Recovering deleted files using testdisk

n00bie
4 min readNov 25, 2020

--

Hey guys,

Welcome back, In this blog we are going to see how to recover deleted files using “testdisk”.
Sorry for changing the topic from previous blogs, I hope you will find this helpful.

Testdisk is used to Scan and repair disk partitions. It can check and repair most partition types, also it can undelete files from
— DOS/Windows FAT12, FAT16 and FAT32
— Linux ext2
NTFS

Lets get this started.

First we can install testdisk in our machine,
In debian-based distributions, use

sudo apt-get install testdisk

In arch-based distributions, use

pacman -S testdisk

This will get testdisk installed in your machine

Next we can try to recover a deleted file from a pendrive using testdisk.

Notice the file called data-backup, we can mimick its deletion and try to recover it.

The data-backup file in a Filemanager
The contents of the data-backup file
The data-backup file in terminal

We can delete the data-backup file intentionally and proceed to recover the file.

The data-backup file deleted in Filemanger
The data-backup file deleted in Terminal

We can see that the file is permanently deleted from the filesystem.

Now lets move on and see how to recover that deleted file.

We can start testdisk using the testdisk command in the terminal.

testdisk
Launching testdisk

when testdisk command is typed in the terminal, it opens the interface as seen above.

If testdisk is run as root, it will directly show you the above screen, else it automatically, reruns using sudo prompting for the password, just type in the password and you are free to proceed.

Select the Create Option and press Enter.

Selecting disk from which to recover the deleted file

Now select the disk from which the file is to be recovered and Select the Proceed option and Press Enter.

Selecting the partition table type of the disk

testdisk automatically detects the partition table type of the device(pendrive or the harddisk), if you are not sure about this thing just press Enter. Else if you know stuff, just play around with it.

Selecting Advanced to proceed to recover the file

Then select Advanced Filesystem Utilities to use the undelete feature and press Enter.

Selecting the Undelete feature

Make sure the selected partition is right and select the Undelete option at bottom and press Enter to proceed.

testdisk highlighting all deleted files in red color

After selecting undelete, testdisk highlights all deleted files in RED color.

Now choose the file to recover using the Arrow keys and press c to copy the file.

Selecting destination to save the deleted file

Now testdisk asks us to select a location to save the file. Use the arrow keys to navigate the filesystem and press c to save the file in the selected location.

The deleted file successfully recovered

If the file is copied successfully, it is indicated as shown above in the picture.

The recovered file and log for this testdisk session

We can see the file is completely recovered along with the log file of the testdisk session.

As you saw it is this easy to recover a deleted file using testdisk. I hope you found this tutorial helpful.

Testdisk is capable of doing a lot more than this and I suggest you to play around with it and explore its capabilities. You are always welcome to use the --help option, and the man pages to know more or you may find countless tutorials like this all over the internet.

Thanks for reading and I hope you learned something new.

--

--