Not long ago, somebody wrote a blog entry about recovering files from a partition. If anybody knows who that person was, please let me know in the comments.
Here’s what happened: Silke and I had a friend take a video of our latest Rueda performance on Saturday using our shiny new video camera. The camera just mounts USB mass storage. So I selected the videos in Nautilus, dragged them to a local folder, and deleted them. I know, dumb, right? The video of our performance is nowhere to be found, and I have no idea why. I know the video was actually taken, because we watched it on the camera right after the performance.
The first thing I did when I realized my mistake was dd the device to a local file. I’ve tried PhotoRec and Foremost. Foremost did jack for me. PhotoRec managed to recover some other videos I’d deleted, but not the one I want. Any other suggestions would be appreciated.
Update: this is the blog post I was thinking of. Thanks to Tobias, who pointed me to Jakub’s blog, which had a comment with this link.
http://jimmac.musichall.cz/log/?p=414
In the past I had used WinHex for desperate cases. It is aware of Wine and offers to use the /dev/{s,d}da devices then.
You probably want to try autopsy. It’s fairly simple to use: just feed its web interface the location of the image file and you should get a nice list of all the deleted files. If you hadn’t written extra data between the time you trashed the files and the time you did a dd, then it should be there, as normal USB storage devices use FAT, which doesn’t destroy anything important when you delete it.
Foremost is probably a bit too extreme if you didn’t write extra data, since it analyzes the files themselves. This is a problem if your files had some fragmentation, since you won’t always get from start to end; this will of course often happen for large videos. It’s more used for when the filesystems do delete the links themselves, thus trashing the links, or when data has been written that might have deleted parts of files and such.
I can’t really comment on PhotoRec, but according to the website it ignores the filesystem, which is the same problem as Foremost.
Another alternative to autopsy is pyflag, but last time I tried it I couldn’t get it working. You could get a copy of Helix (a live CD Linux distro aimed at computer forensics with pyflag installed); just don’t choose the option to load the whole thing into RAM at boot, as that stopped pyflag loading for me.
If there was data written then you might just be screwed 🙁
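The point made in the comments about FAT keeping the directory entry on delete, shown as an added example (not code from the post, the commenters, or any of the tools named). It assumes the directory and data regions of the dd image have already been located; the function names and the sample bytes are constructed for illustration.

```python
import struct

ENTRY_SIZE = 32
DELETED = 0xE5          # FAT overwrites only the first name byte on delete
ATTR_LFN = 0x0F         # long-file-name fragment, not a file entry
ATTR_VOLUME, ATTR_DIR = 0x08, 0x10

def make_entry(name83, attr, cluster, size):
    """Build a 32-byte short directory entry (used only for the sample)."""
    assert len(name83) == 11
    return struct.pack("<11sB8xHHHHI", name83, attr,
                       cluster >> 16, 0, 0, cluster & 0xFFFF, size)

def find_deleted_entries(dir_bytes):
    """Return name, start cluster and size of deleted files in a directory."""
    found = []
    for off in range(0, len(dir_bytes) - ENTRY_SIZE + 1, ENTRY_SIZE):
        e = dir_bytes[off:off + ENTRY_SIZE]
        if e[0] == 0x00:                      # end-of-directory marker
            break
        attr = e[11]
        if e[0] != DELETED or (attr & 0x3F) == ATTR_LFN:
            continue
        if attr & (ATTR_VOLUME | ATTR_DIR):   # skip labels and directories
            continue
        hi, = struct.unpack_from("<H", e, 20)
        lo, = struct.unpack_from("<H", e, 26)
        size, = struct.unpack_from("<I", e, 28)
        base = e[1:8].decode("ascii", "replace").rstrip()
        ext = e[8:11].decode("ascii", "replace").rstrip()
        name = "?" + base + ("." + ext if ext else "")  # first char is lost
        found.append({"name": name, "start_cluster": (hi << 16) | lo,
                      "size": size})
    return found

def recover_contiguous(data_region, entry, data_start, cluster_size):
    """Read `size` bytes from the start cluster. The FAT chain is freed on
    delete, so this is only correct if the file was not fragmented."""
    off = data_start + (entry["start_cluster"] - 2) * cluster_size
    return data_region[off:off + entry["size"]]

# Constructed sample: one live file, one deleted file, end marker.
SAMPLE_DIR = (make_entry(b"KEEP    MOV", 0x20, 2, 5)
              + make_entry(b"\xe5UEDA   MOV", 0x20, 3, 9)
              + bytes(ENTRY_SIZE))
SAMPLE_DATA = b"alive".ljust(512, b"\0") + b"rueda-vid".ljust(512, b"\0")

if __name__ == "__main__":
    for d in find_deleted_entries(SAMPLE_DIR):
        print(d, recover_contiguous(SAMPLE_DATA, d, 0, 512))
```

Run any such recovery against the dd copy, never the camera itself, so the original clusters are not overwritten.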