Testdisk searches for files by extension. Recovering data from a RAW partition using TestDisk

A very advanced utility designed for all kinds of recovery work. Despite its name, the package consists of a trio of utilities: TestDisk, PhotoRec and FIdentify. In this particular case we will look at a method for recovering accidentally deleted files from a removable storage device, for example a flash drive. In general, the utility is so powerful that a description of all its capabilities and settings does not fit the format of this article, so we will analyze in detail only the easiest recovery method, to give a general understanding of the process.

A few words about the content, briefly and in general terms.

"TestDisk" - can fix partition tables, recover deleted partitions and files, copy files, fix boot sectors, and restore the "MFT" and superblocks from copies.

"PhotoRec" - can recover files from any media and any file system, even a damaged one, but only in "RAW".

"FIdentify" - a kind of extension, an addition to "PhotoRec", which most accurately identifies recoverable files by their extension.

For our specific task we will use the utility "PhotoRec", because its capabilities for recovering files are the most advanced and it can sometimes restore what "TestDisk" cannot. First, let's install the program:

sudo apt-get install testdisk

Launch the utility:

After you enter the password, the utility will launch and show which drives it was able to detect. In this case, in the screenshot below, a disk (flash drive) with a size of 500 (512) MB is highlighted. Use the up/down arrow keys to select the required disk (flash drive) and press "Enter". Note that in almost all cases the utility selects the required item automatically, where possible.

The next window shows the file system of the selected disk, "FAT32". "Search" should be highlighted in the lower left corner; press "Enter".

In the next step, select the value "Other", which corresponds to our file system, "FAT32"; it is usually the default. Press "Enter".

Next, we again have two options to choose from: "Free" - the utility will scan only free space; "Whole" - everything will be scanned. To restore a single file or even, say, a music collection, the "Free" option is enough. Select what you want and press "Enter".

In the next step, you are prompted to select a directory in which to save the recovered files. Choose the one you need and press "Enter".

Here you do not need to touch anything; press the "Y" key and the process will start.

I missed taking a screenshot of the process itself, but when it ends, you will receive the following message:

This means that everything is finished, and you can go to the chosen directory and look for your files. A few words about what you get in the end. "PhotoRec" is very good at finding any files, but this is also its disadvantage: in addition to the files you were looking for, all files that were in the scanned space will be found and restored, and there can be quite a lot of them. The second unpleasant point is that the utility changes file names, replacing them with alphanumeric values. If many files were recovered, finding the one you need by simply browsing may be difficult. The best option in this case is to go to the directory and use search, typing only the file extension into the search bar. For example, if you restored a graphic file with the extension "PNG", enter ".png" into the search; this makes it much easier to find the file you need.

Positive characteristics

Negative characteristics

  • Although it is perfectly controlled from the terminal, it would have been possible to create a graphical interface a long time ago.

As you understand, these are not all the capabilities of the program; we are considering only the specifics here, so as not to burden ourselves with unnecessary things. Those who want to study the full power of this utility in more detail can visit this resource.

TestDisk is an open-source program distributed under the GNU General Public License.

TestDisk is a powerful free data recovery program. It was developed to restore lost partitions and the ability of disks to boot. It restores partition tables, and you can also restore individual files from the list without restoring the entire partition, which is very convenient. TestDisk is also convenient to use for analysis.

Let's look at an example of recovering individual files in the Xubuntu operating system.

Installing TestDisk in Xubuntu:

$ sudo apt install testdisk

Launch the program TestDisk:

$ sudo testdisk

The program's welcome window will open. Choose Create a new log file. Press Enter:

In the next window, select the medium (disk) on which the data to be recovered is located, and Proceed. Press Enter:

A list of operations will appear in the next window. Choose . Press Enter:

Select the required partition and the command . Press Enter:

You can see all the content on the selected media:

Use the Up and Down arrow keys and Enter to find the desired directory. Deleted files that can be recovered are shown in red:

Select the folder or file and press the c key, then in the window that opens select the directory in which to save the file, and press the c key again. If you need to return to the previous window, press the q key:

The recovery process has begun:

After the recovery and copying process is completed, the program will return you to the directory with the restored files, where you can select other documents, images, folders.

To be fair, it should be noted that not all recovered files can be used. Some are damaged and cannot be opened. But in this example the last folder, deleted a week ago, was completely restored, with both documents and images 100% intact. Whereas the previous one had broken files, although it was deleted 6 days later.

What else can TestDisk do?

  • correct the partition table, restore deleted partitions;
  • restore the FAT32 boot sector from a backup copy;
  • rebuild the FAT12/FAT16/FAT32 boot sector;
  • correct the FAT table;
  • rebuild (reconstruct) the NTFS boot sector;
  • repair the NTFS boot sector from a backup copy;
  • restore the MFT using the MFT mirror;
  • locate the backup SuperBlock of ext2/ext3/ext4;
  • restore deleted files on FAT, NTFS and ext2 file systems;
  • copy files from deleted FAT, NTFS and ext2/ext3/ext4 partitions.

TestDisk supports operating systems:

  • DOS (real or in Windows 9x, DOS-box);
  • Windows (NT4, 2000, XP, 2003, Vista);
  • Linux;
  • FreeBSD, NetBSD, OpenBSD;
  • SunOS;
  • MacOS.

TestDisk works with file systems:

  • BeFS (BeOS);
  • BSD disklabel (FreeBSD/OpenBSD/NetBSD);
  • CramFS, Compressed File System;
  • DOS/Windows FAT12, FAT16 and FAT32;
  • Windows exFAT;
  • HFS, HFS+ and HFSX, Hierarchical File System;
  • JFS, IBM's Journaled File System;
  • Linux ext2, ext3 and ext4;
  • Linux LUKS encrypted partition;
  • Linux RAID md 0.9/1.0/1.1/1.2;
    • RAID 1: mirroring;
    • RAID 4: striped array with parity device;
    • RAID 5: striped array with distributed parity information;
    • RAID 6: striped array with distributed dual redundancy information;
  • Linux Swap (versions 1 and 2);
  • LVM and LVM2, Linux Logical Volume Manager;
  • Mac partition map;
  • Novell Storage Services NSS;
  • NTFS (Windows NT/2000/XP/2003/Vista/2008);
  • ReiserFS 3.5, 3.6 and 4;
  • Sun Solaris i386 disklabel;
  • Unix File System UFS and UFS2 (Sun/BSD/...);
  • XFS, SGI's Journaled File System.

Greetings dear readers!

Just recently I posted an article about a data recovery program. But unfortunately, I didn't think about the fact that not all users would be able to handle it... Today I want to fix this problem. Some users asked me to do a video review, but at the moment I'm on vacation :)) and so I don't have the right material at hand, that is, no installed Windows and no damaged removable media. So I decided to make a simple selection of screenshots describing all the actions!

All screenshots will be taken from the Linux operating system. But in Windows all the functions will be the same.


1. This window offers to keep a log file of all the work. I think that in this situation it does not make sense, although you may think otherwise, so select the desired option and confirm the choice by pressing Enter.

2. The required media appears, select the desired one and confirm by pressing Proceed.

3. Next we are asked to select the type of partition table; in most cases this is the type Intel/PC Partition.

4. A menu appears with the choice of operation. To begin, select the item Analyze to perform disk analysis.

5. In the Analyze section, choose Quick Search.

6. Once again we confirm and see that an analysis is being carried out.

7. After the analysis is completed, you can begin data recovery. At the moment we are interested in 2 actions.

  • Get the list of the files we are interested in by pressing P
  • Try to load a backup copy of the partition table by pressing L. This will return the device to the state it was in before it broke down.

We will display the list of files by pressing P

From here you can try to copy especially important files and folders, especially if you are afraid that the data will not be restored and that you will instead lose the last information you have, even if it is damaged. Highlight the necessary information and press C to copy it. Select the folder where these files will be saved; in Windows, these files are saved in the same folder where the program itself is located.

8. Let's say that, in your opinion, the particularly important information has been saved. Now we will restore the disk to its original form, that is, to what it was before it broke. To do this, press the Q key to go back to step 7.

Let's try to return the media to its previous state. Press L. In the window that appears, select Load

And at the program's request, confirm the choice by pressing Y

We wait for the restoration process to finish, and then rejoice that all our data is restored and the media works as before.
I wish everyone a successful recovery of lost data, and even better, that this does not happen to anyone! Because I, like no one else, know what it's like to lose very important data that you've been working on for weeks, or even months.

Once again I would like to apologize to the readers for what I did not foresee. And for the fact that at the moment I only posted screenshots.


  • Letter No. 1. Please suggest a solution to my problem. A partition with important data has disappeared from my hard drive. I tried to use the program, I did everything as written in your article, but to no avail; Acronis Recovery Expert writes that no deleted partitions were found on your hard drive. I also tried to use the TestDisk program, but apparently I'm doing something wrong; the instructions for the TestDisk program on the official website are half in Russian and half in English, and I could not manage this work: http://www.cgsecurity.org/wiki/TestDisk_step_by_step.
  • Administrator's note: Dear friends, the site has three more instructions for working with free but effective utilities for recovering deleted hard drive partitions: , and . A deleted partition can also be restored with the paid program Acronis Disk Director.
  • Letter No. 2. Tell me, how do I use TestDisk? After an emergency power outage my operating system stopped loading. After booting from a Livecd, I discovered that my whole HDD had become unallocated space, and there used to be two partitions, C and D; Windows 7 was installed on C, and very necessary files were on D. I found information online about the free TestDisk program and downloaded it from the official website http://www.cgsecurity.org/wiki/TestDisk_Download. By the way, there are instructions there for working with the program, namely how to recover a deleted partition from a hard drive formatted with the NTFS file system. I disconnected my hard drive and went to a friend; we connected my hard drive to his system unit, and instead of my partitions there was the same unallocated space.
    Following the instructions, when starting TestDisk I select (Create), then in the window that appears I select my hard drive from the list and press Enter, then select the desired type of partition table; the correct value is always already selected by default, since TestDisk detects the table type automatically (Intel). Then I leave (Analyse) selected to check the partition structure of the hard drive and search for "lost" partitions. Next, in the official instructions, a window appears with the current partition structure, but I have this,
    , I haven't found information about what this means anywhere on the Internet and I don't know whether I should continue working with the program. I'm very worried about my files, please give me advice.
  • Letter No. 3. Tell me please, where can I download TestDisk Livecd, that is, TestDisk on a boot CD? They say this disk is built on the Ubuntu operating system, which is based on Debian GNU/Linux, and the desktop there is somehow different from Windows. And is it possible somehow (it is possible, administrator's note).
    The fact is that Windows 7 stopped loading for me. Having decided to check the integrity of the system files, I booted the laptop from a simple Livecd and discovered that my C partition was gone along with the operating system. The hard drive on my laptop was divided into two volumes, C and D, and partition C was displayed as unallocated space. One online forum suggested that I need to find TestDisk Livecd, boot the laptop from it and try to recover the deleted system partition. If you can tell me how to do all this step by step, then thank you very much.

TestDisk instructions

In this article I will give three examples of recovering deleted partitions using the TestDisk program. In most cases this program will help you recover deleted hard drive partitions, whether this happened by accident or for some outside reason, for example, inept use of partition manager programs - or Paragon, an emergency shutdown of the computer, and so on. The problem can be solved; the main thing is not to apply several programs at once, spontaneously and without experience, to recover lost hard drive partitions, and not to stop them halfway through their work.

But I want to warn you: do everything exactly according to the instructions, and do not select program functions that you know nothing about. If you want to practice with this program, install it in a virtual machine on your system and train as much as you want; once you have learned most of the capabilities of TestDisk, get to work. TestDisk can return a deleted partition and lost information, but it may also delete a partition, and you will lose all your data. TestDisk is not a program to play around with, and neither are other similar programs. Laptop owners need to act especially carefully.

  • First, we will look at the simplest and most common case of recovering one lost partition on a hard drive belonging to one of my friends. After experimenting with one program, he lost a hard drive partition of approximately 130 GB with the folders he needed.
  • The second example is more complicated and also taken from life: work colleagues brought a hard drive with two deleted partitions, one of which contained an installed Windows 7 operating system, while the other held a photo folder with a family photo archive, which had to be saved first. On closer inspection of the hard drive, TestDisk also gave us the warning "Warning: the current number of heads per cylinder is 127 but the correct value may be 255. Results", but more on everything in detail below; we will need to restore all the data and get Windows 7 to start.
  • In the third example, we will download TestDisk Livecd from the official website and use it to also recover a deleted partition of a laptop’s hard drive.
  • If you need a bootable flash drive with the TestDisk program, read our article.

In fact, the official website of the developer of the wonderful free program TestDisk has clear instructions for using the program; the program itself was developed by C. Grenier (Christophe GRENIER):

http://www.cgsecurity.org/wiki/TestDisk_step_by_step. However, since all work with the program takes place on the command line and in English, many novice users avoid this program, and in vain. By the way, we already have one article describing the operation of the program - .
So let's look at three examples of recovering deleted hard drive partitions one by one.
Go to the official website of the program, http://www.cgsecurity.org/wiki/TestDisk_Download, and download it.

I suggest downloading and running the beta version, TestDisk & PhotoRec 6.14-WIP, Data Recovery; you can also choose the stable TestDisk & PhotoRec 6.13 (15 November 2011), Data Recovery. If you have 64-bit Windows, select the version for it.

After downloading, unzip the program from the archive. The testdisk_win.exe file launches the program.

How to use TestDisk? We have a Maxtor STM3250310AS hard drive, on which a partition with very necessary files was lost. As we can see in Disk Management, it is identified as Disk 2. It contains 113.2 GB of unallocated space; this is our deleted partition,

and we need to restore it. When working with TestDisk, it is always very important to know which files were located on the deleted partition, since the program can find long-deleted partitions that you no longer need. We need to recover the deleted partition containing the Diploma, Coursework and Drawings folders.
In the initial window of the program, we need to choose whether the program should keep a report on all operations performed during its work. Personally, I don't need the report, so I select No Log using the arrow keys. You can choose Create (report required). To continue, press Enter on the keyboard.

In this window, you need to select the hard drive on which to search for the deleted partition. In my case, as you can see, there are three hard drives: a Western Digital and two identical Maxtor STM3250310AS drives. I select the Maxtor that is last in the list (why the third and not the second? It was on the third that I managed to find my friend's files; read on to see how I did it) and press Enter. Proceed is selected by default at the bottom.


Select the required type of Partition Table, usually Intel. Keep in mind that TestDisk determines the table type automatically, and the correct type is always selected by default. Then press Enter.

Select the Analyze item to search for deleted partitions. TestDisk scans the initial sectors of the cylinders: primary partitions start at the first sector of a cylinder, and logical partitions start at the second sector. In other words, TestDisk scans the hard drive for file system headers; it regards each header detected during such a scan as a found partition, then determines its size and adds it to the list of found partitions.
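The header scan described above, reproduced on a small scale as an added Python example (it is not TestDisk's code): a constructed disk image has an empty partition table but still holds the NTFS and FAT32 boot sectors of two deleted volumes, and the scan probes the first sector of each cylinder and of each cylinder's second track. The tiny geometry (4 heads, 8 sectors per track), the probe offsets and all function names are assumptions of the example; scanning with a wrong head count shows why the heads-per-cylinder warning mentioned on this page matters.

```python
import struct

SECTOR = 512

def identify(sector):
    """Return (fs_type, total_sectors) if the sector is a known boot sector."""
    if len(sector) < SECTOR or sector[510:512] != b"\x55\xaa":
        return None
    if sector[3:11] == b"NTFS    ":          # OEM ID field
        return "NTFS", struct.unpack_from("<Q", sector, 0x28)[0]
    if sector[0x52:0x5A] == b"FAT32   ":     # FAT32 file system type field
        return "FAT32", struct.unpack_from("<I", sector, 0x20)[0]
    return None

def partition_table(image):
    """Decode the four primary MBR entries, skipping empty (type 0) slots."""
    entries = []
    for i in range(4):
        entry = image[446 + 16 * i:462 + 16 * i]
        start, count = struct.unpack_from("<II", entry, 8)
        if entry[4] != 0:
            entries.append({"type": entry[4], "lba": start, "sectors": count})
    return entries

def scan_for_headers(image, heads, spt):
    """Probe cylinder-aligned sectors and list every file system header found."""
    per_cylinder = heads * spt
    total = len(image) // SECTOR
    hits = []
    for cyl_start in range(0, total, per_cylinder):
        # Assumed probe points: head 0 and head 1 of every cylinder.
        for lba in (cyl_start, cyl_start + spt):
            if lba == 0 or lba >= total:     # LBA 0 holds the MBR itself
                continue
            found = identify(image[lba * SECTOR:(lba + 1) * SECTOR])
            if found:
                hits.append({"lba": lba, "type": found[0], "sectors": found[1]})
    return hits

def build_sample_image(heads=4, spt=8, cylinders=40):
    """Constructed image: empty partition table, two boot sectors left behind."""
    image = bytearray(heads * spt * cylinders * SECTOR)
    image[510:512] = b"\x55\xaa"             # MBR signature, all four slots zero

    ntfs = bytearray(SECTOR)
    ntfs[3:11] = b"NTFS    "
    struct.pack_into("<Q", ntfs, 0x28, 600)  # total sectors (made-up size)
    ntfs[510:512] = b"\x55\xaa"

    fat = bytearray(SECTOR)
    fat[0x52:0x5A] = b"FAT32   "
    struct.pack_into("<I", fat, 0x20, 300)   # total sectors (made-up size)
    fat[510:512] = b"\x55\xaa"

    first = spt                              # cylinder 0, head 1
    second = 20 * heads * spt                # first sector of cylinder 20
    image[first * SECTOR:(first + 1) * SECTOR] = ntfs
    image[second * SECTOR:(second + 1) * SECTOR] = fat
    return bytes(image)

if __name__ == "__main__":
    img = build_sample_image()
    print("partition table:", partition_table(img))
    for hit in scan_for_headers(img, heads=4, spt=8):
        print("found:", hit)
    print("wrong geometry:", scan_for_headers(img, heads=3, spt=8))
```

With the correct geometry both volumes are listed even though the partition table is empty; with 3 heads instead of 4 the probe positions drift and the FAT32 volume is no longer found.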

This window displays the current partition structure of our hard drive, click Quick Search.

A more thorough search for deleted partitions takes place; it may take some time, depending on the power of your computer.
Now attention, friends: it is better not to make mistakes in this window. Among the partitions found is our deleted volume, which needs to be restored.
Using the arrow keys, select the lower partition. First we go by the size: ours took up about 113 GB,

then we go inside the deleted partition by pressing the (P) key in the English keyboard layout, and to our joy we see all the folders we need: Diploma, Coursework, Drawings.

To exit file display mode, press (Q). By the way, the type of each partition is indicated to its left: * for a boot partition, P for primary, L for logical, E for extended. Now press Enter.

So, we are almost at the end. We have already selected the partition to recover; here we select "Write" using the arrow keys, and all information about the found partition will be written to the partition table of the hard drive. Press Enter.

Press Y

Close the program and restart the computer. The deleted partition has reappeared with the folders we needed.

In the second case, having connected a hard drive with two deleted partitions, one of which had the Windows 7 operating system installed, to our computer, we see the following picture in Disk Management. Disk 2, with a capacity of 111.79 GB, is completely unallocated; now we'll see if we can recover anything on it.

Run TestDisk again and in the first program window select No Log (no report required) or Create (report required) and press Enter on the keyboard

Using the arrow keys, select the Samsung hard drive and press Enter

Analysis


In this window, TestDisk tells us that no active partitions were found; select Quick Search.

A warning is waiting for us here: "Warning: the current number of heads per cylinder is". This message is not good; it means that TestDisk detected an incorrect hard drive geometry (number of cylinders, heads or sectors). We will not change the hard drive geometry manually ourselves (although the program may allow us to do this); that is the topic of a separate article, so we'll trust TestDisk. Even if we restore the deleted partitions, it would be better not to store important data on this hard drive. In the future, this hard drive will need to be checked for bad sectors (bad blocks), following the example in our article.
Select Continue to go on.

We select the last partition of the hard drive; its size, 52 GB, matches the partition that held the desired Photo folder,

and to see the files located in the deleted partition, press (P) in the English keyboard layout. We see the Photo folder; if we restore the partition and this folder, especially with the family photo archive, they will thank us.

Exit file display mode by pressing (Q). Then press Enter

Move to the "Write" item and press Enter; information about the found partition will be written to the partition table of the hard drive.

TestDisk - how to use it. A partition of your hard drive has disappeared in Windows. This can happen for many reasons: a virus has got onto your computer, a program has malfunctioned, or the user has done something wrong, which happens more often. No need to panic: your files are safe and sound, and only the information about the hard drive partition has been deleted from the partition table. This table is something like a set of links: the file seems to exist, but without a link to it the system cannot see it, because its address is not known. The first rule in this case is not to try to do anything with the hard drive (format it, or try to write something to it). If this happened to the system partition, that is, drive C, and the system does not start, then the hard drive must be removed and connected to another working computer, and all the operations below carried out there. In this case, partition E, located on the same hard drive as the system, disappeared. The powerful and absolutely free utility TestDisk helped me with this. This program was specially created to recover lost partitions on hard drives and to recover boot files after incorrect actions by programs, people and viruses (for example, when the partition table has disappeared), as well as when the storage medium fails. For now, TestDisk is considered the best tool in its category, and it has repeatedly coped where paid tools from such monsters as Acronis, Runtime and others could not help. It is believed that using a utility like Acronis Recovery is more likely to harm and aggravate the problem than to help you. And so, I present an overview of how I dealt with this problem. Download TestDisk from the official website or, and unpack it, and be sure to unpack it onto another hard drive, not the one on which we are going to restore the partition; if you have only one hard drive, then this must be done on another computer.

I lost partition E.

Let's launch the program by double-clicking its icon

The program window opens

In the program we work with the up, down, left and right arrow keys.

Here select Create and press Enter

Here we select the problematic hard drive; mine is the first one, 20 GB in size. Press Enter

Select the desired Partition Table type. Usually the correct value is already selected by default, because TestDisk automatically determines the table type during analysis.

Press Enter to continue.

Select the "Analyze" menu item to check the partition structure of the current disk and search for "lost" partitions.

Press Enter to continue.

Press Enter to continue.

Answer the question Should TestDisk search for partition created under Vista? (Search for partitions created under Vista OS?).

Press Y to continue.

TestDisk displays search results in real time.

TestDisk found two partitions, including the lost logical one, labeled L; at the bottom of the table we can check the partition size.

Select this partition and press p to display the file list (to exit the file list display mode, press q).


All folders and files are displayed normally. (The utility does not understand Russian, so files with Russian names may not be displayed correctly.)
Press Enter to continue.

Press Enter to continue.

A rescan starts here, but we press Enter; the program closes, and we restart the computer.

Let's go into My Computer and see what's there

The partition is restored, everything is OK, the files are saved.