Aurélien Gâteau

Quick'n'dirty undelete pictures from memory card howto

written on Thursday, February 14, 2008

I was asked by my wife if I could recover deleted pictures from a memory card for a coworker. Here is how I did it, it might be useful for others.

Dumping

The nice thing about Linux is that it lets you manipulate disks as files, making it possible to try every possible trick without fear of destroying data.

After putting the card into the card reader, I ran dmesg and found a few lines about the newly inserted device. From these lines I got the name of the raw device associated with the card. In my case it was mmcblk0p1.

I dumped the card by copying the device file to some tmp dir:

cp /dev/mmcblk0p1 ~/tmp/carddump

Getting a list of deleted files

After some googling, I found some useful information about fat32 and how to undelete files from here:

http://lists.slug.org.au/archives/slug/2006/05/msg00002.html

Fat32 keeps the file list at the beginning of the file system, and keeps name of deleted files except for the first character.

As suggested on above link, I had a look at the dump content with:

hexdump -C carddump | less

I found a set of IMG_nnnnJPG where nnnn is a number (and yes, that's nnnnJPG, not nnnn.JPG). Those are the "normal" files. I also found a set of MG_nnnnJPG. Those are the deleted files I wanted to recover.

Using strings I grabbed a list of the deleted files:

strings carddump | head -n 2000 | grep '^MG_[0-9]*JPG' > deleted.lst

(2000 is just an empiric value. After 2000 I didn't get new file names).

Full path

fsck.vfat is capable of undeleting a file, but it needs the full path to them, not just the filename.

I mounted the card and had a look at the folder names to find where were the images stored. In my case, it was in /dcim/100canon.

Undelete!

Now I was all set. I made a backup of the dump (it's faster to copy files on hd than from the memory card):

cp carddump carddump.old

Then ran this bit of shell script:

cat deleted.lst | while read x ; do
    sudo fsck.vfat -au /dcim/100canon/I${x/JPG/.JPG} carddump
done

(Note that I integrated the full path found before and did a bit of shell hackery to add back the missing dot before JPG.)

Mount the dump

I then mounted the dump to check the result:

mkdir foo
sudo mount -o loop carddump foo
gwenview foo

And was happy to find 167 new files, of which 165 were complete. Coworker is happy!

PS: This method only works for FAT32 (and FAT16 probably) and for files which have been deleted. It won't work if the file system is damaged. In this case you will probably want to try specialized tools like Photorec or Foremost, as suggested by another user of the mailing list I quoted.

This post was tagged Tips, fat32 and undelete
blog comments powered by Disqus