recovering-deleted-files-with-photorec

# Recovering Deleted Files with PhotoRec ## When to Use - When recovering deleted files from a forensic disk image or storage device - When the file system is corrupted, formatted, or overwritten - During investigations requiring recovery of documents, images, videos, or databases - When file system metadata is unavailable but raw data sectors remain intact - For recovering files from memory cards, USB drives, and hard drives ## Prerequisites - PhotoRec installed (part of TestDisk suite) - Forensic disk image or direct device access (read-only) - Sufficient output storage space (potentially larger than source) - Write-blocker if working with original media - Root/sudo privileges for device access - Knowledge of target file types for focused recovery ## Workflow ### Step 1: Install PhotoRec and Prepare the Environment ```bash # Install TestDisk (includes PhotoRec) on Debian/Ubuntu sudo apt-get install testdisk # On RHEL/CentOS sudo yum install testdisk # On macOS brew install testdisk # Verify installation photorec --version # Create output directory structure mkdir -p /cases/case-2024-001/recovered/{all,documents,images,databases} # Verify the forensic image file /cases/case-2024-001/images/evidence.dd ls -lh /cases/case-2024-001/images/evidence.dd ``` ### Step 2: Run PhotoRec in Interactive Mode ```bash # Launch PhotoRec against a forensic image photorec /cases/case-2024-001/images/evidence.dd # Interactive menu steps: # 1. Select the disk image: evidence.dd # 2...