recovering-deleted-files-with-photorec
Recover deleted files from disk images and storage media using PhotoRec's file signature-based carving engine regardless of file system damage.
Best use case
recovering-deleted-files-with-photorec is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Recover deleted files from disk images and storage media using PhotoRec's file signature-based carving engine regardless of file system damage.
Teams using recovering-deleted-files-with-photorec should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/recovering-deleted-files-with-photorec/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How recovering-deleted-files-with-photorec Compares
| Feature / Agent | recovering-deleted-files-with-photorec | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Recover deleted files from disk images and storage media using PhotoRec's file signature-based carving engine regardless of file system damage.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
Related Guides
AI Agents for Marketing
Discover AI agents for marketing workflows, from SEO and content production to campaign research, outreach, and analytics.
AI Agents for Startups
Explore AI agent skills for startup validation, product research, growth experiments, documentation, and fast execution with small teams.
AI Agents for Coding
Browse AI agent skills for coding, debugging, testing, refactoring, code review, and developer workflows across Claude, Cursor, and Codex.
SKILL.md Source
# Recovering Deleted Files with PhotoRec
## When to Use
- When recovering deleted files from a forensic disk image or storage device
- When the file system is corrupted, formatted, or overwritten
- During investigations requiring recovery of documents, images, videos, or databases
- When file system metadata is unavailable but raw data sectors remain intact
- For recovering files from memory cards, USB drives, and hard drives
## Prerequisites
- PhotoRec installed (part of TestDisk suite)
- Forensic disk image or direct device access (read-only)
- Sufficient output storage space (potentially larger than source)
