Accidental deletion on hard drives, memory cards, and USB sticks often removes only directory entries while leaving the underlying data blocks intact for a limited time. As long as those blocks have not been overwritten, many common document, image, and video formats can still be reconstructed. Timely recovery greatly increases the chance of restoring important data before normal usage overwrites it.
photorec, part of the testdisk suite, scans disks and partitions at the raw block level, ignoring damaged or missing file system metadata. The tool searches for known file signatures (for example JPEG, PNG, PDF, and MP4 headers), carves the matching data out of the device, and writes recovered files into new directories on a separate destination. This signature-based approach works across many file systems, including FAT, NTFS, ext2/3/4, and exFAT.
Successful recovery depends strongly on how much the device was used after deletion and on avoiding further writes to the affected disk. Running photorec from a Linux live environment and writing recovered data to another disk reduces the risk of overwriting recoverable blocks. The tool requires terminal access and root privileges, so preparation and careful selection of disks and directories is essential, especially when working on system drives.
Steps to recover deleted files using photorec:
- Stop all writes to the storage device where deletion occurred to prevent overwriting recoverable data.
Continued use of the affected disk can overwrite deleted file blocks, permanently destroying data that photorec might otherwise recover.
- Boot a Linux live environment from USB or DVD when the deleted files are on the internal system disk.
Running from a live environment avoids writing logs and temporary files onto the disk that contains the deleted data.
- Install the testdisk package that includes photorec on an Ubuntu or Debian based live system.
$ sudo apt update WARNING: apt does not have a stable CLI interface. Use with caution in scripts. Hit:1 http://ports.ubuntu.com/ubuntu-ports noble InRelease Hit:2 http://ports.ubuntu.com/ubuntu-ports noble-updates InRelease Hit:3 http://ports.ubuntu.com/ubuntu-ports noble-backports InRelease Hit:4 http://ports.ubuntu.com/ubuntu-ports noble-security InRelease Reading package lists... Building dependency tree... Reading state information... 5 packages can be upgraded. Run 'apt list --upgradable' to see them. $ sudo apt install --assume-yes testdisk WARNING: apt does not have a stable CLI interface. Use with caution in scripts. Reading package lists... Building dependency tree... Reading state information... testdisk is already the newest version (7.1-5+nmu1build2). 0 upgraded, 0 newly installed, 0 to remove and 5 not upgraded.
photorec is distributed inside the testdisk package on most Debian based distributions.
- Confirm photorec is available before launching the interactive recovery interface.
$ sudo photorec /version PhotoRec 7.1, Data Recovery Utility, July 2019 Christophe GRENIER <grenier@cgsecurity.org> https://www.cgsecurity.org Version: 7.1 Compiler: GCC 13.2 ext2fs lib: 1.47.0, ntfs lib: libntfs-3g, ewf lib: none, libjpeg: libjpeg-turbo-2.1.5, curses lib: ncurses 6.4, zlib: 1.3 OS: Linux, kernel 6.12.54-linuxkit (#1 SMP Tue Nov 4 21:21:47 UTC 2025) aarch64
Root access allows photorec to read raw blocks from all attached disks, including those without mounted file systems.
- Identify the disk that contained the deleted files before launching photorec so you select the correct device in the UI.
$ lsblk -o NAME,SIZE,TYPE,MOUNTPOINTS NAME SIZE TYPE MOUNTPOINTS loop0 512M loop /mnt/bench loop1 64M loop loop2 32M loop nbd0 0B disk nbd1 0B disk nbd2 0B disk nbd3 0B disk nbd4 0B disk nbd5 0B disk nbd6 0B disk nbd7 0B disk vda 1.8T disk `-vda1 1.8T part /etc/hosts /etc/hostname /etc/resolv.conf vdb 606.5M disk nbd8 0B disk nbd9 0B disk nbd10 0B disk nbd11 0B disk nbd12 0B disk nbd13 0B disk nbd14 0B disk nbd15 0B diskChoose the correct physical disk that previously stored the lost files to avoid scanning the wrong device.
- Launch photorec and select the correct disk, partition table type, and file system type from the interactive menus.
Use ext2/ext3/ext4 for most Linux partitions and FAT/NTFS/exFAT for memory cards and Windows volumes.
- Choose a scanning mode such as [ Free ] for unallocated space or [ Whole ] for the entire partition.
Scanning only unallocated space reduces scan time and avoids touching live files, while scanning the whole partition can recover data that survived partial overwrites.
- Select a destination directory on a different disk or partition to store the recovered files.
Saving recovered data onto the same partition being scanned can overwrite yet-unrecovered blocks; choose a separate device such as an external drive.
- Start the scan so photorec can analyze the selected area until the progress indicator reaches 100%.
Scan duration depends on disk size, speed, and the number of blocks that need to be inspected.
- Inspect the destination directory in a terminal to view the recovered files.
$ ls /var/tmp/photorec-recovered/ recup_dir.1 recup_dir.2
photorec groups items into directories named recup_dir.N and assigns generic file names while preserving extensions derived from detected signatures.
- Move recovered files into type-specific folders to simplify review and sorting.
$ mkdir -p ~/Recovered/{pictures,documents,videos} $ find /var/tmp/photorec-recovered/ -type f -name "*.jpg" -exec mv -t ~/Recovered/pictures {} + $ find /var/tmp/photorec-recovered/ -type f -name "*.mp4" -exec mv -t ~/Recovered/videos {} +Organizing files by extension makes it easier to check which photos, documents, or videos were successfully restored.
- Verify that the recovered files open correctly from the recovery disk without resuming use of the original damaged disk.
Testing recovered files from the destination disk is safe, but resuming normal writes on the source disk can prevent any further deep recovery attempts.
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.
