File Carving

I mentioned before that it is possible to recover files from file systems where the partition information has been damaged or where the volume itself has been partially reformatted. This can be done through a technique called "data carving" or "file carving," where a program hunts for specific kinds of files by looking for patterns common to certain file types. One of the best things about this technique is that it's almost entirely automatic: all you have to do is point it at a partition -- or the place where a partition was -- select a place to restore the files to, and let the program do the heavy lifting.

The authors of TestDisk have created an excellent file-carving tool called PhotoRec, which recovers many common file formats from pretty much any type of media.

This is about as essential a standalone file-recovery tool as you're going to get. I tried it out on a camera card I'd written off as wiped out after a recent trip, and managed to recover literally everything from the card -- both pictures and video. It wasn't able to recover some of the actual filenames, but the files themselves were all perfectly readable. Like TestDisk, by default it will attempt to copy files somewhere other than the media being rescued to avoid further damage.

The default settings for PhotoRec generally work fine, but if you need finer-grained control there are a few options you can set. "Paranoid mode," normally disabled, recovers everything including partially corrupted files; if you turn this on, you'll get more data recovered, but the recovery process may take much longer. (Brew some coffee.) In the same vein, "Keep corrupted files" will recover files that are not fully readable in the hopes that the user can salvage something further from them, perhaps with a hex editor or another tool.

These files recovered with PhotoRec have new names, but the metadata tells you they are audio files.
(click for image gallery)

Note that most of the time, files recovered with PhotoRec will not have their original names, but internal metadata (e.g., MP3 tags or EXIF data) will still be available. Also note that if you're looking for one very specific kind of file in a relatively small file system, you can use the program's internal options to narrow down the search and not waste time recovering everything under the sun.

TestDisk and PhotoRec are also both included by default with the Partedmagic rescue disc, so that's one of the easiest ways to get your hands on them and put them to work -- but you can also download them as standalone programs and use them that way. Both can also be integrated into the BartPE rescue disc if you use it; my trick has been to include them with my PortableApps installation. It's also possible to mount them on a removable drive, boot a Vista installation DVD (if you have one), go to the System Recovery command line, and then run the programs from there.