How to sort and organize files recovered by PhotoRec

During a forensic analysis, but also during simpler tasks (like helping a friend recover deleted files), it is useful to have a trusted tool for file carving and data recovery.

The tool I prefer for this kind of task is PhotoRec [1], developed by CGSecurity.

From the official website:

PhotoRec is file data recovery software designed to recover lost files including video, documents and archives from hard disks, CD-ROMs, and lost pictures (thus the Photo Recovery name) from digital camera memory. PhotoRec ignores the file system and goes after the underlying data, so it will still work even if your media’s file system has been severely damaged or reformatted. PhotoRec is a companion program to TestDisk [2], an application for recovering lost partitions on a wide variety of file systems and making non-bootable disks bootable again. For lost/deleted partitions or deleted files from a FAT or NTFS file system, try TestDisk first – it’s usually faster and TestDisk can retrieve the original file names.

The usage is really simple: you can follow the step-by-step guide [3] on the CGSecurity website.

However, when the recovery process finishes, the output is a large, flat set of files (PhotoRec writes them into numbered recup_dir.N directories), each named with the prefix “f” followed by a number and an extension guessed from the file signature; only some also carry the original file name after the number.

So the best way to organize these files is to order them by date and extension. To automate this tedious task, my suggestion is to use a Python script originally developed by Chris Magnuson and enhanced by Lukas Hahmann, sort-PhotorecRecoveredFiles [4].

The script copies the files into a separate folder for each file type. Within each folder, files are then split by the year they date from and, for images, also by the month in which they were taken and by event, using the date stored in their metadata. JPEGs for which no plausible past date can be found are put into one folder, to be sorted manually.


Installation

First install the package exifread:

pip install exifread

Then clone the git repository:

git clone https://github.com/tfrdidi/sort-PhotorecRecoveredFiles

Usage

python recovery.py <path to files recovered by Photorec> <destination>

This copies the recovered files into their file-type folders in the destination directory. The recovered files are not modified. If a file already exists in the destination directory it is skipped, so you can interrupt the process with Ctrl+C and resume it later.
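To show what the sorting step actually does, here is an added example that reimplements the idea in plain Python. It is my own code, not the sort-PhotorecRecoveredFiles script and not from the original post: it copies every recovered file into one folder per extension, and for JPEGs reads the EXIF DateTimeOriginal tag (falling back to DateTime) to place them under year/month, or under an unknown_date folder when no plausible past date exists. It uses a minimal standard-library EXIF parser instead of the exifread package so it runs offline; the function names, the folder layout and the 256 KiB read limit are my assumptions, and the "event" grouping of the real script is not reproduced. build_sample_jpeg and run_demo only construct test input.

```python
# Added example for this post, not the sort-PhotorecRecoveredFiles script: copies PhotoRec output
# into one folder per extension and JPEGs further into year/month taken, read from EXIF with a
# minimal standard-library parser instead of the exifread package.
import shutil
import struct
import tempfile
from datetime import datetime
from pathlib import Path

EXIF_IFD_POINTER, DATETIME_ORIGINAL, DATETIME = 0x8769, 0x9003, 0x0132  # TIFF/EXIF tag numbers


def _parse_tiff(tiff):
    """Return DateTimeOriginal (fallback: DateTime) from the TIFF block inside an APP1 segment."""
    bo = {b"II": "<", b"MM": ">"}.get(tiff[:2])  # byte order mark decides the struct format
    if bo is None or len(tiff) < 8:
        return None

    def entries(off):  # an IFD is a 2-byte count plus 12-byte entries; offsets are TIFF-relative
        out = {}
        n = struct.unpack(bo + "H", tiff[off:off + 2])[0] if off + 2 <= len(tiff) else 0
        for e in range(off + 2, off + 2 + 12 * n, 12):
            if e + 12 > len(tiff):
                break
            tag, typ, cnt, raw = struct.unpack(bo + "HHI4s", tiff[e:e + 12])
            out[tag] = (typ, cnt, raw)
        return out

    def ascii_value(typ, cnt, raw):  # type 2 = ASCII; values of 4 bytes or less are stored inline
        if typ != 2:
            return None
        val = raw[:cnt] if cnt <= 4 else tiff[struct.unpack(bo + "I", raw)[0]:][:cnt]
        return val.rstrip(b"\x00").decode("ascii", "replace")

    ifd0 = entries(struct.unpack(bo + "I", tiff[4:8])[0])
    found = []
    if EXIF_IFD_POINTER in ifd0:
        sub = entries(struct.unpack(bo + "I", ifd0[EXIF_IFD_POINTER][2])[0])
        found += [sub[DATETIME_ORIGINAL]] if DATETIME_ORIGINAL in sub else []
    found += [ifd0[DATETIME]] if DATETIME in ifd0 else []
    for entry in found:
        try:
            return datetime.strptime(ascii_value(*entry) or "", "%Y:%m:%d %H:%M:%S")
        except ValueError:  # missing, non-ASCII or bogus values such as "0000:00:00 00:00:00"
            continue
    return None


def exif_datetime(data):
    """Walk the JPEG segments up to the first scan and parse the EXIF APP1 segment, if present."""
    if data[:2] != b"\xff\xd8":
        return None
    pos = 2
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        standalone = marker == 0xD8 or 0xD0 <= marker <= 0xD7  # these markers have no length field
        seg_len = 0 if standalone else struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if marker == 0xE1 and data[pos + 4:pos + 10] == b"Exif\x00\x00":
            return _parse_tiff(data[pos + 10:pos + 2 + seg_len])
        if marker == 0xDA:  # start of scan: only image data follows
            break
        pos += 2 + seg_len
    return None


def sort_recovered(src, dst):
    """Copy files from src into dst/<ext>/ (JPEGs: /<year>/<month>/ or /unknown_date/); skip existing."""
    stats, placed = {"copied": 0, "skipped": 0}, []
    for path in sorted(p for p in Path(src).rglob("*") if p.is_file()):
        ext = path.suffix.lower().lstrip(".") or "noext"
        target_dir = Path(dst) / ext
        if ext in ("jpg", "jpeg"):
            with path.open("rb") as f:
                taken = exif_datetime(f.read(256 * 1024))  # metadata segments precede the scan data
            ok = taken is not None and taken <= datetime.now()  # a date in the future is as good as none
            target_dir /= f"{taken.year:04d}/{taken.month:02d}" if ok else "unknown_date"
        target = target_dir / path.name
        if target.exists():  # already copied: lets an interrupted run be resumed
            stats["skipped"] += 1
            continue
        target_dir.mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, target)  # copy, never move: the recovery output stays untouched
        stats["copied"] += 1
        placed.append(target.relative_to(dst).as_posix())
    return stats, placed


def build_sample_jpeg(date_str):
    """Constructed test input: SOI + one EXIF APP1 (big-endian TIFF, DateTimeOriginal) + EOI."""
    date = date_str.encode("ascii") + b"\x00"  # 19 chars + NUL = 20 bytes, placed at TIFF offset 44
    ifd0 = struct.pack(">HHHII", 1, EXIF_IFD_POINTER, 4, 1, 26) + b"\0\0\0\0"  # 1 entry, next IFD = 0
    exif_ifd = struct.pack(">HHHII", 1, DATETIME_ORIGINAL, 2, 20, 44) + b"\0\0\0\0"
    payload = b"Exif\x00\x00" + b"MM\x00\x2a" + struct.pack(">I", 8) + ifd0 + exif_ifd + date
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload + b"\xff\xd9"


def run_demo():
    """Sort a constructed recup_dir.1 twice; the second pass should skip everything."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp) / "recup_dir.1", Path(tmp) / "sorted"
        src.mkdir()
        (src / "f0123456.jpg").write_bytes(build_sample_jpeg("2019:07:14 10:22:33"))
        (src / "f0234567.jpg").write_bytes(b"\xff\xd8\xff\xd9")  # JPEG carrying no EXIF at all
        (src / "f0345678.pdf").write_bytes(b"%PDF-1.4\n%constructed sample\n")
        first, placed = sort_recovered(src, dst)
        second, _ = sort_recovered(src, dst)
        return {"first": first, "second": second, "placed": placed}
```

Running run_demo() yields three copies on the first pass (jpg/2019/07/, jpg/unknown_date/ and pdf/) and three skips on the second, which is the resume behaviour described above. Files are copied with shutil.copy2 rather than moved, so the PhotoRec output directory is left intact for re-examination; in a forensic setting you would still hash the recup_dir.N contents before and after any such reorganisation.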


References

  1. PhotoRec
  2. TestDisk
  3. PhotoRec Step By Step
  4. https://github.com/tfrdidi/sort-PhotorecRecoveredFiles
