatted then [Whole] partition is selected. The next screen asks where to save the recovered files:
PhotoRec 6.11.3, Data Recovery Utility, May 2009
Christophe GRENIER <grenier@cgsecurity.org>
http://www.cgsecurity.org
Do you want to save recovered files in /home/anc ? [Y/N]
Do not choose to write the files to the same partition they were stored on.
To select another directory, use the arrow keys.
drwxr--r-- 500 500 12288 15-May-2011 20:53 Desktop
drwx------ 500 500 4096 14-May-2011 00:05 Documents
drwx------ 500 500 4096 10-May-2011 22:57 Downloads
drwx------ 500 500 4096 15-May-2011 20:42 tmp
drwxr-xr-x 500 500 4096 15-May-2011 20:51 tmp1
A temp folder was selected and the selection is confirmed by typing "Y".
PhotoRec 6.11.3, Data Recovery Utility, May 2009
Christophe GRENIER <grenier@cgsecurity.org>
http://www.cgsecurity.org
Do you want to save recovered files in /home/anc/tmp1 ? [Y/N]
Do not choose to write the files to the same partition they were stored on.
To select another directory, use the arrow keys.
drwxr-xr-x 500 500 4096 15-May-2011 20:51 .
drwx------ 500 500 4096 15-May-2011 20:53 ..
drwxr-xr-x 500 500 4096 15-May-2011 20:48 recup_dir.1
As there is only 1 partition on a memory card, it is selected with cursor keys.
PhotoRec 6.11.3, Data Recovery Utility, May 2009
Christophe GRENIER <grenier@cgsecurity.org>
http://www.cgsecurity.org
Disk /dev/sdc - 129 MB / 123 MiB (RO) - Sony Sony DSC
Partition Start End Size in sectors
1 * FAT16 >32M 0 2 2 989 15 16 253407
54 files saved in /home/anc/tmp1/recup_dir directory.
Recovery completed
.
jpg: 54 recovered
After pressing enter Photorec went to work. It took just 18 seconds to recover 54 files. All files were recoverable.
Summary
Depending on the camera model and type of memory card it may be possible to use these techniques to recover some data. Early cameras may use a
FAT16 or FAT32 file system and the camera format may not be considered secure. However I should point out that only previous images before a format
can be recovered. If you are worried about data security then it may be better to use data shredder software. The Linux command "shred" was
tried and no data could be recovered after using the shred command. Later cameras may also have a more secure format so on some models it may not
be possible to recover any data.
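The difference between the camera format and an overwrite, as an added example (not from the original article): a simplified signature scan of the kind file-carving tools use, run over a constructed toy card image. The image layout, the metadata-only model of the format and all function names are assumptions made for the illustration; the same scan run over an image of a wiped card is a quick check that no JPEG data is left.

```python
SOI = b"\xff\xd8\xff"   # JPEG start-of-image marker plus the next marker's lead byte
EOI = b"\xff\xd9"       # JPEG end-of-image marker
SECTOR = 512
META = 8 * SECTOR       # constructed stand-in for boot sector, FAT and root directory

def carve_jpegs(image):
    """Return (offset, length) of every SOI..EOI span in the raw bytes."""
    hits, pos = [], 0
    while True:
        start = image.find(SOI, pos)
        if start < 0:
            return hits
        end = image.find(EOI, start + len(SOI))
        if end < 0:
            return hits
        hits.append((start, end + len(EOI) - start))
        pos = end + len(EOI)

def build_card(bodies):
    """Constructed toy card: metadata area, then sector-aligned photo data."""
    card = bytearray(b"\x01" * META)
    for body in bodies:
        data = SOI + b"\xe0" + body + EOI
        card += data + bytes(-len(data) % SECTOR)
    return card

def format_metadata_only(card):
    """Assumed model of the camera format: only the metadata area is rewritten."""
    out = bytearray(card)
    out[:META] = bytes(META)
    return out

def overwrite_all(card):
    """Model of a full overwrite pass; zeros keep the result deterministic."""
    return bytearray(len(card))

CARD = build_card([b"A" * 1000, b"B" * 700])   # two constructed "photos"

if __name__ == "__main__":
    print("before format:", carve_jpegs(CARD))
    print("after format: ", carve_jpegs(format_metadata_only(CARD)))
    print("after wipe:   ", carve_jpegs(overwrite_all(CARD)))
```

Real photos often embed thumbnails with their own markers and may be fragmented, so real carving tools do more than this scan.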