Undeleting FAT Files

I already had a post on undeleting files from an NTFS partition. But what if the partition is a FAT partition? Don't worry there are several solutions that will only require you to use a handful of commands.

IMPORTANT: Do not write anything or use the partition where the delete file is. That will increase your chances of getting your files back

I've used a couple of solutions. Both successfully but geared to two different situations:

The fist method is is PhotoRec

http://www.cgsecurity.org/wiki/PhotoRec

That one is kind of a brute force as it just looks for files ignoring the file directory or directory structure but it is dead easy to use. It's done wonders when undeleting files from USB memories and camera memories which were accidentally deleted by pressing the wrong button in the Camera.

The second method is using the fsck.vfat command

The second method is great for undeleting individual files keeping the original name

fsck.vfat -vru

e.g. to delete a file called "importantFile.txt" that was on my home folder which is on /dev/sda1

fsck.vfat -vru /home/rarsa/importantFile.txt /dev/sda1

I got this one from the following archive but I will repeat here in case that page is ever gone
http://lists.slug.org.au/archives/slug/2006/05/msg00002.html

Important!!!
You may want to play it safe. If you have another partition with enough space to create a partition image where to "play" and recover the files without touching the original you can do the following:

dd if=<originalPartition> of=/<somepath>/carddump bs=1024

First figure out the name of the partition where your deleted data is. You can do it in several ways, for example:
sudo fdisk -l
and then from the drive size you can "guess" which one is the partition

Or if the partition is currently mounted and you know the mount point name
df -h
Then match the mount point with the partition name.

e.g. To create on your home folder a partition image file named "carddump" of a camera memory which is identified as /dev/sdc1

dd if=/dev/sdc1 of=~/carddump bs=1024

After that, you can use that "carddump" file as if it was another drive, you can mount it, read it, recover files there:

fsck.vfat -vru /mycamdir/mydeletedfile.jpg ~/carddump

You will need to do this for each file. Of course, if you are handy enough you can create a script that automates this if you have multiple files to undelete

If you can't remember the names of the files, you can get a rough idea from looking at a hexdump of the fat table;

fsck.vfat -rv ~/carddump

gives me this:
First FAT starts at byte 512 (sector 1)
2 FATs, 16 bit entries
16384 bytes per FAT (= 32 sectors)

As the FAT directory is at the start you can browse it with:

hexdump -C ~/carddump | less

(note: filenames are missing the first letter and there is no "." between the
name and extension, you can assign any first letter to the filename)

Once you've finished undeleting;

mkdir ~/card
mount /home/rarsa/carddump ~/card -t vfat -o loop

Now you can navigate the "card" folder using your favourite file manager and copy the files somewhere else.

After you are done you can either delete the memory image or back it up in case you forgot to undelete something :D

Syndicate content Syndicate content