How to safely recover deleted data from a USB flash drive

Tags: data-recovery, fat32, rm

This event actually took place a few years ago, but I still have the unchanged USB flash drive in my possession. I may be out of luck, but I thought I would ask all you smart people here for your suggestions.

Short Story:

A few years back, my wife wanted to store all of her photos from her iPhone onto a USB flash drive because she was running out of storage. We picked up a brand new USB flash drive from the store, so I assume it had a FAT32 file system. We plugged the flash drive into a Mac OS X machine and were able to back up all of her photos. We realized after the backup had completed that almost every photo had a duplicate file. photo.jpg had a duplicate file called photo\ 1.jpg. All of the duplicate files ended with the \ 1.jpg suffix.

Just having started UNIX, I knew that I could use the shell's simple regex to remove all of the duplicate files, but I ended up not putting my command in quotes… And I ended up executing the following: rm * 1.jpg. As you can see, I told the system to remove every single file and then remove 1.jpg, instead of telling the system to remove every file that ended in 1.jpg. After this occurred, with my furious wife (at the time girlfriend) next to me, I unplugged the flash drive and stored it in a drawer.

Question:

Are there any secure UNIX tools to recover data, that was removed with rm, from a USB flash drive? Or am I out of luck? As I stated above, I have not touched the flash drive since the event occurred.

If this question is far too broad, feel free to move it to meta or wherever it best fits.

Best Answer

Are there any secure UNIX tools to recover data, that was removed with rm, from a USB flash drive?

Yes and, by the way, recovery of photos is one of the most common scenarios.

The conditions you described are actually optimal because:

  • you directly deleted the files
  • the file system is not damaged
  • you did not use the drive anymore

These conditions lead to two available options.

If you care about the file names (or have fragmented files)

When you write a lot of pictures sequentially on a drive, the risk of fragmentation is actually very low, but still. To recover files and file names you need a tool which is file-system aware.

Enter TestDisk:

sudo testdisk /dev/sdb

It will show you a step-by-step procedure through a TUI (textual user interface). The essential steps are:

  • scanning the drive
  • selecting the partition
  • pressing P to show the files
  • copying the deleted (red) files with C

If you actually just want the photos back

For pictures, you might as well not care about the names. Moreover, the file system might be damaged (not your case) and TestDisk would not help.

PhotoRec (from the same developer) comes to the rescue:

sudo photorec /dev/sdb

Here you just need to specify the output directory. You can also disable detection for some file types which you don't care about.
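
Why a file-system-aware tool can still show names after rm: on FAT32, deleting a file overwrites only the first byte of its 32-byte directory entry with 0xE5, so the rest of the short name, the start cluster and the size stay on disk. The following is an added example, not part of the original answer and not TestDisk's code; the helper names and the sample directory bytes are constructed for illustration, and long-file-name entries are skipped.

```python
import struct

ENTRY = struct.Struct("<11sB8xH4xHI")   # name, attr, cluster high, cluster low, size
DELETED, END = 0xE5, 0x00               # possible values of the first name byte
ATTR_VOLUME, ATTR_DIR = 0x08, 0x10      # 0x0F (long-name fragment) includes 0x08

def make_entry(name83, first_cluster, size, deleted=False):
    """Build a constructed 32-byte short-name entry (demo helper)."""
    if deleted:
        name83 = bytes([DELETED]) + name83[1:]
    return ENTRY.pack(name83, 0x20, first_cluster >> 16, first_cluster & 0xFFFF, size)

def scan_directory(raw):
    """Return (name, first_cluster, size, deleted) for each file entry."""
    found = []
    for off in range(0, len(raw) - ENTRY.size + 1, ENTRY.size):
        name, attr, hi, lo, size = ENTRY.unpack_from(raw, off)
        if name[0] == END:                   # no entries are stored after this slot
            break
        if attr & (ATTR_VOLUME | ATTR_DIR):  # skip long names, labels, directories
            continue
        deleted = name[0] == DELETED
        if deleted:
            name = b"?" + name[1:]           # first short-name character was overwritten
        base = name[:8].decode("ascii", "replace").rstrip()
        ext = name[8:].decode("ascii", "replace").rstrip()
        found.append((f"{base}.{ext}" if ext else base, (hi << 16) | lo, size, deleted))
    return found

# Constructed sample: two deleted photos, one live file, then the end marker.
SAMPLE_DIR = (
    make_entry(b"IMG_0001JPG", 3, 2_400_112, deleted=True)
    + make_entry(b"IMG_00~1JPG", 589, 2_400_112, deleted=True)
    + make_entry(b"NOTES   TXT", 1175, 57)
    + bytes(32)
)

if __name__ == "__main__":
    for name, cluster, size, deleted in scan_directory(SAMPLE_DIR):
        state = "deleted" if deleted else "present"
        print(f"{name:<13} start cluster {cluster:>5}  {size:>8} bytes  {state}")
```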
