How long takes the brute force process to finish? Topic is solved

abiyi
Posts: 19
Joined: 12 Oct 2018, 18:50

How long takes the brute force process to finish?

#1 Post by abiyi »

I'm using PhotoRec 7.2-WIP to recover some deleted files from a 500 GB hard drive (in good shape according to smartctl), which it has done (just 15 files so far), but now it seems to be stuck in the brute force stage and the numbers displayed don't make sense.

First, the number of remaining sectors is stuck at 793319575. Second, the test number keeps jumping back and forth randomly, so there's no sense of advance. Third, the elapsed time keeps moving on but there's no time remaining as in the past stages.

Code:

PhotoRec 7.2-WIP, Data Recovery Utility, August 2020
Christophe GRENIER <grenier@cgsecurity.org>
https://www.cgsecurity.org

Disk /dev/sdc5 - 500 GB / 465 GiB (RO) - WDC WD50 00LPVX-22V0TT0
     Partition                  Start        End    Size in sectors
   P Unknown                  0   0  1 60800   0  1  976752001

Destination /media/user/windows/recup_dir

Bruteforce  793319575 sectors remaining (test 8256), 15 files found
Elapsed time 11h48m16s
swf: 6 recovered
gz: 3 recovered
pst: 2 recovered
diskimage: 1 recovered
fit: 1 recovered
gpg: 1 recovered
tib: 1 recovered



  Stop  
Is that behavior normal?

PhotoRec configuration:

Code:

debian:~# head -n 100 photorec.log
Using locale 'en_US.UTF-8'.


Wed Sep  2 02:47:33 2020
Command line: PhotoRec /log /debug /d /media/user/windows/ /dev/sdc5

PhotoRec 7.2-WIP, Data Recovery Utility, August 2020
Christophe GRENIER <grenier@cgsecurity.org>
https://www.cgsecurity.org
OS: Linux, kernel 4.19.0-5-amd64 (#1 SMP Debian 4.19.37-5 (2019-06-19)) x86_64
Compiler: GCC 8.3
ext2fs lib: none, ntfs lib: none, ewf lib: none, libjpeg: none, curses lib: ncurses 6.1
Hard disk list
Disk /dev/sdc5 - 500 GB / 465 GiB - CHS 60800 255 63 (RO), sector size=512 - WDC WD50 00LPVX-22V0TT0, FW:1A01

Load parameters from /root/.photorec.cfg
Can't open photorec.ses file: No such file or directory
Partition table type defaults to None
   P Unknown                  0   0  1 60800   0  1  976752001
New options :
 Paranoid : Yes
 Brute force : Yes
 Keep corrupted files : Yes
 ext2/ext3 mode : No
 Expert mode : Yes
 Low memory : Yes

cgrenier
Site Admin
Posts: 5432
Joined: 18 Feb 2012, 15:08
Location: Le Perreux Sur Marne, France

Re: How long takes the brute force process to finish?

#2 Post by cgrenier »

You should not enable the bruteforce mode when recovering data from a hard disk. It's only for small media like memory cards, to recover more fragmented jpg files. You can stop PhotoRec.
PhotoRec has recovered very few files. I wonder if your disk isn't encrypted (Veracrypt/Truecrypt/Bitlocker...).

abiyi
Posts: 19
Joined: 12 Oct 2018, 18:50

Re: How long takes the brute force process to finish?

#3 Post by abiyi »

That's a very interesting clarification that should be included in the manual, or even better: on the footer of the PhotoRec configuration screen.

The hard disk is not encrypted (none of my disks are).

Maybe I'll give it another try with the brute force feature deactivated to see what happens.

BitterColdSoul
Posts: 50
Joined: 07 Jun 2020, 20:38
Location: France

Re: How long takes the brute force process to finish?

#4 Post by BitterColdSoul »

@OP: You should go to "File options" and uncheck all file types that you are not interested in. Among the files that were recovered in your first attempt are: 6 "swf" (Shockwave Flash), 3 "gz" (Linux archive), 2 "pst" (Outlook database), 1 "fit" (don't know what this is), 1 "gpg" (don't know either), 1 "tib" (True Image backup). Those are probably not the file types you wish to recover, and the more file types are included, in my experience, the more likely it is to not only get false positives (files detected as a certain file type based on their signature which are in fact “garbage” / random data / useless), but also risk corrupting valid and contiguous files which could otherwise have been recovered completely (for more explanations read this).

If few files are recovered it could mean that the block size was not selected properly. The block size detected during the initial test can be wrong, in which case PhotoRec's scan won't find file signatures at cluster boundaries, and will only detect false positives. Try selecting a smaller block size.
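
Added example, not part of the post above and not PhotoRec's own code: a toy signature scan showing how a block size that is too large steps over file starts, while a 512-byte block size finds them and ignores a stray signature inside a sector. The image layout, the signature table and the `base` parameter are assumptions constructed for illustration.

```python
# Toy file carver: look for known signatures only at block boundaries.
SIGNATURES = {
    b"\xff\xd8\xff": "jpg",
    b"\x1f\x8b\x08": "gz",
    b"%PDF-": "pdf",
}
SECTOR = 512


def build_image():
    """Constructed 64 KiB sample image: 4 KiB clusters whose data area starts
    at sector 3, so file starts are 512-aligned but not 4096-aligned."""
    image = bytearray(64 * 1024)
    data_start = 3 * SECTOR
    cluster = 4096
    starts = {}
    for i, (magic, name) in enumerate(SIGNATURES.items()):
        off = data_start + i * 2 * cluster
        image[off:off + len(magic)] = magic
        starts[off] = name
    # Stray JPEG magic in the middle of a sector: data, not a file start.
    image[40000:40003] = b"\xff\xd8\xff"
    return bytes(image), starts


def scan(image, block_size, base=0):
    """Return {offset: type} for signatures found at base + k * block_size.
    `base` is a hypothetical alignment offset used only in this example."""
    hits = {}
    for off in range(base, len(image), block_size):
        for magic, name in SIGNATURES.items():
            if image.startswith(magic, off):
                hits[off] = name
    return hits


if __name__ == "__main__":
    image, starts = build_image()
    print("true file starts :", starts)
    # Block size too large and misaligned: every file start is skipped.
    print("4096-byte blocks :", scan(image, 4096))
    # Smallest block size: all starts found, mid-sector magic ignored.
    print("512-byte blocks  :", scan(image, 512))
    # Large blocks work again only when aligned to the data area.
    print("4096, aligned    :", scan(image, 4096, base=3 * SECTOR))
```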

abiyi
Posts: 19
Joined: 12 Oct 2018, 18:50

Re: How long takes the brute force process to finish?

#5 Post by abiyi »

@cgrenier: I started a new PhotoRec session with all options at their default values (brute force deactivated), and PhotoRec recovered thousands and thousands of files, so your advice worked like a charm :D

abiyi
Posts: 19
Joined: 12 Oct 2018, 18:50

Re: How long takes the brute force process to finish?

#6 Post by abiyi »

BitterColdSoul wrote: 06 Sep 2020, 16:01 If few files are recovered it could mean that the block size was not selected properly. The block size detected during the initial test can be wrong, in which case PhotoRec's scan won't find file signatures at cluster boundaries, and will only detect false positives. Try selecting a smaller block size.
The block size detected by PhotoRec (and selected by me) is always 512 (the smallest block size available). I'm sure it's the right one because it's the same one displayed in gparted.