- Write-blocker if working with original media
- Root/sudo privileges for device access
- Knowledge of target file types for focused recovery
## Workflow
### Step 1: Install PhotoRec and Prepare the Environment
```bash
# Install TestDisk (includes PhotoRec) on Debian/Ubuntu
sudo apt-get install testdisk
# On RHEL/CentOS
sudo yum install testdisk
# On macOS
brew install testdisk
# Verify installation
photorec --version
# Create output directory structure
mkdir -p /cases/case-2024-001/recovered/{all,documents,images,databases}
# Verify the forensic image
file /cases/case-2024-001/images/evidence.dd
ls -lh /cases/case-2024-001/images/evidence.dd
```
### Step 2: Run PhotoRec in Interactive Mode
```bash
# Launch PhotoRec against a forensic image
photorec /cases/case-2024-001/images/evidence.dd
# Interactive menu steps:
# 1. Select the disk image: evidence.dd
# 2. Select partition table type: [Intel] for MBR, [EFI GPT] for GPT
# 3. Select partition to scan (or "No partition" for whole disk)
# 4. Select filesystem type: [ext2/ext3/ext4] or [Other] for NTFS/FAT
# 5. Choose scan scope: [Free] (unallocated only) or [Whole] (entire partition)
# 6. Select output directory: /cases/case-2024-001/recovered/all/
# 7. Press C to confirm and begin recovery
# For direct device scanning (with write-blocker)
sudo photorec /dev/sdb
```
### Step 3: Run PhotoRec with Command-Line Options for Targeted Recovery
```bash
# Non-interactive mode with specific file types
photorec /d /cases/case-2024-001/recovered/documents/ \
/cmd /cases/case-2024-001/images/evidence.dd \
partition_table,options,mode,fileopt,search
# Recover only specific file types using photorec command mode
photorec /d /cases/case-2024-001/recovered/documents/ \
/cmd /cases/case-2024-001/images/evidence.dd \
options,keep_corrupted_file,enable \
fileopt,everything,disable \
fileopt,doc,enable \
fileopt,docx,enable \
fileopt,pdf,enable \
fileopt,xlsx,enable \
search
# Recover only image files
photorec /d /cases/case-2024-001/recovered/images/ \
/cmd /cases/case-2024-001/images/evidence.dd \
fileopt,everything,disable \
fileopt,jpg,enable \
fileopt,png,enable \
fileopt,gif,enable \
fileopt,bmp,enable \
fileopt,tif,enable \
search
# Recover database files
photorec /d /cases/case-2024-001/recovered/databases/ \
/cmd /cases/case-2024-001/images/evidence.dd \
fileopt,everything,disable \
fileopt,sqlite,enable \
fileopt,dbf,enable \
search
```
### Step 4: Organize and Catalog Recovered Files
```bash
# PhotoRec outputs files into recup_dir.1, recup_dir.2, etc.
ls /cases/case-2024-001/recovered/all/
# Count recovered files by type
find /cases/case-2024-001/recovered/all/ -type f | \
sed 's/.*\.//' | sort | uniq -c | sort -rn > /cases/case-2024-001/recovered/file_type_summary.txt
# Sort recovered files into directories by extension
cd /cases/case-2024-001/recovered/all/
for ext in jpg png pdf docx xlsx pptx zip sqlite; do
mkdir -p /cases/case-2024-001/recovered/sorted/$ext
find . -name "*.$ext" -exec cp {} /cases/case-2024-001/recovered/sorted/$ext/ \;
done
# Generate SHA-256 hashes for all recovered files
find /cases/case-2024-001/recovered/all/ -type f -exec sha256sum {} \; \
> /cases/case-2024-001/recovered/recovered_hashes.txt
# Generate file listing with metadata
find /cases/case-2024-001/recovered/all/ -type f \
-printf "%f\t%s\t%T+\t%p\n" | sort > /cases/case-2024-001/recovered/file_listing.txt
```
### Step 5: Validate and Filter Recovered Files
```bash
# Verify file integrity using file signatures
find /cases/case-2024-001/recovered/all/ -type f -exec file {} \; \
> /cases/case-2024-001/recovered/file_signatures.txt
# Find files with mismatched extension/signature
while IFS= read -r line; do
filepath=$(echo "$line" | cut -d: -f1)
filetype=$(echo "$line" | cut -d: -f2-)
ext="${filepath##*.}"
if [[ "$ext" == "jpg" ]] && ! echo "$filetype" | grep -qi "JPEG"; then
echo "MISMATCH: $filepath -> $filetype"
fi
done < /cases/case-2024-001/recovered/file_signatures.txt > /cases/case-2024-001/recovered/mismatches.txt
# Filter out known-good files using NSRL hash comparison
hashdeep -r -c sha256 /cases/case-2024-001/recovered/all/ | \
grep -vFf /opt/nsrl/nsrl_sha256.txt > /cases/case-2024-001/recovered/unknown_files.txt
# Remove zero-byte and corrupted files
find /cases/case-2024-001/recovered/all/ -type f -empty -delete
find /cases/case-2024-001/recovered/all/ -name "*.jpg" -exec jpeginfo -c {} \; 2>&1 | \
grep "ERROR" > /cases/case-2024-001/recovered/corrupted_images.txt
```
## Key Concepts
| Concept | Description |
|---------|-------------|
| File carving | Recovering files from raw data using file header/footer signatures |
| File signatures | Magic bytes at the start of files identifying their type (e.g., FF D8 FF for JPEG) |
| Unallocated space | Disk sectors not assigned to any active file; may contain deleted data |
| Fragmented files | Files stored in non-contiguous sectors; harder to carve completely |
| Cluster/Block size | Minimum allocation unit on a file system; affects carving granularity |
| File footer | Byte sequence marking the end of a file (not all formats have footers) |
| Data remanence | Residual data remaining after deletion until sectors are overwritten |
| False positives | Carved artifacts that match signatures but contain corrupted or partial data |
## Tools & Systems
| Tool | Purpose |
|------|---------|
| PhotoRec | Open-source file carving tool supporting 300+ file formats |
| TestDisk | Companion tool for partition recovery and repair |
| Foremost | Alternative file carver originally developed by US Air Force OSI |
| Scalpel | High-performance file carver based on Foremost |
| hashdeep | Recursive hash computation and audit tool |
| jpeginfo | JPEG file integrity verification |
| file | Unix utility identifying file types by magic bytes |
| exiftool | Extract metadata from recovered image and document files |
## Common Scenarios
**Scenario 1: Recovering Deleted Evidence from a Suspect's USB Drive**
Image the USB drive with dcfldd, run PhotoRec targeting document and image formats, organize by file type, hash all recovered files, compare against known-bad hash sets, extract metadata from images for GPS and timestamp information.
**Scenario 2: Formatted Hard Drive Recovery**
Run PhotoRec in "Whole" mode against the entire formatted partition, recover all file types, expect higher false positive rate due to file fragmentation, validate recovered files with signature checking, catalog and hash for evidence chain.
**Scenario 3: Memory Card from a Surveillance Camera**
Recover deleted video files (AVI, MP4, MOV) from the memory card image, use targeted file type selection to speed recovery, verify video files are playable, extract frame timestamps, document recovery in case notes.
