I have a situation where a user accidentally deleted all of the photos in a directory and its sub-directories, ironically to save some space in preparation for a backup. (Helpful hint: Wise Duplicate File Remover apparently removes the originals along with the duplicates.) The photos in question are stored on a FreeBSD server that the user was accessing over Samba as a network drive from Windows.
The first thing I did was immediately unmount the drive, remount as read only, and take a full image with dd. What do we know? There were probably somewhere around 2,000-5,000 pictures in the deleted directories, we don't have the exact file names, but most of them were taken on an iPhone, a Panasonic Lumix, and a Kyocera phone, so all of the filenames were in the format IMG_xxxx.JPG, P10xxxxx.JPG, and KIMGxxxx.jpg respectively.
So, right now I'm running a pass with recoverjpeg, which is in the ports collection. It's taking forever because it's a 1TB disk and there was a lot of other stuff on there. It's a little over halfway done and it's found over 77,000 files. Not sure how many are duplicates, but the same developer that created recoverjpeg also has a tool to deal with that. From a cursory glance it looks like most of the deleted files are being recovered, but with some issues. Most of the recovered images have very specific defects: either a horizontal line about a fourth of the way down the image, or multiple images weirdly mosaiced together. None of the images have their original filename or attributes, but most still have their EXIF data.
Tomorrow I'm going to take a crack at it with Sleuthkit Autopsy, which is actually a digital forensics tool, but its PhotoRec Carver module looks promising. I'll report back here on how well that works (or doesn't).
If you have any ideas on how to best recover deleted files from a UFS filesystem, please do feel free to post them. It would be excellent if there was a way to recover just the files that were deleted from that one directory tree, and even better if there was a way to do that while preserving the original attributes like the filenames and date modified. Both free and paid software suggestions are welcome.