File Recovery From a USB Flash Drive or Memory Card Using TestDisk/PhotoRec

Tutorial Video

Written Guide

The PhotoRec Tool which we will use in this guide is available here:

Let's start with an example: 2 files on a USB Flash Drive, a Word Document and a Picture (Screenshot):

Here is the Picture:

Here is the Word Document:

Now let's right click the files on the USB Flash Drive:

Then select Delete. Alternatively, highlight the files and select the Delete Button:

Select Yes at the warning:

The Files are “Deleted”, but are they “gone”?

We can now Download and Extract TestDisk. Right click the zip file (this should not be on the Drive you want to test with). We are going to use it to Recover Files on E:\ so it is fine to be in the Downloads folder on C:\

Select Extract to…

Select Extract:

Snap the folder to the left:

Open the subfolder:

In this case I will snap it to the right hand side:

Now I’ll run the PhotoRec Application:

Accept the User Account Control:

You will be presented with a list of Drives. In my case I will select the USB Flash Drive:

Press the [↓] key until the USB Flash Drive is highlighted (I can tell that this is my USB Flash Drive by the name and the size of the volume, in this case 2 GB). Once the correct Device is selected press [Enter]:

In this screen you can select a Partition, or you can select “No Partition” to search the Entire Drive:

I will select No Partition to look at the entire volume by using the [↑] key and then pressing [Enter]:

In the next screen you will be given the option of Partition Type. Leave it at the default option given and press [Enter]:

By default file Recovery will occur within a subfolder beside the PhotoRec .exe:

We can go to this folder and to begin the Recovery we can press [ C ]

We will see the subfolder being created:

We have the folder recup_dir.1 which ends in 1 as it is the 1st time we ran the application. If we ran it again we would get recup_dir.2 and so on and so forth:

Wait for the PhotoRec program to carry out the attempted file recovery:

Files will be shown in this folder:

Once done you are given information to donate to the project and can close down the program:

We have one Word file and one picture. Unfortunately the original file names are gone, so you will need to sort your files by type and open them one by one to find the document or picture etc. that you are looking for. In my case it's easy as I only had 1 picture and 1 document:

I can open these and they both seem to be intact:

Test 1: Deleting Files

As seen, these were readily recoverable. When a file is “deleted” in a Windows OS, it is merely consigned to free space. The file resides in the free space until, and only if, that free space is overwritten with new data. The system will generally use up free space that holds no data first, and only overwrite deleted files, in general oldest to newest, once that is depleted.

Test 2: Format (Quick)

Instead of deleting the files, we can perform a standard (default) quick “Format” of the USB Flash Drive. Right click the Flash Drive:

Select Format:

By default Quick Format is selected. Type in the Volume Label and select Start:

Select OK:

Select OK:

As we can see, after the “Format” all the files remain intact. Think of your data as a field surrounded by a fence. When you format, you remove all your fences, assign the field as free to grow other crops and then construct new fences. All former crops in the free field remain in the field; they are just assigned to free space and will remain there until you physically dig them out. Thus the utility readily recovers files from a formatted USB Flash Drive:
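Why deleted and quick-formatted files stay recoverable, as an added example that is not part of the original guide and is not PhotoRec's code: a toy volume (the hypothetical `ToyVolume` class, holding two constructed sample files) in which delete and quick format only touch the name table, plus a minimal signature-based carver, the general technique PhotoRec uses, that finds files by their header and footer bytes. It goes slightly beyond the tests above by also modelling an overwrite of unallocated space, the one step in the model that actually destroys data.

```python
# Constructed sample files: real signatures around placeholder content.
PNG = b"\x89PNG\r\n\x1a\n" + b"constructed pixel data" + b"\x00\x00\x00\x00IEND\xaeB`\x82"
DOCX = b"PK\x03\x04" + b"word/document.xml (constructed)" + b"PK\x05\x06" + bytes(18)
# (extension, header, footer marker, bytes that follow the footer marker)
SIGNATURES = [
    ("png", b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82", 0),
    ("docx", b"PK\x03\x04", b"PK\x05\x06", 18),  # ZIP end-of-central-directory record
]

def carve(image):
    """Find files by content signature alone; no file names are available."""
    found = []
    for ext, header, footer, tail in SIGNATURES:
        start = image.find(header)
        while start != -1:
            end = image.find(footer, start + len(header))
            if end == -1:
                break  # header without a footer: overwritten or truncated
            stop = end + len(footer) + tail
            found.append((ext, start, stop - start))
            start = image.find(header, stop)
    return sorted(found, key=lambda hit: hit[1])

class ToyVolume:
    """Hypothetical stand-in for the flash drive: a name table plus raw data."""
    def __init__(self, size=4096):
        self.data, self.table, self.next_free = bytearray(size), {}, 512
    def write(self, name, content):
        self.table[name] = (self.next_free, len(content))
        self.data[self.next_free:self.next_free + len(content)] = content
        self.next_free += len(content) + 64
    def delete(self, name):
        del self.table[name]  # only the table entry goes; the bytes stay
    def quick_format(self):
        self.table.clear()    # fresh empty table; data area untouched
    def wipe_free_space(self):
        old = bytes(self.data)
        self.data = bytearray(len(old))  # zero everything ...
        for off, length in self.table.values():
            self.data[off:off + length] = old[off:off + length]  # ... except live files

def recovered_after(*steps):
    """Write both sample files, apply the steps, then carve the raw volume."""
    vol = ToyVolume()
    vol.write("Screenshot.png", PNG)
    vol.write("Document.docx", DOCX)
    for step in steps:
        step(vol)
    return [ext for ext, _, _ in carve(bytes(vol.data))]
```

The carver returns only a type, an offset and a length, which is why recovered files come back without their original names.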

Test 3: Format

If, instead of the above, Quick Format is unchecked, then the files are not recoverable by PhotoRec. This was actually unexpected as, reading online, the only difference between a Format and Quick Format is that the system checks the drive for bad sectors… However, this was my finding.

Test 4: Format and Cipher

Microsoft have the ability to Cipher a USB Flash Drive. The Cipher should overwrite all free space with 0’s, then 1’s and then with random data. To do this, we need to open a PowerShell Window. Right click the Start button and select PowerShell (Admin):

Then type in:

Where X is your Drive volume, in my case E.

Cipher writes the 0’s:

Then the 1’s:

Then the Random Data:

Once done you can close down the PowerShell.

In the case of the Full Format and the PowerShell, the PhotoRec tool cannot recover the data:

As mentioned, this utility was unable to work with the Format on its own, so it is possible that the Cipher did nothing.

Test 5: Delete and Cipher

You do not need to format the full drive to use Cipher. It runs only on Free Space. Thus the next test is to delete the files and then perform a Cipher. In my case however the files were recoverable:

This is a bit concerning as it means Cipher doesn’t wipe deleted files as expected. There are some notes stating that Cipher only works on files above 100 KB, which should include the picture but not the Word document. If anyone has done any additional testing here please comment.