How to recover deleted files using photorec

Accidental deletion on hard drives, memory cards, and USB sticks often removes only directory entries while leaving the underlying data blocks intact for a limited time. As long as those blocks have not been overwritten, many common document, image, and video formats can still be reconstructed. Timely recovery greatly increases the chance of restoring important data before normal usage overwrites it.

photorec, part of the testdisk suite, scans disks and partitions at the raw block level, ignoring damaged or missing file system metadata. The tool searches for known file signatures (for example JPEG, PNG, PDF, and MP4 headers), carves the matching data out of the device, and writes recovered files into new directories on a separate destination. This signature-based approach works across many file systems, including FAT, NTFS, ext2/3/4, and exFAT.

Successful recovery depends strongly on how much the device was used after deletion and on avoiding further writes to the affected disk. Running photorec from a Linux live environment and writing recovered data to another disk reduces the risk of overwriting recoverable blocks. The tool requires terminal access and root privileges, so preparation and careful selection of disks and directories is essential, especially when working on system drives.

1. Stop all writes to the storage device where deletion occurred to prevent overwriting recoverable data.

   Continued use of the affected disk can overwrite deleted file blocks, permanently destroying data that photorec might otherwise recover.

2. Boot a Linux live environment from USB or DVD when the deleted files are on the internal system disk.

   Running from a live environment avoids writing logs and temporary files onto the disk that contains the deleted data.

3. Install the testdisk package that includes photorec on an Ubuntu or Debian based live system.

   $ sudo apt update
   $ sudo apt install --assume-yes testdisk

   photorec is distributed inside the testdisk package on most Debian based distributions.

4. Launch photorec with root privileges in a terminal.

   $ sudo photorec

   Root access allows photorec to read raw blocks from all attached disks, including those without mounted file systems.

5. Select the disk that contained the deleted files using the arrow keys, then press Enter to continue.

   Please select a media (use Arrow keys, then press Enter):
   
   Disk /dev/sda - 500 GB / 465 GiB (RO) - WDC WD5000LPCX-24VHAT0
   Disk /dev/sdb - 32 GB / 29 GiB (RO) - USB Flash Drive

   Choose the correct physical disk that previously stored the lost files to avoid scanning the wrong device.

6. Confirm the partition table type (for example [ Intel ] for standard BIOS/MBR disks) when prompted.

   photorec usually auto-detects the partition table, so accepting the suggested default is appropriate in typical setups.

7. Highlight the partition that held the lost files, selecting the matching file system type menu entry.

   Please select the file system type:
   
   [ ext2/ext3/ext4 ]
   [ FAT/NTFS/exFAT ]

   Use ext2/ext3/ext4 for most Linux partitions and FAT/NTFS/exFAT for memory cards and Windows volumes.

8. Choose a scanning mode such as [ Free ] for unallocated space or [ Whole ] for the entire partition.

   [ Free ]  Scan for files from unallocated space only
   [ Whole ] Extract files from whole partition

   Scanning only unallocated space reduces scan time and avoids touching live files, while scanning the whole partition can recover data that survived partial overwrites.

9. Select a destination directory on a different disk or partition to store the recovered files.

   Save recovered files to:
     /media/ubuntu/RECOVERY/recovered/

   Saving recovered data onto the same partition being scanned can overwrite yet-unrecovered blocks; choose a separate device such as an external drive, for example /media/ubuntu/RECOVERY.

10. Start the scan so photorec can analyze the selected area until the progress indicator reaches 100%.

    Pass 1 - Reading sector 123456/976773167,  recovered 128 files
    Elapsed time 0h02m34s - Estimated time to completion 0h18m42s
    ##### snipped #####

    Scan duration depends on disk size, speed, and the number of blocks that need to be inspected.

11. Inspect the destination directory in a terminal to view the recovered files.

    $ ls /media/ubuntu/RECOVERY/recovered/
    recup_dir.1  recup_dir.2

    photorec groups items into directories named recup_dir.N and assigns generic file names while preserving extensions derived from detected signatures.

12. Move recovered files into type-specific folders to simplify review and sorting.

    $ mkdir -p ~/Recovered/{pictures,documents,videos}
    $ find /media/ubuntu/RECOVERY/recovered/ -type f -name "*.jpg" -exec mv -t ~/Recovered/pictures {} +
    $ find /media/ubuntu/RECOVERY/recovered/ -type f -name "*.mp4" -exec mv -t ~/Recovered/videos {} +

    Organizing files by extension makes it easier to check which photos, documents, or videos were successfully restored.

13. Verify that the recovered files open correctly from the recovery disk without resuming use of the original damaged disk.

    Testing recovered files from the destination disk is safe, but resuming normal writes on the source disk can prevent any further deep recovery attempts.