Accidental deletion usually removes filesystem metadata before it erases the file contents themselves, which leaves a short window to recover documents, archives, photos, and videos from the affected disk. The best recovery results come from stopping writes immediately, attaching a separate destination disk, and starting the carve before normal system activity reuses the deleted blocks.
PhotoRec is a signature-based file carver from the testdisk suite. Instead of relying on filenames, directory entries, or a healthy filesystem, it scans raw sectors for known file headers and rebuilds matching content into new recovery directories. That makes it useful when a partition is damaged, reformatted, or missing metadata, but it also means recovered files usually lose their original names and folder structure.
The practical constraints matter as much as the tool itself. Run the recovery from another Linux system or live USB when the source disk normally boots the machine, save recovered files to a different mounted filesystem, and choose [ Other ] unless the source filesystem is actually ext2, ext3, or ext4. Package versions vary by distribution, but the photorec workflow and menu choices remain the same.
Steps to recover deleted files using PhotoRec:
- Stop all writes to the device that held the deleted files and attach a separate disk, SSD, or network mount for the recovered data.
Do not install packages, copy new files, or continue normal work on the source filesystem after the deletion. Every new write can overwrite blocks that PhotoRec would otherwise be able to carve.
- Boot from a Linux live USB or another system when the deleted data is on the internal system disk.
This keeps logs, browser caches, swap, and package-manager activity off the drive you are trying to recover.
- Install the package that provides photorec with your distribution package manager.
$ sudo apt install testdisk $ sudo dnf install testdisk $ sudo pacman -S testdisk
Most distributions ship photorec in the testdisk package. Some repositories split the optional graphical qphotorec package separately, but the text-mode photorec tool is the one used here.
- Confirm the command is available before you start the interactive recovery session.
$ photorec /version PhotoRec 7.1, Data Recovery Utility, July 2019
The exact package version depends on the distribution, but the command should return immediately and print the PhotoRec banner.
- Identify the source device and the mounted destination you will use for recovered files.
$ lsblk -o NAME,SIZE,FSTYPE,TYPE,MOUNTPOINTS $ findmnt /mnt/recovery
Use lsblk to identify the correct source disk or partition and findmnt to confirm that the recovery destination is mounted on a different filesystem. Avoid a FAT32 destination when you expect files larger than 4 GB.
- Start PhotoRec with the recovery destination preselected, replacing /dev/sdb and /mnt/recovery/photorec with your actual source device and destination directory.
$ sudo photorec /d /mnt/recovery/photorec /dev/sdb
If you omit the device path, PhotoRec lists all detected disks first. Using /d skips the destination selection screen and reduces the chance of saving recovered data into the wrong location.
- In the PhotoRec menu, select the partition or disk region that held the deleted files, then use [ Search ] to begin the recovery workflow. Open [ File Opt ] only when you need to narrow the scan to a smaller set of file families.
Disabling too many file types can produce oversized or less useful results for formats whose full size cannot be determined from the header alone, so leave the defaults enabled unless you are targeting a specific format such as jpg, zip, or pdf.
- Choose the filesystem type carefully when PhotoRec asks how blocks are allocated.
Select [ ext2/ext3/ext4 ] only when the source filesystem is actually ext2, ext3, or ext4. For anything else, including FAT, NTFS, exFAT, or other non-ext filesystems, choose [ Other ].
- Choose [ Free ] when it is available and you only need deleted data from supported filesystems, or choose [ Whole ] when the filesystem is damaged, reformatted, or the free-space-only option is unavailable.
[ Free ] is available only on certain filesystem types such as ext2, ext3, ext4, FAT, and NTFS. [ Whole ] takes longer but is the safer choice when the on-disk filesystem metadata is unreliable.
- Let the scan finish and note where PhotoRec writes its output. Recovered files are stored in directories such as recup_dir.1 and recup_dir.2, and a report.xml summary file is written alongside them.
You can inspect recovered files before the scan completes, and PhotoRec creates a new recup_dir.N directory roughly every 500 recovered files.
- Inspect the recovered files from the destination disk before copying them anywhere else.
$ cd /mnt/recovery/photorec $ find recup_dir.1 -maxdepth 1 -type f | sort recup_dir.1/f0000008_notes.zip recup_dir.1/report.xml $ file recup_dir.1/f0000008_notes.zip recup_dir.1/f0000008_notes.zip: Zip archive data, at least v1.0 to extract, compression method=store
Recovered filenames usually begin with f, b, or t rather than the original name. Use the extension, file output, timestamps, and application previews to sort the results.
- Open or extract the recovered files from the recovery destination, then copy the files you want to keep into a new working directory.
Do not resume writes to the original source disk until you have finished reviewing the recovery results. If the first scan is incomplete, you may want a second pass with different [ File Opt ] settings or a whole-disk scan before the original blocks are reused.
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.