**Scenario 4: Corrupted File System on Evidence Drive**
When file system metadata is destroyed, PhotoRec bypasses the file system entirely and carves from raw sectors, recover maximum possible data, accept that file names and directory structure will be lost, rename files based on content during review.
## Output Format
```
PhotoRec Recovery Summary:
Source Image: evidence.dd (500 GB)
Partition: NTFS (Partition 2)
Scan Mode: Free space only
Files Recovered: 4,523
Documents: 234 (doc: 45, docx: 89, pdf: 67, xlsx: 33)
Images: 2,145 (jpg: 1,890, png: 198, gif: 57)
Videos: 34 (mp4: 22, avi: 12)
Archives: 67 (zip: 45, rar: 22)
Databases: 12 (sqlite: 8, dbf: 4)
Other: 2,031
Data Recovered: 12.4 GB
Corrupted Files: 312 (flagged for review)
Output Directory: /cases/case-2024-001/recovered/all/
Hash Manifest: /cases/case-2024-001/recovered/recovered_hashes.txt
```Related Skills
recovering-from-ransomware-attack
Executes structured recovery from a ransomware incident following NIST and CISA frameworks, including environment isolation, forensic evidence preservation, clean infrastructure rebuild, prioritized system restoration from verified backups, credential reset, and validation against re-infection. Covers Active Directory recovery, database restoration, and application stack rebuild in dependency order. Activates for requests involving ransomware recovery, post-encryption restoration, or disaster recovery from ransomware.
deploying-ransomware-canary-files
Deploys and monitors ransomware canary files across critical directories using Python's watchdog library for real-time filesystem event detection. Places strategically named decoy files that mimic high-value targets (financial records, credentials, database exports) in locations ransomware typically enumerates first. Monitors for any read, modify, rename, or delete operations on canary files and triggers immediate alerts via email, Slack webhook, or syslog when interaction is detected, providing early warning before full encryption begins.
deploying-decoy-files-for-ransomware-detection
Deploys canary files (honeytokens) across file systems to detect ransomware encryption activity in real time. Uses strategically placed decoy documents monitored via file integrity monitoring or OS-level watchdogs to trigger alerts when ransomware modifies or encrypts them. Activates for requests involving ransomware canary deployment, honeyfile setup, deception-based ransomware detection, or file integrity monitoring for encryption.
analyzing-windows-lnk-files-for-artifacts
Parse Windows LNK shortcut files to extract target paths, timestamps, volume information, and machine identifiers for forensic timeline reconstruction.
analyzing-prefetch-files-for-execution-history
Parse Windows Prefetch files to determine program execution history including run counts, timestamps, and referenced files for forensic investigation.
analyzing-mft-for-deleted-file-recovery
Analyze the NTFS Master File Table ($MFT) to recover metadata and content of deleted files by examining MFT record entries, $LogFile, $UsnJrnl, and MFT slack space using MFTECmd, analyzeMFT, and X-Ways Forensics.
analyzing-cobaltstrike-malleable-c2-profiles
Parse and analyze Cobalt Strike Malleable C2 profiles using dissect.cobaltstrike and pyMalleableC2 to extract C2 indicators, detect evasion techniques, and generate network detection signatures.
validating-backup-integrity-for-recovery
Validate backup integrity through cryptographic hash verification, automated restore testing, corruption detection, and recoverability checks to ensure backups are reliable for disaster recovery and ransomware response scenarios.
triaging-vulnerabilities-with-ssvc-framework
Triage and prioritize vulnerabilities using CISA's Stakeholder-Specific Vulnerability Categorization (SSVC) decision tree framework to produce actionable remediation priorities.
triaging-security-incident
Performs initial triage of security incidents to determine severity, scope, and required response actions using the NIST SP 800-61r3 and SANS PICERL frameworks. Classifies incidents by type, assigns priority based on business impact, and routes to appropriate response teams. Activates for requests involving incident triage, security alert classification, severity assessment, incident prioritization, or initial incident analysis.
triaging-security-incident-with-ir-playbook
Classify and prioritize security incidents using structured IR playbooks to determine severity, assign response teams, and initiate appropriate response procedures.
triaging-security-alerts-in-splunk
Triages security alerts in Splunk Enterprise Security by classifying severity, investigating notable events, correlating related telemetry, and making escalation or closure decisions using SPL queries and the Incident Review dashboard. Use when SOC analysts face queued alerts from correlation searches, need to prioritize investigation order, or must document triage decisions for handoff to Tier 2/3 analysts.