Recently, I was searching for a bunch of photographs on all of my harddisks, and couldn’t find them. I know they had been there on the old notebook and on the old computer, and I thought I had copied them over. I could also not find them on any of my backup harddisks. Neither could I find any of the backup DVD’s containing the files that I was searching.
So I wanted to see if I could salvage them from an old hard-disk that I formatted and re-purposed. Actually, I installed a new operating system on that harddrive, but didn’t use it a lot. So, with regular tools that query the filesystem directly, you wouldn’t find a trace. From an eposide of hak5 I remembered that scalpel is a tool for just that. Scalpel is a data forensics tool, that scraps through all the blocks of a raw harddisk, searching for headers and footers of known file formats. This works fine as long as the blocks belonging to a file are arranged linearly, which is not always the case. So I did a quick read up on how it works, and gave it a try.
Basically, all I had to do is un-commenting the line with the jpg header definition, and run scalpel on the raw device file (e.g. /dev/sdc1 ) while providing an output folder. That way, thousands of jpeg’s were restored. Lots of them were corrupted due to them not being linearly distributed on the disk. But still lots of files were usable. I’m still looking for the backup DVD’s, but at least I have a fall-back now.
Update 30. July 2014:
If the partition is still intact, testdisk might lead to better results.
Leave a Reply