Although FAT32 or FAT16 are very old file systems, which reflects on their poor performance in comparison with other file system alternatives they are still widely used by many electronic devices. Usually, these devices include USB stick's, digital cameras , camcorders and etc. Chances are that you own and store personal data on a device with FAT flesystem is very high as is a likelihood of an accidental deletion of your important data. In this article we will use testdisk utility to undelete files from FAT file system.
OOPS.. I have accidentally removed a video file from my camcorder ! The first thing before we start panic is to unmount USB device and create a low level backup of the device partition with a dd command.
If from any reason you cannot unmount your device, remount it with read-only permissions:
# mount -o remount,ro /dev/sdX
Any data written or file manipulation after accidental file removal will weaken our chances for deleted file recovery. On the other hand creation of a low level backup with dd command gives us an opportunity for unlimited recovery attempts since we are always able to put the entire partition back bit by bit exactly as it was right after accidental file deletion.
After file deletion from a FAT file system the actual file was not removed immediately, but the sectors on which the file resides is now available to be overwritten. From this reason a backup of the entire partition:
# dd if=/dev/sdX of=/my/storage/backup_sdX.dd
To recover a backup for *.dd file we simple reverse the process:
# dd if=/my/storage/backup_sdX.dd of=/dev/sdX
To test testdisk recovery utility we will create a vfat file system, store video.mp4 and readme.txt files, get md5sum and simply remove and undelete both files.
Disk /dev/sdc: 2001 MB, 2001731584 bytes 62 heads, 62 sectors/track, 1017 cylinders Units = cylinders of 3844 * 512 = 1968128 bytes Disk identifier: 0x00000000 Device Boot Start End Blocks Id System /dev/sdc1 1 102 196013 6 FAT16
b9202e11fdad87ce520d6fb827d6e591 readme.txt b3f9373b1dcec8e929e3ebad7058c997 video.mp4
# uname -a Linux desktop 2.6.32-21-generic #32-Ubuntu SMP Fri Apr 16 08:10:02 UTC 2010 i686 GNU/Linux # cat /etc/issue Ubuntu 10.04 LTS
The best and easiest recovery utility to undelete deleted files is testdisk. testdisk package is available from Ubuntu / Debian package repository and therefore installation of testdisk is therefore more than simple:
# apt-get install testdisk
To start undelete process we need to execute testdisk command:
# testdisk /dev/sdX
TestDisk 6.11, Data Recovery Utility, April 2009 Christophe GRENIER http://www.cgsecurity.org TestDisk is free software, and comes with ABSOLUTELY NO WARRANTY. Select a media (use Arrow keys, then press Enter): Disk /dev/sdd - 2001 MB / 1909 MiB - Verbatim STORE N GO [Proceed ] [ Quit ]
Select your disk and enter Proceed.
TestDisk 6.11, Data Recovery Utility, April 2009 Christophe GRENIER http://www.cgsecurity.org Disk /dev/sdd - 2001 MB / 1909 MiB - Verbatim STORE N GO Please select the partition table type, press Enter when done. [Intel ] Intel/PC partition [EFI GPT] EFI GPT partition map (Mac i386, some x86_64...) [Mac ] Apple partition map [None ] Non partitioned media [Sun ] Sun Solaris partition [XBox ] XBox partition [Return ] Return to disk selection Note: Do NOT select 'None' for media with only a single partition. It's very rare for a drive to be 'Non-partitioned'.
Usually we want to select a default partition type since teskdisk by defualt tries to find the correct partition type. In our case it is the Intel/PC partition.
TestDisk 6.11, Data Recovery Utility, April 2009 Christophe GRENIER http://www.cgsecurity.org Disk /dev/sdd - 2001 MB / 1909 MiB - CHS 1017 62 62 [ Analyse ] Analyse current partition structure and search for lost partitions [ Advanced ] Filesystem Utils [ Geometry ] Change disk geometry [ Options ] Modify options [ MBR Code ] Write TestDisk MBR code to first sector [ Delete ] Delete all data in the partition table [ Quit ] Return to disk selection Note: Correct disk geometry is required for a successful recovery. 'Analyse' process may give some warnings if it thinks the logical geometry is mismatched.
Select Advanced Filesystem Utils.
TestDisk 6.11, Data Recovery Utility, April 2009 Christophe GRENIER http://www.cgsecurity.org Disk /dev/sdd - 2001 MB / 1909 MiB - CHS 1017 62 62 Partition Start End Size in sectors 1 P FAT16 >32M 0 1 1 101 61 62 392026 [ Type ] [ Boot ] [Image Creation] [Undelete] [ Quit ] File undelete
At this stage we need to select a desired partition and choose Undelete.
TestDisk 6.11, Data Recovery Utility, April 2009 Christophe GRENIER http://www.cgsecurity.org 1 P FAT16 >32M 0 1 1 101 61 62 392026 Directory / -rwxr-xr-x 0 0 36657441 4-Jul-2010 17:08 video.mp4 -rwxr-xr-x 0 0 14 4-Jul-2010 17:08 readme.txt Use Right arrow to change directory, c to copy, h to hide deleted files, q to quit
At this stage we simply select desired file to recover and hit "c" key to copy into our current directory so answer Y. Once Copy is done quit from tesdisk utility with "q" key.
TestDisk 6.11, Data Recovery Utility, April 2009 Christophe GRENIER http://www.cgsecurity.org 1 P FAT16 >32M 0 1 1 101 61 62 392026 Directory / Copy done! -rwxr-xr-x 0 0 36657441 4-Jul-2010 17:08 video.mp4 -rwxr-xr-x 0 0 14 4-Jul-2010 17:08 readme.txt
Let's compare a md5sum of both recovered files with md5sum both original files:
root@desktop:~/recovered# ls readme.txt testdisk.log video.mp4 root@goldstein-desktop:~/recovered# md5sum readme.txt video.mp4 b9202e11fdad87ce520d6fb827d6e591 readme.txt b3f9373b1dcec8e929e3ebad7058c997 video.mp4
As we can see the process of recovering deleted files using testdisk Data Recovery Utility can not be more simple. As a result of our test both recovered files have same md5sum as the original files.