Recovering deleted photos with Linux using 'foremost'


Post by ^rooker

[PROBLEM]
Recently, I've cut (instead of copied) images from an SD card to my hard disk, but the adapter caused data corruption, so the files arrived broken on my HDD and were erased from the SD card. Yeah. Great.

[SOLUTION]
An SD card is (usually) formatted with the vfat (FAT32) or fat (FAT16) filesystem.
(Note: the same procedure works for USB sticks, etc., too.)

Here's what I did to recover the lost photos:
a) Take a binary image of the partition on the SD card to work with:

    dd if=/dev/sda1 of=/path/to/image/of/sdcard.bin

b) Install and run "foremost" on this image.
("foremost" is a forensic tool which comes in the default repositories of major distributions, e.g. Ubuntu.)

    apt-get install foremost
    foremost -i sdcard.bin -T temp

Now foremost will work on that image and try to find patterns of files on that partition, which it will recover and output by their filetype, in a folder called "output_CURRENT_DATE".

Note: From what I've seen so far, foremost does not preserve folder structures or filenames and only recovers the file data itself.
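Added example (not part of the original post and not foremost's own code): a simplified header/footer carver for JPEGs, showing what "finding patterns of files" means on a raw image and why names and folders are not recovered. The sample image, the size cap and the function names are constructed for illustration.

```python
# Simplified illustration of signature-based file carving on a raw image.
JPEG_HEADER = b"\xff\xd8\xff"   # start-of-image marker plus next marker byte
JPEG_FOOTER = b"\xff\xd9"       # end-of-image marker
SECTOR = 512
MAX_SIZE = 20 * 1024 * 1024     # assumed cap on how far to look for a footer


def carve_jpegs(image: bytes, max_size: int = MAX_SIZE):
    """Return (offset, data) for every header..footer span found in image."""
    found, pos = [], 0
    while True:
        start = image.find(JPEG_HEADER, pos)
        if start == -1:
            break
        end = image.find(JPEG_FOOTER, start + len(JPEG_HEADER), start + max_size)
        if end == -1:
            # Header without a footer in range: overwritten or fragmented file.
            pos = start + 1
            continue
        end += len(JPEG_FOOTER)
        found.append((start, image[start:end]))
        pos = end
    return found


def pad(data: bytes) -> bytes:
    """Pad data with zero bytes up to the next sector boundary."""
    return data + b"\x00" * (-len(data) % SECTOR)


def build_sample_image():
    """Constructed test data: a name-only directory sector, two intact fake
    JPEGs and one whose tail (and footer) is gone."""
    photo1 = JPEG_HEADER + b"\xe0" + b"first picture" + JPEG_FOOTER
    photo2 = JPEG_HEADER + b"\xe1" + b"second picture" + JPEG_FOOTER
    truncated = JPEG_HEADER + b"\xe0" + b"lost tail"
    directory = pad(b"IMG_0001JPG")  # the carver never interprets this sector
    image = directory + pad(photo1) + pad(photo2) + pad(truncated)
    return image, [photo1, photo2]


if __name__ == "__main__":
    image, _ = build_sample_image()
    for offset, data in carve_jpegs(image):
        # The name comes from the sector offset, since only content was matched.
        print(f"{offset // SECTOR:08d}.jpg  {len(data)} bytes at offset {offset}")
```

The carver only matches byte signatures in the data area and never parses the FAT directory, so the original filename in the first sector has no link to the recovered bytes.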