
How long takes the brute force process to finish?

Posted: 03 Sep 2020, 05:56
by abiyi
I'm using PhotoRec 7.2-WIP to recover some deleted files from a 500 GB hard drive (in good shape according to smartctl), which it has done (just 15 files so far), but now it seems to be stuck in the brute force stage and the numbers displayed don't make sense.

First, the number of remaining sectors is stuck at 793319575. Second, the test number keeps jumping back and forth randomly, so there's no sense of progress. Third, the elapsed time keeps moving on but there's no time remaining as in the past stages.

Code:

PhotoRec 7.2-WIP, Data Recovery Utility, August 2020
Christophe GRENIER <grenier@cgsecurity.org>
https://www.cgsecurity.org

Disk /dev/sdc5 - 500 GB / 465 GiB (RO) - WDC WD50 00LPVX-22V0TT0
     Partition                  Start        End    Size in sectors
   P Unknown                  0   0  1 60800   0  1  976752001

Destination /media/user/windows/recup_dir

Bruteforce  793319575 sectors remaining (test 8256), 15 files found
Elapsed time 11h48m16s
swf: 6 recovered
gz: 3 recovered
pst: 2 recovered
diskimage: 1 recovered
fit: 1 recovered
gpg: 1 recovered
tib: 1 recovered



  Stop  
Is that behavior normal?

PhotoRec configuration:

Code:

debian:~# head -n 100 photorec.log
Using locale 'en_US.UTF-8'.


Wed Sep  2 02:47:33 2020
Command line: PhotoRec /log /debug /d /media/user/windows/ /dev/sdc5

PhotoRec 7.2-WIP, Data Recovery Utility, August 2020
Christophe GRENIER <grenier@cgsecurity.org>
https://www.cgsecurity.org
OS: Linux, kernel 4.19.0-5-amd64 (#1 SMP Debian 4.19.37-5 (2019-06-19)) x86_64
Compiler: GCC 8.3
ext2fs lib: none, ntfs lib: none, ewf lib: none, libjpeg: none, curses lib: ncurses 6.1
Hard disk list
Disk /dev/sdc5 - 500 GB / 465 GiB - CHS 60800 255 63 (RO), sector size=512 - WDC WD50 00LPVX-22V0TT0, FW:1A01

Load parameters from /root/.photorec.cfg
Can't open photorec.ses file: No such file or directory
Partition table type defaults to None
   P Unknown                  0   0  1 60800   0  1  976752001
New options :
 Paranoid : Yes
 Brute force : Yes
 Keep corrupted files : Yes
 ext2/ext3 mode : No
 Expert mode : Yes
 Low memory : Yes

Re: How long takes the brute force process to finish?

Posted: 04 Sep 2020, 10:37
by cgrenier
You should not enable the bruteforce mode when recovering data from a hard disk. It's only for small media like memory cards to recover more fragmented jpg files. You can stop PhotoRec.
PhotoRec has recovered very few files. I wonder if your disk isn't encrypted (Veracrypt/Truecrypt/Bitlocker...).

Re: How long takes the brute force process to finish?

Posted: 05 Sep 2020, 16:19
by abiyi
That's a very interesting clarification that should be included in the manual, or even better: in the footer of the PhotoRec configuration screen.

The hard disk is not encrypted (none of my disks are).

Maybe I'll give it another try with the brute force feature deactivated to see what happens.

Re: How long takes the brute force process to finish?

Posted: 06 Sep 2020, 16:01
by BitterColdSoul
@OP: You should go to "File options" and uncheck all file types that you are not interested in. Among the files that were recovered in your first attempt are: 6 "swf" (Shockwave Flash), 3 "gz" (Linux archive), 2 "pst" (Outlook database), 1 "fit" (don't know what this is), 1 "gpg" (don't know either), 1 "tib" (True Image backup). Those are probably not the file types you wish to recover, and the more file types are included, in my experience, the more likely it is to not only get false positives (files detected as a certain file type based on their signature which are in fact “garbage” / random data / useless), but also risk corrupting valid and contiguous files which could otherwise have been recovered completely (for more explanations read this).

If few files are recovered it could mean that the block size was not selected properly. The block size detected during the initial test can be wrong, in which case PhotoRec's scan won't find file signatures at cluster boundaries, and will only detect false positives. Try selecting a smaller block size.
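
An added illustration of the block-size point in the post above (not part of the thread and not PhotoRec's code): a toy carver that checks for a file signature only at the start of each block, run over a constructed image. The image layout, the three-entry signature table and all function names are assumptions made for this example.

```python
"""Toy signature carver (added example, not PhotoRec's implementation)."""
from functools import reduce
from math import gcd

# Well-known magic bytes for three file types.
SIGNATURES = {"jpg": b"\xff\xd8\xff", "gz": b"\x1f\x8b\x08", "pdf": b"%PDF-"}
SECTOR = 512

def build_image(placements, sectors=64):
    """Constructed sample: zero-filled image with file headers at given sectors."""
    image = bytearray(SECTOR * sectors)
    for sector, kind in placements.items():
        magic = SIGNATURES[kind]
        image[sector * SECTOR:sector * SECTOR + len(magic)] = magic
    return bytes(image)

def scan(image, block_size):
    """Look for a known signature only at the first bytes of each block."""
    hits = []
    for offset in range(0, len(image), block_size):
        for kind, magic in SIGNATURES.items():
            if image.startswith(magic, offset):
                hits.append((offset, kind))
    return hits

def estimate_block_size(hits):
    """Largest size every header offset is aligned to (a simplification)."""
    return reduce(gcd, (offset for offset, _ in hits), 0)

# Files start on 512-byte boundaries; only sectors 8 and 16 are also 4 KiB aligned.
IMAGE = build_image({3: "jpg", 8: "gz", 13: "pdf", 16: "jpg", 21: "gz"})

if __name__ == "__main__":
    for size in (512, 4096):
        found = scan(IMAGE, size)
        print(f"block size {size}: {len(found)} headers found -> {found}")
    print("estimated block size:", estimate_block_size(scan(IMAGE, SECTOR)))
```

With a block size larger than the real cluster size, every header that does not happen to fall on the coarser boundary is skipped, which is why a smaller block size can turn up files the first pass missed.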

Re: How long takes the brute force process to finish?

Posted: 06 Sep 2020, 19:12
by abiyi
@cgrenier: I started a new PhotoRec session with all options at their default values (brute force deactivated), and PhotoRec recovered thousands and thousands of files, so your advice worked like a charm :D

Re: How long takes the brute force process to finish?

Posted: 06 Sep 2020, 19:31
by abiyi
BitterColdSoul wrote: 06 Sep 2020, 16:01
"If few files are recovered it could mean that the block size was not selected properly. The block size detected during the initial test can be wrong, in which case PhotoRec's scan won't find file signatures at cluster boundaries, and will only detect false positives. Try selecting a smaller block size."

The block size detected by PhotoRec (and selected by me) is always 512 (the smallest block size available). I'm sure it's the right one because it's the same as displayed in gparted.