Can TestDisk recover overwritten data using i-nodes?

RootBlacKSuN
Posts: 2
Joined: 01 Mar 2025, 01:56

Can TestDisk recover overwritten data using i-nodes?

#1 Post by RootBlacKSuN »

Hello everyone,

I’m taking a Linux administration course, and my professor claims that TestDisk, with techniques too complicated to explain in class, can recover files even if the data blocks are overwritten, using only the i-node table / i-node information. However, in the TestDisk documentation (Chapter 8: “Recovering Deleted Files Using TestDisk”), it says:
“When a file is deleted, the data remains on the disk. Unless new data has overwritten your lost file, TestDisk can usually recover it.”
This suggests that once the disk blocks are overwritten, recovery is not possible.

In my view, it's clear that this is impossible, but since my professor insists otherwise, I'm left wondering if I'm misinterpreting the documentation or missing something. Thank you very much in advance!

Is there any advanced technique in TestDisk that can restore a file from the inode alone if its data blocks have been overwritten, or is that simply impossible?

Thank you for your time, and for all the work on TestDisk and PhotoRec. They are fantastic tools!

Also thank you in advance for your clarification!
recuperation
Posts: 2975
Joined: 04 Jan 2019, 09:48
Location: Hannover, Deutschland (Germany, Allemagne)

Re: Can TestDisk recover overwritten data using i-nodes?

#2 Post by recuperation »

Your title states: "Can TestDisk recover overwritten data using i-nodes?"
The answer is yes because your title is not precise.

In your text you wrote instead "using only the i-node table / i-node information".
This answer is "generally no"; a short NTFS file can be contained completely in the i-node.

Please tell me the name of this institution where this particular professor teaches!
Especially in the Linux world, file systems like EXT4, XFS, BTRFS are used as well. File recovery in Linux courses should rather focus on those new ones instead of the ones that TestDisk can recover.

You are citing a statement that is too generalized.
Not talking about the storage technology (HDD, SSD) or the file system type (FAT, NTFS, ext2, maybe ext3) and how this affects recoverability is a deception.

Generating a deleted file (file data) out of the content of an i-node (meta data) is not possible. Downloading "DRIVER.SYS" from the internet because the deleted entry contains "?RIVER.SYS" and has a known length so that the deleted file resembles a known one does not count.
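
Added example, not part of the thread and not TestDisk code: a toy Python model of the metadata/data split discussed in the reply above, showing recovery through a kept i-node record when the blocks are intact, after they are reused, and for a small file stored inside the record itself. `ToyDisk`, the 16-byte block size and the sample contents are constructed for illustration and do not reflect any real on-disk layout.

```python
BLOCK = 16  # toy block size in bytes (constructed; real file systems use far larger blocks)

class ToyDisk:
    """Toy model: i-node records hold metadata and block numbers; blocks hold the data."""
    def __init__(self, nblocks=8):
        self.blocks = [bytes(BLOCK)] * nblocks
        self.free = list(range(nblocks))
        self.inodes = {}  # i-node number -> metadata record

    def write(self, ino, data, resident_max=0):
        rec = {"size": len(data), "ptrs": [], "resident": None, "deleted": False}
        if len(data) <= resident_max:
            rec["resident"] = data  # small file kept inside the record itself
        else:
            for off in range(0, len(data), BLOCK):
                b = self.free.pop(0)
                self.blocks[b] = data[off:off + BLOCK].ljust(BLOCK, b"\0")
                rec["ptrs"].append(b)
        self.inodes[ino] = rec

    def delete(self, ino):
        rec = self.inodes[ino]
        rec["deleted"] = True                 # metadata survives the delete
        self.free = rec["ptrs"] + self.free   # blocks are only marked free, reused first

    def recover(self, ino):
        """Follow the old record: all it can do is re-read whatever the blocks hold now."""
        rec = self.inodes[ino]
        if rec["resident"] is not None:
            return rec["resident"]
        raw = b"".join(self.blocks[b] for b in rec["ptrs"])
        return raw[:rec["size"]]

def demo():
    original = b"holiday video frame data, 40 bytes long!"  # constructed sample content
    results = {}
    d = ToyDisk(); d.write(1, original); d.delete(1)
    results["blocks_intact"] = d.recover(1) == original
    d.write(2, b"X" * 40)  # a new file reuses the freed blocks
    results["blocks_overwritten"] = d.recover(1) == original
    d2 = ToyDisk(); d2.write(1, b"tiny", resident_max=8); d2.delete(1)
    d2.write(2, b"Y" * 40)  # block reuse cannot touch data held in the record
    results["resident_small_file"] = d2.recover(1) == b"tiny"
    return results

if __name__ == "__main__":
    print(demo())
```
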
RootBlacKSuN
Posts: 2
Joined: 01 Mar 2025, 01:56

Re: Can TestDisk recover overwritten data using i-nodes?

#3 Post by RootBlacKSuN »

Thank you very much for your quick reply, recuperation!

The institution in question is the Linux College Argentina.

Let me give you some more context: The professor was explaining what inodes, soft links, and hard links are. During his explanation, he mentioned that inodes are extremely important because they allow you to recover deleted data from the disk using tools like TestDisk, which surprised everyone.

To clear up my doubts, I asked him, “If I have an HDD and, for some reason, there’s a physical problem in the sector where the data block is located, can I recover the information using only the inode?” His answer was yes, that nothing more than the inode was needed. I was completely astonished at that point.

So I followed up with another question: “If there were a way to copy the inode table from one disk to another, could I clone the disk?” He replied that this is the usual method of cloning disks. That really blew my mind, since it sounded too good to be true.

Afterward, he gave an example involving large files, saying that just the inode alone could be used to recover the contents of a multi-gigabyte video. Once class was over, the discussion continued in our WhatsApp group, where everyone had many doubts about this. He then posted a text with various definitions of inodes and file recovery, but didn’t elaborate on it; it seemed to contradict what he had taught in class.

Throughout the lesson, we were working with MBR and EXT4 partitions.

The following class he used a USB drive to demonstrate file recovery. First, the instructor used R-Linux, showing that some files had a green dot, others an orange dot, and others a red dot. He explained that the files marked with an orange dot had suffered some data block overwriting. Then he ran TestDisk 7.1, selected "Intel Partition", then "Analyze", and finally "Deeper Search". At that point, two deleted partitions marked with a "D" appeared, one FAT32 and one FAT16. He mentioned that the entire deleted partition can be recovered, and I quote: "which means the data block theory goes out the window." He then shared an anecdote about how powerful TestDisk is, explaining that a friend of his, several years ago, made seven failed Linux installations on a disk that contained his personal Windows XP installation, and according to him, TestDisk was able to recover the entire Windows XP partition. This immediately raised a red flag for me because I understand that installing Linux would have overwritten many data blocks. In the end, the example turned out to be confusing because he didn't show how to recover those files that appeared with an orange/red dot in R-Linux.

Given how insistent he was on this topic, I figured the best way to resolve my doubts was to come straight to the source—hence my post on the cgsecurity.org forum.

Again, thank you very much for taking the time to read my post.
Best regards!